Edit tour

Windows Analysis Report
Inst7__9510085.exe

Overview

General Information

Sample Name:	Inst7__9510085.exe
Analysis ID:	686895
MD5:	9fadc5c7c3282e203c68b0d45bfa0b10
SHA1:	5f0914179d66b63cafe61dd55d8d418e64e36ea5
SHA256:	260dc2a2adc2e1e29bb5f8bc243fb45fbd29baaec7a28feed59260a9f2b12a29
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Hides threads from debuggers

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to infect the boot sector

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Is looking for software installed on the system

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

Checks for debuggers (devices)

Contains capabilities to detect virtual machines

Queries disk information (often used to detect virtual machines)

Contains functionality to query network adapater information

Classification

Process Tree

System is w10x64

Inst7__9510085.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\Inst7__9510085.exe" MD5: 9FADC5C7C3282E203C68B0D45BFA0B10)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0xd718a:$r1: Classes\Folder\shell\open\command 0xd71d0:$k1: DelegateExecute

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.517276957.000000006D3FC000.00000002.00000001.01000000.00000006.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x47c6:$xo1: jVWM\x1ENLQYL_S\x1E]_PPQJ\x1E\[\x1ELKP\x1EWP\x1Ezqm\x1ESQZ[ 0xb176e:$xo1: \xAA\x96\x97\x8D\xDE\x8E\x8C\x91\x99\x8C\x9F\x93\xDE\x9D\x9F\x90\x90\x91\x8A\xDE\x9C\x9B\xDE\x8C\x8B\x90\xDE\x97\x90\xDE\xBA\xB1\xAD\xDE\x93\x91\x9A\x9B
00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x2ccdc:$xo1: \x113&500=sirl 0x120d54:$xo1: Hj\x7Fliid*0+5
00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0xaa6:$xo1: \x0845/\|,.3;.=1\|?=223(\|>9\|.)2\|52\|\x18\x13\x0F\|1389 0x3b8a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x3d4a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x408a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x424a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x436a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x458a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x474a6:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x62066:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x7935a:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x7e35a:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0x8cb22:$xo1: \xFC\xC0\xC1\xDB\x88\xD8\xDA\xC7\xCF\xDA\xC9\xC5\x88\xCB\xC9\xC6\xC6\xC7\xDC\x88\xCA\xCD\x88\xDA\xDD\xC6\x88\xC1\xC6\x88\xEC\xE7\xFB\x88\xC5\xC7\xCC\xCD 0xa49e6:$xo1: Qmlv%uwjbwdh%fdkkjq%g`%wpk%lk%AJV%hja`
00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x28c9c:$xo1: \xA3\x81\x94\x87\x82\x82\x8F\xC1\xDB\xC0\xDE 0x564e4:$xo1: \xEE\xCC\xD9\xCA\xCF\xCF\xC2\x8C\x96\x8D\x93
00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x4516:$xo1: \xBA\x86\x87\x9D\xCE\x9E\x9C\x81\x89\x9C\x8F\x83\xCE\x8D\x8F\x80\x80\x81\x9A\xCE\x8C\x8B\xCE\x9C\x9B\x80\xCE\x87\x80\xCE\xAA\xA1\xBD\xCE\x83\x81\x8A\x8B 0x362f6:$xo1: \xF7\xCB\xCA\xD0\x83\xD3\xD1\xCC\xC4\xD1\xC2\xCE\x83\xC0\xC2\xCD\xCD\xCC\xD7\x83\xC1\xC6\x83\xD1\xD6\xCD\x83\xCA\xCD\x83\xE7\xEC\xF0\x83\xCE\xCC\xC7\xC6

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Inst7__9510085.exe.6d180000.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0xd718a:$r1: Classes\Folder\shell\open\command 0xd71d0:$k1: DelegateExecute

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: Inst7__9510085.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.192.108.21:443 -> 192.168.2.3:49749 version: TLS 1.2

Source: Inst7__9510085.exe

Static PE information: certificate valid

Source: Inst7__9510085.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://123.com/
Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://123.com/safeinstallregion.infosafeinstallregionsi:2sdinstall.infosdinstallsi:1C:
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Inst7__9510085.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Inst7__9510085.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Inst7__9510085.exe, 00000001.00000003.377394693.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.441207792.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000002.514502663.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.441297453.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.377302134.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Inst7__9510085.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Inst7__9510085.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://dl.360safe.com/gf/%u.cabHTTP/1.1GETRANGE:bytes=%d-%d
Source: Inst7__9510085.exe, 00000001.00000002.516815501.000000006D28F000.00000008.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://dl.360safe.com/gf/360DenyPidList.cabhttp://dl.360safe.com/gf/extdll.cabhttp://dl.360safe.com/
Source: Inst7__9510085.exe	String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: Inst7__9510085.exe, 00000001.00000002.516815501.000000006D28F000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://dl.360safe.com/gf/360ini.cabhttp://dl2.360safe.com/partner/installer.exe
Source: 360ini.dll.1.dr	String found in binary or memory: http://dl.360safe.com/gf/360ini.cabhttp://dl2.360safe.com/partner/installer.exehttp://dl.360safe.com
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://dl.360safe.com/inst_gf_popup.exehttp://dl.360safe.com/inst_js_popup.exehttp://dl.360safe.com/
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: http://dl.360safe.com/inst_gf_popup_t.exe
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://dl.360safe.com/sev3/sewstgold.cabhttp://dl.360safe.com/sev3/sewstggf.cabhttp://dl.360safe.com
Source: Inst7__9510085.exe, 00000001.00000003.379525429.0000000003A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl2.360safe.com/partner/installer.exe
Source: Inst7__9510085.exe, 00000001.00000002.516067983.0000000003A10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl2.360safe.com/partner/installer.exeAA
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload1383.exehttp://dl.360safe.com/360/ins
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://down.360.cn/360sd/360sd_gf64.exehttp://down.360.cn/360sd/360sd_gfhips.exe
Source: Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://down.360.cn/360sd/360sd_gf64hips.exehttp://dl.360safe.com/sev3/sewstgcs.cabhttp://dl.360safe.
Source: Inst7__9510085.exe	String found in binary or memory: http://down.360safe.com/setup.exe
Source: Inst7__9510085.exe	String found in binary or memory: http://down.360safe.com/setup.exePath360ver.dllIsBetaVersion
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: Inst7__9510085.exe	String found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://inf.safe.360.cn/sein/thinkhttp://inf.safe.360.cn/wsin/think%u621af95ab39cccc79fd560bfc8b793bc
Source: Inst7__9510085.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Inst7__9510085.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://www.360.cn
Source: Inst7__9510085.exe, 00000001.00000002.514378056.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 360ini.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/5U
Source: Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/AT8
Source: Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000002.514293260.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/gf/MyNewIni2.cab
Source: Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/gf/MyNewIni2.cab3=l
Source: Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/gf/MyNewIni2.cab6
Source: Inst7__9510085.exe, 00000001.00000002.514293260.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/gf/MyNewIni2.cabP
Source: Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/gf/MyNewIni2.cabw=
Source: Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379513619.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.360safe.com/t)
Source: Inst7__9510085.exe	String found in binary or memory: https://hao.360.cn
Source: Inst7__9510085.exe	String found in binary or memory: https://hao.360.cn/
Source: Inst7__9510085.exe, Inst7__9510085.exe, 00000001.00000002.514045489.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.cn/?installer
Source: Inst7__9510085.exe	String found in binary or memory: https://hao.360.cnhttps://http://https://hao.360.cn/?installerhttps://hao.360.cn/%s
Source: Inst7__9510085.exe, 360ini.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 360ini.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: dl.360safe.com

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C03420 _memset,_memset,_memset,_memset,_memset,Sleep,InternetCrackUrlW,InternetSetOptionW,GetTempPathW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetOpenW,PathAppendW,InternetConnectW,_memset,HttpOpenRequestW,HttpOpenRequestW,HttpQueryInfoW,HttpOpenRequestW,CreateFileW,_memset,InternetReadFile,WriteFile,FlushFileBuffers,_memset,InternetReadFile,FlushFileBuffers,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00C03420

Source: global traffic	HTTP traffic detected: GET /gf/MyNewIni2.cab HTTP/1.1RANGE: bytes=0-10711User-Agent: BeaconHost: dl.360safe.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gf/360ini.cab HTTP/1.1User-Agent: BeaconHost: dl.360safe.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 104.192.108.21:443 -> 192.168.2.3:49749 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Inst7__9510085.exe.6d180000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll, type: DROPPED	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen

Source: Inst7__9510085.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Inst7__9510085.exe.6d180000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000001.00000002.517276957.000000006D3FC000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C03420	1_2_00C03420
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C14850	1_2_00C14850
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C09820	1_2_00C09820
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C139D0	1_2_00C139D0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C259D0	1_2_00C259D0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C31986	1_2_00C31986
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C13CD0	1_2_00C13CD0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C04540	1_2_00C04540
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C45545	1_2_00C45545
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C06E60	1_2_00C06E60

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C025E0: GetCurrentProcessId,CreateFileW,DeviceIoControl,CloseHandle,

1_2_00C025E0

Source: 360ini.dll.1.dr

Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: Inst7__9510085.exe, 00000001.00000000.247517273.0000000000C5E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstDirect2DLayer.exeh$ vs Inst7__9510085.exe
Source: Inst7__9510085.exe	Binary or memory string: OriginalFilenameInstDirect2DLayer.exeh$ vs Inst7__9510085.exe

Source: Inst7__9510085.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Inst7__9510085.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 360ini.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 360ini.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: Inst7__9510085.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

File created: C:\Users\user\AppData\Local\Temp\360ini.cab

Jump to behavior

Source: classification engine

Classification label: mal60.evad.winEXE@1/45@7/5

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C1BF90 CoCreateInstance,

1_2_00C1BF90

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C1A370 _memset,CreateToolhelp32Snapshot,Process32FirstW,_wcsncpy,Process32NextW,FindCloseChangeNotification,

1_2_00C1A370

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 5064
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\360InstallForChannel
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Mutant created: \Sessions\1\BaseNamedObjects\{EF05DB74-1623-48f2-B923-8738727916C1}

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C02260 LoadResource,LockResource,SizeofResource,

1_2_00C02260

Source: Inst7__9510085.exe	String found in binary or memory: --silent-install=3_1_1 --homepage=%s
Source: Inst7__9510085.exe	String found in binary or memory: --silent-install=3_1_1
Source: Inst7__9510085.exe	String found in binary or memory: zBSOFTWARE\KitTipCLSIDjsflag_%dSOFTWARE\KitTipCLSID\kittip_%d_flag --IniReInstal --nocloud--silent-install=3_1_1--silent-install=3_1_1 --homepage=%s

Source: C:\Users\user\Desktop\Inst7__9510085.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Inst7__9510085.exe

Static PE information: certificate valid

Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Inst7__9510085.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Inst7__9510085.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Inst7__9510085.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Inst7__9510085.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Inst7__9510085.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Inst7__9510085.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Inst7__9510085.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Inst7__9510085.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C10430 push ecx; mov dword ptr [esp], 00000000h		1_2_00C10431
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C28741 push ecx; ret		1_2_00C28754

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C4788F LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_00C4788F

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	1_2_00C0D950
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	1_2_00C24220
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	1_2_00C245E0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C12ED0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C24770
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C0D720

Source: C:\Users\user\Desktop\Inst7__9510085.exe

File created: C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	1_2_00C0D950
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	1_2_00C24220
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	1_2_00C245E0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C12ED0
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C24770
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00C0D720

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_1-18167

Source: C:\Users\user\Desktop\Inst7__9510085.exe TID: 4780

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-18423
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_1-18333

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,__wcsicoll,StrStrIA,StrStrIA,StrStrIA,GetProcessHeap,GetProcessHeap,HeapFree,

1_2_00C0B9B0

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

API call chain: ExitProcess graph end node

graph_1-18425

Source: Inst7__9510085.exe, 00000001.00000002.514130057.000000000080C000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000002.514293260.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Inst7__9510085.exe, 00000001.00000002.514293260.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C2669E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_00C2669E

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C17DD0 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,

1_2_00C17DD0

Source: C:\Users\user\Desktop\Inst7__9510085.exe

1_2_00C4788F

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C23856 GetProcessHeap,HeapAlloc,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList,

1_2_00C23856

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: FILEMON701
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: FILEVXD
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: REGVXD
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: NTICE
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: REGMON701
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: SICE
Source: C:\Users\user\Desktop\Inst7__9510085.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C32AF7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00C32AF7
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C2669E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00C2669E
Source: C:\Users\user\Desktop\Inst7__9510085.exe	Code function: 1_2_00C28E68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00C28E68

Source: Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr

Binary or memory string: >%s\%sCommon StartupSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders360safeEmFixer.lnk/fix /fixid=%d/fix /hidetray /fixid=%dSOFTWARE\360Safe\statManExitSOFTWARE\360Safe\safemonDisableAutorun360leakfixer.exe360tray.exeWtsapi32.dllWTSQueryUserTokenShell_TrayWndWinSta0\Default"%s" %sdeepscan\ZhuDongFangYu.exe/Install/Start360Safe360Safe\save_record.iniidPIDy:%u;m:%u;d:%u;h:%u;m:%u;s:%utimeDATEsafemonsafemon\360tray.exe /On%08xuninst.exe%s\ucl%d%s\sucl%d%dSystemStartOptionsSYSTEM\CurrentControlSet\ControlSAFEBOOTSYSTEM360ver.dllopenQ360SafeMonClasshipsver.dllsafemon\360cactus.tpijsflag_%dSOFTWARE\KitTipCLSIDIsSafeExistIsSafeExist2dkeaoaskeugn%dUCLGAPSAVETIMEOUTSAVEDISABLETRAYMINDAY__/tipflagStart_UIdep360.exe/ini /kittip 360Tray.exeDo505_ImplTestUIIsBrowserInstalledIsBrowserInstalled2BrowserLaunch--IniReInstal --nocloudIs360ZipExistStart360Zip_UIIsPalmInputExistStartPalmInput_UIIsDesktopLiteExistStartDesktopLite_UIIsSDExistStartSD_UISeTakeOwnershipPrivilegeDisallowedQihooNotifyForTray

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: GetLocaleInfoA,

1_2_00C480BA

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C06960 cpuid

1_2_00C06960

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C0EAB0 GetSystemTimeAsFileTime,

1_2_00C0EAB0

Source: C:\Users\user\Desktop\Inst7__9510085.exe

Code function: 1_2_00C064E0 _memset,_memset,GetVersionExW,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleHandleW,GetProcAddress,_memset,

1_2_00C064E0

Source: Inst7__9510085.exe, Inst7__9510085.exe, 00000001.00000000.247496913.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp, Inst7__9510085.exe, 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	15 Virtualization/Sandbox Evasion	LSASS Memory	181 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	15 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	13 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	53 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
Inst7__9510085.exe	3%	Virustotal	Browse
Inst7__9510085.exe	9%	Metadefender	Browse
Inst7__9510085.exe	4%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll	4%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.Inst7__9510085.exe.c00000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
1.0.Inst7__9510085.exe.c00000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://hao.360.cnhttps://http://https://hao.360.cn/?installerhttps://hao.360.cn/%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dl.360safe.com.dl.360qhcdn.com	104.192.108.21	true	false	unknown
s.360.cn	180.163.251.231	true	false	high
dl.360safe.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dl.360safe.com/gf/MyNewIni2.cab	false		high
http://dl.360safe.com/gf/360ini.cab	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://down.360safe.com/setup.exe	Inst7__9510085.exe	false		high
http://dl2.360safe.com/partner/installer.exeAA	Inst7__9510085.exe, 00000001.00000002.516067983.0000000003A10000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.360safe.com/5U	Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	false		high
http://down.360safe.com/setupbeta.exe	Inst7__9510085.exe	false		high
http://dl2.360safe.com/partner/installer.exe	Inst7__9510085.exe, 00000001.00000003.379525429.0000000003A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe	Inst7__9510085.exe, 360ini.dll.1.dr	false		high
https://dl.360safe.com/gf/MyNewIni2.cab6	Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload1383.exehttp://dl.360safe.com/360/ins	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
http://dl.360safe.com/inst_gf_popup.exehttp://dl.360safe.com/inst_js_popup.exehttp://dl.360safe.com/	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://dl.360safe.com/t)	Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379513619.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dl.360safe.com/gf/360ini.cabhttp://dl2.360safe.com/partner/installer.exe	Inst7__9510085.exe, 00000001.00000002.516815501.000000006D28F000.00000008.00000001.01000000.00000006.sdmp	false		high
http://123.com/safeinstallregion.infosafeinstallregionsi:2sdinstall.infosdinstallsi:1C:	Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://hao.360.cn/?installer	Inst7__9510085.exe, Inst7__9510085.exe, 00000001.00000002.514045489.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hao.360.cnhttps://http://https://hao.360.cn/?installerhttps://hao.360.cn/%s	Inst7__9510085.exe	false	Avira URL Cloud: safe	unknown
http://inf.safe.360.cn/sein/thinkhttp://inf.safe.360.cn/wsin/think%u621af95ab39cccc79fd560bfc8b793bc	Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://dl.360safe.com/gf/MyNewIni2.cabw=	Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hao.360.cn/	Inst7__9510085.exe	false		high
https://hao.360.cn	Inst7__9510085.exe	false		high
http://down.360.cn/360sd/360sd_gf64hips.exehttp://dl.360safe.com/sev3/sewstgcs.cabhttp://dl.360safe.	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
http://dl.360safe.com/sev3/sewstgold.cabhttp://dl.360safe.com/sev3/sewstggf.cabhttp://dl.360safe.com	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
http://down.360.cn/360sd/360sd_gf64.exehttp://down.360.cn/360sd/360sd_gfhips.exe	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://dl.360safe.com/gf/MyNewIni2.cab3=l	Inst7__9510085.exe, 00000001.00000003.379418134.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Inst7__9510085.exe, 00000001.00000003.379482053.0000000000891000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dl.360safe.com/gf/360DenyPidList.cabhttp://dl.360safe.com/gf/extdll.cabhttp://dl.360safe.com/	Inst7__9510085.exe, 00000001.00000002.516815501.000000006D28F000.00000008.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
https://dl.360safe.com/gf/MyNewIni2.cabP	Inst7__9510085.exe, 00000001.00000002.514293260.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dl.360safe.com/gf/%u.cabHTTP/1.1GETRANGE:bytes=%d-%d	Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
http://dl.360safe.com/gf/360ini.cabhttp://dl2.360safe.com/partner/installer.exehttp://dl.360safe.com	360ini.dll.1.dr	false		high
http://dl.360safe.com/inst_gf_popup_t.exe	Inst7__9510085.exe, 00000001.00000002.516829622.000000006D292000.00000004.00000001.01000000.00000006.sdmp	false		high
http://www.360.cn	Inst7__9510085.exe, 360ini.dll.1.dr	false		high
http://123.com/	Inst7__9510085.exe, 00000001.00000002.516675345.000000006D248000.00000002.00000001.01000000.00000006.sdmp, 360ini.dll.1.dr	false		high
http://down.360safe.com/setup.exePath360ver.dllIsBetaVersion	Inst7__9510085.exe	false		high
https://dl.360safe.com/AT8	Inst7__9510085.exe, 00000001.00000002.514390785.0000000000872000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.192.108.21	dl.360safe.com.dl.360qhcdn.com	United States	55992	QIHOOBeijingQihuTechnologyCompanyLimitedCN	false
180.163.251.231	s.360.cn	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
180.163.251.230	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
171.13.14.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	686895
Start date and time:	2022-08-19 14:43:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Inst7__9510085.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winEXE@1/45@7/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 95.9%) Quality average: 84.7% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 94% Number of executed functions: 35 Number of non-executed functions: 89
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
180.163.251.231	xaAKuXBlkn.apk	Get hash	malicious	Browse
	xaAKuXBlkn.apk	Get hash	malicious	Browse
	A1FsbRkm5m.exe	Get hash	malicious	Browse
180.163.251.230	xaAKuXBlkn.apk	Get hash	malicious	Browse
180.163.251.230	A1FsbRkm5m.exe	Get hash	malicious	Browse
171.13.14.66	xaAKuXBlkn.apk	Get hash	malicious	Browse
	7YyaK2cB1s.apk	Get hash	malicious	Browse
	A1FsbRkm5m.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
s.360.cn	A1FsbRkm5m.exe	Get hash	malicious	Browse	171.8.167.89
	http://www.360.cn/download/	Get hash	malicious	Browse	171.8.167.89
	S38G0o4jF9.exe	Get hash	malicious	Browse	171.8.167.89
	https://dl.pconline.com.cn/download/467865.html	Get hash	malicious	Browse	171.8.167.89
	instbeta.exe	Get hash	malicious	Browse	171.8.167.89

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
QIHOOBeijingQihuTechnologyCompanyLimitedCN	xaAKuXBlkn.apk	Get hash	malicious	Browse	101.198.193.20
	xaAKuXBlkn.apk	Get hash	malicious	Browse	101.198.193.20
	com.qihoo360.mobilesafe.chargescreen.apk	Get hash	malicious	Browse	101.198.193.20
	com.qihoo.paymentmethod.apk	Get hash	malicious	Browse	101.198.0.16
	r7y1NIYYgB	Get hash	malicious	Browse	101.197.235.247
	7YyaK2cB1s.apk	Get hash	malicious	Browse	101.198.193.20
	ke6H0OudC9	Get hash	malicious	Browse	101.197.177.133
	j2HOMEQy59	Get hash	malicious	Browse	101.199.91.145
	sora.arm	Get hash	malicious	Browse	101.197.235.218
	apep.x86	Get hash	malicious	Browse	101.199.91.148
	Sz45LdfKVF	Get hash	malicious	Browse	101.197.149.9
	hOh1ZwLnVq	Get hash	malicious	Browse	101.197.85.209
	0xZU1uLFYs	Get hash	malicious	Browse	101.197.85.221
	arm-20220401-2259	Get hash	malicious	Browse	101.197.85.222
	mirror1.o	Get hash	malicious	Browse	101.199.133.243
	Rakitin.x86	Get hash	malicious	Browse	101.197.85.209
	EGbDLRwaLA	Get hash	malicious	Browse	101.198.137.194
	hc0B1CYKcL	Get hash	malicious	Browse	101.198.182.209
	582D4t0Bne	Get hash	malicious	Browse	101.197.85.246
	smQXkoH9Fk	Get hash	malicious	Browse	101.197.235.232
CHINANET-SH-APChinaTelecomGroupCN	TtGZLMEeM9	Get hash	malicious	Browse	222.70.184.232
	skid.x86-20220819-0453	Get hash	malicious	Browse	218.79.224.216
	skid.mpsl-20220819-0453	Get hash	malicious	Browse	222.68.156.118
	iZNau4ksFx	Get hash	malicious	Browse	114.87.176.29
	mEADpMWrZL	Get hash	malicious	Browse	222.70.57.67
	SvzJZrFbVD	Get hash	malicious	Browse	218.82.97.97
	p89LfV3O5c	Get hash	malicious	Browse	101.87.175.193
	7KsN731Rwz	Get hash	malicious	Browse	114.88.189.141
	2a3RdBEgat	Get hash	malicious	Browse	222.73.165.52
	V2wOepXoQr	Get hash	malicious	Browse	114.87.204.171
	pBSukTIjxt	Get hash	malicious	Browse	116.234.235.238
	sJqgSCTgR7	Get hash	malicious	Browse	116.238.120.40
	gIGCMXT1Zd	Get hash	malicious	Browse	180.164.82.98
	vhlFaAE4Mq	Get hash	malicious	Browse	180.164.182.108
	rf6NT3iJPf	Get hash	malicious	Browse	114.86.108.236
	GFGKMctmKH	Get hash	malicious	Browse	116.224.3.14
	zrD1CxdxuF	Get hash	malicious	Browse	58.40.193.205
	a84pe0qmNp	Get hash	malicious	Browse	114.81.112.8
	IDTkPkfSPq	Get hash	malicious	Browse	61.172.89.185
	j9C3Ja5YQy	Get hash	malicious	Browse	116.225.231.216

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	https://secureowa674.weebly.com/	Get hash	malicious	Browse	104.192.108.21
	zOdGiVpqXJ.exe	Get hash	malicious	Browse	104.192.108.21
	SecuriteInfo.com.Gen.Variant.Nemesis.10030.13880.exe	Get hash	malicious	Browse	104.192.108.21
	CMI_Business_Banking_1.2.6.exe	Get hash	malicious	Browse	104.192.108.21
	NJUODEI1fC.exe	Get hash	malicious	Browse	104.192.108.21
	iFCuu2NeW9.exe	Get hash	malicious	Browse	104.192.108.21
	hanglung.com.html	Get hash	malicious	Browse	104.192.108.21
	http://free.xjs.lol	Get hash	malicious	Browse	104.192.108.21
	vbc.exe	Get hash	malicious	Browse	104.192.108.21
	PORTFOLIO-356274##.htm	Get hash	malicious	Browse	104.192.108.21
	SecuriteInfo.com.Variant.Lazy.234727.32325.exe	Get hash	malicious	Browse	104.192.108.21
	https://notifications.google.com/g/p/APNL1TirmAeCyygwQxqQ4cYrz-vlkxJqotX4ApGvOIhnf5plw8E2q_X2gwM8OxvaJt_wwRTzdZzH9ToK3dqRiUwObbj835EZayDFX0Y1N7t8dgIKvjKA	Get hash	malicious	Browse	104.192.108.21
	https://express.adobe.com/page/S5TkOml9tdwzl/	Get hash	malicious	Browse	104.192.108.21
	NEW ORDER.exe	Get hash	malicious	Browse	104.192.108.21
	PEDIDO78.xlsx	Get hash	malicious	Browse	104.192.108.21
	https://kutt.it/t6killx	Get hash	malicious	Browse	104.192.108.21
	SecuriteInfo.com.Gen.Variant.Nemesis.10030.23341.exe	Get hash	malicious	Browse	104.192.108.21
	Voice3873639.htm	Get hash	malicious	Browse	104.192.108.21
	https://www.dropbox.com/scl/fi/1rc2u2xp4mhqkcurhpaen/PO88041_1911-You-have-been-invited_-to-view-the-folder%E2%80%9CPO8841_1911%E2%80%9DNew.paper?dl=0&rlkey=6gbt2fivnpf6cxgbd0ssks1ey	Get hash	malicious	Browse	104.192.108.21
	https://couillardconstruction-my.sharepoint.com/:o:/g/personal/mmarcoux_couillardconstruction_ca/EojxdO2A3BFFlQ8uMYx8K3gB1DW3lrAVIipOa4_9eg4pUg?e=BZ8Ta7	Get hash	malicious	Browse	104.192.108.21

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\360ini[1].cab

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	Microsoft Cabinet archive data, 2234731 bytes, 1 file
Category:	dropped
Size (bytes):	2234731
Entropy (8bit):	7.998089110810114
Encrypted:	true
SSDEEP:	49152:f3mwjPxrhCVdehRjqkJHHqBKmPFRQBe8lXUf1MIcs6:f3mmxrhCVIrrNK4Be8Gfi1
MD5:	A5553BC968023ADF38EC51E64C692EBC
SHA1:	8179EA7BD1B5380686767C02ABDD10159E3294B9
SHA-256:	3A1EACCA488F243B3D949FF984B7FCABDD7DE1B3FA356E3EA3A5545792820E40
SHA-512:	3EB7A8DBB3CAAF5F5388D96E3B746AFA9AFD86E4DE69713FEF275BDC041B777E175372171FC44E5C7B3BF31406548877625F240A59C8BC72A397708EC609CE9C
Malicious:	false
Reputation:	low
Preview:	MSCF....k.".....,...................G.........C........Sb. .360InI.dll.B.?..:..CK.}y`S..o.6MR. ..E..*......Z. j..)3.... ..Z.L...z..uB/\qF.DDTl).Y&...D.@.E.......).}......~.w.^k.....>{.o..'.....D...........?.....e...c6._j...>.p...&.5..{....{'x....0...q.&d..p..c:..Z4.a......]Z..<...:......M.;oYk....Gvb\|.u+JO8...U.s..;q:.....Z..~..f%.....+..wg!..U!....i.2.....Cy{........f0.\.....m08.a......a04.2!4,.P...K......E...i........J....p...M..+7...@.sn4..Jb..../...o.5....M...,......3.KX8.......<....F...=mD.....5.#...fp.JMoN.S..6?....w.d.........&M.t'=.6..1L'l...z'..?........../.9.......?.WVe/}...l....B....d....dZ...../(..z..=...6.O.OT.!:...d".....T...o.=..'....J7./I....s.?...d......#1.O...[b.W....U.1..Ee..,u`.c./........./!J.X.'.Y.(VJ.W.#...z......^...r...p.../.yg.C...._.C_Q.0..4.@...8...I....P....W...&...4.p.>.5.......-..........g.9.qn..a/....G..F....k64./W....m...A..Y..'..n......e[..."..s..\|..z}Z...^.w..?=.....;..?...;..L...4.....D....\|U..~G.%+

C:\Users\user\AppData\Local\Temp\360ini.cab

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	Microsoft Cabinet archive data, 2234731 bytes, 1 file
Category:	dropped
Size (bytes):	2234731
Entropy (8bit):	7.998089110810114
Encrypted:	true
SSDEEP:	49152:f3mwjPxrhCVdehRjqkJHHqBKmPFRQBe8lXUf1MIcs6:f3mmxrhCVIrrNK4Be8Gfi1
MD5:	A5553BC968023ADF38EC51E64C692EBC
SHA1:	8179EA7BD1B5380686767C02ABDD10159E3294B9
SHA-256:	3A1EACCA488F243B3D949FF984B7FCABDD7DE1B3FA356E3EA3A5545792820E40
SHA-512:	3EB7A8DBB3CAAF5F5388D96E3B746AFA9AFD86E4DE69713FEF275BDC041B777E175372171FC44E5C7B3BF31406548877625F240A59C8BC72A397708EC609CE9C
Malicious:	false
Reputation:	low
Preview:	MSCF....k.".....,...................G.........C........Sb. .360InI.dll.B.?..:..CK.}y`S..o.6MR. ..E..*......Z. j..)3.... ..Z.L...z..uB/\qF.DDTl).Y&...D.@.E.......).}......~.w.^k.....>{.o..'.....D...........?.....e...c6._j...>.p...&.5..{....{'x....0...q.&d..p..c:..Z4.a......]Z..<...:......M.;oYk....Gvb\|.u+JO8...U.s..;q:.....Z..~..f%.....+..wg!..U!....i.2.....Cy{........f0.\.....m08.a......a04.2!4,.P...K......E...i........J....p...M..+7...@.sn4..Jb..../...o.5....M...,......3.KX8.......<....F...=mD.....5.#...fp.JMoN.S..6?....w.d.........&M.t'=.6..1L'l...z'..?........../.9.......?.WVe/}...l....B....d....dZ...../(..z..=...6.O.OT.!:...d".....T...o.=..'....J7./I....s.?...d......#1.O...[b.W....U.1..Ee..,u`.c./........./!J.X.'.Y.(VJ.W.#...z......^...r...p.../.yg.C...._.C_Q.0..4.@...8...I....P....W...&...4.p.>.5.......-..........g.9.qn..a/....G..F....k64./W....m...A..Y..'..n......e[..."..s..\|..z}Z...^.w..?=.....;..?...;..L...4.....D....\|U..~G.%+

C:\Users\user\AppData\Local\Temp\bCfYaEhIiUiPnHfJ.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	780
Entropy (8bit):	7.754610131964816
Encrypted:	false
SSDEEP:	24:kBX5uN/V/ggbUyNSd1+krQQor+N4x2zY99gON6o:IIu8Uz+1jx2zw9/n
MD5:	8B6AA741160C9722F3BC658AFF055BE4
SHA1:	B6EDFE3EEC9844A35359620B9F8576FC602561CA
SHA-256:	CCEA94D9E9F4DB15EDDFAD4C35799D113B13AC09FAD569C72EAA346D4DD31820
SHA-512:	43E81B47672C8414FABEDADD9CA0AE575534B973B98D37FD26BC014FC3393CEB3D9D0A1D15C72434CC059AA55565F6470BFD8E0CB23846A515BE3F6EC5BA5C04
Malicious:	false
Reputation:	low
Preview:	.a..........]..Q.7...ZS....Q./.&^.pw.q...e0.5r..m..3l..v.9u.1e{.......+..{N...t.......q..A ...!s..WE..s.Fc.y..%............]..(q'213H%0..mC!D..q.2.l..3}Q.-.....#.=.1.f...m._...3..Z....U....w..}QH..Bd.......J"....?...43..X......gs..)...\|..B$..W.{.....+6..`..p.+`...z.}(.Q.w....s..k.....e.N.q..r.WL....S^o.....1..G.x...j?.....n.B?.t..-4.%.=..].!..W.[..6.....8.Cr.....K.H..T.K.....).........../;.pW.=.?..5...._....b.[B+..o..1.`.).e..\...u~t..-.G.W..k:`n.+mw<....7l ./M^........ .Qh8./.7.+Y.Q....S...k..En..\p...)k.\|l.:/..:...O....q.K.XXB.&....b_...?y.`.~..O...3....bI..h.p...@.. ..'......K...3....%B...L...F.,yE.~b..Z.],[&.;F.y.+6.O.#-V..<.r..e.e.....je.v.N...P....z...c$[...a....,o1Y...x.t7..vB.OC..>.....\...0............m.P.J2.nw.

C:\Users\user\AppData\Local\Temp\cAaAjCwGnAxAmJlM\{EAFED793-831C-4949-A6C6-BBA0E659A8F1}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	519
Entropy (8bit):	7.65023517378212
Encrypted:	false
SSDEEP:	12:uJJKi5MwMvcI1In8dFGpsa7MXgyhoZm5lZRRkyQ9ksWfNoN8bE8:cK4zn8HGWga5l3Rkn9WFoNF8
MD5:	6EB0D208587876B8B1A27AA39A6956B5
SHA1:	EB0B80F9D02313D4995B36CC16AF53D92F524F5C
SHA-256:	A0EB075C469EFFE2F3A14F6AAA661586C6916D97BD08868798153F4939A534C3
SHA-512:	F4C191DA288DFD33311594563067CFC83C45735E70D79FA476823A51AA223D26999B31EA013252CA3B87C69315210CDF98642D88647B279CD655FA6CECF8C578
Malicious:	false
Reputation:	low
Preview:	f_F.3&g.}....`x...]....D-q...i.....N.....q...[..w.W...x.mr6.E..../f0u46.W....8...G.7.\....2U^l...T.~...>}....pP..J...A..j.?Bx...4..=.....0^.9...7/Mez.........(.ZZ.....,......[N\...\|...`......m.@..........-.q...1.R.^82.w)R.Z...fP .X..oZp7c[...\|.....\....fq..!..9.&......t..h.'.&.kS..{...)\85r..P....._B.QhB^.%..v...(.?#.tN.{.iK..@(.=O.m!@6.v.H.=k.P.........9jd..........b...Y....V..9A..J....~..N...Xa.....<....A8....i....uMp.C..R&..W$exz....(O...3..........P5V..?;.U..H......<..7.....

C:\Users\user\AppData\Local\Temp\cXhCjVwGaVyAoUmP\{9A91E1DD-4BFB-4029-88CE-478244A3C748}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	465
Entropy (8bit):	7.567113468895047
Encrypted:	false
SSDEEP:	12:EzuLOEXo+On9gx5YQk58BJ6uvCWe8jcjtccJqxhNapGWMmWO:EIUn9gxs+BENBRt4xh4GM/
MD5:	462AFC4E66CB9172B8C50653B266A635
SHA1:	3A8292C59A3839680EB5F1AA6A0E66276892936A
SHA-256:	FEF97A06B353949EF348458035C3B53229A8AFED8BC2FBFB84C92F7FD0A0E0E0
SHA-512:	771CF75B0DF61DB1BD31A071C45446EB416317220B9A6A7797460B808A21D1491FADFF63C44D7CAEFDF83C949D4B22DB3BF34651688250C9884539C4F2CF8434
Malicious:	false
Reputation:	low
Preview:	..J..%.{.......+.....to.V......#MLKC.\|.......mp.DW....\...Z.....G/.'.$.R...2h.P..Z.~#V...0}0..z......6Z.#,v...YrRX....6R.1.....]....,.+.J....X%.....k......".......k......(X.#F..].\<.P...`....M...&.W5.I.e..<.k[.w..<....8...."..^(@.l...}....`....Y[.......>v.>./.PM.}...t.&......U6W...Z)..kv9...y..c..I..~.=..g...W...=}ULI.....'-".)=..?}.(i.$^y...h.?.=.<n....<"........*U......\|-[.E..T...G...X.r.u...#_....y...T...L..........6.a=......

C:\Users\user\AppData\Local\Temp\dCiUqYjVhBiQbTpE.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	532
Entropy (8bit):	7.573135827986852
Encrypted:	false
SSDEEP:	12:ZyhI+Eqd9vcAJl6J6Ot6D/OHIaApAXVOe+HH8M:z+5YAn6T+aAGXb+HcM
MD5:	CBA3271DE2A4E383701E0CE9B10C516B
SHA1:	8DCFB8FF37B32F656BAEBD0C4E779F372E14DB8B
SHA-256:	BC84719A85D5ED983A4EDEAF82047773C1D07D0B36F8077A889866550D9B1E3A
SHA-512:	2C8AE85A7DA01741C10F99AFAE4267AD5DEED684D4A302FF6F0D4C485620B86538AA6E16D276233BE37AC190147CF13BB8150F5A4BAC1FAFB354CF0B136914ED
Malicious:	false
Reputation:	low
Preview:	........N.~P.u.y.......h.A.{.#...1._c.I5o........-o8.mJ.......X....b .8.&%.~3.]{......../..?.Sn..A.h.n.2...Jh..1@.....@....H..:RW.........b..){./.S1...K..em.b.s.N.'09..4..d.:.\;v..^S&..l.!`X... ."-.$..p........BS.A..eZiS}..^-y..#`.yx0..R.P...X{.........b..R...o...^..v.k.{..].$Sm..R......x..~..S.._..bN.>HmX.#..^?8#*..'#.2.........XY..G..0..i......9.~...C.l.._.<....b.+4.OWu..:...z.3...<6. .....4..m..$.8O ....t@..-i....D.zG%.......%.......$..^.[5.l.:.7wU.7..-...I1.....~/..p9.{...`.....\|..{....o.(.]T.R..7

C:\Users\user\AppData\Local\Temp\eKjNuHeSmTrLoJtI\{D0D0F78C-E32B-45d9-9F88-6FC2EC8776C2}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	503
Entropy (8bit):	7.542313163803107
Encrypted:	false
SSDEEP:	12:2LlwF5DH4t2aGF6MH2nk7i3QEvJpJY5nsCnAxmTvop:2Lm3DK3/MH2N3QEvJp25xAATvo
MD5:	37FEBAB054FD789E860BD80AD97B7473
SHA1:	57AAC37D48D0AD13A54DB4C28A2F38992D8E8957
SHA-256:	3FBCA6F43A339DB0822FA966C417E67F1ED1B11E9718D01803DE7739A773AF29
SHA-512:	0994BA4E70AA0E948CFC232A34ED642D60B41EFD4E62D5D02FD6B8D330DDEA4A7AE36B65DB9776259FF68BF4CA1FB18E799D55B3B433B4ACA4630939EEE2CD56
Malicious:	false
Reputation:	low
Preview:	.E..u.5B."e.E.V]..0...N..p.......F.w../.#...sKw+0.n.-....!..\|h.Q.......b..9...Q}b..Hnp.0-J...e..vj,&....@-.j.5...j7?i5. .5O.@.H@.u<.b.M\|.B%.....>....&....[...um..{..y(.:h#..Pr2..M.nFse...[.@ ...58._<..-...fwt.O.]..ry[/jw...A...e.X.I...kRbO.r.....l$.z......k.....9....3...q2.g........q~,.wQ...nI#.{O..?).[..P}...g.....$...]...$.........'.'f........&..f cgC..kd{..B#'.....=.q.I....u-..H....v...;.....v'Q..{:......8.K.P.....H:AC&h.F....dK.'J.4..z\....y.......].s.w.F.KZ.Y..{ns7w

C:\Users\user\AppData\Local\Temp\gJsCuFfLfVtBkUlP.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	264
Entropy (8bit):	7.155729251753923
Encrypted:	false
SSDEEP:	6:BPhLgTnUPfCwerjVJDCeaMlk1ijshrdqoM7PK6b9mvh1u:PAnUfzQ+ZUk1iYhkK6b9mvh1u
MD5:	4CE4501503B3D1114391C4D29E8A49E9
SHA1:	F7C46B04767DC50D386B315F40DD231C639A5B44
SHA-256:	7B542DB2D8AD46046AA4B25CE447FE1B94C8C59E851ECB74201994D92DA8A75F
SHA-512:	0373176603CDA9CE12A62E26472A22435A3070530F33E541566B61E783CE210DE0878215A7AC55416EEFC320C18217BBDBBA4EA0E25E158D072C7A33B496CA83
Malicious:	false
Reputation:	low
Preview:	...T,...2.....3QB.T.A....!.Q.o...V....3}...d..DAY.A.c..T=V..u u0....t.F.J%.5R^5.).u..+.......W......&t.%~.r.9....1.{^a....d...).,.sc.;=!....2...2...C.+I..;...o..MeP.{XPa.0.qqM.'..y...A..D..`Q..XE......J+V.......9"h~.%...K.../.bj.:.......d.l.....)P..t.

C:\Users\user\AppData\Local\Temp\gYtQtCcEiWiWnGiV.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	990
Entropy (8bit):	7.78954917813486
Encrypted:	false
SSDEEP:	24:oaCUEo9YYyyAUMFjyltBpmlaH9kOWij78UsyXxz:N/Eo9YYyWiymlaH9hnXxz
MD5:	2F4EE35EDD3AE9625C7577993AC4AF62
SHA1:	A130549F0936EFD900FFBE5B5732BACAE28D33AE
SHA-256:	61C1E87CEC3B145B7BF32F93DECDB509115558D70FABD241B49D257C793D4350
SHA-512:	5A22E0F3E6AAF7E22852CFDD7A466660F963BDC09D14ED9CD72CFD2D26227E0871C5BB9F713FCA2AC3A3EE9DB8306DEF331E3862451A28B170C807B18A51A8E1
Malicious:	false
Reputation:	low
Preview:	9>U..Fi..n....+\|.g..Y].~M.B,`).P.\... \t.}......m_{O..d..+q...@.+i):...@HM.e.K-.,.........\z..R....u.8.z...........'...&%..).s.O0.5XV...R.......Q,s...x.4.Z.]...r..R9...H.9"C,.....9.....gM.S...4..k..#.6..\|.y'....v.o.-..,.F.<....]..%..&.~.....o.....1D]....1...8.kV.;z..U>.. .g.=~.J..8.....a...pr;M{.....:..~XA.....%bG{R...Z.XiMa...{...j^.Q).P".0<.n.\|Z.g..i.!..a.c.$n=.d..........0...bd..!.o...W."0.5\<ZBy.B.U...r.xpYX.-.C..)........C.w.3........n.^yS.(2..zZ<..9..[...f%...B.J..#..nm...l....d.....]Z...,..V..&^..h+.F..w@....K...aY.,.Z.mz-(.\|+..s....!U..\..i[........R....MjA...z..z..EWe.f.?t.W....k..`eQ..H........}..+.b?m....%zAS...x...S........6.....4...<]..a.+.3..>6%.o{..kC........../-.:.2].t..1.r..O.I.K.......C..3..R..?..k..?.a^...?G......G.yB,.Z9..Q... .X.J.8.._...(d<..=.-....l.n&.u1.V0.,2..x.......f..t.;Y$..f......W..>..J.........;$.`.....W;......y..a...?....a.$Bg.0..4.Z.C.O]m........1..._...Y...(.._.CQ.Tv ..70.z..,4.6.)i..

C:\Users\user\AppData\Local\Temp\hKfEzNcZqVxDcFtV.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	807
Entropy (8bit):	7.746809909222307
Encrypted:	false
SSDEEP:	12:+DlHP3l6HCH9m3sFXFkz7HRseSKwxJ3uA862Ci3z7cRBioJDAMUNGvEtvm1RTjXu:+DJ96isMOJPStxJ3uAECyZoJ7vpLTjXu
MD5:	45485036AC4CC6FA21FDB8DBCF24D2D7
SHA1:	760CD1A5773E1D95C079277798CB95653B729A7D
SHA-256:	7B669ECD0A96E179C79487079BB4C676ADEB8A6AC66EF5348F5B993EDF487552
SHA-512:	4C5640D43535AD489913B56D7BFFB91539DFB6871BBDD1FE94BDA83496B4892E4312EDF4FBA6E27D16250E443A883CA4649E79166F21872C55FF4CDEDA4BC231
Malicious:	false
Reputation:	low
Preview:	.;t.5"=...%r.)....#r.0.dU..l...INiZ.....E[k...s..%.....i..z...3.{:>.gH...Qz..w?..Z.E.....X.r.\|5..[...=..0.......Gy..rLw...H._"...6.l8......:Sl.%roO....]...U!y..).....!4.aC.A\|.C0.L.g%...R.$....^........@..!..g$s0.X..q.r.x[:..-2"5.lF.....F~..=e..\|n..n)>..-...D.9TK...%sx..M$Z....:.L.#....a....r...V.R/...xn.P#....:Y_..t...&...'..D...B.....u.2=;.....D2..;.t..j..<......VX...].!.Kg.;.A..`.jV=O/L..P.....)..3.....q}..'G...I.~cc.]..5..`..........;`P.........^...........@o.S.p'r.#~......~"8.^..v..8.b..L..Z....%.JK.../dR..........m.6.~......N. E.^.@....0.`um...J..OD..o..../..`.DGt.......)....d........_r...}.).VdR....o..L..5..}.(..vN.z.+.H/As.l...&....y.\|.\|6m..>..,}......m.i.. .TI..=.9a....~...........'Ok..`y'...4.......03..<\..f.O.....E.DK..6.....i..8S.P

C:\Users\user\AppData\Local\Temp\jOwNzOmWaJiKuOkT\{75E63B99-FB7D-46f0-80F5-16829FE6223E}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	223
Entropy (8bit):	6.959698218131323
Encrypted:	false
SSDEEP:	3:xgyyvMaazUgxqf6rx2OJt/fvdXhvC3Uw3B5zCcgb1ZLqR+x14oZIIonnb+vn:y9FazZxntFXhKkYBUcgLx1KVavn
MD5:	85B0F70435FDA84617CE4F38D22A6A0E
SHA1:	304D6F8F268B4B36DB2DEF112E8BBAD9B5EA9C6E
SHA-256:	9C23706C794762B234B6D3105627A82DE90C8A45B17F3CD84077446F5EC84815
SHA-512:	33FEF7C0F4410A0BDF8425A14EC3E97891E1CD1C37FAE306263B602B1D0D9E1BB37E03DEA1F3AD17B0BC62E0A9FD678FCA2C693DB236D7016BC77BC37E12E011
Malicious:	false
Reputation:	low
Preview:	....R..O.\..W.;..[H...b.#.&.C.........M.Vf5E.cW.j.u..-.....b.b.N......cF...Y.u.....;.....I4.$....o.B....q5..N.z../?..!.......C...K..m...."...........^.Z..-h.......uj.d..i.~..~....,~..q..?7-f........B.!.)~..

C:\Users\user\AppData\Local\Temp\mCcQyFvLbDxJsJeF\{BE03A119-6DF6-4e06-8F37-F71682FCCCF8}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	7.220781005825952
Encrypted:	false
SSDEEP:	6:xYFVeTNhScK6jrx+yzLVWcWQcpRU8frjt5yNJ593TnsW:xYnuzbK6jAsLQRDdn8t3TnsW
MD5:	2A9A702F63D7C2AF9A174075B9C06E65
SHA1:	10F8238A93A8F2226393145A24A067839A164DE9
SHA-256:	1A610CB584670E0AD554EBC2B0869CFA2290F35114D3434C33E752985BA4D37A
SHA-512:	3435CF39EDF35C810D65E5239FBE7542938EB0FF0DE57706C2FBC82673B5A1913EE897BCA7E1B52F36621109AD09657122E72AEFEF53353E58D86E4A5F9E76F7
Malicious:	false
Reputation:	low
Preview:	......./.....9...p.d...1.7...y...zK.z.h......g.o.&..8;.......t..O......*..Sf.i.'.....0.V?;.d......<...t....ax...e..!.u9.5..q..3...G`....rK....?.8...s.].U..z..1.5...5..eE^nMd!.O->.._.P.5......(.`w.M...<<[JdC<.M...PJ.3....H......u.......z\|o.kkz.......o;I

C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4447712
Entropy (8bit):	7.414018925094948
Encrypted:	false
SSDEEP:	98304:NroZ4kVXXuiPyeDzDf+1jhRk0OQAPqDPbbfH0r++XWhVF26YAheiOO:dKVuiPyKfadRk0tAPqQzXWvF2Ye6
MD5:	08D27E92C01292950C6E773C0B5DC890
SHA1:	547713801BA834742154F421F9958D46AEE15B6B
SHA-256:	9BE6DD74DB8CDFF8A8A8A71F8FACD58F774232F15D019004041E9DC328896293
SHA-512:	743D96DBE834C7961C348F603EF654E73461461935C3090A46B87DEAF07A41D975C0DF8ABB2C1A73480AB07DAE21113436FCF0E9DACAD8B06615A8BB94C798D9
Malicious:	false
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll, Author: ditekSHen
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 4%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MAJH,/.H,/.H,/.V~..L,/..c..A,/.AT..V,/.AT.._-/.AT...,/.o.B.M,/.H,...-/.o.T.o,/.AT...,/.AT..I,/.V~..I,/.AT..I,/.RichH,/.........PE..L...[.a...........!.....h...07...............................................D....../D...@.........................@x...... T..\|.... ...~1...........C.H?....C.@...................................P...@...............\|............................text...hf.......h.................. ..`.rdata..S............l..............@..@.data................h..............@....tls................................@....rsrc....~1.. ....1.................@..@.reloc..f.....C.......B.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oOiVlOoEvGnWfArP.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	620
Entropy (8bit):	7.701719143124821
Encrypted:	false
SSDEEP:	12:jW+yxrbXkx9PXyrP+n1C6MiftVHs6kH5m2J6IUUveOj5D/TvTH:HYrbXkx4C1Cxi1a6Qm21Rv9lXvTH
MD5:	2035CFEDDC047CBA008654EFBF9AB6A4
SHA1:	47BFE4AF4ED9E32C538D4A7331BFCF9DBA40DB3B
SHA-256:	D690A5E0737812C4A9BE47E45938965282876F8FFC55535A7DD2170D53235BF0
SHA-512:	37A65B79F7FC7CBEAC888685073C5D8D1BCCF81DA3187EC55F423D7BCE8AF1A075D215F2A3CFEF3CCB91BA3E06BF955A262E631402A6EE91495F38E90B06960D
Malicious:	false
Reputation:	low
Preview:	..FX=.@..3 Gm.....h: .m.a.b...:./Ski.Av...@.....`.,.3d(O.4.s.'..9H:.+..#Vj..`08...-<Mg.D..e.H"E.6U..ZV..MN..l).2.....~.X.9h.L.....9.?...Si......z...i....npu.n..].t..j........t.P.....#..&p......Qj..X.{..#.>/....9.=....\|....cpV..7.=....,..{...n.Lv..5...6..g.c...`..uD.8.W.".#.?..6..yx.np.jL...(....+.#..eSCD..+B...\...4vV. ...0.C.{....gO...r..u4....+...46..D../4.Yh..c..I......g:.(Dg..SiM...V(,.z."%.w.~%J.w..c}...!.D......,]..~F...A..}x4.Tx..0x...@. ....b.+....?.....(...r...s.........n.......7....7.bQ.t..j.K.(...>.....,....HC~h.o..2..$...o..-I.C./1ux.._...0.=..&.w{..9..`.'..._."..z./......N

C:\Users\user\AppData\Local\Temp\rQyDqOiWmDbSxSkK.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	225
Entropy (8bit):	7.0941660667804225
Encrypted:	false
SSDEEP:	3:Ingzqh+YvF6y6rNvXgRj38RhXVUiGs7MNNyFm6f84PTrt8QlzQxY65PKJkpLcwL3:egehvvF64hYX+iR7MNMLUcVyY3JkpLL3
MD5:	60B02FF6FDA7F7FB9EBD4E773B41A881
SHA1:	B62B92149E39A14D973B317B1A7D115B06F2AD0A
SHA-256:	FF20B59F245676D46D4E1B69781A72A344383619834F66BF1E2109E496E83F37
SHA-512:	8D0C3EE60758A9DA47643B5640925467712337F1CC062BB77D52C5BF3331A324E986F896AD147A4E3FFC36B3343B0AFB0EFAA7B6EC8B02021F9F43BF68B6D6C1
Malicious:	false
Reputation:	low
Preview:	;.A.P1}.H...5m>.8N...S.Op............%y..q..S.......y..Q.UPoM{..G........*zN]A.V...e...N.mR7W...S1..uU.V.p...r{3.(i.....a.Fh..6{../.....z..j.=.....;Ki.NH.)ucW[3,jn..e..N..j.G.,.!......6.'mK....b..1.@..Q2}>.....M

C:\Users\user\AppData\Local\Temp\rXvQzHoJbYgKvIvC\{67814E68-983E-4b54-A639-CF4292A50745}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	147
Entropy (8bit):	6.748892327785406
Encrypted:	false
SSDEEP:	3:f+X+VelU/Vvz3XQ3eIyFlrhG/HT8Un9+8ua+eefWAWJPSFw6:WuVnz3g3erl1spn9+S+eO2B+
MD5:	26414572AC6E17E16A428152FB1F2449
SHA1:	297061A52FD42AE0E46D6DC937FCF44C9EE01671
SHA-256:	F384FE3BC78B9718993AEC2A71D4A109F888BD3FBE3C6DF38F99FC71B9DBBEA3
SHA-512:	9E545967B68CB21877318C17006808C9F28D01729625B04186ACB5472AE8D8AF5A907554D4C99F281E27484A562AC74D8AE1703A2CF4D5B6162A35412296CEA8
Malicious:	false
Preview:	K5-..._...C(.n..PF..:..N..u.QU.. 1..r`N^..NVj.k..(...X..U/..o.g.....m.'g..N....K&"f.b..D.a1."...G*.#D.Y...\%VWC.?S.x...HA.J.esl.w...C...Xok

C:\Users\user\AppData\Local\Temp\sJaXwXpNyUvEhRfL\{AE73F880-31EA-48cb-8E61-A7B9EC8FB18B}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	241
Entropy (8bit):	7.004039467030801
Encrypted:	false
SSDEEP:	6:tIe6+ILe7BQG2RC7WNPl56Io1thxujioFcgXjUMo:ye6+/BQ7N9I1th0ibSUp
MD5:	C89F535E892492E5AFC6D6E0D3FF046A
SHA1:	8F801EF69CE7DBBDEC05C0B48E80EA712FBDE050
SHA-256:	385F660FC06077927786016D7D9185B17933648B28E8959683913463688073A3
SHA-512:	413E3B91118D5B045399AB4BFCEAE19BBDBD8FB99E3958F79899E2006C6C4CA1B5C9D05FAAE3EBC36511D3FF94A3EA4F613C4E97A935EBD386AEBC68C03A76A0
Malicious:	false
Preview:	'...+.d......s.5[W......d..;.\........E.FL>.F'...."g.#...@S..3%^.T..4.c..O5@#......y.n.g.3;....n4.$6..R$;B....m`L[.-~. ...5..8^...t...j..iK.=...q..\|..x.....Kpj...=..i..P}...H.5.%..nC..rxx..k\|.k.......U.#...&s-..Y.$".....=...8N.

C:\Users\user\AppData\Local\Temp\sZmPiYpNiIeQoUeN\{620C3DA3-6754-4b2b-BEF1-DC03DCCF2850}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	556
Entropy (8bit):	7.545080903452871
Encrypted:	false
SSDEEP:	12:fOQ79FbiXL+7CTr1ccudtt9MhCn9YRr28q4FN3/+P:XbqLd8fMhC9YRrftY
MD5:	55DAE3A38C88641F2CFAAFFEEDC81A96
SHA1:	163F6880124DC60B469310D94B1FE223FBB15866
SHA-256:	E94E035ABAA3701719D9B82DCC9E51E9BE66D6CECDDC909188F91D211B7AF9EA
SHA-512:	6B02202BA895A49483CD7F109AF79D8310F55EE47F92B37AC6ADBB72807E988CA67FE7E5B4B7A1B997C18D72A525C106135EDEFCE8B49F816BDEA5328BD22AAE
Malicious:	false
Preview:	......B.........\dtj.z.6C...K..I...$.j.,..C.ZP.%.....;Z...D6..^.<.p.\...J...4>.`YV/K..]......<.....A.1YT.n.tB.@g.....m.Kx.........55.up...2..@.z;. .t.N..9.un.B].+..m...1.@.t.#....#,.^...../)..1Fd.b.Q;..j....1bOAJ.A.K..{...x.Pk..V.o.:A..Y...N..F..VFemO.,D..n.l..h..b.....rZX.......7..1H1. Z\d....`..M.:..+...e......hTZ.:....aXC...?_...1:..Q...*.U6yI....O..W...3Q.(...l...Z.C.j@....X.2Y9X....p.\|k)P.q.<".T........b%8m..?.5#...am".k.'.C.TV'G.....Z.........N.b..+`B.\|....+do...<....K..E...t..<..<z+.n..-..T9....A...."..9.\.\b.

C:\Users\user\AppData\Local\Temp\uDdJkGwTfCyDkPmZ.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.748747874590077
Encrypted:	false
SSDEEP:	24:65B5oMnGMtJZUJuYL92OL9YZ8rSK8XIxmIC:65ByMnGoOL6ZsmIC
MD5:	FE80F705129CF0577FF5064297C8E43C
SHA1:	5E788091480D5D3FF00F217A734431A130FE499A
SHA-256:	A9513E5A24CDCDDD800C4A48AE70964934F36F1F0BA8E98CBEBC439D8356DD2F
SHA-512:	A073B66C9032E00C1C1AD77E5DF9C660F90603829AA2B4D24381AB33892DA97B491B6509B41CAD1BAB16EB635CB84E363B8F5E0D9BB77F7A49FA4B0E11E57DBE
Malicious:	false
Preview:	.J..b.qv.J......b.t..Va..Mmq@h....0"...z.5.U;{...Bk..b.t...O....0.i.0....:HS./$......._O.3._.Uf.~.t..n._..]!W.......w/'A......0..."...7..G....m.q.Z&/X%.y-.>Tw.....z8......cXx.I..0.....3..P...hC6..C'.`...iO.....eQ}Z..I.G.,.{xn[$.'.BQ..{.\e-...h.#%..>.[..v..l..)o..v.V...m.....n."...Y.?-YA..Z>.v8........,.#....0'$.2y7_'%8..h[..}-D...~.l.3Sw.h;....[v........2T.....\...ze......)..v...c.#.SSs.,eO....#...L...H$..).eH...6....`1..\.}b..V=G..Y..X..Yk<?.,oD.{..k..T....=."..AqQ.:d.pZ....e..#.....<..T.....W...6j....C..N?..w)\|..8..t...s..Jv........BW....G....xk.:....8.w..E-..........2...~dN@....I.a..M...n.)...<W..tR?...$b.....@....ms..f...A........\....[.HnS..b......_..Tx..S6...d..n5.E..(.G:......3qm.e....($H.6...?.o.v/A8^](..5....rU..`.lQI..I.\|.:.'.T...d.o.....4.#. v..V.^...W..2.......E>...

C:\Users\user\AppData\Local\Temp\uUiPwAsZnJzRzGjK.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.726145950485839
Encrypted:	false
SSDEEP:	12:BqXXKA2EcXnHdgtm75kHgP48mhn4L0OOpDweRTnO+IDnaqlliSXD1+8phnWOITxR:8xVcXHdgk5kHgwthn4L0OOpvxnO9aqlU
MD5:	73FC33D171452FB354839BEBFADAD35A
SHA1:	D7C5517495FF82753FB47DD549A96808BC7BC1EC
SHA-256:	930E133136AFAA9ABFE1B4980E01A761004D9DF981D95708354EDD067DF6530C
SHA-512:	963BC38DB4551697D78E01B8FE77B9DCA0335438835F0EC7988DF1EA653281E50BB8F6F3345AE08BFD1AA32E28A6B40ED5C04A6FC6EF4D6A29157847186C9F6F
Malicious:	false
Preview:	3g.p.9..- .....Wa...d.I.79.#.P.`..i....'o.}...^..l.i....r8,.j...0f..$.......x(..T.y....?i..>......Zof...Y\.!C..jZ.....Qh....4...-....?....AfL%...TE^..CS.5.7......a9....X..7......p..Y8f.f...1.wQ...#........L.C..`...5.K.e...3}.G0y`E....../^...r)........+../...Vw.....0Q..y...b......./%.2iT..5.J<.9)..R..X=..M#.r.........r...e.8)...P).8G.....#.Z.t..2...0.].._...}.Z}.x..wn......0..@...j.3.......1....P.....l....!..R.......0.yORv..@xC...5/...r86"w.\|.e]..?.2P..]..../' :.".x..d...S%B..9\C...v..u)7.4;.=..Z.x.N[.E98._.[.$..E.........c.G.4\|...KUz......Sk._..(.K&.olv..h...N....i.L.....m....S-<$......n.._.w...z_.8/T...h.4....Rf@.ud..........G.T6+...956..ETqY...@...Y...c*^....-D.G.<:..`.h

C:\Users\user\AppData\Local\Temp\yXoElBuX.tmp (copy)

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	10712
Entropy (8bit):	7.982497184192566
Encrypted:	false
SSDEEP:	192:uyc5DXAjRVh7O4BemOUtddDB+9xHIWr0NhxkvTtYpEK2GGid4rokwCgH:uZ5DSRfpbOEdj8urhxkvTt+EKxjaroUy
MD5:	C93FF5C9F68F071BFD5BEAEC759C71DE
SHA1:	76877DE797ECDEEA55F3C384A032704EA8ED1D16
SHA-256:	BA27BBBBFD68861CC2B26592BFB3B9226568A92B166EE14540EBEA9912F6B67E
SHA-512:	C2FDB36D92E3CCC93CF2A9841678BDB69D5639B36D7F8ACA0C2E9A5CC0E5F8948B6794D21582FC6656CEA7AB438C2B029727A11953183A5DFFC7F965108B87C5
Malicious:	false
Preview:	V...ZG..O.a.d.....c..+.y;]...../X.R.R.-....5........X..+.X........dY...8.3....L..}t'.....'..:O.1....UB...-..ce.....<.i3GIz....!.6f...JS,.EO6..M..?.....~../a.3,1-w(.V.#.G.=yRJ.OP......4..F..U...P......yu.Oh.....:..8...Xj...[/....A...u.:...[..7r.....#y.V.....$7.=.&@Q.).t..>:;`8.....\)0.X.)...=,i5.Sa4e...bM2,..!2....V....Q..3S.<."..<E.mx......r.Q..]...........2.K..a.6i...']p.W......A......VRF..n...U>d..?-...Xv18T..}....IlKe&.....s+.o.U{...+....M...Q......l....uF......ko.C....;..........6.kV....z...C.....}.......".'...q. M]....6.T.n.....s...4@oef..2.xAsr...L..ok....(=E7..UR.......!:.c>.....<..........@...nuI...^)e."'...".7.R>h.a.LZY..v.........X>!....i...SH/.m..lH....~._VCe...Yn~O..+....Ea.....t.. .6.:2H\...6`l.D......9l.......R$..D.....f!^@C. SQ.....\|.C....4A..=T..ETUC.8{....q.X..R.?..!..G&.F.G.l"0.N0r.x1..e<l`.....r..sJ..w...."........I.]..z..x9x_X.M.>!".T.j}!.6.I..I......s`.z@...}*..8..<...qEq....y.Jg...e........2.WO.BR9.M..29...=...y

C:\Users\user\AppData\Local\Temp\zLcAtArCvWvDiIbV\{F330530F-6FF3-452e-B47B-239E16693261}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	71
Entropy (8bit):	5.8186235278944425
Encrypted:	false
SSDEEP:	3:x5lbE7zYoHf98SThObE8VD0n/xCSDn:x5BSzYoHf98s4ViXD
MD5:	ED6BC50D24D5946EA417C95B7B423988
SHA1:	DDD63688C02489D7F435AD3BD084F3759B668423
SHA-256:	EE7401D994EC26202F0C4912B2DF99C177C4E91BB3FB0E6A71304ADDA0B72709
SHA-512:	2D1BCD2E163AC8627E0D73C2E31C3E518E669FD13D3BE0ECFF35DB5F693089D7B1BEB4B35255FE339D29AD678D1F20901C9B5E7B6B2A7B52A059C3992387A861
Malicious:	false
Preview:	G.X....~......x..7......'.P....C.."...0A..l.u..f.p......Z6....BH!..7<..

C:\Users\user\AppData\Local\Temp\zZwMhJnUuPtWuDfJ.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	943
Entropy (8bit):	7.816902824161429
Encrypted:	false
SSDEEP:	24:Nqm3u1j3IM1K+eN7xuXbsQq+xj0WRoXC1Z0:NW3Z1JegbsqIeoo0
MD5:	12F8BA5C3F02830663FF111D45345BD5
SHA1:	0978DDDB7FEC4F5417B4F0509D143B12BCD7CC46
SHA-256:	C4323F331EA4F24B4C59D6E68DB43BB317E240E2F87E0AEFCEF2CCB40F21CF5E
SHA-512:	223AEA862C0C55AE722B3CDD52A7A550F8E38EEF7D1186C5341808F8E22D304BEB75DEF771D2835FCFE657CCE67120EEFDE4BFFBF47AEDB8AA2D2C7AD2A164D2
Malicious:	false
Preview:	.S......y.e..5{b.f^V...w..+a..Gu)<j.O.#...!.]]H.K\6.s6..t...>i..R.......Mp.../.I....}}.p......N.".....I..a[.........q.o.7[M.=...\|9.vj'w>.Q.0..._..z..3..\Y7..;...>.#.........%...K~./-.n...._X......=..`\|Z...(..k.~;[.t.2...9..4......-J..sV...!...L..`=Kr....{.w.......U#_4...L.......Y.].HV..I.]...Bb....Id.......c.6.!.j..........lO.E-.z...;.p.y ......a..K'7.....t...)..\|(f..'Q....."zoz.Ovn.w......Z.Z.\!7U.sh_..@.w....cXy..-.z.R{......kw.eq.g.....?.o....h.qa<0u.OD....[BGb.k..:#.\...+c....LM.K.......h.syE...s..s..o..9.<.A..../.VFP(i....@.P.J-.H..)T..VY..R.9...O../.9 4..D.,@.}S.d.z]V.........w...r.)Q......C'En..N.x........p....LO~.3F.v..K.zVX....,.t.b..... %....5.6."..;.....K.`.\|........s.dG.qt!.Uv.n..Jg0\..q..K.d....y.....[61.a..6....O.}....f.l..!j.?..........g.Tf.&n....-........Tj..i[k\|.G...^..k.;2i..$...e....8k..M.....-.]e.c.d-......y..]..../......GG..@,.....F3t....H.%.b....qS....'<l7

C:\Users\user\AppData\Local\Temp\{05942839-E8CB-474d-B22E-D8B6295B39A9}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	7.494599183768397
Encrypted:	false
SSDEEP:	12:+CRfPYIeHeeKrC8ZZgB1bs+uTNriUK4hZa8:ri2e0ngB1bp6tbKoZ7
MD5:	A7745089194AD53CC71D6D9BE9711C61
SHA1:	BD46365C1602F981360073AB1BDD58687537D669
SHA-256:	502DA8BD5D550FB06F3C1BC5672C70B493A37B962FC5EFB9087115AF526D9CE9
SHA-512:	E870AADC0878CE8DA24132BCDCF52E7DECB3ED39D957392A15F6B2271C19B58F00B2DB2931C0BB3B7CDBAF0CE6F2A50053F6578C569D254217601F5D9963D041
Malicious:	false
Preview:	.8.vy...ZR..:...L."....B....Gv. ...M.l1.0G.^..B.-M....1...H=6._7..l.TKY.x.R....'....I.d.+x...L.....\|.lo.`..c+........y..@J...Z.U.<`.S.y....!Y ...-PI4..r..pvqt}..m....n/~....6.+..x..-.T....t"..F+..zElz.[.u....a..^..ZJ.nt..~.apH2.h.g%J.....J..Y...........vY...M+N...=.F.f......@%..;>c..Gd...r...m..Sm.\A75......f._.p..E.....{Uf'. ..-..``..g.s...5._...W..B...w.....R.s.Y.Q....'.%v....K.G.B.\|.VoP.....s....

C:\Users\user\AppData\Local\Temp\{0FCF70C5-F7D0-45b1-BEFC-29748F0D411A}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	5.713151523938108
Encrypted:	false
SSDEEP:	3:tKDuIJl+mVcgqlxwoTan:t/I6X/u
MD5:	16A7F34F62FBDA186A54E1E4BF729874
SHA1:	277F78A9F53E830E46A56ADF1195158AD9F90C5B
SHA-256:	C7AFB44F9230DC2EBEC8A1A8EDBEC91B9CB061C9DC4F9CFD27768A95F297D24C
SHA-512:	252BA75B5DC3D757A112BF7D025FA0BB363E5C9F3299E0074D1793E00093BE5C076CA8B67E04DFEC71ABED4455252027FED8C85B2497624C325F65492510B1BF
Malicious:	false
Preview:	..;..........J7...e..s.......XU..."..O.cL:...m....&

C:\Users\user\AppData\Local\Temp\{17E099DD-616C-4895-A255-DB7BA51FFCDF}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	618
Entropy (8bit):	7.635582495238713
Encrypted:	false
SSDEEP:	12:Zt0wvES/EmuVTc+OVPb35cZPt6kdWFi4dRLdYFTyCI:hvE8SVYrVPbJyt68MFRLURI
MD5:	32B522E1B7A6B52E880CE2880EA934A3
SHA1:	C5F7724245C15940F07CBF054DA18FDCFC5EC199
SHA-256:	11BD19B7D7E95BEEC553E9139E47533CFA0E155B089D396B24DD4D5F77BE2CCE
SHA-512:	308244A9378CAF09E8AABFFE17218B19510E790FEEDD0EE2FFD435E69A8C442B86B6D8AEF98D2C3CDC2217CB1B14CB8FB6A901A2FF1FD3E134C7A3D4EC0F9011
Malicious:	false
Preview:	.w..!d...\|.}.!2...r.W.r0}..k.J..g......RI2...m.......6_....^>X.....o.....)..8...^P.E.d..\|.O.&.>i....Z.q..U.}..xE...[..' .Z....=.AA....=.....9.(h?..p.^...T....?.`;V..h..0X.w...ui&.OQ+M..2.........tzQ........s...0...4...f ....u..e$...A.9..r....2..Z..6..$D.x..p\...9.H.a..2*...K....@t.....M.....$=.b.bT.../B..>>..A...\.B.{../.~f.....c.[S......K....E..'i.AS ....%..xs]..D.y.]..i_%u&o....R.Q!>B.q=U.g..X....oD.....S..9.[<xF;Jg,.u......~:.#.......6......F.6..X@u.h..1...`Bq.k..b...^:F.M..D.g0.G...3n... .uw.i...J....$...4Y..+.......]......2.......^g.z...k.x...A..:[... .#.7..j.....%.../..pLY.a..

C:\Users\user\AppData\Local\Temp\{195A5235-9B64-4a76-9729-22CEE7A6A97D}\gCzYbWpWaDgRkQvR.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	842
Entropy (8bit):	7.786093674297277
Encrypted:	false
SSDEEP:	24:8fMSumsT/hwP9bEstgxRyoVYs07IS95gT9tKU04ge:yumy/hwpEnxP/0cKEbp045
MD5:	642C93DB4AF5745C73735FBFBF772CF1
SHA1:	6AAEB6B4B285279757E0D53BAD1380ED5CA1B2C4
SHA-256:	47AA1E7A551D4B14261C2A508CF0741C5A8C3883B53A42F6E08FF0A0587F6B8F
SHA-512:	CA9FE95B0A684995D02D4CAAAA85B1C1D1587CECA7E79478671B2B52394B04DBDC32CE587D6D8E5DBEF4A8B5BD20A414885CEEBD32771C969BDEEE6BB2990CA3
Malicious:	false
Preview:	'h.8{u...."[9.'..D..B......s.....:.W./o"Zezt..kI../........].[d..l..y...5)..u..5.02.C.h..`P...=....9$m...{......+%.V....5.Y......_.b......o.f5.Ty...K...?.z....vc.Ulgn.@2.m..Z....F.K....n......%.........j.....4.D.P.Q.l.....S(n.Oa[C.\|c...n4OG...#..}fo.m.\...../...r....^;.X..q...q?s)A..D.\|P.."^.N;..?.N..4>..x..1Z4p>}.=.."=F..iS.k.V..")".w..i..ni%.......C..).kn..np....(Pg.L...]..2....{........b......S.p......F...fMv...!.QSo....R...d.8g....r6.....Q.>d...K.?%}v.Z...37.@...X.g......q.......c.muV.....9.#..Y?-.D..Q...D.....%...).....F....3..bi.b.F.7.6.B>..C..$V.%]...h.!..&R...@.U..F.X...S(.....F..MG.H.h_r.......".&w......a..`.$.#- .Q.[..@W.dmmA..e.4*.hw..t....\L.5..4.fK....&tm./....ic:..e..m..X...'...K.\x.....p>.}..\....C..}.U.'.....#...>.7Qe.H..B.r....N....6rNo.^f2MSz. ..E,. ....ts.Z..x.f..R...(5YN..

C:\Users\user\AppData\Local\Temp\{1F38C237-2315-4952-A90E-72A1FE4450A6}\fLwZlKnXuAwIwGjR.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	950
Entropy (8bit):	7.797422312672079
Encrypted:	false
SSDEEP:	12:ERIqBEtZboBLiOErIvERBuY3tJSMKol3of5BV6dwKIGZhD9tkpu1UMhnOZY/SC8Y:E+qBAboBLXErfCTV6uKIGlfo3XZEilw
MD5:	B6BB5DD93A018DBD6724E55010A7171A
SHA1:	E2B4FBE60F5E8D445C374DE57B99E55E25C67566
SHA-256:	B4571338C3341D49EFFEF639D12BA7945753A0889BEB847E65685BA95A802DFC
SHA-512:	20F23863F1CDFB394890210106DB54350E4F511A8E884E20D1820A81DD07A19CD2B7DDEA23CDAD4C11FE202D79FA52222746F22A9723BA6C394160AC2FF07E25
Malicious:	false
Preview:	..}Lm.S.....o.X..N..S.Rb44.......R........1U`.].8....J..6..$...Y.....iE.g..4.oU..D.N......mW%.}m..y..n..2.}...$\|..B.$qC...N.V.}....V...6.L{5....-....K..xp..a"...Q0...l....S.!.lo&An.~.c......I..K.A.E...Ad...M...u.x..N..c/e.EiC......@T.....I..gF\|......e.u...v.r....5.j.....R........p..[.%..>z........X.X....~.\.OmqJjE..6..[.hV...F.)u..D.....c~...(.....zP.X..`.m..L.:q...M...Y..7.].e..c>.g...F..B....6......P.l......K....bm...B...M.T..i..@2..k^..x.p..........(....f..8[.K..b[.K..<+.<2...N...FH.I.R......e..G.T......o`...WA.7..>(...:...Js...6...^.k.T2.+._.{.~<....r.9`SoedO}vE.c_..Uw...Y.N.4.4....Uf..B.G.51....a"Q.'w.J.cS.T']zB.x3..'Yh....q...e..7.-.......7--'.7w=....h~"...T:..e..D8L.<.Q..{0T.\.....fe.;Q.}H..b.U=...e..fy...Y...g5-_.N...d..?.<.a."...s?H&.NP.2.k.....Z.6x,..U.A..U.<.O@.\|.D.:.@t.5.B..hG.&es<.....Z8Y..?(R3...X..9.=.DK.2w]...C"...N..*@ur.[..).m(.o...........e...}..Rh.!..'`......1.([DE.?..d

C:\Users\user\AppData\Local\Temp\{22594BDC-1963-4953-ADDC-2C4C2003AD72}\aIuKuKiBmOdCsWtW.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	5.871178126382219
Encrypted:	false
SSDEEP:	3:fjxDKFOtzAu2xKzFypN4iH:LxDtunj4iH
MD5:	F230A3B15F77FB2A3A8587EA15F89453
SHA1:	4B8640FBD8AF210EC414386BC119F8900AE205D8
SHA-256:	70FADCD8991AC703AF77EADB7F2583A75EC9071E53CB5122AA8AA7965CE59A26
SHA-512:	64F62ECCCAB8985D8A857C4B969CCD3027612C071CC17ECCBBAAF78192FD81B6AD95839B1C3D9904D076050D1B4D3C6A415F0048E7F7E8921A75A9CD99AFF90F
Malicious:	false
Preview:	.........X..w..5zF...~..].....e..8].z..,..........P..).P..N...W.!(...BE"

C:\Users\user\AppData\Local\Temp\{2F550EAD-1038-494d-8D36-11C29A3B1C0B}\aBdUkGiJuKpWqOrI.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	569
Entropy (8bit):	7.6360958348271115
Encrypted:	false
SSDEEP:	12:OChwXoYmJNlPdhybpJjFaAcjCMjeC2J9D4saxIc7aXtMV:RGmnRYbxq+QG3VKNGGV
MD5:	FA5CC23B91F9FB44FB05827270BA5739
SHA1:	246ED5279A8E565F66661B0A02C6AA48EFA8DE81
SHA-256:	485209F437D6BABE6C4E6AC7AFD6FB13130E80BFCB9E75D51522AAE4800C4147
SHA-512:	6FD4B8AFABFE023457479AB9A5B191677E4404CE8C40673144AF7D73EAEC1D38DAA99C5E8EBD3DEB1DB84E12F96351CE206287B838FB9B31ED209A3C50D990AF
Malicious:	false
Preview:	.F..m^a...8.Xz.\...^.s..n......)....o.@-..Aa........?....l...K.......0CV<h..Y.....#.j.na....\.'...h.....h0Z.:..m.......!...-+..K.....4..V..,..x..a...i6..s..v........Pg...Z..)..#.lo..>........v7..x.h..:?=zOS....R\|.1.&....XS....v..#-u.5n.?p.yS..n/..sp.(.C....$...ye ..Z(....S.C5.=O.....Q....j....D.x[)+.s.u.t.]...0!.....V<..\.F.....W&.+.n[...^u.....%.z<3.0..)c.....@H.F.<....U6 .4..^.&.X&.z~7...%7P...-`Q2AYw..e...\|;......52..U,.....4.h.....Z..4..n ..o........4...N.DA3a.8.M. (.Bs=p.........#...b$X.... _{\|..oXM.8..R0.....\|gx...

C:\Users\user\AppData\Local\Temp\{36F2EA06-741D-407b-8C5A-C4296AA03D4F}

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	10712
Entropy (8bit):	7.982497184192566
Encrypted:	false
SSDEEP:	192:uyc5DXAjRVh7O4BemOUtddDB+9xHIWr0NhxkvTtYpEK2GGid4rokwCgH:uZ5DSRfpbOEdj8urhxkvTt+EKxjaroUy
MD5:	C93FF5C9F68F071BFD5BEAEC759C71DE
SHA1:	76877DE797ECDEEA55F3C384A032704EA8ED1D16
SHA-256:	BA27BBBBFD68861CC2B26592BFB3B9226568A92B166EE14540EBEA9912F6B67E
SHA-512:	C2FDB36D92E3CCC93CF2A9841678BDB69D5639B36D7F8ACA0C2E9A5CC0E5F8948B6794D21582FC6656CEA7AB438C2B029727A11953183A5DFFC7F965108B87C5
Malicious:	false
Preview:	V...ZG..O.a.d.....c..+.y;]...../X.R.R.-....5........X..+.X........dY...8.3....L..}t'.....'..:O.1....UB...-..ce.....<.i3GIz....!.6f...JS,.EO6..M..?.....~../a.3,1-w(.V.#.G.=yRJ.OP......4..F..U...P......yu.Oh.....:..8...Xj...[/....A...u.:...[..7r.....#y.V.....$7.=.&@Q.).t..>:;`8.....\)0.X.)...=,i5.Sa4e...bM2,..!2....V....Q..3S.<."..<E.mx......r.Q..]...........2.K..a.6i...']p.W......A......VRF..n...U>d..?-...Xv18T..}....IlKe&.....s+.o.U{...+....M...Q......l....uF......ko.C....;..........6.kV....z...C.....}.......".'...q. M]....6.T.n.....s...4@oef..2.xAsr...L..ok....(=E7..UR.......!:.c>.....<..........@...nuI...^)e."'...".7.R>h.a.LZY..v.........X>!....i...SH/.m..lH....~._VCe...Yn~O..+....Ea.....t.. .6.:2H\...6`l.D......9l.......R$..D.....f!^@C. SQ.....\|.C....4A..=T..ETUC.8{....q.X..R.?..!..G&.F.G.l"0.N0r.x1..e<l`.....r..sJ..w...."........I.]..z..x9x_X.M.>!".T.j}!.6.I..I......s`.z@...}*..8..<...qEq....y.Jg...e........2.WO.BR9.M..29...=...y

C:\Users\user\AppData\Local\Temp\{3FDCD0FF-E6BB-4c17-AE71-A7CD11DDF852}\nFkYgWxEbBqTeDuI.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	6.850446968919972
Encrypted:	false
SSDEEP:	3:0+AayPoaTtQYbA8RsWvhWxjyElfI90MC6UFdJMMbNtk2vMngb0Z93V+5n:gRBOYb/sWvhuBfI90MC6eIasPngb0Z9Q
MD5:	AC630F6B3B1CC1569B128676C5A70C83
SHA1:	B7BEE60507036CE6F3917637DE1DF80996EA5FDE
SHA-256:	F060DA04EA0BA81B1503960AE9998189C2FB7F4ED186D54FF757301D58FA771C
SHA-512:	8F9ADE19BAA86F610EDF399C6B677C40AB952ECA2B2206E319DD905EA1162EAF6C5B7C0F7F4A5363AE5282D3ACB03B1CCE63A3510DA652847708305944A14AE7
Malicious:	false
Preview:	..&.....N?W....N...c.".As=f.Z.......!HY......H....a..D3..b+;..=...Wv.t....z...J.X..E...$..1.B.....d...Sg..G..8.8..~S'...U/.9.I..UE.}.B.Z.vSM...i..4..c..y..[.

C:\Users\user\AppData\Local\Temp\{5C8FD48F-9230-40a4-A2F9-5A278F11B70C}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	702
Entropy (8bit):	7.697653981712762
Encrypted:	false
SSDEEP:	12:2xxjDzVxLdZLL1KEa6O0VcOHzMJpofb9VSIqM+h3wQnniG6mi4tgRTy9YfnHZqcI:2xpDzHR1h1OkHgJpofuLhvXtgl++HZqX
MD5:	376E743708C32E2A0CD07E826F3781E4
SHA1:	42B0C6F0F46C1B3DA7B0872D8C4EE7ED70FB4D22
SHA-256:	B62C2BBECCB53C1B2C1858E97D3AD9D1685CA09C9A029FC59924FDF3C9F9FC03
SHA-512:	A1740B53E93A015E84A989370891244E39DADD41C7848E85AA77D7FB69EED4C7A9BA161984F10CF57C4F0D1B45AA02139EAA90F3269FF2351A214BBA8F91EA4C
Malicious:	false
Preview:	..3Q.Z../....W.W.$..7...Q3j...;...{(.H.Phn..E..m.Ln..k>.E]......9D...dl.@.W....R....;.1...)C.w/..P...3....P...G..J!..r/q3?.v.\|._..I.N.../R...b)..E.y.....7.u........V...87%k?...T%...P.).:..z.]q.JR.SW..`..+.Y..<...,d......z.X+..z6......8."F....g......?Tx.?....).b...)...yd..........K)....P....r]s.......O.?-<..V.a..:...2.&..X.3.S8...20..V..H..&8<..F.CB.{>..&..>....c...".d.C...u..Ed.~a.B.......C.U.E [......Z..Y./..P.~s.&d0.1.p....(.ie......(..N.._C}...........\......~H!!.j.....\|u.SE......3-m...ya.i..X.>]...u<......Bb.s....=X../.l.E.4$.R....i.........U..0.I.c.....l.x-...m.j.I.z:..PDE0...pb.F........$.!W.>.< ....m.=>..Z.1.Fe.R....N6{yv2s\|B..7.w*v.)$..>.a..6...@&.Z.

C:\Users\user\AppData\Local\Temp\{6567A1AA-A2C1-4e14-AECF-954E0086CC71}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	784
Entropy (8bit):	7.736229931233587
Encrypted:	false
SSDEEP:	12:tPfl7rid+5jVckTdoJOt5EWqsISPu9CHWr+AMycB6uX9YEOLKFZoylLGmlpSOx+:tZrIeZ15yoPk+AMpBnGA6e8Ox+
MD5:	9920989219AA7FEC4904B7565980B1D1
SHA1:	3D94D4EB183DA63BBFA3893BA4B92D57E48B8CB1
SHA-256:	A73FF75F3BEF1FD882BFDCE914ABB2EC09CCEA2448AD0FFFAB176F4C0EF8BF6A
SHA-512:	3C1A9B88E1011DAC860E0871CDAD8F5233B557C4A560BC441D4C46AD7E9569681E200EDE7C1B3F3C907EF8ACDD573894C6D4CA9979304852CB289DEDF0196981
Malicious:	false
Preview:	.c.........o#.c.../...D....mN..[.z+..z....f.-.i.[..yo..@ f.Y.d.%.ZI\|X....)0...V.^g........N.).fi.. ..#`..+H..n..)...x ....j1.}.....b....P..T-.qb....cS3_...WRY...=$1,.6C.@37N...k._^t,...4/...........P.........!.H...R@...[>.t.jgD0.hY.s^.$c.....F.=.t...u.Y......J..$`l..!..Xqdk.b.dN.....k...)}....t.5...z...LO...Y..WQ./..VlD..H...C...aU".03._......5.~...!.w..Mw.pl.)E.5..Yu..F^$...."B4......Y...R.?;....s.D..$.S..;..3;..dP@\r.Epb..e./...\.5.!m......35..W.\...G@Bq.[.4..#+.d`<u.v.n, $r..a.t...}.>...{.lb..#=\|..^.fGL.j.U....D.{.4=..nL...2.u.(2O...g.k.l..._..o.n.......s.z..\|R... ...G...7.ex....w.....n3.+.ja..\|..^".N..r.......Y...C(..KA-....$p.k.Nz=..;W1.daL3h..GC..@+A.3...~.QK..wS....+Y..n}.........}....[....e.a...1.E.i .J...C...A.(bA...

C:\Users\user\AppData\Local\Temp\{6CEC644C-BA38-4675-A5BD-BDFAB86FFD18}\yPzLrEtVaDdUcVdQ.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	762
Entropy (8bit):	7.732146932254139
Encrypted:	false
SSDEEP:	12:WncSkcrH/rG144M35NwBo6OaBFkkOPO6YgsZwi48GPqQhhXfaMteOXH:GcS1S14jJNwBo6PFa/YgshkfhhXf5EO3
MD5:	EE7EA4E55C42FF866AE416573BF7BDB1
SHA1:	3431FC1B7FAAC87A32942EB361D04262F0E812CB
SHA-256:	5F91C02A15EAE20721A724BDD525321045FC6801B9DA643FD3793EE5AF1C2ECC
SHA-512:	8CFE42A30648FF92A98341F0BC6A303D1D18F6D7C9907CE8EE8561A15A39A8B974D3B7A76F8DE5D2260D037C175887C182B670654D71706FC73B9449E75C3B0C
Malicious:	false
Preview:	.e'..........{G...Z.JS.Z.A1..m..?.TjO............gw.(w....[j..f.$.#.vew.wX..^....xO.S;..+.b5...k...L...?..s...9..x%.C3W..KY.h...jQ{..z..(.(/..$.$3[A%p..(...s%.....'$..i8...s...+.miX.q!..Y0A...e}Z...q..C.c.2xsy"L...^..q.~.k...OfH..._.....h`.A....w.....p.^/..;b57.L.T..[...3...EK.\.....2.....S..le.WB......4Xz..Y.[H..fR..k.........T......d...I...]...V./a.yd.'.....D...s~_T.5..4..4..O`.@g..;..Dt.b.D.....W.WC;..g..b.HhC....8}....eN..m$G(..,..\|.w..`I3..[m.L..&....6y,.._.e...1/N.ul..i.{...i....G....&w..........QVl3.K2M&......s.JnL.p..P...!..._.+....qN...cjzDwh..q...{.`. .^F...3.]e...^...-..........x...0...EB?R.!.P;...NCj......x.........D<.C...3...Iw..8..\|*...s.."."FZ...R"..rY^kP#...ee8.}G#..[......I......=.:g..#j.u.D~.1.W...

C:\Users\user\AppData\Local\Temp\{A28A7DF4-91EF-4c32-9787-CE496D28B711}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	721
Entropy (8bit):	7.702553862684569
Encrypted:	false
SSDEEP:	12:b6drmT7UgFa8Qic8t4wTJ1cJSejdUSPXBFGmy/cb6iIr7Du4KmO8OEkdFsjL2w7K:b6JmfXq1wTbiXBFGm3IDuHmOv8P2wm
MD5:	EB1210E32F9578BC4DB923C124805EB1
SHA1:	C30963F1993D91E8A46F5CFE78746D02D0D2BD29
SHA-256:	70492118DE83BB57DAA0873A2DF3C39AB7FB7158B918E674FB2242978E91C306
SHA-512:	4EAD52094B7949AD1EC8AAE4C5901ABE5850FEFA6BDBF29F7C251B3DBB3BCAD82FEDABA0A33A1B376E5D339B9F00CBA70AC43FCB2E14A53163DD0908E870F095
Malicious:	false
Preview:	'0j.v.&...{..W.....-..y.Hy.T.o6...&V.X..O.[5..6...0.......0.j......'....D.O.....v.`..L.ao...A..&6F.%....j-.yM.}4..........V..EX.9Qi..Rn2.a...,!._K..BS.4.2Hm(...u....<.<....T....`..... .cO.(g....B....)..Vtt.S.....9...!.q.NU....^...>.xF(.E.y....~..!.^).@....Z.lp.d.~.t..b...t....u.....WL+..e2o..&..qN............tj.".[z..n7\|0._E{...w..Gsvt.9#.!......NL{.p..\|z\|..Ws...r.xsC\|..r..;.....E....^...x...'..g...M.#.v..7r`......Bz..~....G...~...t.@.D.......U.o....L4iSG.....N.a$D..\|W.E...t:......@....M?.....?..._.?Z.8.........5.iN.sq.Q]..zzg..hE]!...."....eM!s....u...........x...p1.P.(..3W......9c.p...b!2JN"..3..3mU.<.X*.oO..^..R.-nR.Re.-r.>Se.......,.3U..S..#.......l.K$Y.j\|.!^.~...6..L

C:\Users\user\AppData\Local\Temp\{A575A662-64E9-4b84-9E84-9806E73EB03E}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	926
Entropy (8bit):	7.763991704068963
Encrypted:	false
SSDEEP:	24:mqlOyfSAr3RtDpJKKjtbSHENgM9PI6ln1woE:LOyqArhgKJbSHFsI6A
MD5:	EADA285D5E3EC6705B6C7322F0F1434F
SHA1:	E364972507C7FB72E2B6BC67EFC77EE0FB6F6820
SHA-256:	7390DC153290A7232E822193D789A6781D463300BABB3203E3FE11772E2B3846
SHA-512:	DB3AD10747FA83E3E0691533DACB1E708778C9E3791374FF7C7447EA041FAC981691530E75FF7447BA43B1FC91B8A941222FB8FF8FC2046DC8E6341165361EC2
Malicious:	false
Preview:	.\|....O....UL....u.=.y...HY.<....iI<XU...wi_.....s..=.wV#J....K......fc..h.'...Gx.L.5.......]......hL8H..?...l..B2.+!b.@..f..O....3....n..u.^h.>^rx....u...^..\.^x.z1V`..lJ3.r.#S1w.i.&...-.\|.]....{;.B.u.j.D.y9.c\|..7....,..{..lQ.....@ZOp..d.l><\..q.......Y....../..b.zlj><......:.e.~...h..._............'...xp..fvj....w.#..o.h4..1..J."'.J..A'.2.Hy3..^g.b.gBK..ZPZ.2.a&..K....q.......a.6..K....(..z.5..Q..../...G_j....H...........M.../.,PUy.V\|.B.0.@..;.5]f...i..."S.......g3.....X..c....B..m..k.T..D?.%R.g]..w........%.4.j.a.......M.....f..c>.......h.F.S.:..<.k.f.?...[w.)VQC9..........z..r..o.d...u.{.....>V...2)eBZ......\...T.....d...7.o.....D....' ..#]..%\|5GJ.PW%..9..W.R.q.+F..<...Vt..W.>.=K.<......=.....Y.....zy.W!.Y...9.>..q...WH?..+.R.....D...."9.....G.D.R.w .._.3..w.#.....{=t9L.F]k..T.`..R..z.`..._.D'....J[..P.[..8...W.V..\|s..p..?....`.xW..^g.....U..+.4.yH...r..I

C:\Users\user\AppData\Local\Temp\{A7DAAB58-587A-468a-93FB-C95105C6A6CA}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	94
Entropy (8bit):	6.235439915507419
Encrypted:	false
SSDEEP:	3:2atuODFju82E6egN9kGg5RWdMv1:aOBjP1gk5r9
MD5:	641A72BE40E09836A23540F6E28942E8
SHA1:	5297B5A200141AE6C28D3F161C990C04BC46E71C
SHA-256:	6CF6FC555EDE751587A5986584D9E699A083518BB3312574BB8FAB3DFA3F26EA
SHA-512:	10109E680E5C186C14EF6F82883A2F1CB0E369C5EF4C534D4D99A528B0D9879AF36ACB63D34057D5E1A3D7691D078C96FDB98F49D56468799FC6C7105A658C35
Malicious:	false
Preview:	R.....b....>.O/Tx.yZ....`?.[.A8....e.!t..\|.%.{..-..il...?r.{X.bl;...S..j.....3 ........

C:\Users\user\AppData\Local\Temp\{BA418003-1BFE-44f0-A1A9-C59970A23DA9}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	706
Entropy (8bit):	7.746078876475687
Encrypted:	false
SSDEEP:	12:Z0kXX5542rKDLD4zQhUMUWyMEKON+1dMotUS86kqaVWl68vZiw4n:ZrXTxr6UkhUL1z1CdMo+qaavYw4n
MD5:	DAA65BE46CC3F957ECEE3478A2B785E5
SHA1:	DB7AC396A47E0310C9F04D5A3AB9688060B0C9D8
SHA-256:	E013B8418B7C5CBA606B1BEB2D28457A6A02DD03D5D60C1C2FAAEEC48A426ABA
SHA-512:	542C10BDB298D33E3F9C73D6F0A78FFCF0D97B2A3BAC230DC6465FFB78B02B6E489BF85FBB9D182BA9466689FAF41E639F80E67B3EB31D53C618CC8C3F154472
Malicious:	false
Preview:	...rd..b:0.x..T..v.8...B.b..d..WJ+6D.n....4.w>.":..v...)[..I.Hu6j9\..v...7~.e...B.U-....n..d^.i4,c).Sp..#.Gb[...6].R.7.r....O.z3..}..@...,0cv....{.....4....%..FZ...8...s<...vV..]..&E..E.-...n..Rso..&.-.m.....p....=...C.{.fDr....7F..E.%....A.\|..+..(#.ARQ..#z.....o.&0X.@n.`.9w.../.B.5.O..4...a..b1G.~?__..k..2...}0C....:..FS..9..k..i.`.i:0..{.q..mG.[AC.-...e.-`..q'?.../....I.>B..0&.U..<o.9K!".~.u.t.P.........h.c.H.t.M_.F,....e.....?...JE..d..Ni..L...T...L0zH.b'.].f.p...[.6.G$W.A....a.-N\hA.HI1..;.m.]a8.q...gz67..y...3_..l...H...........5yd[v.S& ..F.`...J..B..U......[..>{..5..d&C..M.r..t.5.;..tQH..V.x.A-\|9..Qy.(.D.bm%....(.Xw..\|..I..'$.K..f...0..Y.^^..c..-...=.(.U.0h.l

C:\Users\user\AppData\Local\Temp\{BEC92E33-ED1D-45ff-A301-EFFD27BB832E}\nKqAoWjWqFdLmGqC.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	200
Entropy (8bit):	6.895612487316016
Encrypted:	false
SSDEEP:	6:Aby3l+Lg3nNK4VHfUCa86LREcXif76DOiV:ACLVHfba8QXY6DOiV
MD5:	CCC0871EE280C24B260063E87E18E64B
SHA1:	24F36B9DD2C1BFDA59DF7563D8777E66CED59CDD
SHA-256:	065A504B4D54273827D22AADA21B797C962F61852DE15F971CF2D84990BCD073
SHA-512:	35D5EA722EEFA0276C78EE7C58FCBDDF515E3915A59BACDD18AB4504C768106A2CB794694AE855F777E781F94407F9F02D29449ABB921F50868A19D18339D1D7
Malicious:	false
Preview:	..:2.e....T.MA..TJ...S..J"......"...M.xl....~bE...N..J.D....."^'...[Z..a..7.L.:a!......h...H......C.?G.g.(..R..CImX..&.+-I.K....p.9jA..'.d....?.v.."...J.9Z<W.l..{..i..j.e...Z.XU..R..6Y.

C:\Users\user\AppData\Local\Temp\{CDDBBE14-5D4C-413d-9DD3-A1BC2A077D14}\zKdChZvGlXeQcZbL.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	799
Entropy (8bit):	7.760534593657344
Encrypted:	false
SSDEEP:	24:tEAQpBxQwL+eOtCofV3yE6KxADe8uBiOVBtv1HGJbheYOITU0Iu:thoLPOyQAC8aioB91HGREYOSU03
MD5:	6C7FC2AEC18D4A10F9D2CC322E07CB27
SHA1:	1FD55B29015158A4EDE7A1344244ADEA311239D8
SHA-256:	6722B65F9A35AC0E5C4D7086A1A5E4C142C486F8078ABE9B6D0C28C1E9CEEF27
SHA-512:	337A1940B9B5DD7F16476619EF0C1E7B06F91BA7C1F071ED1312B466C63DB2A3AA56F7DC986499880EA4B995EE443EE4CA64A93D23FC620A2CB86A5B3FC4C212
Malicious:	false
Preview:	...Z.....S>..;....SU.l.....XU..y.9......l.p\|\=...$. ..Ew.:{.%.).+.G......F..\....(..l'..e.D.]D..Y....M.......}....g.f2..Q. .X......N.._..u.....CEu....2...DE.....7ko=."..O...[...y\mJ.............. ..`.lN..8...'s....;.n...A..Y.....B.`sb....e$...H......,{.l......1..S. ..S.b.~.6...7u...R..)]J....=_.\|..s)...v.'<&..hk...t...W.7..6.X.M........op...S..=D.B..........qi...@........I^e...o..p\_=.b.0.O...Q.....h!..-...3P..R.....#o.. ...V.n..;...D.)......3\|...s..J$......P.. .......a....\ekC..,1zXv...d.$..'.]...(.o.....E...'B....*>A6w.d.K3..h.T.....a.....=z=..&>g.l....cQ)s@;....X...C...)........zZ.U+r.....jF..X.....DE.. U..r.J\&.y.0.f..u....4pPn..A.U1.IV ........1r}.ZlC8C&gA.....J..a[..>~...5.......i{......^..Y..%../3...3..s.f..K....mq......v...1.=[C.....U.]OFd.....o...

C:\Users\user\AppData\Local\Temp\{D95FB633-DCE6-43e1-B743-5FDBB0927E83}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	916
Entropy (8bit):	7.767547715360379
Encrypted:	false
SSDEEP:	24:igaog58d44vrZ5vsSSS+pOjMQf2znmYdBRdyA6S:igar5MvvrZ5USt+U92jdBRdlT
MD5:	CF2FC47968EDC30A82FEF4609C69CAC9
SHA1:	0E2DF7EF3C440F91628200978B7FA136A0E5A3C5
SHA-256:	133BF8BAA07759D4FFCC073B0E1540273B6038C4B4307B5042D8EB3675A34E81
SHA-512:	8C7CD4F3C174DE8804DF953BDF680924E30B5CBE2C8575B5AD5A7FE375B5E82F6E4CD2BE6C37220D590F4669ABCFBCCEB70B354E29C4B0117D8EF78F1A7CFF75
Malicious:	false
Preview:	.}u..p.?b..ScOy._.....#....{.....75...9..]Nd.L.~;G{..u.!...eAz8..~m....Dq.......8......Eo$0.%.n..&..i..O...o....<....Z..es.QM.u.P........d.....4~..J..E...v.......0.Q.PK.,q...b._.K.._4\.,....]...r.....<.?..d...>.....>.~.).G.lF.`\p.....[.N.f....<.lV..tE..B..?....}'..n...G[x.......C,.Z..}..pX.Oy......k\..n...!..E.a.B...k...3..6...7....c... V...0...[...5.....?. ....U.....T.;..K$..`.....RO.\|.....:V,p.B./..`......k.2...l1]h]..dE\|GR.TR.T...G......+L..0D.z...0.`b.8..w\|....^....s.eC:\|~$.....)U@.....mN....$.TM/.....i@..(VW.p]....J..AD_~....7..R..:S......<......`r(!...cm..y>V......A.[R& ..!..)....[.T.^.%.......%.&h./..s.w`.im...J<.w..6DE....^.m0yZ.?..9P...q..Pg9.....A........A..d..[..W.2.H9A.F...N`..?.E.E..&p...YR..w..I..<I.f.y6.C..Yf....R.....3.....R.,.WS..i3.I...@4.\}....kK.i3/N(.%.S....w..'...........-......LLb....i....m..W....-.*b..........)"&...G......5.e.C\|V.<....

C:\Users\user\AppData\Local\Temp\{DCFB95FB-354E-49d3-8209-367BE7C87B03}\uTaHfZcAgFsCnTjJ.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	627
Entropy (8bit):	7.635916194204237
Encrypted:	false
SSDEEP:	12:HBQw+RLdPLEMBTZ0kfUqR3noA6HwxI6SZP04ezQcfl0Eopj7hOrJ6Xg5aTrgpqX5:HBL4PLE9k8qpnoAczTZKt90E+j7OJ671
MD5:	9EF1F787B223877FF8F827165FAD2F68
SHA1:	C7717E9E784970DF839B4D8D0272B22277A06A41
SHA-256:	3D9680DA5AFD3BD16A6CFE248FBCF56B991F0642061A3BD27F5DCA0BB8528E7A
SHA-512:	326693F6BD3D54CD3052F30401D3B19FAA3A626A1674567669DCB58AB612BEA1F6AF1A398C784BDBE9F9523D61B40764EAFF898A7230F05AD363DE39D7C37535
Malicious:	false
Preview:	..$.J...h.d7.)g.%.?...Ti.6\|.?.....G..../.D.....S...'.........GP..6.2\|.w..k.y.D..."....l..v.5..e...g+.?)......5M..L.."tO.m..V..c.....0...s.].6.J;........+@h...."oP.jmG..9=VM....[.iz.D._..N."...`...0c.."...s.Q...$..e....fV.X.".g.k&u.:....^...(%X.6;i ...p8M.....m...S.z..Mwm.yW..g.6s6.b..Q..R..0Ya.z....=..z8...._.0j...W]...r.......-o...s.s.......B(u.q....h.......(......K..2S..r...O..C.M.^........6.LxZ..D.i..,..Y.....;..KfA/..t)Z....b.<..b..k.........1o.............i....6.....c...w...7..mc.....u%...o..d..K...D(............l.C.4.O.Wq.....t...B...;*8.S.X..U$\|H."....PR...j.BE.^.....z...WG....

C:\Users\user\AppData\Local\Temp\{F64578A2-B460-415e-912E-CA5162D15FD7}.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	7.3458783035336666
Encrypted:	false
SSDEEP:	6:y7agSnqEJOLN8tFOqPhisCPBH0TrAZA67q3yiptKvqktORMnLUQmAOhPb8l8xDn:y7agUqEgLN8isCPBUnAZAj5gCktORtQc
MD5:	1504018AAC874BE4BAC3152DE504AD76
SHA1:	D47A13A2284F38F24BE83B16BA877F85326BA196
SHA-256:	68C17E69FF763C75537065A6ACBE0D2D12B31596A56C40DFFB2DC4AD8C7D6D5C
SHA-512:	E76107D115C031B2ACF6FBD7CCB58C00B3A4AF47DF5BDD1B0DC36E3142FE8351B09C0F05950C3683D489246C46BA401293DE39E3C9F8259720B4C41827BDC48F
Malicious:	false
Preview:	\I.2j!.....F.....,.W...0...;L...=.#R0...`Yb.M..b!@..u..u.^./.u.g......a.....0'.^.%/.i..PY`=.....jN....T.X.~I.......,..(".hd...l..Q..l$3@..\...\.k.0.;....N.P..\|...(/B.WMB^.R2.W.b.F.HT......dv..B<..^j.U..?T.,..&.....#2..8t.1..{n...!.7.......s..X3I...o.E.r..q... #....s..,a..%........z{.... 9fI&t'....6.Q..V..h1...W..Z-...

C:\Users\user\AppData\Local\Temp\{FA1D9583-BA43-4716-88E9-444F2C182C05}\lIaTiOrQzNfXnRrM.tmp

Download File

Process:	C:\Users\user\Desktop\Inst7__9510085.exe
File Type:	data
Category:	dropped
Size (bytes):	831
Entropy (8bit):	7.769688570516351
Encrypted:	false
SSDEEP:	24:mt684fRxYa1VOiCsp1/7YR10r1SHSs9uiWEjdxDjYDP:E684fRxh1Z1n7010sLWEjdxQz
MD5:	C539B4F1EBF15A3D522F08775A65543C
SHA1:	0FFEB50E2AD65951C17E567A02D04FD27457A54E
SHA-256:	145AB0EA7F5624BADAA6FE38173DF8A66E421676AFEEE08AD31B74B57058FE04
SHA-512:	3C7B8C1A61BF48E3D3A3B9BAA5E8CA875AE1DC8C6E8F313D2AD08F02DD1C6E6638E7D4DB5239C3415BFCFB8E55DA222579A7F57C9D15BE898C31F4E69A28828B
Malicious:	false
Preview:	s.7....7.H.9p.K-VB..+y..\|\|}Z....m<3.X'.....m.z.=G.nw..`\[z..(..D..(..Xl...G.~....\4w...:..1...B...........F.1......9..{,$Xx.4.....^..C.....F!......)..UBh.....85.4....:......p^......Y..=X.0.a5h..b....sbl4.c.N..3/....%8.R.M......(.?..$.H..y.&K.........s.G...QTH..E.n.....\|q..v....T..R.A....w_...XK....Rl..K.t<..~..R.q%.U.:d..[...6.j.2...M.6..(.01.H...TQ.v.:.x.E3.Z...0.g.d.D.\|...5..B.W.d..3...c.+.~.....j.#./..M1..{v.......z..........~".l...#[bo~^...>K?..o..#C.}\|.K.....QL...dpf...T ].vd....HZLxH.x/.F'..mn...VS..p.5.\.B8......Pi>..h....?...`(..:.n.\...).2y.m.....g.{....vU..&.B..s<.\b..#..b..j.g..........i.Q....`z....%2.-.?.T..l..T.AD.NY-X.>...#.J....<W.ql....K...v......i.E...5S.I.)..N_N..h.\.6.\`....k]._...!&qo.-.O...".....;....9njZ{.;kI._...Kf/r..D.Nr.......3.M.-.Ag....s/..t...l.o

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.645499386103101
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Inst7__9510085.exe
File size:	418832
MD5:	9fadc5c7c3282e203c68b0d45bfa0b10
SHA1:	5f0914179d66b63cafe61dd55d8d418e64e36ea5
SHA256:	260dc2a2adc2e1e29bb5f8bc243fb45fbd29baaec7a28feed59260a9f2b12a29
SHA512:	cc5edac75020d8115104d90ec834ae44e03fbdfc2e7d50bd47ab78022f0c37ebe5fd931da9a04dc4f9a1072839f44230401a88d345eddf01a4e5ae7bd83dd0ca
SSDEEP:	12288:KCKeGGfG6udZpIcJPQLGCQaOHbOceDg6frUgVBy99:KCKeGG8dZ/QiuOCcQg6DUgVE99
TLSH:	82948D12F781C036E8A2143AAAAED779593A7971031691C7B7D81E797F203D1FA3530E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eW..!6q.!6q.!6q..y..#6q.(N..46q.(N..^6q.(N..66q.....#6q.....:6q.!6p..6q.(N..k6q.?d.. 6q.(N.. 6q.Rich!6q.........PE..L.....xb...

File Icon


Icon Hash:	78eccccca8e0fee0

Static PE Info

General

Entrypoint:	0x4286ef
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6278D7CA [Mon May 9 08:58:50 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	47d9c05d55bbc3899f831347ecc6bf93

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/21/2019 4:00:00 PM 2/4/2023 4:00:00 AM
Subject Chain	CN="Beijing Qihu Technology Co., Ltd.", O="Beijing Qihu Technology Co., Ltd.", S=Beijing, C=CN
Version:	3
Thumbprint MD5:	C8CC974AF2AEFA9AB9ADB687F8419FCD
Thumbprint SHA-1:	8279B87C89507BC6E209A7BD8B5C24B31FB9A6DC
Thumbprint SHA-256:	C7660BAA3C9E74A6BB68EA56335D220E46FC7590ECF5E000DB585779794C5ECA
Serial:	0A1F3A057A1DCE4BF7D76D0C7ADF837E

Entrypoint Preview

Instruction
call 00007F2708991A57h
jmp 00007F2708983C3Eh
int3
int3
int3
push 004276D0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00458320h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov edi, edi
push ebp
mov ebp, esp
mov edx, dword ptr [ebp+08h]
mov eax, edx
mov cx, word ptr [edx]
inc edx
inc edx
test cx, cx
jne 00007F2708983DB8h
dec edx
dec edx
cmp dword ptr [ebp+10h], 00000000h
push esi
je 00007F2708983DDDh
mov esi, dword ptr [ebp+0Ch]
movzx ecx, word ptr [esi]
dec dword ptr [ebp+10h]
mov word ptr [edx], cx
inc edx
inc edx
inc esi
inc esi
test cx, cx
je 00007F2708983DCDh
cmp dword ptr [ebp+10h], 00000000h
jne 00007F2708983DAAh
xor ecx, ecx
mov word ptr [edx], cx
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [0044E11Ch]
push dword ptr [ebp+08h]
call dword ptr [0044E074h]
add edi, 000003E8h

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x565d8	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x61bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62098	0x4378
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x65000	0x2de4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4e460	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x53ef8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x3ec	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c670	0x4c800	False	0.4953469669117647	data	6.568253415101748	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0x9b00	0x9c00	False	0.40184294871794873	data	5.331316041525747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x58000	0x55d4	0x2400	False	0.23328993055555555	data	2.9402395254763483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x61bc	0x6200	False	0.5950653698979592	data	5.76888318269011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x65000	0x2fce	0x3000	False	0.76318359375	data	6.5864132849714405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x5e2b0	0xea8	data	English	United States
RT_ICON	0x5f158	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 10403977, next used block 12246158	English	United States
RT_ICON	0x5fa00	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x5ff68	0x25a8	data	English	United States
RT_ICON	0x62510	0x10a8	data	English	United States
RT_ICON	0x635b8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x63a20	0x5e	data	Chinese	China
RT_RCDATA	0x63a80	0x80	data	English	United States
RT_GROUP_ICON	0x63b00	0x5a	data	English	United States
RT_VERSION	0x63b5c	0x250	data	Chinese	China
RT_MANIFEST	0x63dac	0x40e	ASCII text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateMutexA, SetLastError, GetCurrentThreadId, DeleteCriticalSection, FlushInstructionCache, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement, InterlockedDecrement, GetModuleHandleW, lstrlenW, InitializeCriticalSection, FreeLibrary, MultiByteToWideChar, LoadLibraryExW, lstrcmpiW, GetProcAddress, ReleaseMutex, GetLastError, GetCurrentProcessId, OpenProcess, TerminateProcess, CreateToolhelp32Snapshot, HeapWalk, HeapLock, OpenThread, HeapUnlock, OutputDebugStringW, GetFileSizeEx, SetFilePointerEx, SetEndOfFile, LocalFileTimeToFileTime, SystemTimeToFileTime, SetEnvironmentVariableA, CompareStringW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetTimeZoneInformation, GetLocaleInfoW, Process32FirstW, GetConsoleCP, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, Process32NextW, CloseHandle, InterlockedCompareExchange, Sleep, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, RaiseException, GetDateFormatA, GetTimeFormatA, GetStringTypeW, GetStringTypeA, LCMapStringA, InitializeCriticalSectionAndSpinCount, InterlockedExchange, SetConsoleCtrlHandler, GetTickCount, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetStdHandle, FatalAppExitA, GetModuleFileNameW, GetCommandLineW, HeapCreate, LCMapStringW, GetCurrentThread, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, RtlUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetSystemTimeAsFileTime, ExitProcess, GetStartupInfoW, CreateThread, ExitThread, FreeResource, GetVersionExW, GetSystemWindowsDirectoryW, lstrlenA, lstrcmpiA, lstrcmpA, LocalFree, GetConsoleMode, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, LoadLibraryA, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, CreateFileW, SetFilePointer, LoadLibraryW, ReadFile, DeviceIoControl, WriteFile, FlushFileBuffers, GetTempPathW, DeleteFileW, OpenMutexW, CreateMutexW, WaitForSingleObject, WideCharToMultiByte, GetSystemDirectoryW, CreateFileA
USER32.dll	GetActiveWindow, DefWindowProcW, FindWindowW, SendMessageTimeoutW, MessageBoxW, UnregisterClassA, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, DestroyWindow, wsprintfW, CreateDialogParamW, GetParent, GetWindow, GetWindowRect, GetWindowLongW, MonitorFromWindow, GetMonitorInfoW, GetClientRect, MapWindowPoints, SetWindowPos, IsDialogMessageW, SendMessageW, SetWindowTextW, PostMessageW, PostQuitMessage, GetSystemMetrics, LoadImageW, CharNextW, SetWindowLongW, ShowWindow
ADVAPI32.dll	RegCreateKeyExW, OpenProcessToken, RegOpenKeyExA, RegQueryValueExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegOpenKeyExW, GetTokenInformation, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExA, RegQueryValueExA
SHELL32.dll	ShellExecuteExW, CommandLineToArgvW, ShellExecuteW
ole32.dll	CoInitializeEx, CoSetProxyBlanket, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, CoInitialize, CoCreateGuid, CoCreateInstance, CoInitializeSecurity, CoUninitialize
OLEAUT32.dll	SysAllocString, SysFreeString, VarUI4FromStr, VariantInit, VariantClear
SHLWAPI.dll	StrToIntExW, SHGetValueA, PathIsDirectoryW, PathAppendW, PathFileExistsW, PathCombineW, SHSetValueA, StrTrimA, StrCmpNIW, StrStrIA, PathRemoveExtensionW, StrStrIW, SHGetValueW, SHDeleteValueW, SHSetValueW, StrCmpIW, PathFindFileNameW
COMCTL32.dll	InitCommonControlsEx
SETUPAPI.dll	SetupIterateCabinetW
WININET.dll	InternetOpenW, InternetCloseHandle, InternetReadFile, HttpOpenRequestW, InternetConnectW, HttpSendRequestW, InternetQueryOptionW, InternetSetOptionW, HttpQueryInfoW, InternetCrackUrlW
WS2_32.dll	htons, closesocket, gethostbyname, connect, inet_ntoa, send, recv, socket, WSAStartup, WSACleanup
VERSION.dll	VerQueryValueW
IPHLPAPI.DLL	GetAdaptersInfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 19, 2022 14:44:11.527740002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:11.696269989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:11.696439981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:11.697119951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:11.865731001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:11.866466999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:11.866636992 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:11.868011951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.038064957 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038120985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038160086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038189888 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038228989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038268089 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038305998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038342953 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038382053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038419962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038455009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.038465023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038506031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.038506031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.038580894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207343102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207441092 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207482100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207511902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207550049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207590103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207626104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207664967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207704067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207741976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207778931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207792997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207814932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207820892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207825899 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207830906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207848072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207870007 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207881927 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207911968 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207930088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207951069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207977057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.207988977 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.207994938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208028078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208045006 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208065987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208074093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208106041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208121061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208142996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208149910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208200932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208620071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208661079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208672047 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208698988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208707094 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208739042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208754063 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208781958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208790064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208820105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208826065 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208858967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208863974 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208897114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208900928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208935022 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208944082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.208972931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.208986044 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209012032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209017038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209050894 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209057093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209090948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209106922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209129095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209132910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209167004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209171057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209204912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209216118 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209287882 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209296942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209333897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.209342003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.209388971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.376986027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377064943 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377087116 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377104998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377125025 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377146006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377151012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377183914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377201080 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377223015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377228022 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377260923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377273083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377300024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377325058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377341032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377371073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377401114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377440929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377500057 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377532005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377540112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377541065 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377563953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377578974 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377609015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377616882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377628088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377655029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377679110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377692938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377697945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377732038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377743959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377778053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377788067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377815008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377830982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377855062 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377871990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377916098 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.377923965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377963066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.377978086 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378000021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378038883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378051043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378057003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378076077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378112078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378114939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378154993 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378165960 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378177881 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378191948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378200054 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378231049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378267050 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378285885 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378325939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378365993 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378370047 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378403902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378432035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378443003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378469944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378482103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378495932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378521919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378591061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378607988 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378629923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378670931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378686905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378710985 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378717899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378758907 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378772020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378801107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378829002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378840923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378854990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378881931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378896952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378921986 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378945112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.378962040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.378968954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379000902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379017115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379040956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379051924 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379081011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379100084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379121065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379123926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379159927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379194021 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379199028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379230022 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379237890 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379247904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379276991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379298925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379317999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379328966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379378080 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379528046 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379569054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379585981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379609108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379630089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379648924 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379674911 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379688978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379699945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379729033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.379744053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.379775047 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548321009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548373938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548414946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548451900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548491955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548497915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548532963 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548532963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548538923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548571110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548594952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548640013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548676968 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548695087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548717976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548723936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548760891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548779011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548800945 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548809052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548841953 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548855066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548882961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548892975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548921108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548933983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.548962116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.548980951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549014091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549057961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549096107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549103975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549137115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549146891 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549206018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549221992 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549254894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549320936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549359083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549371958 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549407959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549448967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549489021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549496889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549557924 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549648046 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549685955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549695015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549726009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549741983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549770117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549777985 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549813986 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549848080 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549855947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549870014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549895048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.549905062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549948931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.549987078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550025940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550036907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550085068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550292015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550332069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550345898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550374031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550390005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550412893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550421000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550453901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550468922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550493956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550504923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550533056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550546885 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550573111 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550579071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550611973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550620079 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550652981 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550662994 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550693989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550702095 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550731897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.550750971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.550801039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551311970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551373005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551443100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551486015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551498890 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551526070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551536083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551600933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551608086 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551640034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551657915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551680088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551686049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551721096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551728010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551759958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551788092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551800966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551810980 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551853895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551858902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551898003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551903009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551939011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551944971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.551978111 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.551995993 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552017927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552026033 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552057028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552073956 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552094936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552122116 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552134991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552150011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552175045 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552192926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552216053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552225113 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552257061 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552270889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552295923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552309990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552349091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552701950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552740097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552751064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552805901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552877903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552920103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552928925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552961111 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.552972078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.552999020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.553018093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.553039074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.553044081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.553078890 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.553086996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.553117037 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.553136110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.553158045 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.553165913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.553216934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717109919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717160940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717204094 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717253923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717366934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717406988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717436075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717466116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717525959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717530966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717566967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717585087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717605114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717616081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717647076 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717662096 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717686892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717691898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717726946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717740059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717768908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717773914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717808962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717813015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717849016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717869997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717888117 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717889071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717927933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717935085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.717967987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.717978954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718007088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718019009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718048096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718064070 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718090057 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718095064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718127012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718133926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718168020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718183041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718226910 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718234062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718296051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718302011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718334913 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718344927 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718375921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718391895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718417883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718426943 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718488932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718492985 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718527079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718533039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718566895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718573093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718606949 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718612909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718645096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718662977 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718684912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718689919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718724012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718730927 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718764067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718781948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718811035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718862057 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718900919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.718907118 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718951941 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.718967915 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719005108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719012976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719043970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719058990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719084978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719096899 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719140053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719244957 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719285011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719300032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719336987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719455004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719492912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719506979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719532013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719537973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719571114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719585896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719619036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719640970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719677925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719685078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719732046 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719820976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719860077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719871998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719916105 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.719930887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719969988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.719974041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720017910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720103979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720144987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720150948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720182896 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720195055 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720223904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720227003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720262051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720268011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720299959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720309973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720366001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720413923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720453024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720464945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720506907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720611095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720652103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720657110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720689058 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720706940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720729113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720736027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720768929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720781088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720809937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720824957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720861912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.720947981 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720988035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.720995903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721026897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721040964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721065998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721086025 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721107006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721112013 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721146107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721153975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721185923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721198082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721226931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721244097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721292973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721292973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721333027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721338034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721396923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721472025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721509933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721523046 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721551895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721554995 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721601009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721605062 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721643925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721653938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721683979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721700907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721733093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721796036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721868992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721877098 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721939087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721959114 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.721976995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.721981049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722017050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722028971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722058058 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722074986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722096920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722111940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722138882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722150087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722178936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722193956 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722217083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722235918 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722256899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722266912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722299099 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722317934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722345114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722382069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722387075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722424984 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722424984 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722461939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722465038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722470045 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722505093 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722542048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722543955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722582102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722583055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722590923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722624063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722637892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722665071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722676039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722706079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722712994 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722759008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722824097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722862959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722871065 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722901106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722915888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.722940922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.722946882 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723001003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723054886 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723093987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723103046 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723149061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723300934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723340034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723352909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723390102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723403931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723445892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723450899 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723484039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723510027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723525047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723530054 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723563910 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723587990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723603010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723640919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723650932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723666906 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723680019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723685026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723718882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723733902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723758936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723766088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723804951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723854065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723891020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.723907948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723938942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.723978996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724020004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724024057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724061012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724217892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724256039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724267006 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724296093 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724307060 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724334955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724339962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724374056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724379063 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724414110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724417925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724452019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724477053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724489927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724494934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724544048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724555969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724595070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724606991 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724647999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724730968 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724769115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724787951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724811077 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724859953 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724899054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.724909067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.724955082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.885994911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.886049986 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.886080980 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.886090040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.886118889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.886128902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.886136055 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.886178970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887249947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887316942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887346983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887367010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887480974 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887521029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887533903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887561083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887563944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887600899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887603045 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887639046 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887651920 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887679100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887701988 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887717009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887722969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887753963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887773991 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887792110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887799978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887834072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887840986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887895107 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887904882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887943983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887950897 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.887983084 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.887989998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888021946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888039112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888061047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888067961 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888102055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888112068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888139963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888159990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888179064 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888181925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888216972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888231993 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888253927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888289928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888302088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888324976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888365030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888396978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888401985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888411999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888441086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888447046 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888480902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888485909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888519049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888545990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888572931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888614893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888667107 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888700008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888741016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888767958 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888777971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888782978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888817072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888828993 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888859034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888875008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888896942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888902903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888936996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888951063 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.888973951 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.888982058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889014006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889018059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889053106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889053106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889091015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889108896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889130116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889133930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889168024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889173031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889204979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889209032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889242887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889257908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889281034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889288902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889319897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889336109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889362097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889365911 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889398098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889399052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889436960 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889453888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889475107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889488935 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889513016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889528036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889553070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889573097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889590979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889597893 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889630079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889647007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889671087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889672995 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889707088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889717102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889745951 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889764071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889786959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889787912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889828920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889837027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889867067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889878988 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889905930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889916897 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889945030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889960051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.889985085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.889988899 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890022039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890028000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890060902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890065908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890100002 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890115976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890136957 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890146017 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890175104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890183926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890213966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890229940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890261889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890397072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890434027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890454054 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890472889 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890476942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890512943 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890517950 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890551090 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890559912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890588999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890600920 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890628099 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890638113 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890665054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890685081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890711069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890733004 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890748978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890755892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890803099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890909910 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890949011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.890976906 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.890985012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891000986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891024113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891031981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891076088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891180038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891216993 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891237974 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891258001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891261101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891298056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891314030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891340017 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891411066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891449928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891462088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891505003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891526937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891563892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891578913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891602039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891608953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891654968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891737938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891776085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891784906 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891813040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891829014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891854048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891855001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891899109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.891942024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891982079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.891987085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892035961 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892070055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892107964 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892106056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892164946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892182112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892200947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892211914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892241955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892249107 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892282009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892296076 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892337084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892348051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892416954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892421961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892465115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892534018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892579079 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892644882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892684937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892693043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892721891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892745972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892762899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892775059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892802000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892822027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892841101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892844915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892888069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.892913103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.892957926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893002033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893040895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893059015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893076897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893079042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893115997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893134117 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893165112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893188953 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893229961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893233061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893269062 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893294096 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893306971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893335104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893351078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893378019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893416882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893421888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893454075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893460989 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893493891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893512964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893532991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893543959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893570900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893599987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893610001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893687963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893703938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893717051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893728018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893733025 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893796921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893832922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893837929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893846035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893877029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893897057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893918037 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893918037 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893955946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.893974066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.893996000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894022942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894041061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894177914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894224882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894246101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894269943 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894299030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894340038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894349098 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894378901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894391060 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894418955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894423008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894458055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894469023 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894498110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894526005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894536018 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894540071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894577980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894582987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894615889 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894633055 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894654036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894659042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894691944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894695044 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894730091 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894742966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894768000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894774914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894807100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894820929 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894850969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894910097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894953966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.894983053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894992113 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.894994020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895035028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895035028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895071983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895083904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895112038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895126104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895150900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895169973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895189047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895196915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895226955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895235062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895265102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895272970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895303011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895319939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895342112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895345926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895405054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895406008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895442963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895448923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895481110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895507097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895519972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895530939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895556927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895566940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895596027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895601988 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895675898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895684958 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895714998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895730019 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895755053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895768881 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895792007 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895798922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895833015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895838976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895870924 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895896912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895909071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895921946 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895947933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895953894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.895986080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.895998001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896024942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896040916 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896064043 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896070957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896100998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896112919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896138906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896152973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896177053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896193981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896213055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896219969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896251917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896255970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896290064 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896289110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896330118 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896334887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896368980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:12.896379948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:12.896421909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.054744959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.054794073 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.054835081 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.054846048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.054873943 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.054876089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.054887056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.054929972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.056874037 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.056916952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.056953907 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.056967974 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.056994915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.057035923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.057250977 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.057348967 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058573961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058643103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058679104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058720112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058729887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058758020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058768034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058796883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058803082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058835983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.058844090 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.058877945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059129000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059171915 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059187889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059211016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059226990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059247971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059257030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059287071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059298038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059324980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059334993 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059392929 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059441090 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059482098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059497118 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059519053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059529066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059557915 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059570074 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059602976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059632063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059673071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059681892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059719086 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059868097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059906960 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059923887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059945107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059957981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.059983969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.059990883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060024023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060025930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060064077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060067892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060110092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060167074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060205936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060220957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060255051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060336113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060374975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060391903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060415030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060729980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060770988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060796976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060811996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060863018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060903072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060910940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060940027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060949087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.060980082 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.060981989 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.061024904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.061335087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.061372995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.061391115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.061435938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.064768076 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.064834118 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.064871073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.064914942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.064960957 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065002918 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065027952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065042973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065047979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065079927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065143108 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065151930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065360069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065398932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065440893 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065449953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065469027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065509081 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065535069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065548897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065561056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065587997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065629005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065633059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065668106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065668106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065675020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065707922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065717936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065747976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065758944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065784931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065798998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065823078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065844059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065865040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065875053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065901995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065920115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065942049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065953970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.065980911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.065995932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066020012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066046953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066060066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066065073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066097021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066114902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066135883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066140890 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066211939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066230059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066250086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066262007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066288948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066304922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066328049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066335917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066400051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066407919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066440105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066451073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066478014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066490889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066519976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066529036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066560030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066576004 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066596985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066605091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066636086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066643000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066677094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066682100 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066745043 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066761017 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066785097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066792965 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066823959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066849947 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066864967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066864967 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066906929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066911936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066943884 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066951036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.066983938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.066988945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067022085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067024946 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067061901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067075014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067101955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067118883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067140102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067143917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067179918 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067195892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067223072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067236900 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067261934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067282915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067301989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067312002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067339897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067374945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067399979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067429066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067440033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067461014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067480087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067508936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067517042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067523956 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067558050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067575932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067596912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067599058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067634106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067643881 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067673922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067687035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067713976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067729950 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067753077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067760944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067794085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067810059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067832947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067838907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067872047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067887068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067912102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067918062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067950010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.067954063 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.067987919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068001032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068026066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068030119 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068065882 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068070889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068105936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068108082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068141937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068160057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068181038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068181038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068221092 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068231106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068258047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068272114 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068295956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068300962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068334103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068334103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068372965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068388939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068413019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068423033 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068450928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068465948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068490028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068505049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068527937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068556070 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068564892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068576097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068604946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068619013 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068644047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068670988 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068681955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068687916 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068730116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068744898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068756104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.068767071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.068808079 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223683119 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223735094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223773003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223774910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223812103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223817110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223875999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223877907 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223884106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223917961 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223932981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.223956108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.223964930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224023104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224061966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224067926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224076986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224101067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224106073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224138021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224143982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224175930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224183083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224220037 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224229097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224256039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224271059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224294901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224306107 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224334955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224354982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224385023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224394083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224425077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224443913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224462032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224467039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224499941 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224514961 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224539042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224543095 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224575043 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224585056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224613905 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224626064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224653006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224661112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224694014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224704027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224733114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224742889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224771023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224781036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224808931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224818945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224849939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224858999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224888086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224901915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224926949 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224931955 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.224965096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.224968910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225004911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225007057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225044966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225049973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225081921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225092888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225121021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225133896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225158930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225169897 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225197077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225207090 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225234985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225249052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225272894 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225277901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225311995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225321054 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225352049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225359917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225389004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225395918 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225426912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225430965 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225466013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225474119 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225502014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225518942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225541115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225544930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225579023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225581884 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225616932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225625038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225657940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225662947 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225694895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225698948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225733042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225735903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225770950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225776911 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225807905 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225815058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225846052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225855112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225886106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225900888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225924969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225934029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.225965023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.225979090 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226001978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226007938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226039886 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226056099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226078033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226087093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226114988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226133108 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226154089 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226155996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226191998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226206064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226231098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226255894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226269960 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226273060 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226308107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226320028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226346970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.226356983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.226396084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227211952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227274895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227297068 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227343082 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227371931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227396011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227405071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227442026 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227451086 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227480888 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227494001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227529049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227698088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227796078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.227802992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.227848053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228076935 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228120089 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228154898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228159904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228173018 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228198051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228207111 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228245020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228270054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228310108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228316069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228352070 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228559017 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228604078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228672028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228677034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228681087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228717089 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228720903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228754044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228770018 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228792906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228802919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228848934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228888035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228897095 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228905916 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228934050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228950024 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228961945 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.228972912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.228991985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229007006 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229018927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229034901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229048014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229057074 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229077101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229090929 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229149103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229347944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229382992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229412079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229424953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229440928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229473114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229505062 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229510069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229521990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229536057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229545116 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229612112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229805946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229860067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.229861021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.229924917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.233746052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.233814001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.233845949 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.233892918 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.233896971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.233932972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.233939886 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.233971119 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.234004974 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.234014034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.234030962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.234061003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237364054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237437963 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237438917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237479925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237497091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237520933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237534046 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237559080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237585068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237600088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237627029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237639904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237649918 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237679958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237700939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237723112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237731934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237761974 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237773895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237802982 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237811089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237845898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237848997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237885952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237894058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237926006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.237967968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237977028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.237996101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238035917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238079071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238085032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238122940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238152027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238157034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238182068 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238213062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238219976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238220930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238259077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238264084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238300085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238306999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238337040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238353014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238375902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238380909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238415003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238421917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238452911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238466024 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238492012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238502026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238531113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238538980 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238569975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238581896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238640070 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238645077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238683939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238691092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238720894 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238739014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238759995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238763094 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238799095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238812923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238835096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238842010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238876104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238888979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238914967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238917112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238954067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.238957882 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.238993883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239007950 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239032030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239051104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239069939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239073992 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239109039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239120007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239146948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239161968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239186049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239188910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239223003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239267111 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239279032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239295006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239332914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239340067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239384890 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239398003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239437103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239469051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239473104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239480972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239511967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239552975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239589930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239614964 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239617109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239653111 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239660978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239691973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239697933 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239731073 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239746094 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239768028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239798069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239809990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239851952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239892960 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239897966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239933014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.239948034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.239978075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240017891 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240025997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240031958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240068913 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240073919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240107059 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240120888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240148067 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240149975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240187883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240190983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240227938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240241051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240284920 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240313053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240360975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240386009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240400076 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240432024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240475893 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240484953 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240523100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240530968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240561962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240566015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240600109 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240612030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240638971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240643978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240679026 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240684032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240736008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240740061 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240787029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240806103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240844965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240858078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240885973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240889072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240926027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240931034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.240962982 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.240969896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.241000891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.241005898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.241055012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.395514965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395587921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395685911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395741940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395796061 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395788908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.395833015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.395848989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395859957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.395905972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.395960093 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396014929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396019936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396059036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396115065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396127939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396163940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396168947 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396213055 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396215916 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396265030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396270990 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396317959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396326065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396373987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396380901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396426916 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396430969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396471977 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396481991 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396512985 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396527052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396559954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396565914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396603107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396605015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396652937 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396658897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396707058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396708965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396754980 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396760941 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396802902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396805048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396846056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396848917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396892071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396899939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396943092 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396948099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.396980047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.396987915 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397021055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397037029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397059917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397064924 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397098064 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397104025 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397139072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397167921 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397178888 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397186041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397218943 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397236109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397260904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397264957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397298098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397305012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397337914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397346020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397411108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397428036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397449970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397468090 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397491932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397574902 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397619963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397743940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397773981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397802114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397814035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397850990 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397864103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397907019 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397911072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.397958040 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.397965908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398013115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398030996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398056984 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398057938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398106098 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398116112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398161888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398169041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398211956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398222923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398257971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398267031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398308992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398310900 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398354053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398355961 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398397923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398421049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398487091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398493052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398539066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398545980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398592949 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398593903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398642063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398653030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398682117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398694992 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398720980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398722887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398761988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.398766994 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.398850918 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399061918 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399143934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399146080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399193048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399202108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399249077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399262905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399298906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399302959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399374962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399385929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399437904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399441004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399487972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399493933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399540901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399543047 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399585962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399595022 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399641991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399642944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399689913 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399693966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399734020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399743080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399787903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399791002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399835110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399837017 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399883986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399905920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.399951935 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.399956942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400003910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400015116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400063038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400063992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400110960 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400116920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400161982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400173903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400218010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400219917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400259972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400260925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400306940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400316954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400357962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400363922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400402069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400412083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400460005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400460005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400505066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400506973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400552034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400552988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400594950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400600910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400638103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400645018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400686979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.400691986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400733948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.400937080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401016951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401077986 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401130915 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401146889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401180983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401192904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401226044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401231050 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401266098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401274920 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401307106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401343107 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401344061 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401379108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.401382923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401391983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.401431084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402472019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402522087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402559042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402568102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402575016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402611017 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402620077 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402647972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402661085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402686119 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.402695894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.402741909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.409595966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409651995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409776926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409867048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409885883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.409923077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409924030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.409931898 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.409970999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.409991026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410028934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410034895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410084009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410088062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410147905 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410167933 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410196066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410234928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410278082 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410315037 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410315990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410350084 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410362959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410379887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410391092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410396099 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410444021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410445929 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410495996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410505056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410541058 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410552979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410579920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410589933 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410631895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410634995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410676003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410682917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410725117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410732985 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410763979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410772085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410810947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410820007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410852909 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410866976 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410904884 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410907984 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410940886 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410949945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.410984039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.410991907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411017895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411035061 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411051035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411062002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411086082 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411104918 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411119938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411132097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411154032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411185026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411189079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411204100 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411230087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411238909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411277056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411284924 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411324024 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411328077 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411395073 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411400080 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411447048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411456108 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411498070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411499977 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411544085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411549091 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411592960 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411597967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411643982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411648035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411689997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411695957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411724091 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411736965 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411757946 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411773920 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411792040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411801100 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411823988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411839008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411859989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411878109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411896944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411901951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411943913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.411945105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411983013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.411990881 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412017107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412033081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412051916 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412062883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412084103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412097931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412117958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412130117 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412151098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412184000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412188053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412215948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412218094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412221909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412250996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412266970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412283897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412297964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412317991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412332058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412349939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412378073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412384033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412393093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412416935 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412432909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412451982 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412461996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412494898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412497997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412533998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412543058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412579060 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412589073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412625074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412626982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412667990 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412672043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412708044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412713051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412750959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412754059 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412797928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412803888 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412851095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412852049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412885904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412894964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412919044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412945032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412952900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.412961006 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.412985086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413006067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413018942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413028955 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413053036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413068056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413086891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413096905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413121939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413131952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413155079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.413167000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.413197041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566339970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566421032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566461086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566514015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566601992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566636086 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566660881 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566713095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566751003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566760063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566788912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566814899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566855907 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566857100 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566895962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566900969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566934109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566936016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.566973925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.566976070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567017078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567050934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567055941 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567092896 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567125082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567131996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567171097 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567172050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567210913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567235947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567275047 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567276955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567317963 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567327023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567364931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567390919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567451000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567492962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567540884 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567548990 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567591906 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567608118 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567646027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567650080 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567689896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567692041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567728043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567742109 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567766905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567794085 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567796946 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567850113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567878008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567925930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.567936897 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.567980051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568006039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568042994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568072081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568097115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568133116 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568147898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568187952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568195105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568234921 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568253994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568273067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568300962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568312883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568347931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568384886 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568403006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568443060 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568459034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568483114 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568506956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568546057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568556070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568609953 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568613052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568655968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568660021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568681002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568722010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568723917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568773031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568802118 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568816900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568856001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568869114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568900108 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568912029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568933010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568952084 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.568967104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.568991899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569031000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569036007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569072008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569106102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569109917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569149971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569165945 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569192886 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569231987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569248915 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569287062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569318056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569336891 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569375992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569412947 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569428921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569472075 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569483995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569494009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569535971 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569571972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569576025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569624901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569628000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569669008 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569681883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569700003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569722891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569741964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569773912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569811106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569814920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569854975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569873095 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569904089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569916010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569952011 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.569972038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.569997072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570025921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570080996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570089102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570133924 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570147038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570187092 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570208073 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570236921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570274115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570281029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570291042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570333004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570369959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570372105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570410967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570421934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570449114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570466995 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570494890 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570502996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570545912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570554018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570564032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570610046 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570612907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570667028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570683002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570712090 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570748091 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570760965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570766926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570807934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570844889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570852041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570897102 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570907116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570946932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.570959091 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.570969105 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571013927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571048975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571079016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571099043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571111917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571146965 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571151018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571180105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571185112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571213007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571217060 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571249008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571254969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571284056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571290970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571317911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571326971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571374893 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571382999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571420908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571455956 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571456909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571487904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571521997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571521997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571557045 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571584940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571592093 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571624041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571633101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571659088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571692944 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571693897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571729898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571757078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571763992 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571789026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571791887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571821928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571854115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571855068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571890116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571923971 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571924925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571959972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.571963072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.571990013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572021008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572026014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572055101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572088003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572089911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572124958 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572125912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572154999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572182894 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572187901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572220087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572252035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572256088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572288036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572288990 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572324038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572349072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572369099 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572405100 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572405100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572441101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572470903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572474957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572501898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572529078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572540998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572571039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572585106 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572607040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572639942 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572640896 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572671890 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572679996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572746038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572771072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572807074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572841883 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572843075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572882891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572911978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572921038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572957039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.572959900 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.572993994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573020935 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573028088 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573055983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573084116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573090076 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573126078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573188066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573580980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573609114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573643923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573661089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573683023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573707104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573719978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573750019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573771000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573777914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573811054 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573837996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573844910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573865891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573894978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573899031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573929071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.573939085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.573968887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574002981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574007034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574035883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574063063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574070930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574146032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574209929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574213982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574244022 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574269056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574445009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574459076 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574465036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574547052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574582100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574606895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574615002 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574634075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574659109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574661016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574692965 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574698925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574729919 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574759007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574760914 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574790955 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574795008 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574824095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574856043 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574860096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574898958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574923038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.574945927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574978113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.574980974 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575012922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575042963 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575047970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575084925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575110912 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575120926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575150013 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575150967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575189114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575212955 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575222015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575253963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575263023 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575287104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575320959 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575320959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575372934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575392962 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575421095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575453997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575454950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575490952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575524092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575539112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575572968 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575578928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575608015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575638056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575644016 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575680017 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575706005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575709105 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575733900 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575741053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575805902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575892925 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575932980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.575962067 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.575973034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576000929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576014996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576040983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576064110 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576076031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576111078 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576113939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576143026 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576172113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576208115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576225042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576246023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576281071 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576283932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576319933 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576323032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576355934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576384068 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576390028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576411009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576440096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576446056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576466084 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576493025 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576494932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576520920 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.576550961 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.576611042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581768990 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581796885 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581819057 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581840038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581856966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581872940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581880093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581890106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581912041 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581913948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581929922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581933975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581948996 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581948996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581969023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581976891 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.581990004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.581995010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582010031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582012892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582030058 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582031012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582052946 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582070112 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582072020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582103014 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582113028 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582135916 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582149982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582151890 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582171917 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582189083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582242966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582259893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582276106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582283020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582304001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582319975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582377911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582398891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582417011 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582425117 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582437038 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582439899 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582458019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582459927 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582474947 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582475901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582490921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582499981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582518101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582537889 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582537889 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582561970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582581997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582586050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582591057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582607031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582628012 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582634926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582647085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582648993 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582668066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582679033 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582689047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582705975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582714081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582729101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582735062 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582746983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582763910 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582767010 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582781076 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582784891 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582799911 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582834005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582834005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582851887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582871914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582875013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582889080 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582894087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582914114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582917929 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582928896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582936049 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582956076 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582962036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582973003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.582973957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582992077 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.582993031 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583019018 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583029985 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583031893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583054066 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583077908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583087921 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583096027 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583098888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583115101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583120108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583133936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583141088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583162069 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583165884 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583184958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583189964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583206892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583209991 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583223104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583228111 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583245039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583249092 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583266020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583266020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583278894 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583283901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583302021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583307981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583324909 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583326101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583342075 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583369970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583373070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583389997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583405972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583415031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583432913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583448887 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.583966970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.583985090 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584005117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584028006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584050894 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584054947 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584072113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584075928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584090948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584110975 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584115028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584134102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584141016 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584156036 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584160089 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584172964 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584188938 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584208012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584208965 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584216118 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584238052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584240913 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584259987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584270000 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584285975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584286928 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584305048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584309101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584327936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584332943 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584342957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584345102 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584362030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584374905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584378004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584394932 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584394932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584414005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584435940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584582090 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584599018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584666014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584681988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584692955 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584717989 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584733963 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584739923 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584750891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584758997 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584775925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584794044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.584794998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.584845066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585032940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585052013 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585068941 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585103989 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585122108 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585158110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585180044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585200071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585201979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585216999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585227966 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585233927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585253954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585259914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585285902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585361958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585395098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585445881 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585465908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585602999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585618973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585685968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585700035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585716009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585764885 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585778952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585824013 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585840940 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585858107 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585875034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585882902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585890055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585900068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585922003 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585937977 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.585975885 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.585990906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586050034 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586061954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586076975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586121082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586203098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586225033 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586246967 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586263895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586266041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586282969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586299896 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586306095 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586318970 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586318970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586335897 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586339951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586352110 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.586360931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586380005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.586401939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741350889 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741451025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741504908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741550922 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741595984 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741628885 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741661072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741710901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741708040 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741746902 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741753101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741754055 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741782904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741806030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741806030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741858006 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741899967 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741935968 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.741950035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.741986036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742000103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742018938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742043972 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742093086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742101908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742134094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742172003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742197037 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742218018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742264032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742271900 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742297888 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742336035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742350101 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742376089 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742419958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742429972 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742451906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742486000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742508888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742520094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742567062 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742573023 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742609978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742659092 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742666960 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742707968 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742748976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742774963 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742794991 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742846966 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742852926 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.742891073 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742952108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.742960930 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743011951 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743067026 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743072987 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743110895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743150949 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743179083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743189096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743200064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743227005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743241072 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743267059 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743284941 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743318081 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743320942 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743397951 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743457079 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743457079 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743499994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743539095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743563890 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743590117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743628979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743653059 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743680954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743736029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743737936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743784904 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743788004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743837118 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743887901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743921041 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743942976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.743982077 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.743998051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744014978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744046926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744091988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744101048 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744132042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744169950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744195938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744209051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744215012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744263887 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744313955 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744326115 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744358063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744410038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744415998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744462013 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744463921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744517088 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744573116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744575977 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744626999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744683981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744688034 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744739056 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744743109 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744793892 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744842052 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744851112 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744889975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.744947910 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.744951010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745007038 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745062113 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745069981 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745104074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745141029 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745160103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745193005 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745244026 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745245934 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745295048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745348930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745353937 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745402098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745429039 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745452881 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745502949 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745513916 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745557070 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745604992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745615959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745654106 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745701075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745712996 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745753050 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745801926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745811939 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745851994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745906115 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.745908022 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.745948076 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746002913 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746007919 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746043921 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746083021 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746098042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746124983 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746170044 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746186018 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746213913 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746270895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746272087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746321917 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746368885 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746375084 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746409893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746421099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746454000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746467113 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746511936 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746556997 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746573925 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746598959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746608973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746656895 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746695042 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746711969 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746742964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746747017 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746793032 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746809006 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746844053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746895075 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746900082 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.746948004 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.746999025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747004032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747052908 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747101068 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747107983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747150898 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747205973 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747205973 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747251987 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747308016 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747309923 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747364044 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747400999 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747442007 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747493982 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747505903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747545958 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747596979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747601032 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747648001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747692108 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747704029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747730970 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747771978 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747787952 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747819901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747819901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747874975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747931957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.747934103 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.747982025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748034000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748039007 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748086929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748137951 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748145103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748188019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748230934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748243093 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748270988 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748313904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748322964 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748368025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748421907 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748423100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748476028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748518944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748531103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748574018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748625040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748631954 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748677969 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748727083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748735905 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748770952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748815060 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748828888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748863935 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748917103 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.748920918 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.748975039 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749017954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749032021 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749066114 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749120951 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749123096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749176979 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749185085 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749228001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749279022 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749284029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749335051 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749388933 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749391079 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749444962 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749496937 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749515057 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749547005 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749550104 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749598980 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749650002 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749664068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749701023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749756098 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749758959 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749798059 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749805927 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749850035 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749916077 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.749918938 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.749972105 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750015974 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750027895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750070095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750121117 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750128031 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750166893 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750205994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750221014 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750245094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750291109 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750304937 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750338078 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750390053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750400066 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750442982 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750443935 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750492096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750540018 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750545979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750591040 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750643015 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750647068 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750686884 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750699043 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750749111 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750801086 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750804901 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750844002 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750893116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.750895977 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.750948906 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751003027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751004934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751049042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751055002 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751096010 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751136065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751149893 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751173019 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751223087 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751223087 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751266956 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751280069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751332998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751379967 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751424074 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751534939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751580954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751595020 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751627922 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751632929 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751686096 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751735926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751744986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751785994 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751841068 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751857042 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751887083 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751934052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.751944065 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.751997948 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752043009 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752078056 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752090931 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752096891 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752135992 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752173901 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752187967 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752222061 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752274036 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752275944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752322912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752324104 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752371073 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752419949 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752427101 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752480030 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752526999 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752527952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752574921 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752578020 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752629995 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752680063 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752682924 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752728939 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752783060 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752796888 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752831936 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752842903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752883911 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752899885 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752919912 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752927065 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752935886 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752952099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752953053 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752970934 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.752979994 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.752988100 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753000021 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753005028 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753022909 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753031015 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753038883 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753048897 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753057003 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753073931 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753081083 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753091097 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753108025 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753115892 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753124952 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753128052 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753143072 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753150940 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753160954 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753166914 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753177881 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753187895 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753195047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753196001 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753211975 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753221035 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753228903 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753228903 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753246069 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753252983 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753263950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753268957 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753281116 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753283978 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753298998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753303051 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753315926 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753319979 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753334045 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753340960 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753351927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753355026 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753370047 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753375053 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753386974 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753391027 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753405094 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753413916 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753422976 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753427029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753441095 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753442049 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753458023 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753463030 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753475904 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753488064 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753493071 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753495932 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753509998 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753511906 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753528118 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753535986 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753546000 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753549099 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753562927 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753576040 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753582001 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753583908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753598928 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753617048 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753619909 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753634930 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753638029 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753649950 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:13.753664017 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.753690958 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:13.756283998 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:25.329283953 CEST	49732	80	192.168.2.3	180.163.251.231
Aug 19, 2022 14:44:28.499495983 CEST	49732	80	192.168.2.3	180.163.251.231
Aug 19, 2022 14:44:28.584368944 CEST	80	49727	104.192.108.21	192.168.2.3
Aug 19, 2022 14:44:28.584482908 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:44:34.499933004 CEST	49732	80	192.168.2.3	180.163.251.231
Aug 19, 2022 14:44:46.924146891 CEST	49742	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:44:50.063714027 CEST	49742	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:44:56.064225912 CEST	49742	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:45:09.795439005 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:09.795486927 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:09.795628071 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:09.824722052 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:09.824744940 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.348314047 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.348539114 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.627381086 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.627432108 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.628137112 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.628946066 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.634161949 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.675384045 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.803915024 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.804042101 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.804116011 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.804153919 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.804534912 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.804564953 CEST	443	49749	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.804627895 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.804693937 CEST	49749	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.871938944 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.871994019 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:10.872184992 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.872697115 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:10.872726917 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.212886095 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.213018894 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.213912964 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.213929892 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.220937967 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.220957994 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590162992 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590208054 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590262890 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.590277910 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590305090 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590317965 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.590336084 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.590361118 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.590435982 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:11.590486050 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.591578960 CEST	49750	443	192.168.2.3	104.192.108.21
Aug 19, 2022 14:45:11.591600895 CEST	443	49750	104.192.108.21	192.168.2.3
Aug 19, 2022 14:45:12.376318932 CEST	49751	80	192.168.2.3	180.163.251.230
Aug 19, 2022 14:45:15.378480911 CEST	49751	80	192.168.2.3	180.163.251.230
Aug 19, 2022 14:45:21.394629002 CEST	49751	80	192.168.2.3	180.163.251.230
Aug 19, 2022 14:45:33.463660002 CEST	49754	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:45:36.473949909 CEST	49754	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:45:42.505739927 CEST	49754	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:45:54.563925982 CEST	49756	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:45:57.569658995 CEST	49756	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:46:01.073591948 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:46:01.476116896 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:46:02.194988012 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:46:03.570112944 CEST	49756	80	192.168.2.3	171.13.14.66
Aug 19, 2022 14:46:03.616966009 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:46:06.460932016 CEST	49727	80	192.168.2.3	104.192.108.21
Aug 19, 2022 14:46:12.258332014 CEST	49727	80	192.168.2.3	104.192.108.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 19, 2022 14:44:11.170814037 CEST	49302	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:44:11.507666111 CEST	53	49302	8.8.8.8	192.168.2.3
Aug 19, 2022 14:44:24.963196993 CEST	51139	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:44:25.288887024 CEST	53	51139	8.8.8.8	192.168.2.3
Aug 19, 2022 14:44:46.595859051 CEST	57134	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:44:46.919248104 CEST	53	57134	8.8.8.8	192.168.2.3
Aug 19, 2022 14:45:12.005748034 CEST	65107	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:45:12.374857903 CEST	53	65107	8.8.8.8	192.168.2.3
Aug 19, 2022 14:45:33.443509102 CEST	58691	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:45:33.462851048 CEST	53	58691	8.8.8.8	192.168.2.3
Aug 19, 2022 14:45:54.543719053 CEST	59433	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:45:54.562694073 CEST	53	59433	8.8.8.8	192.168.2.3
Aug 19, 2022 14:46:15.572467089 CEST	56949	53	192.168.2.3	8.8.8.8
Aug 19, 2022 14:46:15.892940998 CEST	53	56949	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 19, 2022 14:44:11.170814037 CEST	192.168.2.3	8.8.8.8	0x2db1	Standard query (0)	dl.360safe.com	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:24.963196993 CEST	192.168.2.3	8.8.8.8	0x5faf	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:46.595859051 CEST	192.168.2.3	8.8.8.8	0x664e	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:12.005748034 CEST	192.168.2.3	8.8.8.8	0x403c	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:33.443509102 CEST	192.168.2.3	8.8.8.8	0xcee0	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:54.543719053 CEST	192.168.2.3	8.8.8.8	0x950f	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)
Aug 19, 2022 14:46:15.572467089 CEST	192.168.2.3	8.8.8.8	0xbd26	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com	dl.360safe.com.qh-cdn.com		CNAME (Canonical name)	IN (0x0001)
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com.qh-cdn.com	dl.360safe.com.dl.360qhcdn.com		CNAME (Canonical name)	IN (0x0001)
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com.dl.360qhcdn.com		104.192.108.21	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com.dl.360qhcdn.com		104.192.108.17	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com.dl.360qhcdn.com		104.192.108.19	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:11.507666111 CEST	8.8.8.8	192.168.2.3	0x2db1	No error (0)	dl.360safe.com.dl.360qhcdn.com		104.192.108.20	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:25.288887024 CEST	8.8.8.8	192.168.2.3	0x5faf	No error (0)	s.360.cn		180.163.251.231	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:25.288887024 CEST	8.8.8.8	192.168.2.3	0x5faf	No error (0)	s.360.cn		180.163.251.230	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:25.288887024 CEST	8.8.8.8	192.168.2.3	0x5faf	No error (0)	s.360.cn		171.8.167.90	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:25.288887024 CEST	8.8.8.8	192.168.2.3	0x5faf	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:46.919248104 CEST	8.8.8.8	192.168.2.3	0x664e	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:46.919248104 CEST	8.8.8.8	192.168.2.3	0x664e	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:46.919248104 CEST	8.8.8.8	192.168.2.3	0x664e	No error (0)	s.360.cn		101.198.2.147	A (IP address)	IN (0x0001)
Aug 19, 2022 14:44:46.919248104 CEST	8.8.8.8	192.168.2.3	0x664e	No error (0)	s.360.cn		180.163.251.231	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:12.374857903 CEST	8.8.8.8	192.168.2.3	0x403c	No error (0)	s.360.cn		180.163.251.230	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:12.374857903 CEST	8.8.8.8	192.168.2.3	0x403c	No error (0)	s.360.cn		171.8.167.90	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:12.374857903 CEST	8.8.8.8	192.168.2.3	0x403c	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:12.374857903 CEST	8.8.8.8	192.168.2.3	0x403c	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:33.462851048 CEST	8.8.8.8	192.168.2.3	0xcee0	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:33.462851048 CEST	8.8.8.8	192.168.2.3	0xcee0	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:33.462851048 CEST	8.8.8.8	192.168.2.3	0xcee0	No error (0)	s.360.cn		101.198.2.147	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:33.462851048 CEST	8.8.8.8	192.168.2.3	0xcee0	No error (0)	s.360.cn		180.163.251.231	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:54.562694073 CEST	8.8.8.8	192.168.2.3	0x950f	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:54.562694073 CEST	8.8.8.8	192.168.2.3	0x950f	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:54.562694073 CEST	8.8.8.8	192.168.2.3	0x950f	No error (0)	s.360.cn		101.198.2.147	A (IP address)	IN (0x0001)
Aug 19, 2022 14:45:54.562694073 CEST	8.8.8.8	192.168.2.3	0x950f	No error (0)	s.360.cn		180.163.251.231	A (IP address)	IN (0x0001)
Aug 19, 2022 14:46:15.892940998 CEST	8.8.8.8	192.168.2.3	0xbd26	No error (0)	s.360.cn		171.8.167.90	A (IP address)	IN (0x0001)
Aug 19, 2022 14:46:15.892940998 CEST	8.8.8.8	192.168.2.3	0xbd26	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)
Aug 19, 2022 14:46:15.892940998 CEST	8.8.8.8	192.168.2.3	0xbd26	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)
Aug 19, 2022 14:46:15.892940998 CEST	8.8.8.8	192.168.2.3	0xbd26	No error (0)	s.360.cn		101.198.2.147	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

dl.360safe.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49749	104.192.108.21	443	C:\Users\user\Desktop\Inst7__9510085.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49750	104.192.108.21	443	C:\Users\user\Desktop\Inst7__9510085.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49727	104.192.108.21	80	C:\Users\user\Desktop\Inst7__9510085.exe

Timestamp	kBytes transferred	Direction	Data
Aug 19, 2022 14:44:11.697119951 CEST	738	OUT	HEAD /gf/360ini.cab HTTP/1.1 User-Agent: Beacon Host: dl.360safe.com Cache-Control: no-cache
Aug 19, 2022 14:44:11.866466999 CEST	738	IN	HTTP/1.1 200 OK Date: Fri, 19 Aug 2022 12:44:11 GMT Content-Type: application/octet-stream Content-Length: 2234731 Connection: keep-alive Expires: Fri, 19 Aug 2022 12:58:44 GMT Last-Modified: Tue, 14 Dec 2021 12:04:12 GMT Cache-Control: max-age=1800 ETag: "61b8883c-22196b" KCS-Via: HIT from w-f05.lato;MISS from back-f03.dl.lato;HIT from w-subsrc02.lato;MISS from back-subsrc02.dl.lato K-Cache-status: MISS Accept-Ranges: bytes
Aug 19, 2022 14:44:11.868011951 CEST	738	OUT	GET /gf/360ini.cab HTTP/1.1 User-Agent: Beacon Host: dl.360safe.com Cache-Control: no-cache
Aug 19, 2022 14:44:12.038064957 CEST	740	IN	HTTP/1.1 200 OK Date: Fri, 19 Aug 2022 12:44:11 GMT Content-Type: application/octet-stream Content-Length: 2234731 Connection: keep-alive Expires: Fri, 19 Aug 2022 13:14:11 GMT Last-Modified: Tue, 14 Dec 2021 12:04:12 GMT Cache-Control: max-age=1800 ETag: "61b8883c-22196b" KCS-Via: HIT from w-f05.lato;MISS from back-f03.dl.lato;HIT from w-subsrc02.lato;MISS from back-subsrc02.dl.lato K-Cache-status: MISS Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 6b 19 22 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 47 00 00 00 88 00 01 00 e0 dd 43 00 00 00 00 00 00 00 8e 53 62 9f 20 00 33 36 30 49 6e 49 2e 64 6c 6c 00 42 1b 3f d6 cf 3a 00 80 43 4b e5 7d 79 60 53 d5 d6 6f d2 86 36 4d 52 12 20 d5 00 45 8b 9e 2a d8 02 85 a0 16 0b 5a b0 20 6a c1 8e 29 33 a8 80 a5 a2 20 a4 80 5a 15 4c ab 0d 87 7a 1d ea 75 42 2f 5c 71 46 05 44 44 54 6c 29 94 59 26 19 14 07 44 d4 40 19 45 a0 ca 90 b7 d6 fe ad b4 29 e2 7d de f7 bd f7 d7 f3 7e e5 77 f6 5e 6b af b5 f6 b4 f6 3e 7b ed 93 6f c0 90 27 0d 91 06 83 c1 44 7f c1 a0 c1 b0 d4 80 ff d2 0d 7f e3 3f a3 c1 d0 fc d2 65 cd 0d 8b 63 36 b6 5f 6a cc dc d8 3e af 70 dc e4 84 89 93 26 dc 35 e9 f6 7b 12 ee bc fd de 7b 27 78 13 ee 18 93 30 a9 f8 de 84 71 f7 26 64 dc 96 9b 70 cf 84 d1 63 3a c7 c6 5a 34 11 61 1b d0 fb 96 fe c9 5d 5a 87 fe 3c 0f bf d3 3a 93 f0 c4 9d 1f b7 ee 4d d8 3b 6f 59 6b 8f c2 f9 ad 47 76 62 7c a7 75 2b 4a 4f 38 d0 a7 f5 00 55 a6 73 eb 17 3b 71 3a af f5 04 c5 f7 5a eb 8b 15 7e d6 fa 66 25 ef 13 85 bd f3 96 2b cc 19 77 67 21 eb 09 55 21 ab af c1 90 69 8c 32 0c fd f5 b5 db 43 79 7b 0c 11 ed ad c6 18 83 a1 d0 66 30 a4 5c ab f2 2e 9d 17 6d 30 38 e8 61 ba 8d 93 0e f5 1c 61 30 34 93 32 21 34 2c c8 50 8d b9 a2 4b 06 91 d3 8d aa 90 03 45 80 80 f4 69 cd 0d ad a8 e1 13 f2 9a 1b 4a 88 cb 90 d0 d2 70 e6 e1 ae 0d 4d fb fc 2b 37 1a fa df 40 0f 73 6e 34 a4 bf 4a 62 1f b7 19 e2 2f d0 05 cf 6f 8f 35 b8 b8 1e 84 4d fa 8c ec 2c 89 fa eb ae eb ec 1d 33 cd 4b 58 38 d6 06 83 b8 ae a6 a6 3c 09 06 c3 a8 ce 93 46 df ee a5 96 c9 3d 6d 44 dd cf 10 8e b7 35 e1 23 bd e9 9d c1 66 70 cd a0 4a 4d 6f 4e 06 53 e3 14 36 3f 9f af aa b3 77 fc 64 03 9a 8e f4 b6 c4 83 ab c5 9f f9 26 4d 9e 74 27 3d ab 36 a1 b6 31 4c 27 6c d3 e2 cf 7a 27 8d 19 3f 81 18 c7 1a 8d aa ad 0c 11 84 2f f6 39 9f af cf df 19 ce ff 3f fe 57 56 65 2f 7d 9d 9a ac 6c ab bd f4 15 42 fb 12 b3 c7 be 64 a2 b1 c0 be 64 5a b3 ea 1f cc ee 2f 28 15 11 7a 88 0c 3d 98 aa 7f 36 bb 4f 11 4f 54 e8 21 3a f4 10 e3 9f 64 22 0e b3 df 12 ca b1 54 dc d2 c0 6f 0d 3d c4 fa 27 99 89 cd 16 4a 37 b7 2f 49 b7 ab 04 ff 73 d4 3f c9 b6 fa d1 a3 64 a0 85 fe f4 da ea 80 23 31 c8 4f a6 b2 d4 5b 62 1d 57 b3 f3 d1 cf 55 1f 31 cf f8 45 65 f7 fc 2c 75 60 ac 63 c6 2f e4 c4 0c 89 ec ca dc ab 99 ec b2 2f 21 4a bf 58 07 27 1b 59 fb 28 56 4a b9 57 bb 23 f4 1e ee 7a 7f 1f 87 de c7 ec 5e ed ef e3 72 d7 fa 1f 70 fa fb c4 2f ef 79 67 ac 43 0f ea d9 2e 5f b5 43 5f 51 1d 30 eb 7f 34 98 40 ba aa 8f 38 1a 05 92 49 89 ac 9a 0d 50 ba ff 98 b1 57 d1 9c cf b2 b2 26 86 cc d8 ab 34 af 70 f7 3e e3 ab 35 b9 fb 9d f1 f7 b6 e9 2d dc 9b fd d9 0e bd b7 c9 bd c2 df db a9 67 9b 39 ed 9a 71 6e 14 19 61 2f 9b 1a 0c 06 47 ba ab 46 d4 f8 d6 Data Ascii: MSCFk",GCSb 360InI.dllB?:CK}y`So6MR E*Z j)3 ZLzuB/\qFDDTl)Y&D@E)}~w^k>{o'D?ec6_j>p&5{{'x0q&dpc:Z4a]Z<:M;oYkGvb\|u+JO8Us;q:Z~f%+wg!U!i2Cy{f0\.m08aa042!4,PKEiJpM+7@sn4Jb/o5M,3KX8<F=mD5#fpJMoNS6?wd&Mt'=61L'lz'?/9?WVe/}lBddZ/(z=6OOT!:d"To='J7/Is?d#1O[bWU1Ee,u`c//!JX'Y(VJW#z^rp/ygC._C_Q04@8IPW&4p>5-g9qna/GF
Aug 19, 2022 14:44:12.038120985 CEST	741	IN	Data Raw: 04 6b 36 34 f9 2f 57 1f a6 99 f5 6d 81 ee e7 82 41 ea cb 59 1a cd 27 fd 19 6e b8 c8 ad 9e c8 ad ee 93 05 65 5b 1f be a9 22 f3 19 73 c5 8d e6 7c aa cf b8 7a 7d 5a bd bf b0 5e 1f 77 c6 7f 3f 3d 9f f1 17 9e d1 3b fa ef 3f a3 a7 fa 3b e8 e3 4c fe 1e Data Ascii: k64/WmAY'ne["s\|z}Z^w?=;?;L4D\|U~G%+/cGCI?7FuTc]z99grw,u%~P[bT%f&$uGs!&)Qm??1UdE*5>4
Aug 19, 2022 14:44:12.038160086 CEST	742	IN	Data Raw: 2d cc bf 73 5d 1a 7c 3b b9 87 78 f1 ef db 1b 56 60 fb 92 47 53 ef c0 ea aa 6f a1 51 69 5f f2 34 a7 79 3a af a8 de 63 56 9b a4 10 a7 a2 20 7b e7 79 79 34 c2 35 7a 5b 52 6e e7 22 06 47 b9 c7 08 c7 e3 51 7e bd 3a 34 36 ed 4b a6 2b 85 3b 2f a0 6c fb Data Ascii: -s]\|;xV`GSoQi_4y:cV {yy45z[Rn"GQ~:46K+;/lm>&qr&QE{v:lS]I:3,c1g@+z/yAKPn9o6k'\|8oJs[_dNi:oXMI/wp\|Uf3)>B
Aug 19, 2022 14:44:12.038189888 CEST	744	IN	Data Raw: ee c9 d7 e7 6b 29 f4 54 5e aa c5 02 5a 19 d9 ad 7b 88 d3 45 4f 52 80 20 01 a0 71 67 57 17 e8 7f d4 96 6a 36 7a ae ad 45 c9 69 84 cd 09 83 84 76 c2 ae 84 dc d9 ed 09 5b 10 6e 20 6c 49 78 6b 2d 54 dc 49 e8 24 5c 48 78 11 61 5b c2 8b 09 9f ad 85 e2 Data Ascii: k)T^Z{EOR qgWj6zEiv[n lIxk-TI$\Hxa[agQ1'MY1mRo6+zYl{(OC-O\2@0XQ^yI%*>UiRL3V)/NUn)
Aug 19, 2022 14:44:12.038228989 CEST	745	IN	Data Raw: 11 0c ba ab 06 d7 7c de d9 e0 48 20 65 1b 09 b7 d3 df b7 f4 f7 13 fd 1d a2 bf 13 42 6b d5 05 d8 96 fe 9a c4 67 79 9a b1 fb 77 9f 54 eb f1 5c ae 8e de 2e 15 6e a7 b9 1e cb b5 2a 5b 6b 2f 2b e5 57 b7 73 3d e1 6d b0 6c ec a4 31 3f ad 64 a3 1e ab 29 Data Ascii: \|H eBkgywT\.n*[k/+Ws=ml1?d)a)ld\jmslVpf}ZbU ^R~3l%BoST]a2IZB}\]>Q}x{P}h$MpF~x4x}[J5
Aug 19, 2022 14:44:12.038268089 CEST	746	IN	Data Raw: 58 45 98 14 89 83 b8 4e 84 36 c2 ce 92 e6 d6 35 13 ba b9 96 84 dc f6 91 84 57 13 fa 09 af 25 ec 40 98 2a fc 3d b8 37 08 af 23 34 11 a6 11 de 4e d8 53 e8 bd 08 13 c9 8c eb 61 cd 0d 80 74 40 6f 02 1a 60 71 4d e6 38 0d 30 d5 1b 7a ec f8 ff cd aa d2 Data Ascii: XEN65W%@=7#4NSat@o`qM80z3[9NMfk5sZq=R)PC7)K&RO&~{y5:Hu G~g;kf;Cn6{rE4g.O...eE6tv7kXy:obfPg:Sm)4
Aug 19, 2022 14:44:12.038305998 CEST	748	IN	Data Raw: e7 60 aa 42 6e 35 c1 44 d2 b0 02 8a 6a 00 2b 01 ab 50 e1 5a b0 ae 16 01 6b 20 60 2d 72 d7 11 a4 12 ef 7a 14 d9 00 d8 08 f8 02 02 36 81 75 b3 74 fe 16 08 d8 8a dc 6d d2 af 5f 22 b9 5d ea b2 03 4c 3b 21 61 17 e0 2b f0 7c 2d 82 76 83 e7 1b 10 bf 05 Data Ascii: `Bn5Dj+PZk `-rz6utm_"]L;!a+\|-v\|$ -?}<hl'!q"~Eh&3SOFcsVEH<sxA$fl44dYm(A1f3<i%43g,Tbf
Aug 19, 2022 14:44:12.038342953 CEST	749	IN	Data Raw: 67 a9 a9 af 0f 70 16 f2 0f df 14 10 0f 4f 55 3f a6 24 51 79 ea 05 62 bf 32 19 f4 35 be 95 36 eb 3a be 46 ce c7 f7 de be 85 9b f9 b2 db 2c 6d 36 9f 90 e6 64 15 54 94 a8 43 df e4 c0 fb 5f b3 25 ce b2 aa e2 74 75 dd 9c 4a 70 80 4d 29 50 ff e4 64 65 Data Ascii: gpOU?$Qyb256:F,m6dTC_%tuJpM)PdeJ1yQwH>}po+p(DWgO.n>j).J@r&n9u!^tC"qDmISnObX>cjnW98%k\Lh{7a8up
Aug 19, 2022 14:44:12.038382053 CEST	751	IN	Data Raw: db 6d 8b ef e8 55 91 d5 e5 ce eb 13 a5 f9 5b ea 6b c8 d7 8c 6c 29 26 44 fd 37 cd bf e5 6c d3 e6 77 ff 57 cd df a4 e9 a3 ff 67 4d af 7b a9 da e7 35 bf 27 bc f9 cd 8d cd 1f 85 e6 bf f4 6c 43 f3 fb 36 06 fd f3 e1 90 94 d3 31 35 90 92 f5 5e b8 39 96 Data Ascii: mU[kl)&D7lwWgM{5'lC615^9Jv6%W*}v&Q'6=q'=)+S_8c<c^d56m7vk?[gJVDsUIFM2&1-`fBU5Jht]q^x9-DKt;z
Aug 19, 2022 14:44:12.038419962 CEST	752	IN	Data Raw: ad 12 da e1 79 ce 91 b0 6c be a2 d1 18 11 93 40 cf 2e ca bd 01 c9 74 d1 d8 5b 2c ec 23 16 de 28 16 66 c4 c0 59 f4 05 7b 3f a9 3d 87 7b ea 29 bb 3f 64 df 0c ea 2d 22 e4 56 11 c2 e1 1e 3e dc e2 70 cf 53 12 ef e1 0e ba 0d ec 59 31 38 ae 0a 0b f7 0c Data Ascii: yl@.t[,#(fY{?={)?d-"V>pSY18pO=y<dsZ=Fp[b9AbAv-XPIvCzXQvH-DjHx^>As`I7EW)S-$\|'h'"9lK<""
Aug 19, 2022 14:44:12.038465023 CEST	753	IN	Data Raw: ae 03 75 3d a8 1b 08 3e e0 35 9a b0 80 a8 5f 80 ba 09 d4 cd 04 8b f9 32 25 92 5b 2d 88 42 6f 13 77 f4 a5 74 ff 76 0b 5e 25 76 80 6d a7 8c c4 5d e2 dd be b2 e0 aa c2 d7 16 84 5d 77 0b fd 1b f1 66 df 8a 83 fe 0e c5 bf 27 98 c3 ef d2 16 84 c4 7f c0 Data Ascii: u=>5_2%[-Bowtv^%vm]]wf'0~>?Y,_[AAH9d\!(,x/UZ8zi^-\|R;j=<,A%/`UTFa*fx]BT;mj

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49749	104.192.108.21	443	C:\Users\user\Desktop\Inst7__9510085.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-19 12:45:10 UTC	0	OUT	HEAD /gf/MyNewIni2.cab HTTP/1.1 User-Agent: Beacon Host: dl.360safe.com Cache-Control: no-cache
2022-08-19 12:45:10 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 19 Aug 2022 12:45:10 GMT Content-Type: application/octet-stream Content-Length: 10712 Connection: close Expires: Fri, 19 Aug 2022 13:14:30 GMT Last-Modified: Tue, 16 Aug 2022 13:04:55 GMT Cache-Control: max-age=1800 ETag: "62fb95f7-29d8" KCS-Via: HIT from w-f05.lato;MISS from back-f04.dl.lato;HIT from w-subsrc02.lato;MISS from back-subsrc02.dl.lato K-Cache-status: MISS Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49750	104.192.108.21	443	C:\Users\user\Desktop\Inst7__9510085.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-19 12:45:11 UTC	0	OUT	GET /gf/MyNewIni2.cab HTTP/1.1 RANGE: bytes=0-10711 User-Agent: Beacon Host: dl.360safe.com Cache-Control: no-cache
2022-08-19 12:45:11 UTC	0	IN	HTTP/1.1 206 Partial Content Date: Fri, 19 Aug 2022 12:45:11 GMT Content-Type: application/octet-stream Content-Length: 10712 Connection: close Expires: Fri, 19 Aug 2022 13:15:11 GMT Last-Modified: Tue, 16 Aug 2022 13:04:55 GMT Cache-Control: max-age=1800 ETag: "62fb95f7-29d8" KCS-Via: HIT from w-f05.lato;MISS from back-f04.dl.lato;HIT from w-subsrc02.lato;MISS from back-subsrc02.dl.lato K-Cache-status: MISS Content-Range: bytes 0-10711/10712
2022-08-19 12:45:11 UTC	1	IN	Data Raw: 56 15 f3 bc e9 5a 47 9a c9 4f 09 61 f0 a4 bd 64 01 f0 cb 9e 93 f1 63 ed db 2b c1 79 3b 5d a8 87 05 07 9e 2f 58 8e 52 ad 52 de 2d 10 cf d6 06 35 90 b3 c5 98 bf f0 07 06 2a fd 58 be ae 2b e2 a2 58 a9 80 80 10 a9 80 80 d9 64 59 2e 07 89 38 a3 33 0f a0 b6 b3 4c f0 13 7d 74 27 a2 88 1d e6 d7 9a 27 a7 9d 3a 4f 98 31 be 95 84 14 55 42 88 0f a6 2d 8b 12 63 65 04 02 cb 8f c8 1b 3c 04 69 33 47 49 7a 0e a0 8a f9 21 d1 36 66 c1 fa e8 4a 53 2c fe 45 4f 36 c0 a1 4d 0c 06 3f 9b 09 1d 2e e3 7e e2 03 2f 61 9f 33 2c 31 2d 77 28 0f 56 1e 23 92 2a 47 fe 3d 79 52 4a f3 4f 50 17 b9 d0 10 08 dc 34 0e 9e 46 d8 a7 c2 55 99 c7 cb 50 02 aa d4 a9 d1 90 83 1b 79 75 cc 4f 68 90 b2 bf bf c6 b9 3a 8f cf 38 cd e3 87 86 01 58 6a aa 13 1c 5b 2f 00 93 a2 b3 41 2e 1a de 75 c3 3a c6 1b f0 5b Data Ascii: VZGOadc+y;]/XRR-5X+XdY.83L}t'':O1UB-ce<i3GIz!6fJS,EO6M?.~/a3,1-w(V#G=yRJOP4FUPyuOh:8Xj[/A.u:[

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Inst7__9510085.exePID: 5064, Parent PID: 5356

General

Target ID:	1
Start time:	14:44:10
Start date:	19/08/2022
Path:	C:\Users\user\Desktop\Inst7__9510085.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Inst7__9510085.exe"
Imagebase:	0xc00000
File size:	418832 bytes
MD5 hash:	9FADC5C7C3282E203C68B0D45BFA0B10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000002.517276957.000000006D3FC000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000002.516870106.000000006D2A2000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000002.517660018.000000006D558000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Inst7__9510085.exePID: 5064, Parent PID: 5356COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00C03420 Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 356
networkCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00C03420(void* __ebx, intOrPtr __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a32, void* _a36, char _a40, char* _a52, intOrPtr _a56, char* _a64, long _a68, char* _a72, long _a76, char* _a80, intOrPtr _a84, char _a96, char _a98, short _a236, char _a352, char _a354, short _a492, char _a608, char _a610, short _a920, short _a972, char _a974, char _a5288, char _a5290, signed int _a9276, signed int _a9440, signed int _a9456) {
				intOrPtr _v0;
				void _v12;
				short _v20;
				void _v28;
				void _v44;
				short _v56;
				void _v60;
				signed int _v64;
				signed short* _v68;
				void _v76;
				void* _v92;
				void* _v132;
				long _v152;
				void* _v156;
				void* _v160;
				void* _v164;
				void _v168;
				void* _v184;
				intOrPtr _v188;
				long _v200;
				long _v216;
				long _v224;
				WCHAR* _v232;
				intOrPtr _v236;
				long _v240;
				intOrPtr _v248;
				void* __esi;
				signed int _t80;
				int _t95;
				intOrPtr _t96;
				void* _t104;
				void* _t106;
				void* _t109;
				void* _t110;
				void* _t112;
				signed int _t119;
				void* _t124;
				void* _t125;
				signed int _t131;
				long _t132;
				signed int _t135;
				signed int _t136;
				signed short* _t138;
				void* _t142;
				long _t143;
				void* _t144;
				void* _t145;
				signed int _t158;
				signed int _t164;
				signed int _t177;
				void* _t178;
				void* _t181;
				void* _t183;
				intOrPtr _t184;
				void* _t189;
				void* _t190;
				void* _t193;
				signed int _t194;
				signed int _t195;

				_t189 = __ebp;
				_t178 = __edi;
				_t141 = __ebx;
				E00C26E30(0x24f4);
				_t80 =  *0xc58320; // 0x96c0a7a
				_a9456 = _t80 ^ _t194;
				_t184 = __ecx;
				_v0 = __ecx;
				_a608 = 0;
				E00C266B0(__edi,  &_a610, 0, 0x1fe);
				_a96 = 0;
				E00C266B0(_t178,  &_a98, 0, 0xfe);
				_a352 = 0;
				E00C266B0(_t178,  &_a354, 0, 0xfe);
				_a5288 = 0;
				E00C266B0(_t178,  &_a5290, 0, 0x1046);
				E00C266B0(_t178,  &_a40, 0, 0x38);
				_a52 =  &_a608;
				_a68 = 0x80;
				_a76 = 0x80;
				_t195 = _t194 + 0x3c;
				_t170 =  &_a352;
				_a36 = 0x3c;
				_a56 = 0x100;
				_a64 =  &_a96;
				_a72 =  &_a352;
				_a80 =  &_a5288;
				_a84 = 0x824;
				if(_t184 == 0) {
					__eflags = 0;
					return E00C2669E(0, __ebx, _a9456 ^ _t195,  &_a352, _t178, _t184);
				} else {
					_push(_t178);
					_t95 = InternetCrackUrlW(L"http://dl.360safe.com/gf/360ini.cab", 0, 0,  &_a36); // executed
					_t96 = _a32;
					if(_t95 == 0 || _t96 != 3) {
						if(_t96 == 4) {
							goto L5;
						} else {
							_pop(_t183);
							return E00C2669E(0, _t141, _a9440 ^ _t195, _t170, _t183, _t184);
						}
					} else {
						L5:
						_push(_t141);
						__eflags = _t96 - 4;
						_v12 = 0x7530;
						_t185 = 0 | _t96 == 0x00000004; // executed
						InternetSetOptionW(0, 2,  &_v12, 4); // executed
						InternetSetOptionW(0, 5,  &_v28, 4);
						InternetSetOptionW(0, 6,  &_v44, 4);
						InternetSetOptionW(0, 7,  &_v60, 4);
						InternetSetOptionW(0, 8,  &_v76, 4);
						_t104 = InternetOpenW(L"Beacon", 0, 0, 0, 0); // executed
						_t142 = _t104;
						_v92 = _t142;
						__eflags = _t142;
						if(_t142 != 0) {
							_push(_t189);
							_t175 =  &_a492;
							_t106 = InternetConnectW(_t142,  &_a492, _v56,  &_v20,  &_a236, 3, 0, 0); // executed
							_t190 = _t106;
							_v132 = _t190;
							__eflags = _t190;
							if(_t190 != 0) {
								_a972 = 0;
								E00C266B0(InternetSetOptionW,  &_a974, 0, 0x1046);
								_t195 = _t195 + 0xc;
								__eflags = _v64;
								if(_v64 == 0) {
									_t109 = 0;
									do {
										_t48 = _t109 + "/"; // 0x2f
										_t158 =  *_t48 & 0x0000ffff;
										 *(_t195 + _t109 + 0x470) = _t158;
										_t109 = _t109 + 2;
										__eflags = _t158;
									} while (_t158 != 0);
								} else {
									_t138 = _v68;
									_t177 =  &_a972 - _t138;
									__eflags = _t177;
									do {
										_t164 =  *_t138 & 0x0000ffff;
										 *(_t138 + _t177) = _t164;
										_t138 =  &(_t138[1]);
										__eflags = _t164;
									} while (_t164 != 0);
								}
								asm("sbb esi, esi");
								_t143 = ( ~_t185 & 0x00800000) + 0x80000000;
								_t175 =  &_a972;
								_t110 = HttpOpenRequestW(_t190, L"HEAD",  &_a972, L"HTTP/1.1", 0xc53300, 0, _t143, 0); // executed
								_t185 = _t110;
								_v160 = _t110;
								_t180 = E00C03320(_t185);
								__eflags = _t180;
								if(_t180 != 0) {
									_t175 = _t185;
									_v168 = 0;
									_v152 = 4;
									_t119 = HttpQueryInfoW(_t185, 0x20000005,  &_v168,  &_v152, 0);
									__eflags = _t119;
									if(_t119 == 0) {
										L19:
										_t193 = HttpOpenRequestW(_v184, L"GET",  &_a920, L"HTTP/1.1", 0xc53300, 0, _t143, 0);
										_t185 = _t193;
										_t180 = E00C03320(_t193);
										__eflags = _t180;
										if(_t180 != 0) {
											_t175 = _v232;
											_t124 = CreateFileW(_v232, 0x40000000, 3, 0, 2, 0x80, 0); // executed
											_t185 = _t124;
											__eflags = _t185 - 0xffffffff;
											if(__eflags != 0) {
												_push(0x80000); // executed
												_t125 = E00C2785C(_t143, _t180, __eflags); // executed
												_t145 = _t125;
												_t180 = 0;
												_t195 = _t195 + 4;
												__eflags = _t145;
												if(_t145 != 0) {
													_v232 = 0;
													_v200 = 0;
													_v224 = 0;
													E00C266B0(0, _t145, 0, 0x80000);
													_t195 = _t195 + 0xc;
													_t131 = InternetReadFile(_t193, _t145, 0x80000,  &_v224); // executed
													_t180 = _t131;
													__eflags = _t180;
													while(_t180 != 0) {
														_t132 = _v240;
														_t180 = 0;
														__eflags = _t132;
														if(__eflags <= 0) {
															if(__eflags == 0) {
																__eflags = _v248 - _v236;
																if(_v248 == _v236) {
																	_t180 = 1;
																}
															} else {
																goto L29;
															}
														} else {
															_v248 = _v248 + _t132;
															_t136 = WriteFile(_t185, _t145, _t132,  &_v216, 0); // executed
															_t180 = _t136;
															__eflags = _t180;
															if(_t180 != 0) {
																FlushFileBuffers(_t185);
																goto L29;
															}
														}
														goto L33;
														L29:
														_v240 = 0;
														E00C266B0(_t180, _t145, 0, 0x80000);
														_t195 = _t195 + 0xc;
														_t175 =  &_v240;
														_t135 = InternetReadFile(_t193, _t145, 0x80000,  &_v240); // executed
														_t180 = _t135;
														__eflags = _t180;
													}
												}
												L33:
												FlushFileBuffers(_t185);
												CloseHandle(_t185);
												__eflags = _t145;
												if(__eflags != 0) {
													_push(_t145); // executed
													E00C2768A(_t145, _t175, _t180, _t185, __eflags); // executed
													_t195 = _t195 + 4;
												}
											} else {
												_t180 = 0;
											}
										}
										__eflags = _t193;
										if(_t193 != 0) {
											InternetCloseHandle(_t193);
										}
									} else {
										__eflags = _v188 - 0x3e800000;
										if(_v188 <= 0x3e800000) {
											goto L19;
										} else {
											_t180 = 0;
										}
									}
								}
								_t112 = _v160;
								__eflags = _t112;
								if(_t112 != 0) {
									InternetCloseHandle(_t112);
								}
								_t142 = _v156;
								_t190 = _v164;
							} else {
								_t180 = 0;
							}
							__eflags = _t190;
							if(_t190 != 0) {
								InternetCloseHandle(_t190);
							}
						} else {
							_t180 = 0;
						}
						__eflags = _t142;
						if(_t142 != 0) {
							InternetCloseHandle(_t142);
						}
						_pop(_t144);
						_pop(_t181);
						__eflags = _a9276 ^ _t195;
						return E00C2669E(_t180, _t144, _a9276 ^ _t195, _t175, _t181, _t185);
					}
				}
			}

0x00c03420
0x00c03420
0x00c03420
0x00c03425
0x00c0342a
0x00c03431
0x00c0343b
0x00c0344b
0x00c0344f
0x00c03457
0x00c03469
0x00c0346e
0x00c03483
0x00c0348b
0x00c034a0
0x00c034a8
0x00c034b6
0x00c034c2
0x00c034cb
0x00c034d2
0x00c034d9
0x00c034e0
0x00c034ee
0x00c034f6
0x00c034fe
0x00c03502
0x00c03506
0x00c0350a
0x00c03514
0x00c038a7
0x00c038b4
0x00c0351a
0x00c0351a
0x00c03529
0x00c03531
0x00c03535
0x00c0353f
0x00000000
0x00c03541
0x00c03545
0x00c0355b
0x00c0355b
0x00c0355c
0x00c0355c
0x00c03564
0x00c03565
0x00c03576
0x00c0357e
0x00c03580
0x00c0358d
0x00c0359a
0x00c035a7
0x00c035b4
0x00c035c3
0x00c035c9
0x00c035cb
0x00c035cf
0x00c035d1
0x00c035de
0x00c035f6
0x00c035ff
0x00c03605
0x00c03607
0x00c0360b
0x00c0360d
0x00c03626
0x00c0362e
0x00c03633
0x00c03636
0x00c0363b
0x00c03661
0x00c03670
0x00c03670
0x00c03670
0x00c03677
0x00c0367f
0x00c03682
0x00c03682
0x00c0363d
0x00c0363d
0x00c03648
0x00c03648
0x00c03650
0x00c03650
0x00c03653
0x00c03657
0x00c0365a
0x00c0365a
0x00c0365f
0x00c03689
0x00c03699
0x00c036a8
0x00c036bc
0x00c036be
0x00c036c0
0x00c036c9
0x00c036cb
0x00c036cd
0x00c036e4
0x00c036e7
0x00c036ef
0x00c036f7
0x00c036fd
0x00c036ff
0x00c03712
0x00c03735
0x00c03737
0x00c0373e
0x00c03740
0x00c03742
0x00c03748
0x00c0375f
0x00c03765
0x00c03767
0x00c0376a
0x00c03773
0x00c03778
0x00c0377d
0x00c0377f
0x00c03781
0x00c03784
0x00c03786
0x00c03793
0x00c03797
0x00c0379b
0x00c0379f
0x00c037a4
0x00c037b3
0x00c037b9
0x00c037bb
0x00c037bd
0x00c037c0
0x00c037c4
0x00c037c6
0x00c037c8
0x00c037ec
0x00c03824
0x00c03828
0x00c0382a
0x00c0382a
0x00000000
0x00000000
0x00000000
0x00c037ca
0x00c037ca
0x00c037d7
0x00c037dd
0x00c037df
0x00c037e1
0x00c037e4
0x00000000
0x00c037e4
0x00c037e1
0x00000000
0x00c037ee
0x00c037f6
0x00c037fe
0x00c03803
0x00c03806
0x00c03812
0x00c03818
0x00c0381a
0x00c0381a
0x00c037bd
0x00c0382f
0x00c03830
0x00c03837
0x00c0383d
0x00c0383f
0x00c03841
0x00c03842
0x00c03847
0x00c03847
0x00c0376c
0x00c0376c
0x00c0376c
0x00c0376a
0x00c0384a
0x00c0384c
0x00c0384f
0x00c0384f
0x00c03701
0x00c03701
0x00c03709
0x00000000
0x00c0370b
0x00c0370b
0x00c0370b
0x00c03709
0x00c036ff
0x00c03855
0x00c03859
0x00c0385b
0x00c0385e
0x00c0385e
0x00c03864
0x00c03868
0x00c0360f
0x00c0360f
0x00c0360f
0x00c0386c
0x00c0386e
0x00c03871
0x00c03871
0x00c035d3
0x00c035d3
0x00c035d3
0x00c03878
0x00c0387a
0x00c0387d
0x00c0387d
0x00c03883
0x00c03886
0x00c0388f
0x00c0389c
0x00c0389c
0x00c03535

APIs

_memset.LIBCMT ref: 00C03457
_memset.LIBCMT ref: 00C0346E
_memset.LIBCMT ref: 00C0348B
_memset.LIBCMT ref: 00C034A8
_memset.LIBCMT ref: 00C034B6
InternetCrackUrlW.WININET(http://dl.360safe.com/gf/360ini.cab,00000000,00000000,?), ref: 00C03529
InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 00C03580
InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00C0358D
InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 00C0359A
InternetSetOptionW.WININET(00000000,00000007,?,00000004), ref: 00C035A7
InternetSetOptionW.WININET(00000000,00000008,?,00000004), ref: 00C035B4
InternetOpenW.WININET(Beacon,00000000,00000000,00000000,00000000), ref: 00C035C3
InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 00C035FF
_memset.LIBCMT ref: 00C0362E
HttpOpenRequestW.WININET(00000000,HEAD,?,HTTP/1.1,00C53300,00000000,-80000000,00000000), ref: 00C036BC
HttpQueryInfoW.WININET(00000000,20000005,?,?,00000000), ref: 00C036F7
InternetCloseHandle.WININET(?), ref: 00C0385E
InternetCloseHandle.WININET(?), ref: 00C03871
InternetCloseHandle.WININET(?), ref: 00C0387D

Strings

http://dl.360safe.com/gf/360ini.cab, xrefs: 00C03524
GET, xrefs: 00C0372D
<, xrefs: 00C034EE
HTTP/1.1, xrefs: 00C036A3, 00C03720
HEAD, xrefs: 00C036B0
Beacon, xrefs: 00C035BE
0u, xrefs: 00C03576

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Internet$_memset$Option$CloseHandle$HttpOpen$ConnectCrackInfoQueryRequest
String ID: 0u$<$Beacon$GET$HEAD$HTTP/1.1$http://dl.360safe.com/gf/360ini.cab
API String ID: 3713169831-2193797925
Opcode ID: 71c4987eb892675ee46a3165dc7f65582fa329ab4f55c97d974c2dfff053fc3b
Instruction ID: 4f0acfbccb5c4ba232fdaaee919252464ff5c2b6eb3b46eaa2ef3a28baa27421
Opcode Fuzzy Hash: 71c4987eb892675ee46a3165dc7f65582fa329ab4f55c97d974c2dfff053fc3b
Instruction Fuzzy Hash: 7DC1B2B5644380ABE320DF659C46F6F76E8BBC4B00F10492DFA59971D1EBB09A04CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C23856 Relevance: 10.6, APIs: 7, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00C23856() {
				intOrPtr _t1;
				void* _t2;
				void* _t4;
				void* _t12;
				void* _t16;
				void* _t18;
				void* _t19;

				if( *0xc5a9b8 != 0 || E00C236D8() != 0) {
					_t1 =  *0xc5a9b8; // 0x7f8f20
					if(_t1 != 1) {
						_t2 =  *0xc5a9c0(_t1);
						if(_t2 != 0) {
							return _t2;
						} else {
							_t4 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
							_t18 = _t4;
							if(_t18 != 0) {
								_push( *0xc5a9b8);
								if( *0xc5a9c0() == 0) {
									_t16 = _t18;
									_t19 = _t18 + 0xff0;
									do {
										 *0xc5a9bc( *0xc5a9b8, _t16);
										_t16 = _t16 + 0x10;
									} while (_t16 < _t19);
									L13:
									return _t16;
								}
								VirtualFree(_t18, 0, 0x8000);
								goto L13;
							}
							goto L8;
						}
					} else {
						_t12 = HeapAlloc(GetProcessHeap(), 0, 0xd);
						if(_t12 == 0) {
							goto L8;
						} else {
							return _t12;
						}
					}
				} else {
					L8:
					return 0;
				}
			}

0x00c237b9
0x00c237c4
0x00c237cc
0x00c237e6
0x00c237ee
0x00c23850
0x00c237f0
0x00c237fb
0x00c23801
0x00c23805
0x00c2380e
0x00c2381e
0x00c23830
0x00c23832
0x00c23838
0x00c2383f
0x00c23845
0x00c23848
0x00c2384c
0x00000000
0x00c2384e
0x00c23828
0x00000000
0x00c23828
0x00000000
0x00c23805
0x00c237ce
0x00c237d9
0x00c237e1
0x00000000
0x00c237e4
0x00c237e4
0x00c237e4
0x00c237e1
0x00c23807
0x00c23807
0x00c2380a
0x00c2380a

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,?,00C1B47E), ref: 00C237D2
HeapAlloc.KERNEL32(00000000,?,00C1B47E), ref: 00C237D9

Part of subcall function 00C236D8: IsProcessorFeaturePresent.KERNEL32(0000000C,00C237C0,?,00C1B47E), ref: 00C236DA

RtlInterlockedPopEntrySList.NTDLL(007F8F20), ref: 00C237E6
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00C1B47E), ref: 00C237FB
RtlInterlockedPopEntrySList.NTDLL ref: 00C23814
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00C1B47E), ref: 00C23828
RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00C2383F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
String ID:
API String ID: 2304957937-0
Opcode ID: 2f4edddc3c4208af69a451fecb5b39ae1d721f6282b4f4ec0f711b5aa16a93d4
Instruction ID: 7688f6dc47ece9a4b39193168d9bd1b08b13f0a2bef3b342642f96d29a13eb11
Opcode Fuzzy Hash: 2f4edddc3c4208af69a451fecb5b39ae1d721f6282b4f4ec0f711b5aa16a93d4
Instruction Fuzzy Hash: 4D01F5796453B177EB711726FC0CB5E3B29BB80B02F120121F900EAAD0DB78CE818A65

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A370 Relevance: 9.1, APIs: 6, Instructions: 66
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00C1A370(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				char _v532;
				intOrPtr _v560;
				char _v564;
				void* _v568;
				int _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t26;
				void* _t39;
				void* _t46;
				void* _t47;
				signed int _t48;

				_t22 =  *0xc58320; // 0x96c0a7a
				_v8 = _t22 ^ _t48;
				_v12 = 0;
				_v568 = 0;
				E00C266B0(_t46,  &_v564, 0, 0x228);
				_v572 = 0;
				_v568 = 0x22c;
				_t26 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t26;
				if(_v12 != 0xffffffff) {
					_push( &_v568);
					if(Process32FirstW(_v12) != 0) {
						while(_v560 != _a4) {
							if(Process32NextW(_v12,  &_v568) != 0) {
								continue;
							}
							goto L5;
						}
						_t45 = _a8;
						E00C274B7(_a8,  &_v532, _a12 - 1);
						_v572 = 1;
					}
					L5:
					FindCloseChangeNotification(_v12); // executed
				}
				return E00C2669E(_v572, _t39, _v8 ^ _t48, _t45, _t46, _t47);
			}

0x00c1a379
0x00c1a380
0x00c1a386
0x00c1a38d
0x00c1a3a5
0x00c1a3ad
0x00c1a3b7
0x00c1a3c5
0x00c1a3ca
0x00c1a3d1
0x00c1a3d9
0x00c1a3e5
0x00c1a3e7
0x00c1a42a
0x00000000
0x00000000
0x00000000
0x00c1a42a
0x00c1a400
0x00c1a404
0x00c1a40c
0x00c1a40c
0x00c1a42c
0x00c1a430
0x00c1a430
0x00c1a44c

APIs

_memset.LIBCMT ref: 00C1A3A5
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C1A3C5
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00C1A3DE
_wcsncpy.LIBCMT ref: 00C1A404
Process32NextW.KERNEL32(000000FF,0000022C), ref: 00C1A423
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00C1A430

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset_wcsncpy
String ID:
API String ID: 3232420637-0
Opcode ID: b4fcc5d6e69c91c599e2e2465824a54e7899d9161165a9ac13cfd456d0534224
Instruction ID: 204f9dc93bbdd6cbd6266190ba31172907611906d5ef1c62ba365b351509921b
Opcode Fuzzy Hash: b4fcc5d6e69c91c599e2e2465824a54e7899d9161165a9ac13cfd456d0534224
Instruction Fuzzy Hash: 1D215471901219ABDB10EFA4EC8DBDEB7B8EF05310F5005D9F509A7181DB74AB84DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C025E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00C025E0() {
				long _v4;
				void _v8;
				void _v12;
				void* _t8;
				signed int _t10;
				void* _t16;

				_v8 = GetCurrentProcessId();
				_v12 = 0;
				_t8 = CreateFileW(L"\\\\.\\360SelfProtection", 0x80, 3, 0, 3, 0, 0); // executed
				_t16 = _t8;
				if(_t16 != 0xffffffff) {
					_t10 = DeviceIoControl(_t16, 0x22204c,  &_v8, 4,  &_v12, 4,  &_v4, 0);
					CloseHandle(_t16);
					asm("sbb esi, esi");
					return  ~_t10 & _v12;
				} else {
					return 0;
				}
			}

0x00c025fe
0x00c02602
0x00c0260a
0x00c02610
0x00c02615
0x00c0263a
0x00c02643
0x00c0264b
0x00c02658
0x00c02617
0x00c0261d
0x00c0261d

APIs

GetCurrentProcessId.KERNEL32 ref: 00C025E4
CreateFileW.KERNEL32 ref: 00C0260A
DeviceIoControl.KERNEL32 ref: 00C0263A
CloseHandle.KERNEL32(00000000), ref: 00C02643

Strings

\\.\360SelfProtection, xrefs: 00C025F9

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: \\.\360SelfProtection
API String ID: 3778458602-936859468
Opcode ID: e7eb62675a1a03202aa24d7e8ffbb85873fd0ad6125d03c7f7649013cb84268c
Instruction ID: 865b85e646a27bdbeff5b08c5d63c8bea734df3b89681bf2c35c6060238f0f14
Opcode Fuzzy Hash: e7eb62675a1a03202aa24d7e8ffbb85873fd0ad6125d03c7f7649013cb84268c
Instruction Fuzzy Hash: 69F0A4367443107BE2109B64FC0AF6E77A8BB89F11F410618FB94A71D0D7B49608C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 00C03AA0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00C03AA0(WCHAR* __edx, void* __ebp) {
				signed int _v8;
				signed int _v16;
				char _v536;
				short _v1076;
				short _v1084;
				short _v1572;
				char _v1576;
				char _v1580;
				short _v1596;
				short _v2096;
				void* _v2100;
				intOrPtr _v2104;
				signed int _v2108;
				intOrPtr _v2112;
				short _v2116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				WCHAR* _t37;
				void* _t38;
				WCHAR* _t42;
				int _t44;
				WCHAR* _t49;
				void* _t63;
				WCHAR* _t64;
				void* _t67;

				_t60 = __edx;
				_t68 =  &_v2100;
				_t27 =  *0xc58320; // 0x96c0a7a
				_v8 = _t27 ^  &_v2100;
				_t49 = GetTempPathW;
				_t64 = 0;
				_v2100 = 0;
				GetTempPathW(0x104,  &_v1572);
				_t67 = PathAppendW;
				PathAppendW( &_v1572, L"360ini.cab");
				_t63 = Sleep;
				while(E00C03420(_t49,  &_v1576, _t63, _t67, 0) == 0) {
					Sleep(0x3e8);
					_t64 = _t64 + 1;
					if(_t64 < 3) {
						continue;
					}
					L3:
					_t38 = 0;
					L16:
					return E00C2669E(_t38, _t49, _v16 ^ _t68, _t60, _t63, _t65);
				}
				GetTempPathW(0x104,  &_v2096);
				_t65 =  &_v536;
				E00C03170( &_v1576,  &_v2096, _t63, _t65);
				PathAppendW( &_v2096, _t65);
				_t60 =  &_v2100;
				_t37 = PathIsDirectoryW(_t60); // executed
				__eflags = _t37;
				if(_t37 != 0) {
					L7:
					_t49 = 0;
					__eflags = 0;
					L8:
					__eflags = _v2108 & 0x00000001;
					if((_v2108 & 0x00000001) != 0) {
						_t37 = _v2104 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t60 = (_t60 | 0xffffffff) - 1;
						__eflags = _t60;
						if(_t60 <= 0) {
							_t60 =  *( *_t37);
							_t37 =  *(( *( *_t37))[2])(_t37);
						}
					}
					__eflags = _t49;
					if(_t49 != 0) {
						goto L3;
					} else {
						_t60 =  &_v1580;
						__imp__SetupIterateCabinetW( &_v1580, 0, 0xc03220,  &_v2100); // executed
						_t65 = _t37;
						DeleteFileW( &_v1596); // executed
						__eflags = _t37;
						if(_t37 == 0) {
							goto L3;
						}
						_t60 =  &_v1076;
						_t42 = PathCombineW( &_v1076,  &_v2116, L"360ini.dll");
						__eflags = _t42;
						if(_t42 == 0) {
							goto L3;
						}
						_t44 = PathFileExistsW( &_v1084); // executed
						__eflags = _t44;
						if(__eflags == 0) {
							goto L3;
						}
						_t65 =  &_v1084;
						_t38 = E00C05980( &_v1084, __eflags);
						goto L16;
					}
				}
				_t37 =  *(E00C01860(_t49, _t67,  &_v2100));
				_v2112 = 1;
				__imp__#165(0, _t37); // executed
				__eflags = _t37;
				if(_t37 == 0) {
					goto L7;
				}
				_t49 = 1;
				goto L8;
			}

0x00c03aa0
0x00c03aa0
0x00c03aa6
0x00c03aad
0x00c03ab5
0x00c03ac6
0x00c03acd
0x00c03ad1
0x00c03ad3
0x00c03ae6
0x00c03ae8
0x00c03af0
0x00c03b05
0x00c03b07
0x00c03b0b
0x00000000
0x00000000
0x00c03b0d
0x00c03b0d
0x00c03c13
0x00c03c2b
0x00c03c2b
0x00c03b1e
0x00c03b20
0x00c03b27
0x00c03b34
0x00c03b36
0x00c03b3b
0x00c03b41
0x00c03b43
0x00c03b6e
0x00c03b6e
0x00c03b6e
0x00c03b70
0x00c03b70
0x00c03b75
0x00c03b7b
0x00c03b84
0x00c03b88
0x00c03b89
0x00c03b8b
0x00c03b8f
0x00c03b95
0x00c03b95
0x00c03b8b
0x00c03b97
0x00c03b99
0x00000000
0x00c03b9f
0x00c03bab
0x00c03bb3
0x00c03bb9
0x00c03bc3
0x00c03bc9
0x00c03bcb
0x00000000
0x00000000
0x00c03bdb
0x00c03be3
0x00c03be9
0x00c03beb
0x00000000
0x00000000
0x00c03bf9
0x00c03bff
0x00c03c01
0x00000000
0x00000000
0x00c03c07
0x00c03c0e
0x00000000
0x00c03c0e
0x00c03b99
0x00c03b53
0x00c03b58
0x00c03b60
0x00c03b66
0x00c03b68
0x00000000
0x00000000
0x00c03b6a
0x00000000

APIs

GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001), ref: 00C03AD1
PathAppendW.SHLWAPI(?,360ini.cab,?,?,?,00000001), ref: 00C03AE6

Part of subcall function 00C03420: _memset.LIBCMT ref: 00C03457
Part of subcall function 00C03420: _memset.LIBCMT ref: 00C0346E
Part of subcall function 00C03420: _memset.LIBCMT ref: 00C0348B
Part of subcall function 00C03420: _memset.LIBCMT ref: 00C034A8
Part of subcall function 00C03420: _memset.LIBCMT ref: 00C034B6
Part of subcall function 00C03420: InternetCrackUrlW.WININET(http://dl.360safe.com/gf/360ini.cab,00000000,00000000,?), ref: 00C03529

Sleep.KERNEL32(000003E8,?,?,?,00000001), ref: 00C03B05
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001), ref: 00C03B1E
PathAppendW.SHLWAPI(?,?,?,?,?,00000001), ref: 00C03B34
PathIsDirectoryW.SHLWAPI(?), ref: 00C03B3B
SHCreateDirectory.SHELL32(00000000), ref: 00C03B60
SetupIterateCabinetW.SETUPAPI(?,00000000,00C03220,?), ref: 00C03BB3
DeleteFileW.KERNEL32(?), ref: 00C03BC3
PathCombineW.SHLWAPI(?,?,360ini.dll), ref: 00C03BE3
PathFileExistsW.SHLWAPI(?), ref: 00C03BF9

Strings

360ini.dll, xrefs: 00C03BD1
360ini.cab, xrefs: 00C03AD9

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Path$_memset$AppendDirectoryFileTemp$CabinetCombineCrackCreateDeleteExistsInternetIterateSetupSleep
String ID: 360ini.cab$360ini.dll
API String ID: 2211139378-2973119954
Opcode ID: a3eddf084e69ec0ab255df67c45e36febb22261ff7982e78ea6592f27c67e6a5
Instruction ID: aabd92cf30110b939ab500bbaea893adc6a069372b5e550454250cd0017acf15
Opcode Fuzzy Hash: a3eddf084e69ec0ab255df67c45e36febb22261ff7982e78ea6592f27c67e6a5
Instruction Fuzzy Hash: E341BB762043819BD320DBA4DC85BAFB7ACBB89710F054A1CB595870E1DB70EA08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C03C30 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 115
synchronizationlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00C03C30(WCHAR* __edx, CHAR* _a4) {
				long _v8;
				char _v16;
				char _v24;
				void** _v28;
				void* __ebp;
				signed int _t16;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__* _t25;
				struct _SECURITY_ATTRIBUTES* _t28;
				void* _t29;
				void* _t33;
				WCHAR* _t50;
				void* _t52;
				signed int _t53;
				signed int _t55;

				_t50 = __edx;
				_push(0xffffffff);
				_push(0xc4d326);
				_push( *[fs:0x0]);
				_t55 = (_t53 & 0xfffffff8) - 0x10;
				_t16 =  *0xc58320; // 0x96c0a7a
				_push(_t16 ^ _t55);
				 *[fs:0x0] =  &_v16;
				if(( *0xc5c43c & 0x00000001) == 0) {
					 *0xc5c43c =  *0xc5c43c | 0x00000001;
					_v8 = 0;
					 *0xc5c424 = 0;
					 *0xc5c428 = 0;
					 *0xc5c42c = 0;
					 *0xc5c430 = 0;
					 *0xc5c434 = 0;
					 *0xc5c438 = 0;
					_t33 = E00C05800();
					_t58 = _t33;
					if(_t33 < 0) {
						_push(_t33);
						E00C02370();
					}
					E00C273C4(_t58, 0xc4d520); // executed
					_t55 = _t55 + 4;
					_v8 = 0xffffffff;
				}
				if(( *0xc5c43c & 0x00000002) == 0) {
					 *0xc5c43c =  *0xc5c43c | 0x00000002;
					 *0xc5c41c = 0;
					E00C273C4( *0xc5c43c, 0xc4d500);
				}
				EnterCriticalSection(0xc5c424);
				if( *0xc5c420 != 0 ||  *0xc5c41c != 0) {
					L11:
					LeaveCriticalSection(0xc5c424);
					_v28 = 0xc5c41c;
					WaitForSingleObject( *0xc5c41c, 0xffffffff);
					_v24 = 1;
					_v8 = 1;
					__eflags =  *0xc5c420;
					if( *0xc5c420 != 0) {
						L14:
						ReleaseMutex( *0xc5c41c);
						_t24 = GetProcAddress( *0xc5c420, _a4);
						 *[fs:0x0] = _v16;
						return _t24;
					} else {
						_t25 = E00C03AA0(_t50, _t52);
						 *0xc5c420 = _t25;
						__eflags = _t25;
						if(_t25 != 0) {
							goto L14;
						} else {
							ReleaseMutex( *0xc5c41c);
							__eflags = 0;
							 *[fs:0x0] = _v16;
							return 0;
						}
					}
				} else {
					_t28 = OpenMutexW(0x1f0001, 0, L"{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}");
					 *0xc5c41c = _t28;
					if(_t28 != 0) {
						goto L11;
					} else {
						_t29 = CreateMutexW(_t28, _t28, L"{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}"); // executed
						 *0xc5c41c = _t29;
						if(_t29 != 0) {
							goto L11;
						} else {
							LeaveCriticalSection(0xc5c424);
							 *[fs:0x0] = _v16;
							return 0;
						}
					}
				}
			}

0x00c03c30
0x00c03c36
0x00c03c38
0x00c03c43
0x00c03c44
0x00c03c48
0x00c03c4f
0x00c03c54
0x00c03c65
0x00c03c67
0x00c03c6f
0x00c03c7c
0x00c03c81
0x00c03c86
0x00c03c8b
0x00c03c90
0x00c03c95
0x00c03c9a
0x00c03c9f
0x00c03ca1
0x00c03ca3
0x00c03ca4
0x00c03ca4
0x00c03cae
0x00c03cb3
0x00c03cb6
0x00c03cb6
0x00c03cc9
0x00c03ccb
0x00c03cd6
0x00c03ce0
0x00c03ce5
0x00c03ced
0x00c03cfa
0x00c03d54
0x00c03d59
0x00c03d67
0x00c03d6f
0x00c03d75
0x00c03d79
0x00c03d7d
0x00c03d84
0x00c03db4
0x00c03dbb
0x00c03dcc
0x00c03dd6
0x00c03de2
0x00c03d86
0x00c03d86
0x00c03d8b
0x00c03d90
0x00c03d92
0x00000000
0x00c03d94
0x00c03d9b
0x00c03da1
0x00c03da7
0x00c03db3
0x00c03db3
0x00c03d92
0x00c03d05
0x00c03d11
0x00c03d17
0x00c03d1e
0x00000000
0x00c03d20
0x00c03d27
0x00c03d2d
0x00c03d34
0x00000000
0x00c03d36
0x00c03d3b
0x00c03d47
0x00c03d53
0x00c03d53
0x00c03d34
0x00c03d1e

APIs

EnterCriticalSection.KERNEL32(00C5C424,096C0A7A), ref: 00C03CED
OpenMutexW.KERNEL32(001F0001,00000000,{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}), ref: 00C03D11
CreateMutexW.KERNEL32(00000000,00000000,{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}), ref: 00C03D27
LeaveCriticalSection.KERNEL32(00C5C424), ref: 00C03D3B

Part of subcall function 00C05800: InitializeCriticalSection.KERNEL32(00C5C424,096C0A7A,?,?,00000001,?,096C0A7A), ref: 00C0583B

LeaveCriticalSection.KERNEL32(00C5C424), ref: 00C03D59
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,00C4D326,000000FF), ref: 00C03D6F
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,00C4D326,000000FF), ref: 00C03D9B

Part of subcall function 00C02370: __CxxThrowException@8.LIBCMT ref: 00C02382

ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,00C4D326,000000FF), ref: 00C03DBB
GetProcAddress.KERNEL32(?,?), ref: 00C03DCC

Strings

{A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}, xrefs: 00C03D05, 00C03D20

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CriticalMutexSection$LeaveRelease$AddressCreateEnterException@8InitializeObjectOpenProcSingleThrowWait
String ID: {A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}
API String ID: 1083608638-2563637749
Opcode ID: 7c132b1d9f09bd2cfd9aff9b4e7806f16b4dbdd58a42ac7dc772d7565661a18f
Instruction ID: 5563560426bfaf4181807d297208830c3d990624fba169ea70e83b842c2b1eac
Opcode Fuzzy Hash: 7c132b1d9f09bd2cfd9aff9b4e7806f16b4dbdd58a42ac7dc772d7565661a18f
Instruction Fuzzy Hash: 9741D0B95043408FE710CF24ECA6B397BE8F748726F004729E866E22E1E7708588CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00C20620 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C20620(intOrPtr __ecx, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v52;
				int _v120;
				int _v124;
				int _t32;
				int _t33;
				void* _t35;
				int _t38;
				int _t39;
				void* _t80;

				_t80 = __eflags;
				_v8 = __ecx;
				E00C21840(_v8 + 4, 0); // executed
				_t32 = GetSystemMetrics(0xc);
				_t33 = GetSystemMetrics(0xb);
				_t35 = LoadImageW(E00C21310(0xc5a570), 0x80, 1, _t33, _t32, "true"); // executed
				_v12 = _t35;
				E00C217E0(_v8 + 4, _v12, 1); // executed
				_t38 = GetSystemMetrics(0x32);
				_t39 = GetSystemMetrics(0x31);
				_v16 = LoadImageW(E00C21310(0xc5a570), 0x80, 1, _t39, _t38, 0);
				E00C217E0(_v8 + 4, _v16, 0); // executed
				_v20 = E00C21740(0xc5a570, _t80, GetCurrentThreadId());
				if(_v8 == 0) {
					_v124 = 0;
				} else {
					_v124 = _v8 + 0x20;
				}
				E00C21680(_v20, _v124);
				if(_v8 == 0) {
					_v124 = 0;
				} else {
					_v124 = _v8 + 0x24;
				}
				E00C216E0(_v20, _v124);
				E00C21BE0(_v8 + 0x28,  *((intOrPtr*)(_v8 + 4)));
				E00C217B0(_v8 + 4, L"InstallerForChannel"); // executed
				E00C21C20( &_v52, E00C208A0, _v8, 0, 1, 0, 0); // executed
				_v120 = 1;
				E00C21C90( &_v52, _v8 + 4); // executed
				return _v120;
			}

0x00c20620
0x00c20629
0x00c20634
0x00c2063d
0x00c20646
0x00c2065f
0x00c20665
0x00c20674
0x00c2067d
0x00c20686
0x00c206a5
0x00c206b4
0x00c206ca
0x00c206d1
0x00c206de
0x00c206d3
0x00c206d9
0x00c206d9
0x00c206ec
0x00c206f5
0x00c20702
0x00c206f7
0x00c206fd
0x00c206fd
0x00c20710
0x00c20722
0x00c20732
0x00c2074b
0x00c20750
0x00c2075a
0x00c20768

APIs

Part of subcall function 00C21840: GetParent.USER32 ref: 00C21870
Part of subcall function 00C21840: GetWindowRect.USER32 ref: 00C21896
Part of subcall function 00C21840: GetWindowLongW.USER32(00000000,000000F0), ref: 00C218B6
Part of subcall function 00C21840: MonitorFromWindow.USER32(00000000,00000002), ref: 00C218ED

GetSystemMetrics.USER32 ref: 00C2063D
GetSystemMetrics.USER32 ref: 00C20646
LoadImageW.USER32 ref: 00C2065F

Part of subcall function 00C217E0: SendMessageW.USER32(?,00000080,?,?), ref: 00C217FF

GetSystemMetrics.USER32 ref: 00C2067D
GetSystemMetrics.USER32 ref: 00C20686
LoadImageW.USER32 ref: 00C2069F
GetCurrentThreadId.KERNEL32 ref: 00C206B9

Strings

InstallerForChannel, xrefs: 00C20727

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: MetricsSystem$Window$ImageLoad$CurrentFromLongMessageMonitorParentRectSendThread
String ID: InstallerForChannel
API String ID: 2254577150-1524948080
Opcode ID: 2e216584e4203526644ced8adf87b35c4c4222db5ab0a38d87185b8ea2065f40
Instruction ID: 0de6df41ab71c52c153411f4e71a737118b05a5b3be46c11691c2a57be640c12
Opcode Fuzzy Hash: 2e216584e4203526644ced8adf87b35c4c4222db5ab0a38d87185b8ea2065f40
Instruction Fuzzy Hash: 2E415374A40214AFEB14DFE4EC56FAD7774FF44740F240059FA02A72D2CA712A40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A610 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00C1A610(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				long _v12;
				intOrPtr _v16;
				char _v534;
				short _v536;
				int _v540;
				struct HWND__* _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				intOrPtr _t24;
				int _t29;
				void* _t34;
				struct HWND__* _t36;
				signed char _t40;
				void* _t45;
				void* _t53;
				void* _t54;
				void* _t55;
				signed int _t56;
				void* _t57;
				void* _t60;
				void* _t63;

				_t63 = __eflags;
				_t53 = __edx;
				_t20 =  *0xc58320; // 0x96c0a7a
				_v8 = _t20 ^ _t56;
				_v12 = GetCurrentProcessId();
				_t24 = E00C1A4A0(_t63, _v12); // executed
				_v16 = _t24;
				_v536 = 0;
				E00C266B0(_t54,  &_v534, 0, 0x206);
				_t29 = E00C1A370(_t63, _v16,  &_v536, 0x104); // executed
				_t60 = _t57 + 0x1c;
				if(_t29 != 0) {
					_t29 = StrCmpIW( &_v536, L"dllhost.exe"); // executed
					_t65 = _t29;
					if(_t29 == 0) {
						_t29 = E00C1A450(_v16);
						_t60 = _t60 + 4;
					}
				}
				__imp__CoInitialize(0); // executed
				_v540 = _t29;
				DefWindowProcW(0, 0, 0, 0);
				E00C1AAE0(4);
				_v540 = E00C1AD40(0xc5a570, _t65, 0, _a4, 0);
				_v544 = 0;
				_t34 = E00C1A560(_t53); // executed
				if(_t34 != 0) {
					L5:
					_t36 = E00C1A240(_t53, _t67, _a12, _a16); // executed
					_v544 = _t36;
					goto L7;
				} else {
					_t40 = E00C1A750(0xc5a5b0); // executed
					_t67 = _t40 & 0x000000ff;
					if((_t40 & 0x000000ff) == 0) {
						E00C1A190();
						L7:
						E00C1AEA0(0xc5a570, _t67);
						__imp__CoUninitialize();
						return E00C2669E(_v544, _t45, _v8 ^ _t56, _t53, _t54, _t55);
					}
					goto L5;
				}
			}

0x00c1a610
0x00c1a610
0x00c1a619
0x00c1a620
0x00c1a62c
0x00c1a633
0x00c1a63b
0x00c1a640
0x00c1a655
0x00c1a66d
0x00c1a672
0x00c1a677
0x00c1a685
0x00c1a68b
0x00c1a68d
0x00c1a693
0x00c1a698
0x00c1a698
0x00c1a68d
0x00c1a69d
0x00c1a6a3
0x00c1a6b1
0x00c1a6b9
0x00c1a6d3
0x00c1a6d9
0x00c1a6e3
0x00c1a6ea
0x00c1a6fd
0x00c1a705
0x00c1a70d
0x00000000
0x00c1a6ec
0x00c1a6f1
0x00c1a6f9
0x00c1a6fb
0x00c1a715
0x00c1a71a
0x00c1a71f
0x00c1a724
0x00c1a740
0x00c1a740
0x00000000
0x00c1a6fb

APIs

GetCurrentProcessId.KERNEL32 ref: 00C1A626

Part of subcall function 00C1A4A0: _memset.LIBCMT ref: 00C1A4DC
Part of subcall function 00C1A4A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C1A4F2
Part of subcall function 00C1A4A0: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00C1A50B
Part of subcall function 00C1A4A0: FindCloseChangeNotification.KERNEL32(000000FF,000000FF,0000022C,00000002,00000000), ref: 00C1A542

_memset.LIBCMT ref: 00C1A655

Part of subcall function 00C1A370: _memset.LIBCMT ref: 00C1A3A5
Part of subcall function 00C1A370: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C1A3C5
Part of subcall function 00C1A370: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00C1A3DE
Part of subcall function 00C1A370: _wcsncpy.LIBCMT ref: 00C1A404
Part of subcall function 00C1A370: FindCloseChangeNotification.KERNEL32(000000FF), ref: 00C1A430

StrCmpIW.SHLWAPI(?,dllhost.exe), ref: 00C1A685

Part of subcall function 00C1A450: OpenProcess.KERNEL32(00000001,00000001,?), ref: 00C1A461
Part of subcall function 00C1A450: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C1A476

CoInitialize.OLE32(00000000), ref: 00C1A69D
DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 00C1A6B1
CoUninitialize.OLE32(?,00000000), ref: 00C1A724

Strings

dllhost.exe, xrefs: 00C1A679

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Process_memset$ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32$CurrentInitializeOpenProcTerminateUninitializeWindow_wcsncpy
String ID: dllhost.exe
API String ID: 2256785820-3520973717
Opcode ID: cbf09e96a213bd34fa0839f093f2997231bf1237560d86c3e56f06833e6fd89e
Instruction ID: e2db4d8e966bcdc1dd51fd286238b98f87a991e10aa58ad1bb0cbb352875fcf4
Opcode Fuzzy Hash: cbf09e96a213bd34fa0839f093f2997231bf1237560d86c3e56f06833e6fd89e
Instruction Fuzzy Hash: E6317FB5E41208AFD710EFB49C49FDE77B4BF15315F400065F909D7181EA709A84AB67

Uniqueness

Uniqueness Score: -1.00%

Function 00C10E80 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00C10E80(intOrPtr* __eax, signed int __ecx, signed int __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed short _t142;
				signed int _t143;
				signed int _t147;
				signed int _t150;
				signed int _t151;
				signed int _t155;
				signed int _t156;
				signed int _t160;
				signed int _t163;
				void* _t165;
				signed int _t166;
				signed int _t168;
				signed int _t171;
				signed int _t172;
				intOrPtr* _t177;
				signed int _t184;
				signed int _t185;
				signed int _t192;
				signed short _t193;
				signed int _t196;
				void* _t204;
				intOrPtr _t207;
				signed short _t216;
				intOrPtr* _t217;
				void* _t218;
				void* _t219;
				void* _t220;

				_t202 = __edx;
				_t217 =  *((intOrPtr*)(_t218 + 0x64));
				_t205 = 0;
				_t177 = __eax;
				_t211 = __ecx;
				 *((intOrPtr*)(_t218 + 0x28)) = 0;
				 *((intOrPtr*)(_t218 + 0x24)) = 0;
				_t126 = E00C266B0(0, _t218 + 0x3c, 0, 0x30);
				_t219 = _t218 + 0xc;
				 *(_t219 + 0x40) = _t211;
				__imp__GetFileSizeEx(_t211, _t219 + 0x58);
				if(_t126 != 0) {
					 *((intOrPtr*)(_t219 + 0x68)) = 0x4000;
					_t127 = E00C27A03(_t177, _t202, 0, 0x4000); // executed
					_t211 = _t127;
					_t220 = _t219 + 4;
					__eflags = _t211;
					if(_t211 == 0) {
						SetLastError(8);
					}
					 *(_t220 + 0x60) = _t211;
					__eflags = _t211 - _t205;
					if(_t211 != _t205) {
						_t205 = _t220 + 0x48;
						_t128 = E00C10C10(_t220 + 0x48, _t220 + 0x48, _t220 + 0x48, _t177, 0x40);
						_t220 = _t220 + 0x10;
						__eflags = _t128;
						if(__eflags == 0) {
							goto L72;
						}
						_t202 = 0x5a4d;
						__eflags =  *_t177 - 0x5a4d;
						if( *_t177 != 0x5a4d) {
							L70:
							E00C15590(1, 0xc53300);
							goto L71;
						}
						_t136 =  *(_t177 + 0x3c);
						__eflags = _t136;
						if(_t136 <= 0) {
							goto L70;
						}
						asm("cdq");
						_t137 = E00C10C10(_t205, _t136, 0x5a4d, _t220 + 0x30, 4);
						_t220 = _t220 + 0x10;
						__eflags = _t137;
						if(__eflags == 0) {
							goto L72;
						}
						__eflags =  *((intOrPtr*)(_t220 + 0x2c)) - 0x4550;
						if( *((intOrPtr*)(_t220 + 0x2c)) != 0x4550) {
							goto L70;
						}
						_t138 =  *(_t177 + 0x3c);
						_t211 = _t138 + 4;
						 *(_t220 + 0x34) = 0;
						 *((intOrPtr*)(_t217 + 0xa0)) = 0;
						__eflags = _t138 - 0x110;
						if(_t138 < 0x110) {
							L15:
							_t202 =  *(_t220 + 0x34);
							_t205 = _t220 + 0x48;
							_t139 = E00C10C10(_t220 + 0x48, _t211,  *(_t220 + 0x34), _t177, 0x14);
							_t220 = _t220 + 0x10;
							__eflags = _t139;
							if(__eflags == 0) {
								goto L72;
							}
							_t211 = _t211 + 0x14;
							asm("adc eax, 0x0");
							 *(_t220 + 0x44) =  *(_t220 + 0x34);
							_t141 = E00C10C10(_t205, _t211,  *(_t220 + 0x34), _t220 + 0x2c, 2);
							_t220 = _t220 + 0x10;
							__eflags = _t141;
							if(__eflags == 0) {
								goto L72;
							}
							_t142 =  *(_t220 + 0x28);
							_t202 = 0x10b;
							__eflags = _t142 - 0x10b;
							if(_t142 != 0x10b) {
								__eflags = _t142 - 0x20b;
								if(_t142 != 0x20b) {
									goto L70;
								}
								_t184 =  *(_t177 + 0x10) & 0x0000ffff;
								_t202 = 0x88;
								__eflags = _t184 - 0x88;
								if(_t184 < 0x88) {
									goto L70;
								}
								_t202 = 0;
								__eflags = 0;
								 *(_t220 + 0x14) = 0xf0;
								_t143 =  *(_t220 + 0x14);
								 *(_t220 + 0x20) = 0;
								L23:
								_t185 = _t184 & 0x0000ffff;
								__eflags = _t185 - _t143;
								if(_t185 < _t143) {
									 *(_t220 + 0x14) = _t185;
									_t143 = _t185;
								}
								 *(_t220 + 0x10) =  *(_t177 + 2) & 0x0000ffff;
								__eflags = _t143 - _t202;
								if(_t143 == _t202) {
									L28:
									 *_t217 = _t211 + 0x40;
									__eflags =  *(_t220 + 0x20) - _t202;
									if( *(_t220 + 0x20) == _t202) {
										 *((intOrPtr*)(_t217 + 4)) = _t211 + 0x90;
										 *(_t217 + 0xc) =  *(_t177 + 0x90);
										 *((intOrPtr*)(_t217 + 0x14)) =  *((intOrPtr*)(_t177 + 0x94));
										 *((intOrPtr*)(_t217 + 0x10)) =  *((intOrPtr*)(_t177 + 0x40));
										_t192 = 1;
										 *((char*)(_t217 + 0x9c)) = 1;
										__eflags =  *((intOrPtr*)(_t177 + 0x44)) - 1;
										if( *((intOrPtr*)(_t177 + 0x44)) != 1) {
											 *((char*)(_t217 + 0x9d)) = 0;
										} else {
											 *((char*)(_t217 + 0x9d)) = 1;
										}
										 *(_t220 + 0x20) =  *(_t177 + 0x80);
										_t207 =  *((intOrPtr*)(_t177 + 0x84));
									} else {
										 *((intOrPtr*)(_t217 + 4)) = _t211 + 0x80;
										 *(_t217 + 0xc) =  *(_t177 + 0x80);
										 *((intOrPtr*)(_t217 + 0x14)) =  *((intOrPtr*)(_t177 + 0x84));
										 *((intOrPtr*)(_t217 + 0x10)) =  *((intOrPtr*)(_t177 + 0x40));
										_t192 = 1;
										 *((char*)(_t217 + 0x9c)) = 0;
										__eflags =  *((intOrPtr*)(_t177 + 0x44)) - 1;
										if( *((intOrPtr*)(_t177 + 0x44)) != 1) {
											 *((char*)(_t217 + 0x9d)) = 0;
											 *(_t220 + 0x20) =  *(_t177 + 0x70);
											_t207 =  *((intOrPtr*)(_t177 + 0x74));
										} else {
											 *((char*)(_t217 + 0x9d)) = 1;
											 *(_t220 + 0x20) =  *(_t177 + 0x70);
											_t207 =  *((intOrPtr*)(_t177 + 0x74));
										}
									}
									 *((intOrPtr*)(_t220 + 0x24)) = _t207;
									_t205 =  *((intOrPtr*)(_t217 + 4)) + 4;
									_t211 = _t211 + _t143;
									asm("adc [esp+0x34], edx");
									 *((intOrPtr*)(_t217 + 8)) =  *((intOrPtr*)(_t217 + 4)) + 4;
									 *(_t220 + 0x30) = _t211;
									 *(_t217 + 0x18) = _t202;
									 *((char*)(_t217 + 0x9e)) = 0;
									 *(_t217 + 0xb0) = _t211;
									__eflags =  *((intOrPtr*)(_t217 + 0xa0)) - _t202;
									if( *((intOrPtr*)(_t217 + 0xa0)) == _t202) {
										L39:
										 *(_t220 + 0x14) = _t202;
										goto L40;
									} else {
										__eflags =  *((char*)(_t217 + 0x9c));
										if( *((char*)(_t217 + 0x9c)) != 0) {
											goto L39;
										}
										__eflags =  *((char*)(_t217 + 0x9d));
										 *(_t220 + 0x14) = _t192;
										if( *((char*)(_t217 + 0x9d)) != 0) {
											L40:
											__eflags =  *(_t220 + 0x20) - _t202;
											if( *(_t220 + 0x20) != _t202) {
												L42:
												_t193 =  *(_t220 + 0x10);
												_t202 = 0x333;
												 *(_t220 + 0x28) = 0x333;
												__eflags = _t193 - 0x333;
												if(__eflags <= 0) {
													__eflags = _t193 - 0xffff;
													if(__eflags == 0) {
														 *(_t220 + 0x10) = 0xfffe;
													}
												} else {
													 *(_t220 + 0x10) = 0x333;
												}
												_t211 = ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4 + ( *(_t220 + 0x10) & 0x0000ffff) + ( *(_t220 + 0x10) & 0x0000ffff) * 4;
												_t147 = E00C10510(_t211, __eflags);
												 *(_t220 + 0x18) = _t147;
												__eflags = _t147;
												if(_t147 != 0) {
													__eflags = _t211;
													if(_t211 == 0) {
														L51:
														 *(_t217 + 0xb0) =  *(_t217 + 0xb0) + _t211;
														__eflags =  *(_t220 + 0x14);
														_t216 =  *(_t220 + 0x10);
														if( *(_t220 + 0x14) == 0) {
															L58:
															_t202 =  *(_t220 + 0x20);
															_t211 = E00C11440(_t147,  *(_t220 + 0x20), _t205, _t216,  *((intOrPtr*)(_t220 + 0x24)));
															_t220 = _t220 + 4;
															 *(_t220 + 0x20) = _t211;
															__eflags = _t211;
															if(__eflags == 0) {
																L69:
																 *(_t220 + 0x1c) = 1;
																goto L72;
															}
															_push(0xa);
															_push(_t211);
															_t150 = E00C11390(_t220 + 0x40, _t177);
															_t220 = _t220 + 8;
															__eflags = _t150;
															if(__eflags == 0) {
																goto L69;
															}
															_t151 =  *(_t150 + 4);
															__eflags = _t151;
															if(__eflags >= 0) {
																goto L69;
															}
															_push(0x360);
															_push((_t151 & 0x7fffffff) + _t211);
															_t155 = E00C11390(_t220 + 0x40, _t177);
															_t220 = _t220 + 8;
															__eflags = _t155;
															if(__eflags == 0) {
																goto L69;
															}
															_t156 =  *(_t155 + 4);
															__eflags = _t156;
															if(__eflags >= 0) {
																goto L69;
															}
															_push(0);
															_push((_t156 & 0x7fffffff) + _t211);
															_t160 = E00C11390(_t220 + 0x40, _t177);
															_t220 = _t220 + 8;
															__eflags = _t160;
															if(__eflags == 0) {
																goto L69;
															}
															_t161 =  *(_t160 + 4);
															__eflags =  *(_t160 + 4);
															if(__eflags < 0) {
																goto L69;
															}
															_t205 = _t220 + 0x48;
															_t163 = E00C10C10(_t220 + 0x48, _t161 + _t211, 0, _t177, 0x10);
															_t220 = _t220 + 0x10;
															__eflags = _t163;
															if(__eflags == 0) {
																goto L72;
															}
															__eflags =  *((intOrPtr*)(_t177 + 4)) - 0x80;
															if(__eflags != 0) {
																goto L69;
															}
															_t211 =  *(_t220 + 0x10);
															_t165 = E00C11440( *(_t220 + 0x18),  *_t177, _t205,  *(_t220 + 0x10), 0x80);
															_t202 = _t217 + 0x1c;
															_t166 = E00C10C10(_t205, _t165, 0, _t217 + 0x1c, 0x80);
															_t220 = _t220 + 0x14;
															__eflags = _t166;
															if(__eflags == 0) {
																goto L72;
															}
															 *(_t217 + 0x18) =  *(_t220 + 0x20);
															goto L69;
														}
														_t205 = 0;
														_t204 = 0;
														_t196 = _t147;
														__eflags = 0 - _t216;
														if(0 >= _t216) {
															goto L58;
														} else {
															goto L53;
														}
														do {
															L53:
															__eflags =  *_t196 - 0x54494e49;
															if( *_t196 != 0x54494e49) {
																goto L55;
															}
															__eflags =  *((char*)(_t196 + 4));
															if( *((char*)(_t196 + 4)) == 0) {
																 *((char*)(_t217 + 0x9e)) = 1;
																goto L58;
															}
															L55:
															_t204 = _t204 + 1;
															_t196 = _t196 + 0x28;
															__eflags = _t204 - _t216;
														} while (_t204 < _t216);
														goto L58;
													}
													_t202 =  *(_t220 + 0x30);
													_t205 = _t220 + 0x48;
													_t168 = E00C10C10(_t220 + 0x48,  *(_t220 + 0x30),  *(_t220 + 0x34), _t147, _t211);
													_t220 = _t220 + 0x10;
													__eflags = _t168;
													if(__eflags == 0) {
														goto L72;
													}
													_t147 =  *(_t220 + 0x18);
													goto L51;
												} else {
													E00C152E0(0xc53300, 0xc53300);
													goto L71;
												}
											}
											__eflags =  *(_t220 + 0x14) - _t202;
											if(__eflags == 0) {
												goto L69;
											}
											goto L42;
										}
										goto L39;
									}
								} else {
									_t202 =  *(_t220 + 0x34);
									_t205 = _t220 + 0x48;
									_t171 = E00C10C10(_t220 + 0x48, _t211,  *(_t220 + 0x34), _t177, _t143);
									_t220 = _t220 + 0x10;
									__eflags = _t171;
									if(__eflags == 0) {
										goto L72;
									}
									_t143 =  *(_t220 + 0x14);
									_t202 = 0;
									__eflags = 0;
									goto L28;
								}
							}
							_t184 =  *(_t177 + 0x10) & 0x0000ffff;
							__eflags = _t184 - 0x78;
							if(_t184 < 0x78) {
								goto L70;
							}
							_t143 = 0xe0;
							 *(_t220 + 0x20) = 1;
							 *(_t220 + 0x14) = 0xe0;
							_t202 = 0;
							goto L23;
						}
						_t172 = E00C10C10(_t205, 0x80, 0, _t177, 0x90);
						_t220 = _t220 + 0x10;
						__eflags = _t172;
						if(__eflags == 0) {
							goto L72;
						}
						__eflags =  *_t177 - 0x82c8851f;
						if( *_t177 == 0x82c8851f) {
							 *((intOrPtr*)(_t217 + 0xa0)) = 0x80;
						}
						goto L15;
					}
					E00C152E0(0xc53300, 0xc53300);
					goto L71;
				} else {
					E00C152E0(0xc53300, 0xc53300);
					L71:
					_t220 = _t220 + 4;
					L72:
					_t129 =  *(_t220 + 0x60);
					_t224 = _t129;
					if(_t129 != 0) {
						_push(_t129);
						E00C27501(_t177, _t202, _t205, _t211, _t224);
						_t220 = _t220 + 4;
					}
					_t130 =  *(_t220 + 0x18);
					_t225 = _t130;
					if(_t130 != 0) {
						_push(_t130);
						E00C27501(_t177, _t202, _t205, _t211, _t225);
						_t220 = _t220 + 4;
					}
					return  *(_t220 + 0x1c);
				}
			}

0x00c10e80
0x00c10e85
0x00c10e8b
0x00c10e8f
0x00c10e97
0x00c10e99
0x00c10e9d
0x00c10ea1
0x00c10ea6
0x00c10eaf
0x00c10eb3
0x00c10ebb
0x00c10ed6
0x00c10ede
0x00c10ee3
0x00c10ee5
0x00c10ee8
0x00c10eea
0x00c10eee
0x00c10eee
0x00c10ef4
0x00c10ef8
0x00c10efa
0x00c10f15
0x00c10f19
0x00c10f1e
0x00c10f21
0x00c10f23
0x00000000
0x00000000
0x00c10f29
0x00c10f2e
0x00c10f31
0x00c1134f
0x00c11359
0x00000000
0x00c11359
0x00c10f37
0x00c10f3a
0x00c10f3c
0x00000000
0x00000000
0x00c10f44
0x00c10f4c
0x00c10f51
0x00c10f54
0x00c10f56
0x00000000
0x00000000
0x00c10f5c
0x00c10f64
0x00000000
0x00000000
0x00c10f6a
0x00c10f6f
0x00c10f72
0x00c10f76
0x00c10f7c
0x00c10f81
0x00c10fb1
0x00c10fb1
0x00c10fba
0x00c10fbe
0x00c10fc3
0x00c10fc6
0x00c10fc8
0x00000000
0x00000000
0x00c10fd4
0x00c10fdb
0x00c10fe1
0x00c10fe5
0x00c10fea
0x00c10fed
0x00c10fef
0x00000000
0x00000000
0x00c10ff5
0x00c10ff9
0x00c10ffe
0x00c11001
0x00c1102b
0x00c1102e
0x00000000
0x00000000
0x00c11034
0x00c11038
0x00c1103d
0x00c11040
0x00000000
0x00000000
0x00c11046
0x00c11046
0x00c11048
0x00c11050
0x00c11054
0x00c11058
0x00c11058
0x00c1105b
0x00c1105d
0x00c1105f
0x00c11063
0x00c11063
0x00c11069
0x00c1106d
0x00c1106f
0x00c11093
0x00c11096
0x00c11099
0x00c1109d
0x00c110fd
0x00c11106
0x00c1110f
0x00c11115
0x00c11118
0x00c1111d
0x00c11124
0x00c11128
0x00c11132
0x00c1112a
0x00c1112a
0x00c1112a
0x00c1113f
0x00c11143
0x00c1109f
0x00c110a5
0x00c110ae
0x00c110b7
0x00c110bd
0x00c110c0
0x00c110c5
0x00c110cc
0x00c110d0
0x00c110e4
0x00c110ee
0x00c110f2
0x00c110d2
0x00c110d2
0x00c110db
0x00c110df
0x00c110df
0x00c110d0
0x00c11149
0x00c11150
0x00c11153
0x00c11155
0x00c11159
0x00c1115c
0x00c11160
0x00c11163
0x00c1116a
0x00c11170
0x00c11176
0x00c1118e
0x00c1118e
0x00000000
0x00c11178
0x00c11178
0x00c1117f
0x00000000
0x00000000
0x00c11181
0x00c11188
0x00c1118c
0x00c11192
0x00c11192
0x00c11196
0x00c111a2
0x00c111a2
0x00c111ab
0x00c111ad
0x00c111b1
0x00c111b4
0x00c111c1
0x00c111c4
0x00c111c6
0x00c111c6
0x00c111b6
0x00c111b6
0x00c111b6
0x00c111da
0x00c111de
0x00c111e3
0x00c111e7
0x00c111e9
0x00c111ff
0x00c11201
0x00c11227
0x00c11227
0x00c1122d
0x00c11232
0x00c11236
0x00c11263
0x00c11267
0x00c11271
0x00c11273
0x00c11276
0x00c1127a
0x00c1127c
0x00c11345
0x00c11345
0x00000000
0x00c11345
0x00c11282
0x00c11284
0x00c11289
0x00c1128e
0x00c11291
0x00c11293
0x00000000
0x00000000
0x00c11299
0x00c1129c
0x00c1129e
0x00000000
0x00000000
0x00c112ab
0x00c112b0
0x00c112b5
0x00c112ba
0x00c112bd
0x00c112bf
0x00000000
0x00000000
0x00c112c5
0x00c112c8
0x00c112ca
0x00000000
0x00000000
0x00c112d3
0x00c112d5
0x00c112da
0x00c112df
0x00c112e2
0x00c112e4
0x00000000
0x00000000
0x00c112e6
0x00c112e9
0x00c112eb
0x00000000
0x00000000
0x00c112f6
0x00c112fa
0x00c112ff
0x00c11302
0x00c11304
0x00000000
0x00000000
0x00c11306
0x00c1130d
0x00000000
0x00000000
0x00c1130f
0x00c1131e
0x00c1132b
0x00c11332
0x00c11337
0x00c1133a
0x00c1133c
0x00000000
0x00000000
0x00c11342
0x00000000
0x00c11342
0x00c11238
0x00c1123a
0x00c1123c
0x00c1123e
0x00c11241
0x00000000
0x00000000
0x00000000
0x00000000
0x00c11243
0x00c11243
0x00c11243
0x00c11249
0x00000000
0x00000000
0x00c1124b
0x00c1124f
0x00c1125c
0x00000000
0x00c1125c
0x00c11251
0x00c11251
0x00c11252
0x00c11255
0x00c11255
0x00000000
0x00c1125a
0x00c11207
0x00c1120f
0x00c11213
0x00c11218
0x00c1121b
0x00c1121d
0x00000000
0x00000000
0x00c11223
0x00000000
0x00c111eb
0x00c111f5
0x00000000
0x00c111f5
0x00c111e9
0x00c11198
0x00c1119c
0x00000000
0x00000000
0x00000000
0x00c1119c
0x00000000
0x00c1118c
0x00c11071
0x00c11071
0x00c11079
0x00c1107d
0x00c11082
0x00c11085
0x00c11087
0x00000000
0x00000000
0x00c1108d
0x00c11091
0x00c11091
0x00000000
0x00c11091
0x00c1106f
0x00c11003
0x00c11007
0x00c1100b
0x00000000
0x00000000
0x00c11011
0x00c11016
0x00c1101e
0x00c11022
0x00000000
0x00c11022
0x00c10f8f
0x00c10f94
0x00c10f97
0x00c10f99
0x00000000
0x00000000
0x00c10f9f
0x00c10fa5
0x00c10fa7
0x00c10fa7
0x00000000
0x00c10fa5
0x00c10f06
0x00000000
0x00c10ebd
0x00c10ec7
0x00c1135e
0x00c1135e
0x00c11361
0x00c11361
0x00c11365
0x00c11367
0x00c11369
0x00c1136a
0x00c1136f
0x00c1136f
0x00c11372
0x00c11376
0x00c11378
0x00c1137a
0x00c1137b
0x00c11380
0x00c11380
0x00c1138e
0x00c1138e

APIs

_memset.LIBCMT ref: 00C10EA1
GetFileSizeEx.KERNEL32(?,?,00000000,?,00000000), ref: 00C10EB3
_malloc.LIBCMT ref: 00C10EDE
SetLastError.KERNEL32(00000008,?,?,?,00004000), ref: 00C10EEE

Strings

PE, xrefs: 00C10F5C
INIT, xrefs: 00C11243

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorFileLastSize_malloc_memset
String ID: INIT$PE
API String ID: 942205088-3949469810
Opcode ID: 73ce72ba9bace671140ee3cb4117b51b363abf4b0a31e78ef1a8c58582d2a8d1
Instruction ID: cace1f7ddd936577d409d0b163fa78f758a9c52c7294ec5231e9abbc71471f48
Opcode Fuzzy Hash: 73ce72ba9bace671140ee3cb4117b51b363abf4b0a31e78ef1a8c58582d2a8d1
Instruction Fuzzy Hash: C5E12471A043409BDB20DF15C8417EB77E4BF86700F48492DFE588B281E778DA85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C28452 Relevance: 10.6, APIs: 7, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00C28452(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				DWORD* _v8;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t20;
				DWORD* _t25;
				intOrPtr* _t27;
				char _t41;
				void* _t44;

				_t39 = __edx;
				_t41 = _a12;
				_v8 = 0;
				_t48 = _t41;
				if(_t41 != 0) {
					_push(__esi);
					E00C2F30E();
					_t44 = E00C30B95(1, 0x214);
					__eflags = _t44;
					if(__eflags == 0) {
						L7:
						_push(_t44);
						E00C27501(0, _t39, _t41, _t44, __eflags);
						__eflags = _v8;
						if(_v8 != 0) {
							E00C2AF51(_v8);
						}
						_t20 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E00C2F4FC(0, __eflags) + 0x6c)));
						_push(_t44);
						E00C2F39C(0, __edx, _t41, _t44, __eflags);
						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
						_t25 = _a24;
						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
						__eflags = _t25;
						if(_t25 == 0) {
							_t25 =  &_a12;
						}
						_t20 = CreateThread(_a4, _a8, E00C283CF, _t44, _a20, _t25); // executed
						__eflags = _t20;
						if(__eflags == 0) {
							_v8 = GetLastError();
							goto L7;
						}
					}
				} else {
					_t27 = E00C2AF2B(_t48);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t27 = 0x16;
					E00C28FCF(__edx, _t41, __esi);
					_t20 = 0;
				}
				return _t20;
			}

0x00c28452
0x00c2845a
0x00c2845f
0x00c28462
0x00c28464
0x00c28482
0x00c28483
0x00c28494
0x00c28498
0x00c2849a
0x00c284e6
0x00c284e6
0x00c284e7
0x00c284ed
0x00c284f0
0x00c284f5
0x00c284fa
0x00c284fb
0x00c284fb
0x00c2849c
0x00c284a1
0x00c284a4
0x00c284a5
0x00c284ad
0x00c284b1
0x00c284b4
0x00c284b9
0x00c284bc
0x00c284be
0x00c284c0
0x00c284c0
0x00c284d3
0x00c284d9
0x00c284db
0x00c284e3
0x00000000
0x00c284e3
0x00c284db
0x00c28466
0x00c28466
0x00c2846b
0x00c2846c
0x00c2846d
0x00c2846e
0x00c2846f
0x00c28470
0x00c28476
0x00c2847e
0x00c2847e
0x00c28501

APIs

___set_flsgetvalue.LIBCMT ref: 00C28483
__calloc_crt.LIBCMT ref: 00C2848F
__getptd.LIBCMT ref: 00C2849C
__initptd.LIBCMT ref: 00C284A5
CreateThread.KERNEL32 ref: 00C284D3
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00C284DD
__dosmaperr.LIBCMT ref: 00C284F5

Part of subcall function 00C2AF2B: __getptd_noexit.LIBCMT ref: 00C2AF2B

Part of subcall function 00C28FCF: __decode_pointer.LIBCMT ref: 00C28FDA

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: 68fbed23457aebf3f04de45ea79bea8e13d6077fd83dccd5f77a84574e224a1e
Instruction ID: 589bd4a6754e2dfc0365d3ed93cb8fb389ceccc9eef100fc36a3e326e085e817
Opcode Fuzzy Hash: 68fbed23457aebf3f04de45ea79bea8e13d6077fd83dccd5f77a84574e224a1e
Instruction Fuzzy Hash: A611237210522AAFDB11FFA4FC8299E7BE5FF04324B20443DF914D6851DF719A05AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A4A0 Relevance: 7.6, APIs: 5, Instructions: 58
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00C1A4A0(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				int _v12;
				void* _v16;
				int _v548;
				intOrPtr _v564;
				char _v568;
				void* _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t24;
				int _t28;
				void* _t35;
				void* _t40;
				void* _t41;
				void* _t42;
				signed int _t43;

				_t20 =  *0xc58320; // 0x96c0a7a
				_v8 = _t20 ^ _t43;
				_v12 = 0;
				_v16 = 0;
				_v572 = 0;
				E00C266B0(_t41,  &_v568, 0, 0x228);
				_v572 = 0x22c;
				_t24 = CreateToolhelp32Snapshot(2, 0); // executed
				_v16 = _t24;
				if(_v16 != 0xffffffff) {
					_push( &_v572);
					_t28 = Process32FirstW(_v16); // executed
					if(_t28 != 0) {
						while(_v564 != _a4) {
							if(Process32NextW(_v16,  &_v572) != 0) {
								continue;
							}
							goto L5;
						}
						_v12 = _v548;
					}
					L5:
					FindCloseChangeNotification(_v16); // executed
				}
				return E00C2669E(_v12, _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x00c1a4a9
0x00c1a4b0
0x00c1a4b6
0x00c1a4bd
0x00c1a4c4
0x00c1a4dc
0x00c1a4e4
0x00c1a4f2
0x00c1a4f7
0x00c1a4fe
0x00c1a506
0x00c1a50b
0x00c1a512
0x00c1a514
0x00c1a53c
0x00000000
0x00000000
0x00000000
0x00c1a53c
0x00c1a525
0x00c1a525
0x00c1a53e
0x00c1a542
0x00c1a542
0x00c1a55b

APIs

_memset.LIBCMT ref: 00C1A4DC
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C1A4F2
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00C1A50B
Process32NextW.KERNEL32(000000FF,0000022C), ref: 00C1A535
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,0000022C,00000002,00000000), ref: 00C1A542

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
String ID:
API String ID: 949835396-0
Opcode ID: 53efa1e3934707027d781ce72c19d334a6bebc75547127e8d693a0e3a83162d8
Instruction ID: 0746e9659c2d4715c9a1dba20badc158ad0875dd13d133e7b4af341a5d8cc271
Opcode Fuzzy Hash: 53efa1e3934707027d781ce72c19d334a6bebc75547127e8d693a0e3a83162d8
Instruction Fuzzy Hash: 5D114C71900218BBDB20EFA4E889BDDB7B8EF09310F104595F515A7281DB349B84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C27501 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00C27501(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0xc54dd0);
				_t8 = E00C286FC(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E00C28741(_t8);
				}
				if( *0xc5d59c != 3) {
					_push(_t24);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0xc5b6a8); // executed
					_t32 = _t8;
					if(_t8 == 0) {
						_t10 = E00C2AF2B(_t32);
						 *_t10 = E00C2AEE9(GetLastError());
					}
					goto L9;
				}
				E00C3135A(__ebx, __edi, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00C31488(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E00C314B8();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E00C27557();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x00c27501
0x00c27503
0x00c27508
0x00c2750d
0x00c27512
0x00c27589
0x00c2758e
0x00c2758e
0x00c2751b
0x00c27560
0x00c27561
0x00c27561
0x00c27569
0x00c2756f
0x00c27571
0x00c27573
0x00c27586
0x00c27588
0x00000000
0x00c27571
0x00c2751f
0x00c27525
0x00c2752a
0x00c27530
0x00c27535
0x00c27537
0x00c27538
0x00c27539
0x00c2753f
0x00c27540
0x00c27547
0x00c27550
0x00000000
0x00c27552
0x00c27552
0x00000000
0x00c27552

APIs

__lock.LIBCMT ref: 00C2751F

Part of subcall function 00C3135A: __mtinitlocknum.LIBCMT ref: 00C31370
Part of subcall function 00C3135A: __amsg_exit.LIBCMT ref: 00C3137C
Part of subcall function 00C3135A: EnterCriticalSection.KERNEL32(?,?,?,00C2F5A7,0000000D,00C55008,00000008,00C2842E,?,00000000), ref: 00C31384

___sbh_find_block.LIBCMT ref: 00C2752A
___sbh_free_block.LIBCMT ref: 00C27539
RtlFreeHeap.NTDLL(00000000,?,00C54DD0,0000000C,00C2F4ED,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C), ref: 00C27569
GetLastError.KERNEL32(?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375,?,?,?,00C2F5A7,0000000D), ref: 00C2757A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8c85585c45348c3401e4f79c98b52e6654a41e62b4583bc320d2f015d08c3fb0
Instruction ID: 50a6c3f59db84b8f28841764fdffe48df05595db5f50005d0425c8fe9c7ccf0d
Opcode Fuzzy Hash: 8c85585c45348c3401e4f79c98b52e6654a41e62b4583bc320d2f015d08c3fb0
Instruction Fuzzy Hash: 3401F971805326EFDF307FB1BC4AB5DBA64AF00721F244628F414A65D1DF748A80EA54

Uniqueness

Uniqueness Score: -1.00%

Function 00C209A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00C209A0(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void _v12;
				int _v16;
				int _v20;
				short _v540;
				int _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				int _t22;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t14 =  *0xc58320; // 0x96c0a7a
				_v8 = _t14 ^ _t32;
				_v12 = 1;
				_v16 = 4;
				_v20 = 4;
				E00C266B0(_t30,  &_v540, 0, 0x208);
				E00C213E0( &_v540, 0x104, L"jsflag_%d", _a4);
				_t22 = SHSetValueW(0x80000001, L"SOFTWARE\\KitTipCLSID",  &_v540, _v20,  &_v12, _v16); // executed
				_v544 = _t22;
				return E00C2669E(_t22, _t24, _v8 ^ _t32, _v20, _t30, _t31);
			}

0x00c209a9
0x00c209b0
0x00c209b6
0x00c209bd
0x00c209c4
0x00c209d9
0x00c209f6
0x00c20a1b
0x00c20a21
0x00c20a37

APIs

_memset.LIBCMT ref: 00C209D9
SHSetValueW.SHLWAPI(80000001,SOFTWARE\KitTipCLSID,?,00000004,00000001,00000004), ref: 00C20A1B

Strings

SOFTWARE\KitTipCLSID, xrefs: 00C20A11
jsflag_%d, xrefs: 00C209E5

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Value_memset
String ID: SOFTWARE\KitTipCLSID$jsflag_%d
API String ID: 806425143-1331931182
Opcode ID: acdfb75c894fc4fc1adc803b15b6ddd6c672cefb6006de7cc6233fc0769bddb9
Instruction ID: 26ca23c6b43a3d7a5fe19552b6dcf195ae21fb63009d00ba64e5e1d5a35cc540
Opcode Fuzzy Hash: acdfb75c894fc4fc1adc803b15b6ddd6c672cefb6006de7cc6233fc0769bddb9
Instruction Fuzzy Hash: DE0152B5A4021CABDB10DF94DC89FEEB7B8FB14704F004199BA05A7181DA716A44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C118A0 Relevance: 6.2, APIs: 4, Instructions: 190
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00C118A0(intOrPtr* __eax, void* __edi) {
				intOrPtr _t55;
				signed int _t58;
				long _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				int _t76;
				long _t85;
				void* _t88;
				union _LARGE_INTEGER _t89;
				signed int _t90;
				signed int _t99;
				void* _t106;
				intOrPtr* _t108;
				signed int _t110;
				intOrPtr* _t111;
				long _t112;
				void* _t113;

				_t106 = __edi;
				_t111 =  *((intOrPtr*)(_t113 + 0x38));
				_t88 = __eax + 0xccc;
				_t55 =  *__eax;
				 *(_t113 + 0x24) = _t88;
				 *((intOrPtr*)(_t113 + 0x20)) = _t55;
				__imp__GetFileSizeEx(_t55, _t111);
				if(_t55 != 0) {
					_t89 = 0;
					_t108 =  *((intOrPtr*)(_t113 + 0x34)) + 8;
					 *(_t113 + 0x28) = 0;
					 *(_t113 + 0x2c) = 0;
					 *((intOrPtr*)(_t113 + 0xc)) = 0;
					 *((intOrPtr*)(_t113 + 0x14)) = _t108;
					L3:
					while(1) {
						if( *((intOrPtr*)(_t113 + 0xc)) !=  *((intOrPtr*)(_t113 + 0x38))) {
							_t58 =  *((intOrPtr*)(_t108 - 8)) - _t89;
							_t90 =  *(_t108 - 4);
						} else {
							_t58 =  *_t111 - _t89;
							_t90 =  *(_t111 + 4);
						}
						asm("sbb ecx, edx");
						_t99 = (_t90 << 0x00000020 | _t58) >> 0xf;
						_t59 = _t58 & 0x00007fff;
						 *(_t113 + 0x10) = _t99;
						_t112 = _t59;
						if(_t59 != 0) {
							_t99 = _t99 + 1;
							 *(_t113 + 0x10) = _t99;
						} else {
							_t112 = 0x8000;
						}
						if(_t99 <= 0) {
							L20:
							if( *((intOrPtr*)(_t113 + 0xc)) >=  *((intOrPtr*)(_t113 + 0x38))) {
								L27:
								_t61 =  *((intOrPtr*)(_t113 + 0xc)) + 1;
								_t108 = _t108 + 0x18;
								 *((intOrPtr*)(_t113 + 0xc)) = _t61;
								 *((intOrPtr*)(_t113 + 0x14)) = _t108;
								if(_t61 >  *((intOrPtr*)(_t113 + 0x38))) {
									goto L32;
								} else {
									_t111 =  *((intOrPtr*)(_t113 + 0x3c));
									_t89 =  *(_t113 + 0x28);
									continue;
								}
							} else {
								_t63 =  *_t108;
								if(_t63 == 0) {
									L32:
									return 1;
								} else {
									if(E00C0EF40 == 0 ||  *((intOrPtr*)(_t108 + 4)) == 0) {
										L26:
										 *(_t113 + 0x28) =  *_t108 +  *((intOrPtr*)(_t108 - 8));
										asm("adc eax, ecx");
										 *(_t113 + 0x2c) =  *(_t108 - 4);
										goto L27;
									} else {
										if(_t63 > 0x8000) {
											E00C15590(8, 0xc53300);
											return 0;
										} else {
											E00C266B0(_t106, _t88, 0, _t63);
											_t113 = _t113 + 0xc;
											if(E00C0EF40(_t106, _t88,  *_t108) == 0) {
												E00C15590(0x11, 0xc53300);
												return 0;
											} else {
												goto L26;
											}
										}
									}
								}
							}
						} else {
							while(1) {
								_push(0);
								_t76 = SetFilePointerEx( *(_t113 + 0x18),  *(_t113 + 0x28),  *(_t113 + 0x2c), 0); // executed
								if(_t76 == 0 || ReadFile( *(_t113 + 0x18), _t88, _t112, _t113 + 0x24, 0) == 0) {
									goto L1;
								}
								if(_t112 !=  *((intOrPtr*)(_t113 + 0x20))) {
									E00C15590(1, 0xc53300);
									return 0;
								} else {
									if(E00C0EF40 != 0) {
										_t110 =  *(_t106 + 0x20) & 0x0000003f;
										_t85 = _t112;
										if(_t112 > 0) {
											do {
												 *((char*)(_t106 + _t110 + 0x28)) =  *_t88;
												_t110 = _t110 + 1;
												_t88 = _t88 + 1;
												 *(_t106 + 0x20) =  *(_t106 + 0x20) + 1;
												asm("adc dword [edi+0x24], 0x0");
												_t85 = _t85 - 1;
												 *(_t113 + 0x24) = _t85;
												if(_t110 == 0x40) {
													_t110 = 0;
													E00C13BD0(_t106);
													_t85 =  *(_t113 + 0x24);
												}
											} while (_t85 > 0);
										}
										_t108 =  *((intOrPtr*)(_t113 + 0x14));
										_t88 =  *(_t113 + 0x1c);
									}
									 *(_t113 + 0x28) =  *(_t113 + 0x28) + _t112;
									_t112 = 0x8000;
									asm("adc dword [esp+0x2c], 0x0");
									_t38 = _t113 + 0x10;
									 *_t38 =  *(_t113 + 0x10) - 1;
									if( *_t38 != 0) {
										continue;
									} else {
										goto L20;
									}
								}
								goto L33;
							}
							goto L1;
						}
						goto L33;
					}
				} else {
					L1:
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
				L33:
			}

0x00c118a0
0x00c118a5
0x00c118aa
0x00c118b0
0x00c118b4
0x00c118b8
0x00c118bc
0x00c118c4
0x00c118e7
0x00c118e9
0x00c118ec
0x00c118f0
0x00c118f4
0x00c118f8
0x00000000
0x00c11900
0x00c11908
0x00c11917
0x00c11919
0x00c1190a
0x00c1190d
0x00c1190f
0x00c1190f
0x00c1191c
0x00c11920
0x00c11927
0x00c1192c
0x00c11930
0x00c11932
0x00c1193b
0x00c1193c
0x00c11934
0x00c11934
0x00c11934
0x00c11942
0x00c119f0
0x00c119f8
0x00c11a48
0x00c11a4c
0x00c11a4d
0x00c11a50
0x00c11a54
0x00c11a5c
0x00000000
0x00c11a5e
0x00c11a5e
0x00c11a62
0x00000000
0x00c11a66
0x00c119fa
0x00c119fa
0x00c119fe
0x00c11ac2
0x00c11acb
0x00c11a04
0x00c11a0b
0x00c11a34
0x00c11a3b
0x00c11a42
0x00c11a44
0x00000000
0x00c11a13
0x00c11a18
0x00c11a94
0x00c11aa4
0x00c11a1a
0x00c11a1e
0x00c11a25
0x00c11a32
0x00c11aaf
0x00c11abf
0x00000000
0x00000000
0x00000000
0x00c11a32
0x00c11a18
0x00c11a0b
0x00c119fe
0x00c11948
0x00c11948
0x00c11954
0x00c1195b
0x00c11963
0x00000000
0x00000000
0x00c11989
0x00c11a79
0x00c11a89
0x00c1198f
0x00c11996
0x00c1199b
0x00c1199e
0x00c119a2
0x00c119a4
0x00c119a6
0x00c119aa
0x00c119ab
0x00c119ac
0x00c119b0
0x00c119b4
0x00c119b5
0x00c119bc
0x00c119c0
0x00c119c2
0x00c119c7
0x00c119c7
0x00c119cb
0x00c119a4
0x00c119cf
0x00c119d3
0x00c119d3
0x00c119d7
0x00c119db
0x00c119e0
0x00c119e5
0x00c119e5
0x00c119ea
0x00000000
0x00000000
0x00000000
0x00000000
0x00c119ea
0x00000000
0x00c11989
0x00000000
0x00c11948
0x00000000
0x00c11942
0x00c118c6
0x00c118c6
0x00c118d0
0x00c118e0
0x00c118e0
0x00000000

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00C128F8,?,00000000,?), ref: 00C118BC
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00C128F8,?,00000000,?), ref: 00C1195B
ReadFile.KERNEL32(?,?,00008000,?,00000000,?,?,?,?,?,00C128F8,?,00000000,?), ref: 00C11977
_memset.LIBCMT ref: 00C11A1E

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$PointerReadSize_memset
String ID:
API String ID: 1834740430-0
Opcode ID: 1e3d674197c27f41d38fee3f44b7a78e6df6dd7a1052d96e6336d14219dee417
Instruction ID: 35ac7f9ee971d4b8d11d78805f2653c3aa0ec50a246541c02b2a90fc1a25bcc2
Opcode Fuzzy Hash: 1e3d674197c27f41d38fee3f44b7a78e6df6dd7a1052d96e6336d14219dee417
Instruction Fuzzy Hash: 4B51A0716083009BD714DE29D8807ABB7E4FF89750F48492CFDA9D7240E638EA85AB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AB10 Relevance: 6.1, APIs: 4, Instructions: 87
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00C1AB10(intOrPtr* __ecx) {
				intOrPtr* _v8;
				struct HWND__* _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				struct HWND__* _v88;
				int _t31;
				void* _t38;
				int _t41;
				void* _t44;
				void* _t63;

				_v8 = __ecx;
				_v12 = 1;
				_v16 = 0;
				L1:
				while(1) {
					L1:
					while(1) {
						while(_v12 != 0) {
							_t41 = PeekMessageW(_v8 + 0x1c, 0, 0, 0, 0); // executed
							if(_t41 != 0) {
								break;
							}
							_v88 = _v16;
							_t44 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 4))))(_v88);
							_v16 =  &(_v16->i);
							if(_t44 == 0) {
								_v12 = 0;
							}
						}
						_t31 = GetMessageW(_v8 + 0x1c, 0, 0, 0); // executed
						_v20 = _t31;
						if(_v20 != 0xffffffff) {
							if(_v20 != 0) {
								_push(_v8 + 0x1c);
								if( *((intOrPtr*)( *((intOrPtr*)( *_v8))))() == 0) {
									TranslateMessage(_v8 + 0x1c);
									DispatchMessageW(_v8 + 0x1c); // executed
								}
								_t38 = E00C1AC10(_v8 + 0x1c);
								_t63 = _t63 + 4;
								if(_t38 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								continue;
							}
							return  *((intOrPtr*)(_v8 + 0x24));
						}
					}
				}
			}

0x00c1ab19
0x00c1ab1c
0x00c1ab23
0x00000000
0x00c1ab2a
0x00000000
0x00c1ab2a
0x00c1ab2a
0x00c1ab3f
0x00c1ab47
0x00000000
0x00000000
0x00c1ab4c
0x00c1ab5e
0x00c1ab66
0x00c1ab6b
0x00c1ab6d
0x00c1ab6d
0x00c1ab74
0x00c1ab83
0x00c1ab89
0x00c1ab90
0x00c1ab9a
0x00c1aba4
0x00c1abb3
0x00c1abbc
0x00c1abc9
0x00c1abc9
0x00c1abd6
0x00c1abdb
0x00c1abe0
0x00c1abe2
0x00c1abe9
0x00c1abe9
0x00000000
0x00c1abf0
0x00c1ac01
0x00c1ac01
0x00c1ab92
0x00c1ab2a

APIs

PeekMessageW.USER32 ref: 00C1AB3F
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00C1AB83

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CallbackDispatcherMessagePeekUser
String ID:
API String ID: 1705738138-0
Opcode ID: f0e5f834ec8657fdbc8d9dda96a64ccee714ca17f4aa7dd0836a458334cb9319
Instruction ID: d568976f70c858c3621e0a5ad98f04a866670008f305d38f342c2d2252ec9546
Opcode Fuzzy Hash: f0e5f834ec8657fdbc8d9dda96a64ccee714ca17f4aa7dd0836a458334cb9319
Instruction Fuzzy Hash: 8A314B74E05209EBDB10DF98C945B9EB7B9BF05304F208195E411A7392D7B4EF80EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C03170 Relevance: 6.1, APIs: 4, Instructions: 54
sleepCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00C03170(void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v4;
				char _v526;
				void* _v528;
				void* __ebx;
				signed int _t16;
				signed int _t23;
				signed short* _t25;
				intOrPtr _t26;
				signed int _t27;
				signed int _t34;
				signed int _t37;
				short _t38;
				intOrPtr _t41;
				signed int _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t35 = __edx;
				_t42 =  &_v528;
				_t16 =  *0xc58320; // 0x96c0a7a
				_v4 = _t16 ^ _t42;
				_t18 = 0;
				_t44 = __esi;
				if(__esi != 0) {
					_push(_t26);
					 *((short*)(__esi)) = 0;
					E00C29010(E00C28B45(__ecx, __edx, _t44, 0));
					Sleep(0xa); // executed
					_v528 = 0;
					E00C266B0(__edi,  &_v526, 0, 0x208);
					_t42 = _t42 + 0x14;
					_t27 = 0;
					do {
						_t23 = E00C29022(0);
						asm("cdq");
						_t37 = _t23 % 0x1a;
						if((_t27 & 0x00000001) != 0) {
							_t38 = _t37 + 0x41;
							__eflags = _t38;
						} else {
							_t38 = _t37 + 0x61;
						}
						 *((short*)(_t42 + 4 + _t27 * 2)) = _t38;
						_t27 = _t27 + 1;
					} while (_t27 < 0x10);
					_t25 =  &_v528;
					_t35 = _t41 - _t25;
					_pop(_t26);
					do {
						_t34 =  *_t25 & 0x0000ffff;
						 *(_t35 + _t25) = _t34;
						_t25 =  &(_t25[1]);
					} while (_t34 != 0);
					_t18 = 1;
				}
				return E00C2669E(_t18, _t26, _v4 ^ _t42, _t35, _t40, _t41);
			}

0x00c03170
0x00c03170
0x00c03170
0x00c03170
0x00c03176
0x00c0317d
0x00c03184
0x00c03186
0x00c03188
0x00c0318a
0x00c0318c
0x00c03195
0x00c0319f
0x00c031b2
0x00c031b7
0x00c031bc
0x00c031bf
0x00c031c1
0x00c031c1
0x00c031c6
0x00c031cc
0x00c031d1
0x00c031d8
0x00c031d8
0x00c031d3
0x00c031d3
0x00c031d3
0x00c031db
0x00c031e0
0x00c031e1
0x00c031e6
0x00c031ee
0x00c031f0
0x00c031f1
0x00c031f1
0x00c031f4
0x00c031f8
0x00c031fb
0x00c03200
0x00c03200
0x00c03219

APIs

__time64.LIBCMT ref: 00C0318F

Part of subcall function 00C28B45: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,769C4A70,00C03194,00000000,74D0FAA0), ref: 00C28B50
Part of subcall function 00C28B45: __aulldiv.LIBCMT ref: 00C28B70

Part of subcall function 00C29010: __getptd.LIBCMT ref: 00C29015

Sleep.KERNEL32(0000000A,?,74D0FAA0), ref: 00C0319F
_memset.LIBCMT ref: 00C031B7
_rand.LIBCMT ref: 00C031C1

Part of subcall function 00C29022: __getptd.LIBCMT ref: 00C29022

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Time__getptd$FileSleepSystem__aulldiv__time64_memset_rand
String ID:
API String ID: 3797240984-0
Opcode ID: 1bf5cc195262ef0d7682fb827faa39594e9898bb17dffc8680fcf4ae5480df8d
Instruction ID: d7a24fbc2751c322cb5362cce01a7ae137a24274a462d51c6058a42c648236cf
Opcode Fuzzy Hash: 1bf5cc195262ef0d7682fb827faa39594e9898bb17dffc8680fcf4ae5480df8d
Instruction Fuzzy Hash: B30145B5B053405BDB14AB38D85B76F72E4EF8D300F00882DF84787292FA74C9049352

Uniqueness

Uniqueness Score: -1.00%

Function 00C114A0 Relevance: 4.6, APIs: 3, Instructions: 114
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C114A0(long __ecx, void* __edx, void* __edi, void* __ebp, union _LARGE_INTEGER _a4, union _LARGE_INTEGER* _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v4;
				short _v10;
				short _v12;
				void _v16;
				long _v20;
				long* _v24;
				long _v28;
				long _v32;
				intOrPtr _v36;
				void* __ebx;
				void* __esi;
				signed int _t29;
				intOrPtr* _t31;
				int _t33;
				int _t35;
				long* _t39;
				long _t52;
				void* _t63;
				long _t64;
				union _LARGE_INTEGER* _t66;
				signed int _t67;

				_t63 = __edi;
				_t29 =  *0xc58320; // 0x96c0a7a
				_v4 = _t29 ^ _t67;
				_t31 = _a16;
				_t52 = 0;
				_t64 = __ecx;
				_v20 = __ecx;
				_v24 = _t31;
				_v32 = 0;
				if(_t31 != 0) {
					_v36 =  *_t31;
				} else {
					_v36 = 0xffffffff;
				}
				_t66 = _a8;
				_push(_t52);
				_t33 = SetFilePointerEx(_t63, _a4.LowPart, _t66, _t52); // executed
				if(_t33 != 0) {
					_t35 = ReadFile(_t63,  &_v16, 8,  &_v28, 0); // executed
					if(_t35 != 0) {
						if(_v28 == 8) {
							if(_a12 == _t52) {
								_t64 = _v16;
								if(_t64 <= _v36) {
									_t62 = _a4.LowPart;
									_t52 = 0;
									_push(0);
									if(SetFilePointerEx(_t63, _a4.LowPart, _t66, 0) != 0) {
										_t62 = _t63;
										if(E00C10690(_t63, _t64) != 0) {
											_t52 = _v16;
											goto L19;
										}
									} else {
										E00C152E0(0xc53300, 0xc53300);
										_t67 = _t67 + 4;
									}
								} else {
									_t52 = _t64;
									goto L11;
								}
							} else {
								_t52 = 8;
								if(_v36 >= 8) {
									_t62 = _v12;
									 *_t64 = _v16;
									 *((short*)(_t64 + 4)) = _v12;
									 *((short*)(_t64 + 6)) = _v10;
									L19:
									_v32 = 1;
								} else {
									L11:
									E00C15590(5, 0xc53300);
									_t67 = _t67 + 4;
								}
							}
						} else {
							E00C15590(1, 0xc53300);
							_t67 = _t67 + 4;
						}
					} else {
						E00C152E0(0xc53300, 0xc53300);
						_t67 = _t67 + 4;
					}
				} else {
					E00C152E0(0xc53300, 0xc53300);
					_t67 = _t67 + 4;
				}
				_t39 = _v24;
				if(_t39 != 0) {
					 *_t39 = _t52;
				}
				return E00C2669E(_v32, _t52, _v4 ^ _t67, _t62, _t63, _t64);
			}

0x00c114a0
0x00c114a3
0x00c114aa
0x00c114ae
0x00c114b4
0x00c114b7
0x00c114b9
0x00c114bd
0x00c114c1
0x00c114c7
0x00c114d5
0x00c114c9
0x00c114c9
0x00c114c9
0x00c114d9
0x00c114e1
0x00c114e6
0x00c114ee
0x00c11516
0x00c1151e
0x00c11540
0x00c1155d
0x00c11595
0x00c1159d
0x00c115a3
0x00c115a7
0x00c115a9
0x00c115b6
0x00c115d0
0x00c115d9
0x00c115db
0x00000000
0x00c115db
0x00c115b8
0x00c115c2
0x00c115c7
0x00c115c7
0x00c1159f
0x00c1159f
0x00000000
0x00c1159f
0x00c1155f
0x00c1155f
0x00c11565
0x00c1157f
0x00c11584
0x00c1158b
0x00c1158f
0x00c115df
0x00c115df
0x00c11567
0x00c11567
0x00c11571
0x00c11576
0x00c11576
0x00c11565
0x00c11542
0x00c1154c
0x00c11551
0x00c11551
0x00c11520
0x00c1152a
0x00c1152f
0x00c1152f
0x00c114f0
0x00c114fa
0x00c114ff
0x00c114ff
0x00c115e7
0x00c115ed
0x00c115ef
0x00c115ef
0x00c11606

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,000000CC,?,?,?,?,?,00C11F50,?,?), ref: 00C114E6
ReadFile.KERNEL32(?,?,00000008,?,00000000,?,?,?,?,?,00C11F50,?,?,00000001,00000000), ref: 00C11516

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 03863fec01e36401db8a7b1b0711eed2f82e87a5a74214c8856733dce028d42d
Instruction ID: 10548effe8993a2a4df6ec543586241142eef4e7ef4236c57014b3b0b87028dc
Opcode Fuzzy Hash: 03863fec01e36401db8a7b1b0711eed2f82e87a5a74214c8856733dce028d42d
Instruction Fuzzy Hash: ED41CF746087419BD300DF519880AAFB6E9FBCA748F04082DF99787250E778DE85AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00C0F900 Relevance: 4.5, APIs: 3, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00C0F900(WCHAR* __eax, long* __edi, void* __ebp, intOrPtr _a4) {
				void* __ecx;
				void* _t3;
				void* _t4;
				void* _t15;

				_t3 = CreateFileW(__eax, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t15 = _t3;
				if(_t15 != 0xffffffff) {
					_push(0);
					_push(__edi);
					_push(_a4);
					_t4 = E00C0F9F0(_t15, __eflags);
					_push(_t15);
					__eflags = _t4;
					if(_t4 != 0) {
						FindCloseChangeNotification(); // executed
						return 1;
					} else {
						CloseHandle();
						__eflags = 0;
						return 0; // executed
					}
				} else {
					if(__edi != 0) {
						 *__edi = 1;
					}
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
			}

0x00c0f915
0x00c0f91b
0x00c0f920
0x00c0f947
0x00c0f949
0x00c0f94a
0x00c0f94d
0x00c0f955
0x00c0f956
0x00c0f958
0x00c0f965
0x00c0f972
0x00c0f95a
0x00c0f95a
0x00c0f960
0x00c0f964
0x00c0f964
0x00c0f922
0x00c0f924
0x00c0f926
0x00c0f926
0x00c0f936
0x00c0f942
0x00c0f942

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00C0271D,?), ref: 00C0F915
CloseHandle.KERNEL32(00000000), ref: 00C0F95A
FindCloseChangeNotification.KERNEL32(00000000), ref: 00C0F965

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Close$ChangeCreateFileFindHandleNotification
String ID:
API String ID: 1406203172-0
Opcode ID: 0532cd2dafaa1aac5126171f0739e379eab3093c64347e8505bca6eb2c3d8e95
Instruction ID: 2999dbcd284873dfb572c5992751265e0e18e808e93bd7574e92d940076dd68e
Opcode Fuzzy Hash: 0532cd2dafaa1aac5126171f0739e379eab3093c64347e8505bca6eb2c3d8e95
Instruction Fuzzy Hash: D4F0E9BA74021076FA302774BC0AF9F6648EB45B72F21013CFA22E65C1EAA4558192A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A750 Relevance: 4.5, APIs: 3, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C1A750(void** __ecx) {
				void** _v8;
				void* _t15;

				_v8 = __ecx;
				_t15 = CreateMutexA(0, 0,  &(_v8[2])); // executed
				 *_v8 = _t15;
				_v8[1] = GetLastError();
				if(_v8[1] == 0xb7 || _v8[1] == 5) {
					if( *_v8 != 0) {
						CloseHandle( *_v8);
						 *_v8 = 0;
					}
					return 0;
				} else {
					return 1;
				}
			}

0x00c1a759
0x00c1a767
0x00c1a770
0x00c1a77b
0x00c1a788
0x00c1a799
0x00c1a7a1
0x00c1a7aa
0x00c1a7aa
0x00000000
0x00c1a7b4
0x00000000
0x00c1a7b4

APIs

CreateMutexA.KERNEL32(00000000,00000000,-00000008), ref: 00C1A767
GetLastError.KERNEL32 ref: 00C1A772
CloseHandle.KERNEL32(00000000), ref: 00C1A7A1

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: d0d156d3aa6ff8a6346223ae3ec40a1c07eb59ab3a7bf2a77ecc504933641982
Instruction ID: e734169feda5b1f77c25772f212846c05d5d2322201ce61c8e37d233a2f321a2
Opcode Fuzzy Hash: d0d156d3aa6ff8a6346223ae3ec40a1c07eb59ab3a7bf2a77ecc504933641982
Instruction Fuzzy Hash: 3F012C78A01204EFDB10CF98DA49B9DB7F5FB46315F104095E80597390C7759F41EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C275AA Relevance: 4.5, APIs: 3, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00C275AA(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, signed int _a8) {
				intOrPtr _v0;
				signed int _v8;
				char _v16;
				void* __ebp;
				void* _t17;
				signed int _t18;
				signed int _t23;
				signed int _t26;
				intOrPtr* _t28;
				void* _t32;
				signed int _t33;
				signed int _t39;
				signed int _t46;
				void* _t48;
				signed int _t49;
				signed int _t52;

				_t48 = __edi;
				_t32 = __ebx;
				while(1) {
					_t17 = E00C27A03(_t32, _t46, _t48, _a4); // executed
					if(_t17 != 0) {
						break;
					}
					_t18 = E00C32407(_a4);
					__eflags = _t18;
					if(_t18 == 0) {
						__eflags =  *0xc5b2dc & 0x00000001;
						if(( *0xc5b2dc & 0x00000001) == 0) {
							 *0xc5b2dc =  *0xc5b2dc | 0x00000001;
							__eflags =  *0xc5b2dc;
							E00C2758F(0xc5b2d0);
							E00C273C4( *0xc5b2dc, 0xc4d65c);
						}
						E00C04FB0( &_v16, 0xc5b2d0);
						E00C291AE( &_v16, 0xc55968);
						asm("int3");
						_t39 = _v8;
						_push(_t32);
						_t33 = 0;
						__eflags = _t39;
						if(_t39 <= 0) {
							L10:
							_push(0xc5b2d0);
							_push(_t48);
							_t52 = _t39 * _a8;
							__eflags = _v0 - _t33;
							if(__eflags != 0) {
								_push(_v0);
								_t33 = E00C30C81(_t33, _t46, _t48, _t52, __eflags);
							}
							_push(_t52);
							_push(_v0);
							_t49 = E00C3242F(_t33, _t46, _t48, _t52, __eflags);
							__eflags = _t49;
							if(_t49 != 0) {
								__eflags = _t33 - _t52;
								if(_t33 < _t52) {
									_t35 = _t33 + _t49;
									__eflags = _t33 + _t49;
									E00C266B0(_t49, _t35, 0, _t52 - _t33);
								}
							}
							_t23 = _t49;
						} else {
							_t26 = 0xffffffe0;
							_t46 = _t26 % _t39;
							__eflags = _t26 / _t39 - _a8;
							if(__eflags >= 0) {
								goto L10;
							} else {
								_t28 = E00C2AF2B(__eflags);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								 *_t28 = 0xc;
								E00C28FCF(_t46, _t48, 0xc5b2d0);
								_t23 = 0;
							}
						}
						return _t23;
					} else {
						continue;
					}
					L17:
				}
				return _t17;
				goto L17;
			}

0x00c275aa
0x00c275aa
0x00c275c1
0x00c275c4
0x00c275cc
0x00000000
0x00000000
0x00c275b7
0x00c275bd
0x00c275bf
0x00c275d0
0x00c275dc
0x00c275de
0x00c275de
0x00c275e7
0x00c275f1
0x00c275f6
0x00c275fb
0x00c27609
0x00c2760e
0x00c27614
0x00c27617
0x00c27618
0x00c2761a
0x00c2761c
0x00c27646
0x00c2764a
0x00c2764b
0x00c2764c
0x00c2764e
0x00c27651
0x00c27653
0x00c2765c
0x00c2765c
0x00c2765e
0x00c2765f
0x00c27667
0x00c2766b
0x00c2766d
0x00c2766f
0x00c27671
0x00c27678
0x00c27678
0x00c2767b
0x00c27680
0x00c27671
0x00c27683
0x00c2761e
0x00c27622
0x00c27623
0x00c27625
0x00c27628
0x00000000
0x00c2762a
0x00c2762a
0x00c2762f
0x00c27630
0x00c27631
0x00c27632
0x00c27633
0x00c27634
0x00c2763a
0x00c27642
0x00c27642
0x00c27628
0x00c27689
0x00000000
0x00000000
0x00000000
0x00000000
0x00c275bf
0x00c275cf
0x00000000

APIs

_malloc.LIBCMT ref: 00C275C4

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

std::bad_alloc::bad_alloc.LIBCMT ref: 00C275E7

Part of subcall function 00C2758F: std::exception::exception.LIBCMT ref: 00C2759B

__CxxThrowException@8.LIBCMT ref: 00C27609

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3715980512-0
Opcode ID: 3146e3e9962e02772ace8ca2715f5b14a16f4f2a080555ca754a4d501b0b0a04
Instruction ID: 2da785e3b6db55481a8d827f228dd42f0528c1c9ecdadfcef42e07c15db8aeed
Opcode Fuzzy Hash: 3146e3e9962e02772ace8ca2715f5b14a16f4f2a080555ca754a4d501b0b0a04
Instruction Fuzzy Hash: 48F0E23540C3296ACF04B761FC46A9DBF944B01324F004138FC14658D1DF609F86EA51

Uniqueness

Uniqueness Score: -1.00%

Function 00C10C10 Relevance: 3.2, APIs: 2, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C10C10(void** __edi, union _LARGE_INTEGER _a4, union _LARGE_INTEGER* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				void* _v24;
				void* __ebx;
				void* __esi;
				void* _t72;
				signed int _t74;
				void* _t77;
				void* _t78;
				int _t79;
				signed int _t83;
				void* _t88;
				int _t89;
				signed int _t90;
				union _LARGE_INTEGER _t109;
				void* _t114;
				void* _t115;
				signed int _t116;
				void* _t126;
				void* _t129;
				void** _t146;
				union _LARGE_INTEGER* _t149;
				void* _t150;
				signed int _t155;
				void* _t157;
				signed int _t160;
				void* _t161;
				void** _t163;
				void* _t169;

				_t146 = __edi;
				_t163 =  &_v24;
				_t129 = __edi[6];
				_t109 = _a4;
				_t160 = _a16;
				_t72 = _t160 + _t109;
				asm("adc ecx, [esp+0x28]");
				_v20 = 0;
				__edi[3] = 0;
				__edi[2] = _t72;
				_v24 = _t72;
				asm("adc eax, [edi+0x14]");
				_v8 = _t129 + __edi[4];
				_v16 = __edi[8];
				_t114 = __edi[9];
				_t169 = _v20 - _t114;
				_v12 = _t114;
				if(_t169 < 0 || _t169 <= 0 && _v24 <= _v16) {
					_t115 = _t146[5];
					_t149 = _a8;
					__eflags = _t149 - _t115;
					if(__eflags > 0) {
						L14:
						__eflags = _t149;
						if(__eflags > 0) {
							goto L22;
						} else {
							if(__eflags < 0) {
								L17:
								__eflags = _v20;
								if(__eflags > 0) {
									L21:
									_t97 = _t109 - _t146[4];
									_t157 = _t129 - _t109 - _t146[4];
									E00C2F920(_t109, _t146, _t157, _a12, _t146[0xa] + _t97, _t157);
									_a12 = _a12 + _t157;
									_t163 =  &(_t163[3]);
									_t109 = _t109 + _t157;
									asm("adc dword [esp+0x2c], 0x0");
									_t160 = _t160 - _t157;
									__eflags = _t160;
									_t149 = _a8;
									goto L22;
								} else {
									if(__eflags < 0) {
										L20:
										_t143 = _t146[0xa] - _t146[4] + _t109;
										__eflags = _t146[0xa] - _t146[4] + _t109;
										E00C2F920(_t109, _t146, _t149, _a12, _t143, _t160);
										return 1;
									} else {
										__eflags = _v24 - _v8;
										if(_v24 > _v8) {
											goto L21;
										} else {
											goto L20;
										}
									}
								}
							} else {
								__eflags = _t109 - _v8;
								if(_t109 >= _v8) {
									goto L22;
								} else {
									goto L17;
								}
							}
						}
					} else {
						if(__eflags < 0) {
							L7:
							__eflags = _v20 - _t115;
							if(__eflags >= 0) {
								_t126 = _v24;
								if(__eflags > 0) {
									L10:
									__eflags = _v20;
									if(__eflags <= 0) {
										if(__eflags < 0) {
											L13:
											_t102 = _t146[4];
											_t160 = _t146[4] - _t109;
											E00C2F920(_t109, _t146, _t149, _a12 + _t160, _t146[0xa], _t126 - _t102);
											_t163 =  &(_t163[3]);
										} else {
											__eflags = _t126 - _v8;
											if(_t126 <= _v8) {
												goto L13;
											}
										}
									}
								} else {
									__eflags = _t126 - _t146[4];
									if(_t126 > _t146[4]) {
										goto L10;
									}
								}
							}
							L22:
							_t116 = _t146[0xb];
							_t74 = _t160;
							__eflags = _t74 / _t116;
							if(_t74 / _t116 == 0) {
								_t77 = _v16 - _t109;
								asm("sbb ecx, esi");
								__eflags = _v12;
								if(__eflags >= 0) {
									if(__eflags > 0) {
										L30:
										_t77 = _t146[0xb];
									} else {
										__eflags = _t77 - _t146[0xb];
										if(_t77 >= _t146[0xb]) {
											goto L30;
										}
									}
								}
								_push(0);
								_t146[6] = _t77;
								_t150 = _t77;
								_t78 =  *_t146;
								_a16 = _t146[0xa];
								_v24 = _t78;
								_t79 = SetFilePointerEx(_t78, _t109, _a8, 0); // executed
								__eflags = _t79;
								if(_t79 == 0) {
									goto L24;
								} else {
									_t83 = E00C10690(_v24, _t150);
									__eflags = _t83;
									if(_t83 != 0) {
										_t146[4] = _t109;
										_t146[5] = _a8;
										E00C2F920(_t109, _t146, _t150, _a12, _t146[0xa], _t160);
										return 1;
									} else {
										goto L33;
									}
								}
							} else {
								_t88 =  *_t146;
								_push(0);
								_a16 = _t88;
								_t89 = SetFilePointerEx(_t88, _t109, _t149, 0);
								__eflags = _t89;
								if(_t89 != 0) {
									_t90 = E00C10690(_a16, _t160);
									__eflags = _t90;
									if(_t90 == 0) {
										L33:
										__eflags = 0;
										return 0;
									} else {
										_t155 = _t146[0xb];
										_t161 = _t160 - _t155;
										asm("adc ecx, [esp+0x2c]");
										_t138 = _a12 + _t161;
										__eflags = _a12 + _t161;
										_t146[4].LowPart = _t161 + _t109;
										_t146[5] = 0;
										E00C2F920(_t109, _t146, _t155, _t146[0xa], _t138, _t155);
										_t146[6] = _t155;
										return 1;
									}
								} else {
									L24:
									E00C152E0(0xc53300, 0xc53300);
									__eflags = 0;
									return 0;
								}
							}
						} else {
							__eflags = _t109 - _t146[4].LowPart;
							if(_t109 >= _t146[4].LowPart) {
								goto L14;
							} else {
								goto L7;
							}
						}
					}
				} else {
					E00C15590(1, 0xc53300);
					return 0;
				}
			}

0x00c10c10
0x00c10c10
0x00c10c13
0x00c10c17
0x00c10c1c
0x00c10c22
0x00c10c29
0x00c10c31
0x00c10c35
0x00c10c38
0x00c10c3b
0x00c10c45
0x00c10c48
0x00c10c4f
0x00c10c53
0x00c10c56
0x00c10c5a
0x00c10c5e
0x00c10c87
0x00c10c8a
0x00c10c8e
0x00c10c90
0x00c10ce9
0x00c10ce9
0x00c10ceb
0x00000000
0x00c10ced
0x00c10ced
0x00c10cf5
0x00c10cf5
0x00c10cf9
0x00c10d2a
0x00c10d2f
0x00c10d34
0x00c10d3f
0x00c10d44
0x00c10d48
0x00c10d4b
0x00c10d4d
0x00c10d52
0x00c10d52
0x00c10d54
0x00000000
0x00c10cfb
0x00c10cfb
0x00c10d07
0x00c10d12
0x00c10d12
0x00c10d16
0x00c10d29
0x00c10cfd
0x00c10d01
0x00c10d05
0x00000000
0x00000000
0x00000000
0x00000000
0x00c10d05
0x00c10cfb
0x00c10cef
0x00c10cef
0x00c10cf3
0x00000000
0x00000000
0x00000000
0x00000000
0x00c10cf3
0x00c10ced
0x00c10c92
0x00c10c92
0x00c10c99
0x00c10c99
0x00c10c9d
0x00c10ca3
0x00c10ca7
0x00c10cb4
0x00c10cb4
0x00c10cb8
0x00c10cbe
0x00c10cca
0x00c10cca
0x00c10cd9
0x00c10cdf
0x00c10ce4
0x00c10cc0
0x00c10cc0
0x00c10cc4
0x00000000
0x00000000
0x00c10cc4
0x00c10cbe
0x00c10ca9
0x00c10cac
0x00c10cae
0x00000000
0x00000000
0x00c10cae
0x00c10ca7
0x00c10d58
0x00c10d58
0x00c10d5d
0x00c10d61
0x00c10d63
0x00c10df2
0x00c10df4
0x00c10df8
0x00c10dfa
0x00c10dfc
0x00c10e03
0x00c10e03
0x00c10dfe
0x00c10dfe
0x00c10e01
0x00000000
0x00000000
0x00c10e01
0x00c10dfc
0x00c10e0d
0x00c10e12
0x00c10e15
0x00c10e17
0x00c10e1b
0x00c10e1f
0x00c10e23
0x00c10e29
0x00c10e2b
0x00000000
0x00c10e31
0x00c10e39
0x00c10e3e
0x00c10e40
0x00c10e59
0x00c10e5c
0x00c10e5f
0x00c10e72
0x00000000
0x00000000
0x00000000
0x00c10e40
0x00c10d69
0x00c10d69
0x00c10d6b
0x00c10d72
0x00c10d76
0x00c10d7c
0x00c10d7e
0x00c10da5
0x00c10daa
0x00c10dac
0x00c10e42
0x00c10e42
0x00c10e4a
0x00c10db2
0x00c10db2
0x00c10db9
0x00c10dc1
0x00c10dc6
0x00c10dc6
0x00c10dc8
0x00c10dd0
0x00c10dd3
0x00c10dd8
0x00c10de9
0x00c10de9
0x00c10d80
0x00c10d80
0x00c10d8a
0x00c10d92
0x00c10d9a
0x00c10d9a
0x00c10d7e
0x00c10c94
0x00c10c94
0x00c10c97
0x00000000
0x00000000
0x00000000
0x00000000
0x00c10c97
0x00c10c92
0x00c10c6c
0x00c10c76
0x00c10c86
0x00c10c86

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000CCC,?,00C10F1E,00000000,00000000,00000CCC,00000040), ref: 00C10D76

Part of subcall function 00C10690: ReadFile.KERNEL32(?,?,?,00C10E3E,00000000,?,00C10E3E,?,00C10F1E,00000000,00000000,00000CCC,00000040), ref: 00C1069B

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 51c6dd473b72d1865246196e31c6ea7b9b3241b98591bb574b80e76df851edaa
Instruction ID: 9d05525daf15a6d7a622e1f05d98ae6676e2803227008942c2728529e87da9d2
Opcode Fuzzy Hash: 51c6dd473b72d1865246196e31c6ea7b9b3241b98591bb574b80e76df851edaa
Instruction Fuzzy Hash: C4717A71604702AFC704EF68E881A9AB3E5FB89310F644A2DF85883700E774F9D59BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00C11E90 Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C11E90(void* __eflags, signed int _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t44;
				void* _t51;
				intOrPtr* _t56;
				void* _t62;
				void* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				void* _t69;
				void* _t70;

				_t34 = E00C27A03(_t56, _t62, _t64, 0x8cd8); // executed
				_t66 = _t34;
				_t65 = 0;
				_t69 =  &_v8 + 4;
				if(_t66 != 0) {
					_t2 = _t66 + 4; // 0x4
					_t63 = _t2;
					_t3 = _t66 + 0xccc; // 0xccc
					_push(_t2);
					 *_t66 = _a4;
					 *((intOrPtr*)(_t66 + 0xc4)) = 0;
					 *((intOrPtr*)(_t66 + 0xc8)) = 0;
					_t36 = E00C10E80(_t3, _a4, _t2, __eflags);
					_t70 = _t69 + 4;
					__eflags = _t36;
					if(__eflags == 0) {
						L16:
						_push(_t66);
						E00C27501(_t56, _t63, _t65, _t66, __eflags);
						__eflags = 0;
						return 0;
					} else {
						_t39 =  *((intOrPtr*)(_t66 + 0x10));
						__eflags = _t39;
						if(_t39 == 0) {
							L17:
							 *((intOrPtr*)(_t66 + 0x10)) = _t65;
							 *((intOrPtr*)(_t66 + 0x18)) = _t65;
							goto L18;
						} else {
							__eflags =  *((intOrPtr*)(_t66 + 0x18));
							if( *((intOrPtr*)(_t66 + 0x18)) == 0) {
								goto L17;
							} else {
								_t67 = 0;
								__eflags =  *((intOrPtr*)(_t66 + 0xc4)) - 0x100;
								_v8 = _t39;
								_v4 = 0;
								_t11 = _t66 + 0xcc; // 0xcc
								_t56 = _t11;
								if( *((intOrPtr*)(_t66 + 0xc4)) >= 0x100) {
									L13:
									_t41 = 0x10;
									goto L15;
								} else {
									while(1) {
										_t65 = _a4;
										_t15 = _t66 + 0xccc; // 0xccc
										_t44 = E00C114A0(_t15, _t63, _a4, _t67, _v8, _v4, 1, _a4);
										_t70 = _t70 + 0x10;
										__eflags = _t44;
										if(__eflags == 0) {
											goto L16;
										}
										 *_t56 = _t67;
										_t63 =  *((intOrPtr*)(_t66 + 0xccc));
										 *((intOrPtr*)(_t56 + 4)) =  *((intOrPtr*)(_t66 + 0xccc));
										 *((short*)(_t56 + 8)) =  *((intOrPtr*)(_t66 + 0xcd2));
										__eflags =  *((intOrPtr*)(_t66 + 0xc8)) - 0xffff;
										if( *((intOrPtr*)(_t66 + 0xc8)) > 0xffff) {
											goto L13;
										} else {
											 *((short*)(_t56 + 0xa)) =  *((intOrPtr*)(_t66 + 0xc8));
											 *((intOrPtr*)(_t66 + 0xc8)) =  *((intOrPtr*)(_t66 + 0xc8)) + 1;
											_t51 = ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3) + ( *((intOrPtr*)(_t66 + 0xccc)) + 7 >> 3);
											_v8 = _v8 + _t51;
											asm("adc dword [esp+0x14], 0x0");
											 *((intOrPtr*)(_t66 + 0xc4)) =  *((intOrPtr*)(_t66 + 0xc4)) + 1;
											_t67 = _t67 + _t51;
											_t56 = _t56 + 0xc;
											__eflags = _t67 -  *((intOrPtr*)(_t66 + 0x18));
											if(__eflags == 0) {
												L18:
												return _t66;
											} else {
												if(__eflags > 0) {
													_t41 = 1;
													L15:
													E00C15590(_t41, 0xc53300);
													_t70 = _t70 + 4;
													goto L16;
												} else {
													__eflags =  *((intOrPtr*)(_t66 + 0xc4)) - 0x100;
													if( *((intOrPtr*)(_t66 + 0xc4)) < 0x100) {
														_t65 = 0;
														__eflags = 0;
														continue;
													} else {
														goto L13;
													}
												}
											}
										}
										goto L19;
									}
									goto L16;
								}
							}
						}
					}
				} else {
					SetLastError(8);
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
				L19:
			}

0x00c11e9c
0x00c11ea1
0x00c11ea3
0x00c11ea5
0x00c11eaa
0x00c11ed4
0x00c11ed4
0x00c11ed7
0x00c11edd
0x00c11ede
0x00c11ee0
0x00c11ee6
0x00c11eec
0x00c11ef1
0x00c11ef4
0x00c11ef6
0x00c11fe8
0x00c11fe8
0x00c11fe9
0x00c11ff1
0x00c11ffa
0x00c11efc
0x00c11efc
0x00c11eff
0x00c11f01
0x00c11ffb
0x00c11ffb
0x00c11ffe
0x00000000
0x00c11f07
0x00c11f07
0x00c11f0a
0x00000000
0x00c11f10
0x00c11f10
0x00c11f12
0x00c11f1c
0x00c11f20
0x00c11f24
0x00c11f24
0x00c11f2a
0x00c11fd2
0x00c11fd2
0x00000000
0x00c11f30
0x00c11f34
0x00c11f3d
0x00c11f45
0x00c11f4b
0x00c11f50
0x00c11f53
0x00c11f55
0x00000000
0x00000000
0x00c11f5b
0x00c11f5d
0x00c11f63
0x00c11f6d
0x00c11f71
0x00c11f7b
0x00000000
0x00c11f7d
0x00c11f84
0x00c11f8d
0x00c11fa3
0x00c11fa5
0x00c11fa9
0x00c11fae
0x00c11fb4
0x00c11fb9
0x00c11fbc
0x00c11fbe
0x00c12002
0x00c1200a
0x00c11fc0
0x00c11fc0
0x00c11fd9
0x00c11fdb
0x00c11fe0
0x00c11fe5
0x00000000
0x00c11fc2
0x00c11fc2
0x00c11fcc
0x00c11f32
0x00c11f32
0x00000000
0x00000000
0x00000000
0x00000000
0x00c11fcc
0x00c11fc0
0x00c11fbe
0x00000000
0x00c11f7b
0x00000000
0x00c11f34
0x00c11f2a
0x00c11f0a
0x00c11f01
0x00c11eac
0x00c11eae
0x00c11ebe
0x00c11ecf
0x00c11ecf
0x00000000

APIs

_malloc.LIBCMT ref: 00C11E9C

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

SetLastError.KERNEL32(00000008,00000000,00C0FAB0,00000000,00002000,00000000,?,?), ref: 00C11EAE

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AllocateErrorHeapLast_malloc
String ID:
API String ID: 3224363687-0
Opcode ID: c5128f6969b9c2d06b60e979ecbb62228c90a788f167059296d0d098cc3d5c4e
Instruction ID: 98eba6bc7c9f952b772178a4d4ac5215eda1193f4135d5dc567034d9de13c3b1
Opcode Fuzzy Hash: c5128f6969b9c2d06b60e979ecbb62228c90a788f167059296d0d098cc3d5c4e
Instruction Fuzzy Hash: 2141947560570187E720DF65EC41BD7F3E0FF81711F084A2EE99A83240E779A989D792

Uniqueness

Uniqueness Score: -1.00%

Function 00C12340 Relevance: 3.1, APIs: 2, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C12340(void** __eax, union _LARGE_INTEGER* _a4) {
				union _LARGE_INTEGER* _v0;
				union _LARGE_INTEGER* _v4;
				void* _v8;
				union _LARGE_INTEGER* _v12;
				intOrPtr _v16;
				void* __esi;
				intOrPtr _t14;
				union _LARGE_INTEGER* _t16;
				int _t18;
				union _LARGE_INTEGER* _t19;
				union _LARGE_INTEGER* _t21;
				union _LARGE_INTEGER* _t22;
				union _LARGE_INTEGER _t32;
				intOrPtr _t34;
				intOrPtr _t40;
				union _LARGE_INTEGER* _t41;
				void** _t42;

				_t42 = __eax;
				_t14 =  *((intOrPtr*)(__eax));
				_t40 =  *((intOrPtr*)(__eax + 0x18));
				_v8 = 0;
				_v4 = 0;
				__imp__GetFileSizeEx(_t14,  &_v8);
				if(_t14 != 0) {
					_t34 =  *((intOrPtr*)(__eax + 0xb4));
					_t41 = _v12;
					asm("sbb edi, edx");
					_t32 = _v16 - _t40 - 0x298;
					asm("sbb edi, ebp");
					__eflags = _t41;
					if(__eflags < 0) {
						L13:
						_t16 = _a4;
						__eflags = _t16;
						if(_t16 != 0) {
							__eflags = 0;
							_t16->LowPart = 0;
						}
						goto L15;
					} else {
						if(__eflags > 0) {
							L5:
							_t45 =  *_t42;
							_push(0);
							_t18 = SetFilePointerEx( *_t42, _t32, _t41, 0); // executed
							__eflags = _t18;
							if(_t18 != 0) {
								_t19 = E00C10690(_t45, 0x298);
								__eflags = _t19;
								if(_t19 == 0) {
									goto L7;
								} else {
									_t21 = _v0;
									__eflags = _t21;
									if(_t21 != 0) {
										 *_t21 = _t32;
										_t21->LowPart.HighPart = _t41;
									}
									_t22 = _a4;
									__eflags = _t22;
									if(_t22 == 0) {
										L15:
										return 1;
									} else {
										_t22->LowPart = 1;
										return 1;
									}
								}
							} else {
								E00C152E0(0xc53300, 0xc53300);
								L7:
								__eflags = 0;
								return 0;
							}
						} else {
							__eflags = _t32 - _t34;
							if(_t32 < _t34) {
								goto L13;
							} else {
								goto L5;
							}
						}
					}
				} else {
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
			}

0x00c12347
0x00c12349
0x00c1234b
0x00c12358
0x00c1235c
0x00c12360
0x00c12368
0x00c1238a
0x00c12394
0x00c12398
0x00c1239a
0x00c123a0
0x00c123a4
0x00c123a6
0x00c12418
0x00c12418
0x00c1241c
0x00c1241e
0x00c12420
0x00c12422
0x00c12422
0x00000000
0x00c123a8
0x00c123a8
0x00c123ae
0x00c123ae
0x00c123b0
0x00c123b7
0x00c123bd
0x00c123bf
0x00c123e8
0x00c123ed
0x00c123ef
0x00000000
0x00c123f1
0x00c123f1
0x00c123f5
0x00c123f7
0x00c123f9
0x00c123fb
0x00c123fb
0x00c123fe
0x00c12402
0x00c12404
0x00c12428
0x00c12431
0x00c12406
0x00c1240b
0x00c12417
0x00c12417
0x00c12404
0x00c123c1
0x00c123cb
0x00c123d3
0x00c123d3
0x00c123dc
0x00c123dc
0x00c123aa
0x00c123aa
0x00c123ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00c123ac
0x00c123a8
0x00c1236a
0x00c12374
0x00c12385
0x00c12385

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000003,00000003,?,?,?,?,00002000,00000000,?,?), ref: 00C12360
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,00002000,00000000,?,?), ref: 00C123B7

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$PointerSize
String ID:
API String ID: 3549600656-0
Opcode ID: 94020de46b6af9abf216d0d117d0e874395854e84ca06a2ad3d60acb4ef2753e
Instruction ID: 339d31ccfd80acb261ce7e8da197e8f8ae338a26b53c26bb956e849174c960f3
Opcode Fuzzy Hash: 94020de46b6af9abf216d0d117d0e874395854e84ca06a2ad3d60acb4ef2753e
Instruction Fuzzy Hash: 5C21E13A7043044BD710DF2ABC40B9BB7D9EBC6751F840479E914C3250EA7AE99DA7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A840 Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00C1A840(intOrPtr __ecx, struct HWND__* _a4, long _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct HWND__* _v16;
				intOrPtr _t13;
				struct HWND__* _t18;

				_v8 = __ecx;
				do {
				} while (0 != 0 || 0 != 0);
				_t13 = E00C1B390(_v8 + 8, 0, 0); // executed
				_v12 = _t13;
				if(_v12 != 0) {
					E00C1AA10(0xc5a964, _v8 + 8, _v8);
					_t18 = CreateDialogParamW(E00C1A9F0(0xc5a92c), 0x81, _a4, E00C1BB90, _a8); // executed
					_v16 = _t18;
					do {
					} while (0 != 0 || 0 != 0);
					return _v16;
				}
				SetLastError(0xe);
				return 0;
			}

0x00c1a849
0x00c1a84c
0x00c1a84c
0x00c1a85e
0x00c1a863
0x00c1a86a
0x00c1a888
0x00c1a8aa
0x00c1a8b0
0x00c1a8b3
0x00c1a8b3
0x00000000
0x00c1a8bb
0x00c1a86e
0x00000000

APIs

SetLastError.KERNEL32(0000000E,00000000,00000000), ref: 00C1A86E
CreateDialogParamW.USER32 ref: 00C1A8AA

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CreateDialogErrorLastParam
String ID:
API String ID: 3445605341-0
Opcode ID: 441c62388862df18a7f4b06546526e8caa1362cd900c738dbfd0ce1d91001f01
Instruction ID: 9609e15953f7c6641ad9759a5452387f2fa711f37fc77b0504cc74d1b7893df2
Opcode Fuzzy Hash: 441c62388862df18a7f4b06546526e8caa1362cd900c738dbfd0ce1d91001f01
Instruction Fuzzy Hash: 1301B5B5B41108BBEB04EBB4CC05BEEB7A8EF55351F004465F511E7281D6705E80EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2838E Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C2838E(void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t12;
				void* _t17;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				E00C286FC(_t12, __edi, __esi);
				_t8 = E00C2F4FC(_t12, _t21);
				_t1 = _t20 - 4;
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				E00C28351( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0xc54e10, 0xc));
				_t10 =  *((intOrPtr*)(_t20 - 0x14));
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				return E00C35B39(_t12, _t17,  *_t1, _t14, _t10);
			}

0x00c2838e
0x00c28395
0x00c2839a
0x00c2839f
0x00c2839f
0x00c283aa
0x00c283af
0x00c283b4
0x00c283b6
0x00c283c2

APIs

__getptd.LIBCMT ref: 00C2839A

Part of subcall function 00C2F4FC: __getptd_noexit.LIBCMT ref: 00C2F4FF
Part of subcall function 00C2F4FC: __amsg_exit.LIBCMT ref: 00C2F50C

Part of subcall function 00C28351: __IsNonwritableInCurrentImage.LIBCMT ref: 00C28364
Part of subcall function 00C28351: __getptd_noexit.LIBCMT ref: 00C28374
Part of subcall function 00C28351: __freeptd.LIBCMT ref: 00C2837E
Part of subcall function 00C28351: ExitThread.KERNEL32 ref: 00C28387

__XcptFilter.LIBCMT ref: 00C283BB

Part of subcall function 00C35B39: __getptd_noexit.LIBCMT ref: 00C35B41

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 393088965-0
Opcode ID: cbd54844f005b2845f470818611524175374fc7d531a2f39526838e4c4819938
Instruction ID: 206e97eb4b40bd8efd368619ef97159ad8ff51c6a0353a426a8b83061e624a21
Opcode Fuzzy Hash: cbd54844f005b2845f470818611524175374fc7d531a2f39526838e4c4819938
Instruction Fuzzy Hash: 49E0ECB5951614AFEB08FBA0E806E3E7775AF08705F200458F6026B6A2CE759984AA24

Uniqueness

Uniqueness Score: -1.00%

Function 00C20AC0 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C20AC0(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				char _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v636;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				void* _t44;
				intOrPtr _t67;
				signed int _t71;
				intOrPtr _t78;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				signed int _t97;
				void* _t98;
				signed int _t108;

				_t94 = __edx;
				_t37 =  *0xc58320; // 0x96c0a7a
				_v8 = _t37 ^ _t97;
				_v12 = __ecx;
				_v16 = E00C21DD0(E00C22C80());
				_v20 = E00C21EE0(E00C22C80());
				_t44 = E00C21F20(E00C22C80());
				_t100 = _t44;
				if(_t44 != 0) {
					E00C209A0(_t100, _v16); // executed
					_t98 = _t98 + 4;
				}
				_push(_v20);
				_push(_v16);
				_v24 = E00C01040();
				_v28 = E00C010A0();
				if(E00C21F00(E00C22C80()) != 0 || _v28 == 0) {
					_v32 = 2;
					if(_v20 != 0) {
						_v32 = _v32 | _v20;
					}
					if(E00C21F00(E00C22C80()) != 0) {
						_v32 = _v32 | 0x00000010;
					}
					if(_v16 == 0x911c93) {
						_t71 = _v32 & 0xfffffffd;
						_t108 = _t71;
						_v32 = _t71;
					}
					E00C266B0(_t95,  &_v564, 0, 0x214);
					_t98 = _t98 + 0xc;
					_v36 = _v32;
					_v564 = _v16;
					_v560 = 2;
					if(E00C20EB0(_v12, _t94, _t108, _v16) != 0) {
						_v560 = 1;
					}
					E00C05A40( &_v556, 0x103, E00C01930(E00C21DF0(E00C22C80(),  &_v636)));
					E00C01910( &_v636, _t94);
					_push( &_v564);
					_v568 = E00C010E0();
				}
				_t67 = E00C21F20(E00C22C80());
				_t110 = _t67;
				if(_t67 != 0) {
					_t67 = E00C20A40(_t110, _v16);
				}
				return E00C2669E(_t67, _t78, _v8 ^ _t97, _t94, _t95, _t96);
			}

0x00c20ac0
0x00c20ac9
0x00c20ad0
0x00c20ad6
0x00c20ae5
0x00c20af4
0x00c20afe
0x00c20b03
0x00c20b05
0x00c20b0b
0x00c20b10
0x00c20b10
0x00c20b16
0x00c20b1a
0x00c20b20
0x00c20b28
0x00c20b39
0x00c20b45
0x00c20b50
0x00c20b58
0x00c20b58
0x00c20b69
0x00c20b71
0x00c20b71
0x00c20b7b
0x00c20b80
0x00c20b80
0x00c20b83
0x00c20b83
0x00c20b94
0x00c20b99
0x00c20b9f
0x00c20ba5
0x00c20bab
0x00c20bc3
0x00c20bc5
0x00c20bc5
0x00c20bf6
0x00c20c01
0x00c20c0c
0x00c20c12
0x00c20c12
0x00c20c1f
0x00c20c24
0x00c20c26
0x00c20c2c
0x00c20c31
0x00c20c44

APIs

_memset.LIBCMT ref: 00C20B94

Part of subcall function 00C209A0: _memset.LIBCMT ref: 00C209D9
Part of subcall function 00C209A0: SHSetValueW.SHLWAPI(80000001,SOFTWARE\KitTipCLSID,?,00000004,00000001,00000004), ref: 00C20A1B

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$Value
String ID:
API String ID: 1564614240-0
Opcode ID: 9cbd1967db9fa79c7b1897f45eba35c88d28624db3178cdf4c529518bff2eb77
Instruction ID: fa86dc5990b829e0d4348739296bbdd1b277e94c5bd533176f306243b79c6638
Opcode Fuzzy Hash: 9cbd1967db9fa79c7b1897f45eba35c88d28624db3178cdf4c529518bff2eb77
Instruction Fuzzy Hash: 3E416770E00229ABDF10FBF4D85A6AEB7B4AF04340F044569F915E7642EB38DA40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C21C90 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C21C90(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _t15;

				_v8 = __ecx;
				 *_v8 = 0xc4ec1c;
				if(E00C21CF0(_v8) != 0) {
					FindCloseChangeNotification( *(_v8 + 4)); // executed
					 *(_v8 + 4) = 0;
				}
				 *((intOrPtr*)(_v8 + 8)) = 0xffffffff;
				_t15 = _v8;
				 *(_t15 + 0x18) = 0;
				return _t15;
			}

0x00c21c99
0x00c21c9f
0x00c21caf
0x00c21cb8
0x00c21cc1
0x00c21cc1
0x00c21ccb
0x00c21cd2
0x00c21cd5
0x00c21ce2

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,00C2075F,00C208A0,00000000,00000000,00000001,00000000,00000000,InstallerForChannel,?,00000000), ref: 00C21CB8

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8be060cc7c552a5650d1404cda35ce66ded8111f0596ec8cc4bd17b6170da6f6
Instruction ID: 5ecb0e91e83cd33ab0942b5a14d1acd44115270826bd3041ecd9211ea575295c
Opcode Fuzzy Hash: 8be060cc7c552a5650d1404cda35ce66ded8111f0596ec8cc4bd17b6170da6f6
Instruction Fuzzy Hash: E1F0DAB8600208EFC714DF99DA85A5DFBF8FB49350F254195E804973A1C730DE00DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C208A0 Relevance: 1.5, APIs: 1, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C208A0(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t14;

				_v8 = _a4;
				if(_v8 != 0) {
					E00C208E0(_v8, _t14); // executed
					PostMessageW( *(_v8 + 4), 0x111, 1, 0);
				}
				return 0;
			}

0x00c208ac
0x00c208b3
0x00c208b8
0x00c208cd
0x00c208cd
0x00c208db

APIs

PostMessageW.USER32(?,00000111,00000001,00000000), ref: 00C208CD

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 45f850c37395d73b0dcaee6a032033e30d6d0ce204b67a06ae5f5a09c913a00a
Instruction ID: 2b5735a841d5b3d7e2f32290c7d83ea2de64483c22bf21de3f388800ca29c526
Opcode Fuzzy Hash: 45f850c37395d73b0dcaee6a032033e30d6d0ce204b67a06ae5f5a09c913a00a
Instruction Fuzzy Hash: 7AE09275B0020CBBD710DBA8DD4AF9EF7B8EB44350F104066FA00AB2D1D6B09E00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00C10690 Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C10690(void* __edx, long __esi) {
				long _v4;
				int _t3;
				void* _t10;

				_t3 = ReadFile(__edx, _t10, __esi,  &_v4, 0); // executed
				if(_t3 != 0) {
					if(__esi != _v4) {
						E00C15590(1, 0xc53300);
						return 0;
					}
					return 1;
				} else {
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
			}

0x00c1069b
0x00c106a3
0x00c106c3
0x00c106ca
0x00000000
0x00c106d2
0x00c106d5
0x00c106a5
0x00c106af
0x00c106ba
0x00c106ba

APIs

ReadFile.KERNEL32(?,?,?,00C10E3E,00000000,?,00C10E3E,?,00C10F1E,00000000,00000000,00000CCC,00000040), ref: 00C1069B

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: eb662994ee9eb8a7b6b92debc41537fcfa8cb502dcca04471ac01f0cdb0ae007
Instruction ID: 2452054c3d952716b431a3f9eb4ab5e4d11784128dd725e6dceafdc4b3ae61ec
Opcode Fuzzy Hash: eb662994ee9eb8a7b6b92debc41537fcfa8cb502dcca04471ac01f0cdb0ae007
Instruction Fuzzy Hash: 80E086EA7146007AE610A2706C0BF9B2658EB81B42F100478FC46D2150FDA4EAD4B266

Uniqueness

Uniqueness Score: -1.00%

Function 00C217E0 Relevance: 1.5, APIs: 1, Instructions: 22
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C217E0(struct HWND__** __ecx, long _a4, int _a8) {
				struct HWND__** _v8;
				long _t7;

				_v8 = __ecx;
				_t7 = SendMessageW( *_v8, 0x80, _a8, _a4); // executed
				return _t7;
			}

0x00c217e9
0x00c217ff
0x00c2180b

APIs

SendMessageW.USER32(?,00000080,?,?), ref: 00C217FF

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b449d2cfe3bc6e516f4ee2ffdcd40001ea10713d0c75eefe3113c26a232348e2
Instruction ID: 407f87989e7f1b9b7edeb505f8ad0f944911d7c1eede9125a0f4ce1e4d9542f0
Opcode Fuzzy Hash: b449d2cfe3bc6e516f4ee2ffdcd40001ea10713d0c75eefe3113c26a232348e2
Instruction Fuzzy Hash: 71E0ECB6601208BBD700EF99E885D9FF7ACFB49661F108166F948C7240D671AD1487E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B360 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C1B360(struct HWND__** __ecx, int _a4) {
				struct HWND__** _v8;
				int _t5;

				_v8 = __ecx;
				_t5 = ShowWindow( *_v8, _a4); // executed
				return _t5;
			}

0x00c1b369
0x00c1b376
0x00c1b382

APIs

ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C1A2BB,00000000), ref: 00C1B376

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d4583ff4adca04660379c717de8916a14f1b5fbb81691085201985843736f2e5
Instruction ID: 05a37778b4eec96521b2c211b149ff53ad7aa290a9116afa865bbcac4a1c2c75
Opcode Fuzzy Hash: d4583ff4adca04660379c717de8916a14f1b5fbb81691085201985843736f2e5
Instruction Fuzzy Hash: 07D017BA600208AB8200DA99E884CABBBBCEB89661B10816AF908C3310C6319D1096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C217B0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C217B0(struct HWND__** __ecx, WCHAR* _a4) {
				struct HWND__** _v8;
				int _t5;

				_v8 = __ecx;
				_t5 = SetWindowTextW( *_v8, _a4); // executed
				return _t5;
			}

0x00c217b9
0x00c217c6
0x00c217d2

APIs

SetWindowTextW.USER32(?,?), ref: 00C217C6

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: fd1daa19de2463724a34256aba9265d1feca9a2c81a7aa37aaf03a43b8712e19
Instruction ID: 0276e85adeeb35874952a24d1ab4492dd34b2cca1e277744c327e9b411a55d72
Opcode Fuzzy Hash: fd1daa19de2463724a34256aba9265d1feca9a2c81a7aa37aaf03a43b8712e19
Instruction Fuzzy Hash: AED05EBA600208BB8300EE9DE884C9FFBBCEB89651B1081AAF908C3310C6319D1096F0

Uniqueness

Uniqueness Score: -1.00%

Function 00C05980 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C05980(WCHAR* __esi, void* __eflags) {
				void* __ecx;
				void* _t1;
				struct HINSTANCE__* _t2;
				void* _t4;

				_t1 = E00C02820(0, _t4, __eflags, __esi, 0, 0); // executed
				if(_t1 != 0) {
					_t2 = LoadLibraryW(__esi); // executed
					return _t2;
				} else {
					return _t1;
				}
			}

0x00c05988
0x00c0598f
0x00c05994
0x00c0599b
0x00c05992
0x00c05992
0x00c05992

APIs

LoadLibraryW.KERNEL32(?,?,00C03C13), ref: 00C05994

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a65a04f253267c28217f905e264840409598a95db684333f905bc178405dd2ec
Instruction ID: 179c07fe4415af449db3b2f7ecb65beb50192ecf7f67d865d662b3ee7b76f91d
Opcode Fuzzy Hash: a65a04f253267c28217f905e264840409598a95db684333f905bc178405dd2ec
Instruction Fuzzy Hash: 85C08CB220220062EA2C17202C0ABDF02086B01322F30011DF203840C0AB80E1016094

Uniqueness

Uniqueness Score: -1.00%

Function 00C27388 Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00C27388(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t18;

				_push(0xc);
				_push(0xc54db0);
				E00C286FC(__ebx, __edi, __esi);
				E00C28831();
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				_t9 = E00C2729D(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
				 *(_t18 - 4) = 0xfffffffe;
				E00C273BE();
				return E00C28741( *((intOrPtr*)(_t18 - 0x1c)));
			}

0x00c27388
0x00c2738a
0x00c2738f
0x00c27394
0x00c27399
0x00c273a0
0x00c273a6
0x00c273a9
0x00c273b0
0x00c273bd

APIs

Part of subcall function 00C28831: __lock.LIBCMT ref: 00C28833

__onexit_nolock.LIBCMT ref: 00C273A0

Part of subcall function 00C2729D: __decode_pointer.LIBCMT ref: 00C272AC
Part of subcall function 00C2729D: __decode_pointer.LIBCMT ref: 00C272BC
Part of subcall function 00C2729D: __msize.LIBCMT ref: 00C272DA
Part of subcall function 00C2729D: __realloc_crt.LIBCMT ref: 00C272FE
Part of subcall function 00C2729D: __realloc_crt.LIBCMT ref: 00C27314
Part of subcall function 00C2729D: __encode_pointer.LIBCMT ref: 00C27326
Part of subcall function 00C2729D: __encode_pointer.LIBCMT ref: 00C27334
Part of subcall function 00C2729D: __encode_pointer.LIBCMT ref: 00C2733F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: 527aed682885e3e154e15298387b41b8accad3a852ff6391b0cdb9143016cf71
Instruction ID: f5730433ece6d0af1ddc3925558878fe3530048b5e5e054d560ada99e36bb1d4
Opcode Fuzzy Hash: 527aed682885e3e154e15298387b41b8accad3a852ff6391b0cdb9143016cf71
Instruction Fuzzy Hash: FCD05E70802324EADB10FBA4F802B9C77B0AF00710F708254F020669D2CE744A85BE54

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F26A Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C2F26A() {
				void* _t1;

				_t1 = E00C2F1F8(0); // executed
				return _t1;
			}

0x00c2f26c
0x00c2f272

APIs

__encode_pointer.LIBCMT ref: 00C2F26C

Part of subcall function 00C2F1F8: TlsGetValue.KERNEL32(00000000,?,00C2F271,00000000,00C4789F,00C5B808,00000000,00000314,?,00C32A5C,00C5B808,Microsoft Visual C++ Runtime Library,00012010), ref: 00C2F20A
Part of subcall function 00C2F1F8: TlsGetValue.KERNEL32(00000005,?,00C2F271,00000000,00C4789F,00C5B808,00000000,00000314,?,00C32A5C,00C5B808,Microsoft Visual C++ Runtime Library,00012010), ref: 00C2F221
Part of subcall function 00C2F1F8: RtlEncodePointer.NTDLL(00000000,?,00C2F271,00000000,00C4789F,00C5B808,00000000,00000314,?,00C32A5C,00C5B808,Microsoft Visual C++ Runtime Library,00012010), ref: 00C2F25F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 8b98515ae72bd2da7279afb482e2d988f3a5312edef7788f48a4c9b22f59e067
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C0B9B0 Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 369
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00C0B9B0(void* __ecx, void* __edx, long __edi, void* __esi, void* __eflags) {
				void* __ebx;
				signed int _t103;
				void* _t109;
				void* _t110;
				void* _t112;
				void* _t123;
				void _t124;
				intOrPtr _t127;
				void* _t134;
				void*** _t137;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void*** _t147;
				intOrPtr* _t151;
				void _t152;
				void* _t156;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t194;
				void* _t215;
				intOrPtr _t219;
				long _t226;
				intOrPtr _t228;
				char* _t229;
				intOrPtr _t230;
				signed int _t237;
				void* _t239;
				void* _t240;
				void* _t245;
				void* _t246;
				void* _t251;
				signed int _t252;
				void* _t253;
				void* _t261;

				_t261 = __eflags;
				_t223 = __edi;
				_t214 = __edx;
				_push(0xffffffff);
				_push(0xc4d1c9);
				_push( *[fs:0x0]);
				_t252 = _t251 - 0x40;
				_push(_t245);
				_push(__edi);
				_t103 =  *0xc58320; // 0x96c0a7a
				_push(_t103 ^ _t252);
				 *[fs:0x0] = _t252 + 0x54;
				_t235 =  *((intOrPtr*)(_t252 + 0x64));
				_t178 = 0;
				 *((intOrPtr*)(_t252 + 0x18)) = 0;
				E00C07C80( *((intOrPtr*)(_t252 + 0x64)));
				E00C0BF80(_t261, _t252 + 0x38);
				 *((intOrPtr*)(_t252 + 0x60)) = 0;
				_t109 = E00C0B760(_t245, _t252 + 0x38);
				_t253 = _t252 + 4;
				if(_t109 != 0) {
					_t224 = GetProcessHeap;
					 *(_t253 + 0x24) = 0x288;
					_t110 = GetProcessHeap();
					_t236 = HeapAlloc;
					_t246 = HeapAlloc(_t110, 0, 0x288);
					 *(_t253 + 0x28) = _t246;
					__eflags = _t246;
					if(_t246 != 0) {
						_t112 = _t253 + 0x1c;
						_push(_t112);
						_push(_t246);
						L00C4C3F2();
						__eflags = _t112 - 0x6f;
						if(_t112 != 0x6f) {
							L12:
							_t215 = _t253 + 0x1c;
							_push(_t215);
							_push(_t246);
							 *(_t253 + 0x2c) = 1;
							L00C4C3F2();
							__eflags = _t112;
							if(_t112 != 0) {
								L62:
								__eflags = _t246 - _t178;
								if(_t246 != _t178) {
									HeapFree(GetProcessHeap(), _t178, _t246);
								}
								goto L64;
							} else {
								__eflags = _t246 - _t178;
								if(_t246 == _t178) {
									L64:
									_t216 =  *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x64))));
									__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x64)))) - 0xc)) - _t178;
									_t237 = 0 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x64)))) - 0xc)) != _t178;
									_t115 =  *(_t253 + 0x44);
									__eflags =  *(_t253 + 0x44) - _t178;
									if(__eflags != 0) {
										_t224 =  *(_t253 + 0x48);
										E00C0C4C0(_t115, _t216,  *(_t253 + 0x48));
										E00C2657F(_t178, _t216,  *(_t253 + 0x48), _t237, __eflags,  *(_t253 + 0x44));
										_t253 = _t253 + 4;
									}
									 *(_t253 + 0x48) = _t178;
									 *(_t253 + 0x4c) = _t178;
									 *(_t253 + 0x50) = _t178;
									E00C2657F(_t178,  *(_t253 + 0x38), _t224, _t237, __eflags,  *(_t253 + 0x38));
									 *[fs:0x0] =  *((intOrPtr*)(_t253 + 0x58));
									return _t237;
								} else {
									do {
										_t239 =  *(_t253 + 0x44);
										__eflags = _t239 -  *(_t253 + 0x48);
										if(_t239 >  *(_t253 + 0x48)) {
											E00C28FF5();
										}
										_t180 =  *(_t253 + 0x38);
										 *(_t253 + 0x30) = _t180;
										while(1) {
											_t226 =  *(_t253 + 0x48);
											 *(_t253 + 0x34) = _t239;
											__eflags =  *(_t253 + 0x44) - _t226;
											if( *(_t253 + 0x44) > _t226) {
												E00C28FF5();
											}
											__eflags = _t180;
											if(_t180 == 0) {
												goto L22;
											}
											L21:
											__eflags = _t180 -  *(_t253 + 0x38);
											if(_t180 !=  *(_t253 + 0x38)) {
												goto L22;
											}
											L23:
											__eflags = _t239 - _t226;
											if(_t239 == _t226) {
												break;
											} else {
												__eflags =  *((intOrPtr*)(_t246 + 0x190)) - 6;
												if( *((intOrPtr*)(_t246 + 0x190)) != 6) {
													L33:
													_t181 = 0;
													__eflags = 0;
													goto L34;
												} else {
													_t42 = _t246 + 8; // 0x8
													_t194 = _t42;
													_t151 = E00C0BEF0(_t194, _t246, _t253 + 0x2c);
													 *((char*)(_t253 + 0x5c)) = 1;
													 *(_t253 + 0x18) =  *(_t253 + 0x18) | 0x00000001;
													_t230 =  *_t151;
													__eflags = _t180;
													if(_t180 != 0) {
														_t152 =  *_t180;
													} else {
														E00C28FF5();
														_t152 = 0;
														__eflags = 0;
													}
													__eflags = _t239 -  *((intOrPtr*)(_t152 + 0x10));
													if(_t239 >=  *((intOrPtr*)(_t152 + 0x10))) {
														E00C28FF5();
													}
													_t230 = _t230 != 0;
													if(_t230 != 0) {
														L67:
														_push(0x80004005);
														_t140 = E00C02370();
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t180);
														_t182 = _t194;
														E00C0C1A0(_t140, _t182);
														return _t182;
													} else {
														_t156 = E00C268D3(_t215,  *_t239, _t230);
														_t253 = _t253 + 8;
														__eflags = _t156;
														if(_t156 != 0) {
															goto L33;
														} else {
															_t181 = 1;
														}
														L34:
														 *((intOrPtr*)(_t253 + 0x5c)) = 0;
														__eflags =  *(_t253 + 0x18) & 0x00000001;
														if(( *(_t253 + 0x18) & 0x00000001) != 0) {
															 *(_t253 + 0x18) =  *(_t253 + 0x18) & 0xfffffffe;
															_t147 =  *(_t253 + 0x2c) + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t215 = (_t215 | 0xffffffff) - 1;
															__eflags = _t215;
															if(_t215 <= 0) {
																_t215 =  *( *_t147);
																 *((intOrPtr*)( *((intOrPtr*)(_t215 + 4))))(_t147);
															}
														}
														__eflags = _t181;
														if(_t181 == 0) {
															L54:
															_t123 =  *(_t253 + 0x30);
															__eflags = _t123;
															if(_t123 != 0) {
																_t124 =  *_t123;
															} else {
																E00C28FF5();
																_t124 = 0;
																__eflags = 0;
															}
															__eflags = _t239 -  *((intOrPtr*)(_t124 + 0x10));
															if(_t239 >=  *((intOrPtr*)(_t124 + 0x10))) {
																E00C28FF5();
															}
															_t180 =  *(_t253 + 0x30);
															_t239 = _t239 + 4;
															_t226 =  *(_t253 + 0x48);
															 *(_t253 + 0x34) = _t239;
															__eflags =  *(_t253 + 0x44) - _t226;
															if( *(_t253 + 0x44) > _t226) {
																E00C28FF5();
															}
															__eflags = _t180;
															if(_t180 == 0) {
																goto L22;
															}
															goto L23;
														} else {
															_t127 =  *((intOrPtr*)(_t246 + 0x1a0));
															_t240 = 0;
															__eflags = _t127 - 0x47;
															if(_t127 == 0x47) {
																L42:
																_t240 = 1;
																goto L43;
															} else {
																__eflags = _t127 - 6;
																if(_t127 != 6) {
																	L53:
																	_t239 =  *(_t253 + 0x34);
																	goto L54;
																} else {
																	_t59 = _t246 + 0x10c; // 0x10c
																	_t229 = _t59;
																	_t144 = StrStrIA(_t229, "wifi");
																	__eflags = _t144;
																	if(_t144 != 0) {
																		goto L42;
																	} else {
																		_t145 = StrStrIA(_t229, "wireless");
																		__eflags = _t145;
																		if(_t145 != 0) {
																			goto L42;
																		}
																	}
																	L43:
																	__eflags =  *(_t253 + 0x24);
																	if( *(_t253 + 0x24) != 0) {
																		L45:
																		_t219 =  *0xc5a910; // 0xc4f8dc
																		_t61 = _t219 + 0xc; // 0xc23088
																		 *((intOrPtr*)(_t253 + 0x20)) =  *((intOrPtr*)( *_t61))() + 0x10;
																		 *((char*)(_t253 + 0x5c)) = 2;
																		_push( *(_t246 + 0x199) & 0x000000ff);
																		_push( *(_t246 + 0x198) & 0x000000ff);
																		_push( *(_t246 + 0x197) & 0x000000ff);
																		_push( *(_t246 + 0x196) & 0x000000ff);
																		_push( *(_t246 + 0x195) & 0x000000ff);
																		E00C09030("%02X%02X%02X%02X%02X%02X",  *(_t246 + 0x194) & 0x000000ff);
																		_t180 =  *(_t253 + 0x80);
																		_t134 =  *_t180;
																		_t228 =  *((intOrPtr*)(_t253 + 0x3c));
																		_t253 = _t253 + 0x1c;
																		__eflags =  *(_t134 - 0xc);
																		if( *(_t134 - 0xc) == 0) {
																			L50:
																			E00C0C1A0(_t253 + 0x20, _t180);
																			goto L51;
																		} else {
																			__eflags =  *(_t253 + 0x24) - 1;
																			if( *(_t253 + 0x24) != 1) {
																				L48:
																				__eflags = _t134;
																				_t194 = 0 | _t134 != 0x00000000;
																				__eflags = _t194;
																				if(_t194 == 0) {
																					goto L67;
																				} else {
																					_t143 = E00C2AA20(_t228, _t134);
																					_t253 = _t253 + 8;
																					__eflags = _t143;
																					if(_t143 < 0) {
																						goto L50;
																					}
																					L51:
																					__eflags = _t240;
																					_t137 = _t228 - 0x10;
																					 *((char*)(_t253 + 0x5c)) = 0;
																					_t215 =  &(_t137[3]);
																					 *(_t253 + 0x24) = 0 | _t240 != 0x00000000;
																					asm("lock xadd [edx], ecx");
																					__eflags = 0xfffffffffffffffe;
																					if(0xfffffffffffffffe <= 0) {
																						_t215 =  *( *_t137);
																						 *((intOrPtr*)( *((intOrPtr*)(_t215 + 4))))(_t137);
																					}
																					goto L53;
																				}
																			} else {
																				__eflags = _t240;
																				if(_t240 == 0) {
																					goto L50;
																				} else {
																					goto L48;
																				}
																			}
																		}
																	} else {
																		__eflags = _t240;
																		if(_t240 != 0) {
																			goto L53;
																		} else {
																			goto L45;
																		}
																	}
																}
															}
														}
													}
												}
											}
											goto L68;
											L22:
											E00C28FF5();
											goto L23;
										}
										_t246 =  *_t246;
										__eflags = _t246;
									} while (_t246 != 0);
									_t246 =  *(_t253 + 0x28);
									_t224 = GetProcessHeap;
									_t178 = 0;
									__eflags = 0;
									goto L62;
								}
							}
						} else {
							HeapFree(GetProcessHeap(), 0, _t246);
							_t112 = HeapAlloc(GetProcessHeap(), 0,  *(_t253 + 0x1c));
							 *(_t253 + 0x28) = _t112;
							__eflags = _t112;
							if(_t112 != 0) {
								_t246 = _t112;
								goto L12;
							} else {
								E00C0BFE0(0, _t253 + 0x38);
								__eflags = 0;
								 *[fs:0x0] =  *((intOrPtr*)(_t253 + 0x54));
								return 0;
							}
						}
					} else {
						_t166 =  *(_t253 + 0x44);
						__eflags =  *(_t253 + 0x44);
						if(__eflags != 0) {
							_t224 =  *(_t253 + 0x48);
							E00C0C4C0(_t166, _t214,  *(_t253 + 0x48));
							E00C2657F(0, _t214,  *(_t253 + 0x48), HeapAlloc, __eflags,  *(_t253 + 0x44));
							_t253 = _t253 + 4;
						}
						 *(_t253 + 0x48) = _t178;
						 *(_t253 + 0x4c) = _t178;
						 *(_t253 + 0x50) = _t178;
						E00C2657F(_t178,  *(_t253 + 0x38), _t224, _t236, __eflags,  *(_t253 + 0x38));
						__eflags = 0;
						 *[fs:0x0] =  *((intOrPtr*)(_t253 + 0x58));
						return 0;
					}
				} else {
					_t171 =  *(_t253 + 0x44);
					_t263 =  *(_t253 + 0x44);
					if( *(_t253 + 0x44) != 0) {
						_t223 =  *(_t253 + 0x48);
						E00C0C4C0(_t171, _t214,  *(_t253 + 0x48));
						_t214 =  *(_t253 + 0x44);
						E00C2657F(0,  *(_t253 + 0x44),  *(_t253 + 0x48), _t235, _t263,  *(_t253 + 0x44));
						_t253 = _t253 + 4;
					}
					 *(_t253 + 0x48) = _t178;
					 *(_t253 + 0x4c) = _t178;
					 *(_t253 + 0x50) = _t178;
					E00C2657F(_t178, _t214, _t223, _t235, _t263,  *(_t253 + 0x38));
					 *[fs:0x0] =  *((intOrPtr*)(_t253 + 0x58));
					return 0;
				}
				L68:
			}

0x00c0b9b0
0x00c0b9b0
0x00c0b9b0
0x00c0b9b0
0x00c0b9b2
0x00c0b9bd
0x00c0b9be
0x00c0b9c2
0x00c0b9c4
0x00c0b9c5
0x00c0b9cc
0x00c0b9d1
0x00c0b9d7
0x00c0b9db
0x00c0b9dd
0x00c0b9e1
0x00c0b9eb
0x00c0b9f5
0x00c0b9f9
0x00c0b9fe
0x00c0ba03
0x00c0ba52
0x00c0ba5e
0x00c0ba66
0x00c0ba68
0x00c0ba71
0x00c0ba73
0x00c0ba77
0x00c0ba79
0x00c0bac8
0x00c0bacc
0x00c0bacd
0x00c0bace
0x00c0bad3
0x00c0bad6
0x00c0bb17
0x00c0bb17
0x00c0bb1b
0x00c0bb1c
0x00c0bb1d
0x00c0bb25
0x00c0bb2a
0x00c0bb2c
0x00c0bd7e
0x00c0bd7e
0x00c0bd80
0x00c0bd87
0x00c0bd87
0x00000000
0x00c0bb32
0x00c0bb32
0x00c0bb34
0x00c0bd8d
0x00c0bd91
0x00c0bd95
0x00c0bd9b
0x00c0bd9d
0x00c0bda1
0x00c0bda3
0x00c0bda5
0x00c0bda9
0x00c0bdb3
0x00c0bdb8
0x00c0bdb8
0x00c0bdc0
0x00c0bdc4
0x00c0bdc8
0x00c0bdcc
0x00c0bdda
0x00c0bde9
0x00c0bb40
0x00c0bb40
0x00c0bb40
0x00c0bb44
0x00c0bb48
0x00c0bb4a
0x00c0bb4a
0x00c0bb4f
0x00c0bb53
0x00c0bb57
0x00c0bb57
0x00c0bb5b
0x00c0bb5f
0x00c0bb63
0x00c0bb65
0x00c0bb65
0x00c0bb6a
0x00c0bb6c
0x00000000
0x00000000
0x00c0bb6e
0x00c0bb6e
0x00c0bb72
0x00000000
0x00000000
0x00c0bb79
0x00c0bb79
0x00c0bb7b
0x00000000
0x00c0bb81
0x00c0bb81
0x00c0bb88
0x00c0bbdf
0x00c0bbdf
0x00c0bbdf
0x00000000
0x00c0bb8a
0x00c0bb8e
0x00c0bb8e
0x00c0bb92
0x00c0bb97
0x00c0bb9c
0x00c0bba1
0x00c0bba3
0x00c0bba5
0x00c0bbdb
0x00c0bba7
0x00c0bba7
0x00c0bbac
0x00c0bbac
0x00c0bbac
0x00c0bbae
0x00c0bbb1
0x00c0bbb3
0x00c0bbb3
0x00c0bbbf
0x00c0bbc1
0x00c0bdea
0x00c0bdea
0x00c0bdef
0x00c0bdf4
0x00c0bdf5
0x00c0bdf6
0x00c0bdf7
0x00c0bdf8
0x00c0bdf9
0x00c0bdfa
0x00c0bdfb
0x00c0bdfc
0x00c0bdfd
0x00c0bdfe
0x00c0bdff
0x00c0be00
0x00c0be01
0x00c0be03
0x00c0be0b
0x00c0bbc7
0x00c0bbcb
0x00c0bbd0
0x00c0bbd3
0x00c0bbd5
0x00000000
0x00c0bbd7
0x00c0bbd7
0x00c0bbd7
0x00c0bbe1
0x00c0bbe1
0x00c0bbe9
0x00c0bbee
0x00c0bbf4
0x00c0bbf9
0x00c0bc02
0x00c0bc06
0x00c0bc07
0x00c0bc09
0x00c0bc0d
0x00c0bc13
0x00c0bc13
0x00c0bc09
0x00c0bc15
0x00c0bc17
0x00c0bd3e
0x00c0bd3e
0x00c0bd42
0x00c0bd44
0x00c0bd63
0x00c0bd46
0x00c0bd46
0x00c0bd4b
0x00c0bd4b
0x00c0bd4b
0x00c0bd4d
0x00c0bd50
0x00c0bd52
0x00c0bd52
0x00c0bd57
0x00c0bd5b
0x00c0bb57
0x00c0bb5b
0x00c0bb5f
0x00c0bb63
0x00c0bb65
0x00c0bb65
0x00c0bb6a
0x00c0bb6c
0x00000000
0x00000000
0x00000000
0x00c0bc1d
0x00c0bc1d
0x00c0bc23
0x00c0bc25
0x00c0bc28
0x00c0bc57
0x00c0bc57
0x00000000
0x00c0bc2a
0x00c0bc2a
0x00c0bc2d
0x00c0bd3a
0x00c0bd3a
0x00000000
0x00c0bc33
0x00c0bc3e
0x00c0bc3e
0x00c0bc45
0x00c0bc47
0x00c0bc49
0x00000000
0x00c0bc4b
0x00c0bc51
0x00c0bc53
0x00c0bc55
0x00000000
0x00000000
0x00c0bc55
0x00c0bc5c
0x00c0bc5c
0x00c0bc61
0x00c0bc6b
0x00c0bc6b
0x00c0bc71
0x00c0bc7e
0x00c0bc82
0x00c0bc9c
0x00c0bca4
0x00c0bcac
0x00c0bcb4
0x00c0bcb5
0x00c0bcc0
0x00c0bcc5
0x00c0bccc
0x00c0bcce
0x00c0bcd2
0x00c0bcd5
0x00c0bcd9
0x00c0bd03
0x00c0bd07
0x00000000
0x00c0bcdb
0x00c0bcdb
0x00c0bce0
0x00c0bce6
0x00c0bce8
0x00c0bcea
0x00c0bced
0x00c0bcef
0x00000000
0x00c0bcf5
0x00c0bcf7
0x00c0bcfc
0x00c0bcff
0x00c0bd01
0x00000000
0x00000000
0x00c0bd0c
0x00c0bd0e
0x00c0bd13
0x00c0bd16
0x00c0bd1b
0x00c0bd1e
0x00c0bd27
0x00c0bd2c
0x00c0bd2e
0x00c0bd32
0x00c0bd38
0x00c0bd38
0x00000000
0x00c0bd2e
0x00c0bce2
0x00c0bce2
0x00c0bce4
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0bce4
0x00c0bce0
0x00c0bc63
0x00c0bc63
0x00c0bc65
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0bc65
0x00c0bc61
0x00c0bc2d
0x00c0bc28
0x00c0bc17
0x00c0bbc1
0x00c0bb88
0x00000000
0x00c0bb74
0x00c0bb74
0x00000000
0x00c0bb74
0x00c0bd67
0x00c0bd6a
0x00c0bd6a
0x00c0bd72
0x00c0bd76
0x00c0bd7c
0x00c0bd7c
0x00000000
0x00c0bd7c
0x00c0bb34
0x00c0bad8
0x00c0badd
0x00c0baec
0x00c0baee
0x00c0baf2
0x00c0baf4
0x00c0bb15
0x00000000
0x00c0baf6
0x00c0bafa
0x00c0baff
0x00c0bb05
0x00c0bb14
0x00c0bb14
0x00c0baf4
0x00c0ba7b
0x00c0ba7b
0x00c0ba7f
0x00c0ba81
0x00c0ba83
0x00c0ba87
0x00c0ba91
0x00c0ba96
0x00c0ba96
0x00c0ba9e
0x00c0baa2
0x00c0baa6
0x00c0baaa
0x00c0bab2
0x00c0bab8
0x00c0bac7
0x00c0bac7
0x00c0ba05
0x00c0ba05
0x00c0ba09
0x00c0ba0b
0x00c0ba0d
0x00c0ba11
0x00c0ba16
0x00c0ba1b
0x00c0ba20
0x00c0ba20
0x00c0ba28
0x00c0ba2c
0x00c0ba30
0x00c0ba34
0x00c0ba42
0x00c0ba51
0x00c0ba51
0x00000000

APIs

Part of subcall function 00C0B760: RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318},00000000,00000008,?,096C0A7A,00000000,?,?,00000000), ref: 00C0B7CD
Part of subcall function 00C0B760: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C0B810
Part of subcall function 00C0B760: RegOpenKeyExW.ADVAPI32(?), ref: 00C0B83F
Part of subcall function 00C0B760: RegCloseKey.ADVAPI32(?,00000000), ref: 00C0B880

GetProcessHeap.KERNEL32 ref: 00C0BA66
HeapAlloc.KERNEL32(00000000), ref: 00C0BA6F
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00C0BACE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C0BADA
HeapFree.KERNEL32(00000000), ref: 00C0BADD
GetProcessHeap.KERNEL32(00000000,?), ref: 00C0BAE9
HeapAlloc.KERNEL32(00000000), ref: 00C0BAEC
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00C0BB25
__wcsicoll.LIBCMT ref: 00C0BBCB
StrStrIA.SHLWAPI(0000010C,wifi), ref: 00C0BC45
StrStrIA.SHLWAPI(0000010C,wireless), ref: 00C0BC51
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?), ref: 00C0BD84
HeapFree.KERNEL32(00000000), ref: 00C0BD87

Strings

wifi, xrefs: 00C0BC39
%02X%02X%02X%02X%02X%02X, xrefs: 00C0BCB7
wireless, xrefs: 00C0BC4B

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Heap$Process$AdaptersAllocFreeInfoOpen$CloseEnum__wcsicoll
String ID: %02X%02X%02X%02X%02X%02X$wifi$wireless
API String ID: 3423256894-294613102
Opcode ID: 8bc30748c9fc3a9573ea586b0bcb7c1755855ee03810b9dcbc6aacaa644fc4fe
Instruction ID: 7cd3ea49b7569d7279e4a411c62873ddd39f90a38fd09d221235854fbef4603d
Opcode Fuzzy Hash: 8bc30748c9fc3a9573ea586b0bcb7c1755855ee03810b9dcbc6aacaa644fc4fe
Instruction Fuzzy Hash: C7C19D726083409FD720EF69C881A6AF7E8FF89310F44492DF9A587295DB35EE44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C064E0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 118
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C064E0(struct _OSVERSIONINFOW* __ebx, void* __ebp, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				char _v1042;
				char _v1044;
				char* _v1320;
				signed int _v1324;
				void _v1328;
				unsigned int _v1360;
				signed short _v1364;
				char _v1380;
				char _v1384;
				void* _v1388;
				intOrPtr _v1392;
				void* __edi;
				void* __esi;
				signed int _t45;
				_Unknown_base(*)()* _t52;
				signed int _t66;
				void* _t69;
				void* _t75;
				signed int _t77;
				signed short _t81;
				signed int _t82;
				signed int _t89;
				void* _t90;
				void* _t91;
				signed int _t99;
				signed int _t100;

				_t75 = __ebx;
				_t99 =  &_v1388;
				_t45 =  *0xc58320; // 0x96c0a7a
				_v4 = _t45 ^ _t99;
				_v1388 = _a4;
				E00C266B0(_t90,  &_v1328, 0, 0x11c);
				_v1328 = 0x11c;
				E00C266B0(_t90, __ebx, 0, 0x11c);
				_t100 = _t99 + 0x18;
				 *__ebx = 0x11c;
				GetVersionExW(__ebx);
				_t91 = GetProcAddress;
				if(__ebx->dwMajorVersion != 5) {
					L4:
					_t52 = GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlGetVersion");
					if(_t52 != 0) {
						 *_t52( &_v1328);
					}
					_t91 =  *(_t75 + 8) + ( *(_t75 + 4) +  *(_t75 + 4) * 4) * 2;
					_t88 = _v1320;
					_t77 = _v1324 + _v1324 * 4;
					_t107 = _t88 + _t77 * 2 - _t91;
					if(_t88 + _t77 * 2 > _t91) {
						_t69 = memcpy(_t75,  &_v1328, 0x47 << 2);
						_t100 = _t100 + 0xc;
						_t91 = _t69;
					}
					_v1044 = 0;
					E00C266B0(_t91,  &_v1042, 0, 0x40e);
					_t100 = _t100 + 0xc;
					_t95 =  &_v1044;
					if(E00C063E0(_t75, _t91,  &_v1044, _t107) < 0) {
						L13:
						 *((intOrPtr*)(_v1388 + 4)) = 0;
						goto L14;
					} else {
						_t88 =  &_v1380;
						if(E00C06680( &_v1044,  &_v1380) == 0) {
							goto L13;
						}
						_t81 = _v1364;
						_t66 = _t81 >> 0x10;
						_t82 = _t81 & 0x0000ffff;
						_t89 = _t66 + _t66 * 4;
						_t88 = _t82 + _t89 * 2;
						if(_t91 >= _t82 + _t89 * 2) {
							_t88 = _v1388;
							 *((intOrPtr*)(_v1388 + 4)) = 0;
						} else {
							 *(_t75 + 4) = _t66;
							 *(_t75 + 8) = _t82;
							 *(_t75 + 0xc) = _v1360 >> 0x10;
							 *((intOrPtr*)(_v1388 + 4)) = 1;
						}
						L14:
						return E00C2669E(1, _t75, _v4 ^ _t100, _t88, _t91, _t95);
					}
				}
				_t95 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				_v1384 = 0;
				if(_t95 == 0) {
					goto L4;
				}
				_t88 =  &_v1384;
				_push( &_v1384);
				_push(GetCurrentProcess());
				if( *_t95() == 0 || _v1392 == 0) {
					goto L4;
				} else {
					goto L13;
				}
			}

0x00c064e0
0x00c064e0
0x00c064e6
0x00c064ed
0x00c0650a
0x00c0650e
0x00c0651b
0x00c06523
0x00c06528
0x00c0652c
0x00c06532
0x00c0653c
0x00c06548
0x00c06584
0x00c06591
0x00c06595
0x00c0659c
0x00c0659c
0x00c065a7
0x00c065ae
0x00c065b2
0x00c065b8
0x00c065ba
0x00c065c7
0x00c065c7
0x00c065c9
0x00c065c9
0x00c065db
0x00c065e3
0x00c065e8
0x00c065eb
0x00c065f9
0x00c0664b
0x00c0664f
0x00000000
0x00c065fb
0x00c065fb
0x00c06609
0x00000000
0x00000000
0x00c0660b
0x00c06611
0x00c06614
0x00c06617
0x00c0661a
0x00c0661f
0x00c0663e
0x00c06642
0x00c06621
0x00c06621
0x00c06628
0x00c06632
0x00c06635
0x00c06635
0x00c06656
0x00c06672
0x00c06672
0x00c065f9
0x00c06559
0x00c0655b
0x00c06565
0x00000000
0x00000000
0x00c06567
0x00c0656b
0x00c06572
0x00c06577
0x00000000
0x00000000
0x00000000
0x00000000

APIs

_memset.LIBCMT ref: 00C0650E
_memset.LIBCMT ref: 00C06523
GetVersionExW.KERNEL32(?,?,00000000,0000011C,00000000,?), ref: 00C06532
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00C06554
GetProcAddress.KERNEL32(00000000), ref: 00C06557
GetCurrentProcess.KERNEL32(00000000), ref: 00C0656C
GetModuleHandleW.KERNEL32(ntdll,RtlGetVersion), ref: 00C0658E
GetProcAddress.KERNEL32(00000000), ref: 00C06591
_memset.LIBCMT ref: 00C065E3

Strings

RtlGetVersion, xrefs: 00C06584
IsWow64Process, xrefs: 00C0654A
ntdll, xrefs: 00C06589
kernel32, xrefs: 00C0654F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$AddressHandleModuleProc$CurrentProcessVersion
String ID: IsWow64Process$RtlGetVersion$kernel32$ntdll
API String ID: 3825021448-1059190566
Opcode ID: e6ad925884b7ad997964b155fa589b8467b199a74511cdd388b8125fdda45b38
Instruction ID: f3fad134ea03c62e145b309d5ddca6674e69d03f90dbb7cb22412eac3a6ebfc7
Opcode Fuzzy Hash: e6ad925884b7ad997964b155fa589b8467b199a74511cdd388b8125fdda45b38
Instruction Fuzzy Hash: 71418E716043419FC710DF28DC81BABBBE4BF85304F45891CF9589B291EB72D919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D950 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 260
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C0D950(int* __ecx, int __edx, void* __ebp) {
				char _v4;
				char _v12;
				signed int _v16;
				char _v528;
				intOrPtr _v1500;
				int _v1504;
				int _v1512;
				int _v1516;
				char _v1518;
				void _v1528;
				char _v1792;
				char _v1796;
				intOrPtr _v2072;
				intOrPtr _v2076;
				char _v2080;
				intOrPtr _v2084;
				void _v2088;
				void _v2092;
				long _v2096;
				char _v2100;
				char _v2104;
				char _v2108;
				char _v2112;
				int* _v2116;
				char _v2120;
				long _v2124;
				char _v2128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t88;
				signed int _t90;
				void* _t96;
				int _t100;
				intOrPtr _t102;
				char* _t103;
				intOrPtr _t106;
				int _t110;
				int _t116;
				int _t120;
				int _t121;
				int _t125;
				int _t131;
				int _t135;
				WCHAR* _t153;
				void* _t154;
				int _t165;
				void* _t185;
				struct _OVERLAPPED* _t191;
				void* _t192;
				void* _t198;
				void* _t200;
				signed int _t201;

				_t173 = __edx;
				_push(0xffffffff);
				_push(0xc4d011);
				_push( *[fs:0x0]);
				_t201 = _t200 - 0x844;
				_t88 =  *0xc58320; // 0x96c0a7a
				_v16 = _t88 ^ _t201;
				_push(__ebp);
				_t90 =  *0xc58320; // 0x96c0a7a
				_push(_t90 ^ _t201);
				 *[fs:0x0] =  &_v12;
				_t184 = __ecx;
				_v2116 = __ecx;
				_v2112 = 0;
				do {
					_t198 = 0;
					_v2124 = 0;
					_t153 =  &_v528;
					_v4 = 0;
					E00C0D400(0x200, _t153, L"\\\\.\\PhysicalDrive%d", _v2112);
					_t201 = _t201 + 8;
					_t191 = 0;
					_t96 = CreateFileW(_t153, 0, 3, 0, 3, 0, 0);
					if(_t96 != 0xffffffff) {
						_t198 = _t96;
						_v2124 = _t198;
						L5:
						E00C266B0(_t184,  &_v1528, _t191, 0x3e8);
						_t201 = _t201 + 0xc;
						_v2092 = 0;
						_v2088 = 0;
						_v2084 = 0;
						_t173 =  &_v2092;
						_v2092 = _t191;
						_v2088 = _t191;
						_v2096 = _t191;
						_t100 = DeviceIoControl(_t198, 0x2d1400,  &_v2092, 0xc,  &_v1528, 0x3e8,  &_v2096, _t191);
						__eflags = _t100;
						if(_t100 == 0) {
							L39:
							_v4 = 0xffffffff;
							__eflags = _t198 - _t191;
							if(_t198 != _t191) {
								CloseHandle(_t198);
							}
							goto L41;
						}
						__eflags = _t198 - _t191;
						if(_t198 != _t191) {
							CloseHandle(_t198);
							_t198 = 0;
							__eflags = 0;
							_v2124 = 0;
						}
						__eflags = _v1518;
						if(_v1518 != 0) {
							goto L39;
						} else {
							_t106 = _v1500;
							__eflags = _t106 - 1;
							if(_t106 == 1) {
								goto L39;
							}
							__eflags = _t106 - 0xa;
							if(_t106 == 0xa) {
								goto L39;
							}
							__eflags = _t106 - 4;
							if(_t106 == 4) {
								goto L39;
							}
							__eflags = _t106 - 7;
							if(_t106 == 7) {
								goto L39;
							}
							__eflags = _t106 - 0xe;
							if(_t106 == 0xe) {
								goto L39;
							}
							__eflags = _t106 - 0xf;
							if(_t106 == 0xf) {
								goto L39;
							}
							E00C07A90( &_v2120);
							_t194 =  &_v2108;
							E00C07A90( &_v2108);
							_t164 = _v2112;
							_t173 =  &_v2120;
							_v4 = 2;
							_t110 = E00C0D720(_v2112,  &_v2120, _t198,  &_v2108);
							_t201 = _t201 + 4;
							__eflags = _t110;
							if(_t110 == 0) {
								L17:
								E00C07AB0( &_v2108, _t173);
								_v4 = 0;
								E00C07AB0( &_v2120, _t173);
								_t116 = E00C0D930( &_v1528);
								__eflags = _t116;
								if(_t116 != 0) {
									_t173 =  &_v1792;
									E00C266B0(_t184,  &_v1792, 0, 0x104);
									_t201 = _t201 + 0xc;
									__eflags = _v1504;
									if(_v1504 == 0) {
										L26:
										_t184 = _v2116;
										_t165 =  *_v2116;
										__eflags =  *(_t165 - 0xc);
										if( *(_t165 - 0xc) == 0) {
											goto L18;
										}
										E00C266B0(_t184,  &_v1792, 0, 0x104);
										_t120 = _v1516;
										_t201 = _t201 + 0xc;
										__eflags = _t120;
										if(_t120 != 0) {
											_t194 = _t201 + _t120 + 0x26c;
											_t131 = E00C0E160(0x104,  &_v1792,  &_v2104);
											__eflags = _t131;
											if(_t131 >= 0) {
												__eflags = 0x104;
												E00C0E110(_t194, _t201 + _v2104 + 0x164, 0x104 - _v2104);
											}
										}
										__eflags = _v1792;
										if(_v1792 != 0) {
											StrTrimA( &_v1792, " ");
										}
										_t121 = _v1512;
										__eflags = _t121;
										if(_t121 != 0) {
											_t194 = _t201 + _t121 + 0x26c;
											_t125 = E00C0E160(0x104,  &_v1792,  &_v2100);
											__eflags = _t125;
											if(_t125 >= 0) {
												__eflags = 0x104;
												E00C0E110(_t194, _t201 + _v2100 + 0x164, 0x104 - _v2100);
											}
										}
										__eflags = _v1792;
										if(_v1792 != 0) {
											StrTrimA( &_v1792, " ");
											E00C0DD60( &_v1792,  &_v1796, _v2120, _t194);
										}
										_t184 = _v2116;
										_t173 =  *_v2116;
										__eflags =  *(_t173 - 0xc);
										if( *(_t173 - 0xc) != 0) {
											L45:
											E00C0D340( &_v2124);
											_t103 = 1;
											L43:
											 *[fs:0x0] = _v12;
											_pop(_t185);
											_pop(_t192);
											_pop(_t154);
											return E00C2669E(_t103, _t154, _v16 ^ _t201, _t173, _t185, _t192);
										} else {
											_t191 = 0;
											__eflags = 0;
											goto L39;
										}
									}
									_v2080 = 0x11c;
									_t194 = 1;
									_t135 = E00C06770(2, _t164,  &_v1792,  &_v2080, _t198);
									__eflags = _t135;
									if(_t135 == 0) {
										L25:
										_t173 = 0x104;
										E00C096B0(_t201 + _v1504 + 0x26c,  &_v1792, 0x104);
										E00C0D620( &_v1792, _t198, _v2116, _t194);
										_t201 = _t201 + 8;
										goto L26;
									}
									__eflags = _v2076 - 6;
									if(__eflags > 0) {
										L24:
										_t194 = 0;
										__eflags = 0;
										goto L25;
									}
									if(__eflags != 0) {
										goto L25;
									}
									__eflags = _v2072 - 2;
									if(_v2072 < 2) {
										goto L25;
									}
									goto L24;
								}
								L18:
								_v4 = 0xffffffff;
								E00C0D340( &_v2124);
								goto L41;
							}
							_t164 = _v2120;
							__eflags =  *(_t164 - 0xc);
							if( *(_t164 - 0xc) != 0) {
								E00C0C1A0( &_v2120, _t184);
								_t173 =  *(_v2108 - 0xc);
								E00C07BC0(_t184,  *(_v2108 - 0xc),  &_v2108, _t198, _t184, _v2108);
								E00C07AB0( &_v2116,  *(_v2108 - 0xc));
								E00C07AB0( &_v2128,  *(_v2108 - 0xc));
								goto L45;
							}
							goto L17;
						}
					}
					if(E00C0D2E0() == 0) {
						goto L5;
					} else {
						_v4 = 0xffffffff;
					}
					L41:
					_t102 = _v2112 + 1;
					_v2112 = _t102;
				} while (_t102 < 0x10);
				_t103 = 0;
				goto L43;
			}

0x00c0d950
0x00c0d950
0x00c0d952
0x00c0d95d
0x00c0d95e
0x00c0d964
0x00c0d96b
0x00c0d973
0x00c0d976
0x00c0d97d
0x00c0d985
0x00c0d98b
0x00c0d98d
0x00c0d991
0x00c0d999
0x00c0d999
0x00c0d99b
0x00c0d9ae
0x00c0d9b5
0x00c0d9bc
0x00c0d9c1
0x00c0d9c4
0x00c0d9d1
0x00c0d9da
0x00c0d9f5
0x00c0d9f7
0x00c0d9fb
0x00c0da09
0x00c0da0e
0x00c0da14
0x00c0da18
0x00c0da1c
0x00c0da34
0x00c0da3f
0x00c0da43
0x00c0da47
0x00c0da4b
0x00c0da51
0x00c0da53
0x00c0dcc4
0x00c0dcc4
0x00c0dccf
0x00c0dcd1
0x00c0dcd4
0x00c0dcd4
0x00000000
0x00c0dcd1
0x00c0da59
0x00c0da5b
0x00c0da5e
0x00c0da64
0x00c0da64
0x00c0da66
0x00c0da66
0x00c0da6a
0x00c0da72
0x00000000
0x00c0da78
0x00c0da78
0x00c0da7f
0x00c0da82
0x00000000
0x00000000
0x00c0da88
0x00c0da8b
0x00000000
0x00000000
0x00c0da91
0x00c0da94
0x00000000
0x00000000
0x00c0da9a
0x00c0da9d
0x00000000
0x00000000
0x00c0daa3
0x00c0daa6
0x00000000
0x00000000
0x00c0daac
0x00c0daaf
0x00000000
0x00000000
0x00c0dab9
0x00c0dabe
0x00c0dac2
0x00c0dac7
0x00c0dad3
0x00c0dad7
0x00c0dade
0x00c0dae3
0x00c0dae6
0x00c0dae8
0x00c0daf8
0x00c0dafc
0x00c0db05
0x00c0db0d
0x00c0db19
0x00c0db1e
0x00c0db20
0x00c0db40
0x00c0db4a
0x00c0db4f
0x00c0db52
0x00c0db5a
0x00c0dbbd
0x00c0dbbd
0x00c0dbc1
0x00c0dbc3
0x00c0dbc7
0x00000000
0x00000000
0x00c0dbdc
0x00c0dbe1
0x00c0dbe8
0x00c0dbeb
0x00c0dbed
0x00c0dbff
0x00c0dc06
0x00c0dc0b
0x00c0dc0d
0x00c0dc18
0x00c0dc23
0x00c0dc23
0x00c0dc0d
0x00c0dc28
0x00c0dc30
0x00c0dc3f
0x00c0dc3f
0x00c0dc45
0x00c0dc4c
0x00c0dc4e
0x00c0dc60
0x00c0dc67
0x00c0dc6c
0x00c0dc6e
0x00c0dc79
0x00c0dc84
0x00c0dc84
0x00c0dc6e
0x00c0dc89
0x00c0dc91
0x00c0dca0
0x00c0dcb1
0x00c0dcb1
0x00c0dcb6
0x00c0dcba
0x00c0dcbc
0x00c0dcc0
0x00c0dd41
0x00c0dd45
0x00c0dd4a
0x00c0dcee
0x00c0dcf5
0x00c0dcfd
0x00c0dcfe
0x00c0dd00
0x00c0dd15
0x00c0dcc2
0x00c0dcc2
0x00c0dcc2
0x00000000
0x00c0dcc2
0x00c0dcc0
0x00c0db60
0x00c0db68
0x00c0db6d
0x00c0db72
0x00c0db74
0x00c0db89
0x00c0db97
0x00c0dba3
0x00c0dbb5
0x00c0dbba
0x00000000
0x00c0dbba
0x00c0db7a
0x00c0db7d
0x00c0db87
0x00c0db87
0x00c0db87
0x00000000
0x00c0db87
0x00c0db7f
0x00000000
0x00000000
0x00c0db81
0x00c0db85
0x00000000
0x00000000
0x00000000
0x00c0db85
0x00c0db22
0x00c0db26
0x00c0db31
0x00000000
0x00c0db31
0x00c0daea
0x00c0daee
0x00c0daf2
0x00c0dd1c
0x00c0dd25
0x00c0dd2a
0x00c0dd33
0x00c0dd3c
0x00000000
0x00c0dd3c
0x00000000
0x00c0daf2
0x00c0da72
0x00c0d9e3
0x00000000
0x00c0d9e5
0x00c0d9e5
0x00c0d9e5
0x00c0dcda
0x00c0dcde
0x00c0dce2
0x00c0dce2
0x00c0dcec
0x00000000

APIs

Part of subcall function 00C0D400: _vswprintf_s.LIBCMT ref: 00C0D42C

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?), ref: 00C0D9D1
_memset.LIBCMT ref: 00C0DA09
DeviceIoControl.KERNEL32 ref: 00C0DA4B
CloseHandle.KERNEL32(00000000,?,?,?,?,?), ref: 00C0DA5E

Part of subcall function 00C0D2E0: GetLastError.KERNEL32(00C0D7BC), ref: 00C0D2E0

_memset.LIBCMT ref: 00C0DB4A
_memset.LIBCMT ref: 00C0DBDC
StrTrimA.SHLWAPI(?,00C539F8), ref: 00C0DC3F
StrTrimA.SHLWAPI(?,00C539F8), ref: 00C0DCA0
CloseHandle.KERNEL32(00000000), ref: 00C0DCD4

Part of subcall function 00C07BC0: _memcpy_s.LIBCMT ref: 00C07C4A

Part of subcall function 00C0D340: CloseHandle.KERNEL32(00000000,00C0DB36), ref: 00C0D347

Strings

\\.\PhysicalDrive%d, xrefs: 00C0D9A4

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseHandle_memset$Trim$ControlCreateDeviceErrorFileLast_memcpy_s_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 654334192-2935326385
Opcode ID: 47c7a106b97c24dffa8d28b3ce0f60009ae355bece2c68fe62d769dfcd3f99ae
Instruction ID: b9728af45aa727706ffd025eb90a19203eb48caaa9c41bb650c6848747934cf5
Opcode Fuzzy Hash: 47c7a106b97c24dffa8d28b3ce0f60009ae355bece2c68fe62d769dfcd3f99ae
Instruction Fuzzy Hash: ACA1A0715083809FD320EF64D845BAFB7E8FB84714F104A2DF59A932D1DBB5AA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C06960 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00C06960(void* __ebp, intOrPtr* _a4) {
				char _v4;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				struct _CRITICAL_SECTION* _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t87;
				signed int _t89;
				intOrPtr* _t101;
				void* _t105;
				intOrPtr* _t117;
				void* _t122;
				intOrPtr* _t127;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t151;
				intOrPtr _t153;
				intOrPtr _t154;
				void* _t156;
				void* _t158;
				intOrPtr* _t161;
				intOrPtr* _t162;
				void* _t164;
				intOrPtr* _t166;
				void* _t168;
				signed int _t169;
				void* _t170;

				_push(0xffffffff);
				_push(0xc4ccf8);
				_push( *[fs:0x0]);
				_t169 = _t168 - 0x7c;
				_t87 =  *0xc58320; // 0x96c0a7a
				_v16 = _t87 ^ _t169;
				_push(_t156);
				_t89 =  *0xc58320; // 0x96c0a7a
				_push(_t89 ^ _t169);
				 *[fs:0x0] =  &_v12;
				_t166 = _a4;
				_v136 = 0xffffffff;
				_v132 = 0;
				_v128 = 0;
				_v124 = 0;
				_v120 = 0;
				EnterCriticalSection(0xc5c1e0);
				_v116 = 0xc5c1e0;
				_v4 = 0;
				if( *0xc5c0f0 == 0) {
					_v112 = 0;
					_v108 = 0;
					_v104 = 0;
					_v100 = 0;
					_v96 = 0;
					_v92 = 0;
					_v88 = 0;
					_v84 = 0;
					asm("cpuid");
					_t20 =  &_v136; // 0x96c0a7a
					_t161 = _t20;
					 *_t161 = 0;
					 *((intOrPtr*)(_t161 + 4)) = 0;
					 *((intOrPtr*)(_t161 + 8)) = 0;
					 *((intOrPtr*)(_t161 + 0xc)) = _t144;
					_t145 = _v128;
					_v112 = _v132;
					_v108 = _v124;
					_v104 = _t145;
					if(_v136 >= 1) {
						asm("cpuid");
						 *_t161 = 1;
						 *((intOrPtr*)(_t161 + 4)) = 0;
						 *((intOrPtr*)(_t161 + 8)) = 0;
						 *((intOrPtr*)(_t161 + 0xc)) = _t145;
						_t34 =  &_v136; // 0x96c0a7a
						_v120 =  *_t34;
					}
					asm("cpuid");
					_t36 =  &_v136; // 0x96c0a7a
					_t162 = _t36;
					 *_t162 = 0x80000000;
					 *((intOrPtr*)(_t162 + 4)) = 0;
					 *((intOrPtr*)(_t162 + 8)) = 0;
					 *((intOrPtr*)(_t162 + 0xc)) = _t145;
					E00C266B0(_t156,  &_v80, 0, 0x40);
					_t170 = _t169 + 0xc;
					if(_v136 >= 0x80000004) {
						asm("cpuid");
						 *_t162 = 0x80000002;
						 *((intOrPtr*)(_t162 + 4)) = 0;
						 *((intOrPtr*)(_t162 + 8)) = 0;
						 *((intOrPtr*)(_t162 + 0xc)) = _t145;
						_v76 = _v132;
						_v72 = _v128;
						_v80 = _v136;
						_t153 = _v124;
						_v68 = _t153;
						asm("cpuid");
						 *_t162 = 0x80000003;
						 *((intOrPtr*)(_t162 + 4)) = 0;
						 *((intOrPtr*)(_t162 + 8)) = 0;
						 *((intOrPtr*)(_t162 + 0xc)) = _t153;
						_t154 = _v128;
						_v64 = _v136;
						_v60 = _v132;
						_v52 = _v124;
						_v56 = _t154;
						asm("cpuid");
						 *_t162 = 0x80000004;
						 *((intOrPtr*)(_t162 + 4)) = 0;
						 *((intOrPtr*)(_t162 + 8)) = 0;
						 *((intOrPtr*)(_t162 + 0xc)) = _t154;
						_v48 = _v136;
						_v44 = _v132;
						_v40 = _v128;
						_v36 = _v124;
					}
					StrTrimA( &_v112, " ");
					StrTrimA( &_v84, " ");
					_t127 = "GenuineIotel";
					_t101 =  &_v120;
					while(1) {
						_t147 =  *_t101;
						if(_t147 !=  *_t127) {
							break;
						}
						if(_t147 == 0) {
							L13:
							_t101 = 0;
						} else {
							_t151 =  *((intOrPtr*)(_t101 + 1));
							if(_t151 !=  *((intOrPtr*)(_t127 + 1))) {
								break;
							} else {
								_t101 = _t101 + 2;
								_t127 = _t127 + 2;
								if(_t151 != 0) {
									continue;
								} else {
									goto L13;
								}
							}
						}
						L15:
						if(_t101 == 0) {
							E00C096B0("GenuineIntel",  &_v120, 0x20);
						}
						_push( &_v88);
						_push(_v128);
						E00C09030("%s,%x,%s",  &_v120);
						_t169 = _t170 + 0x10;
						_t149 = 0x80;
						_t105 = E00C096B0( *_t166, 0xc5c0f0, 0x80);
						goto L18;
					}
					asm("sbb eax, eax");
					asm("sbb eax, 0xffffffff");
					goto L15;
				} else {
					_t117 = 0xc5c0f0;
					_t11 = _t117 + 1; // 0xc5c0f1
					_t149 = _t11;
					do {
						_t143 =  *_t117;
						_t117 = _t117 + 1;
					} while (_t143 != 0);
					_t105 = E00C08AA0(_t166, _t143, _t117 - _t149, 0xc5c0f0);
				}
				L18:
				LeaveCriticalSection(0xc5c1e0);
				 *[fs:0x0] = _v20;
				_pop(_t158);
				_pop(_t164);
				_pop(_t122);
				return E00C2669E(_t105, _t122, _v24 ^ _t169, _t149, _t158, _t164);
			}

0x00c06960
0x00c06962
0x00c0696d
0x00c0696e
0x00c06971
0x00c06978
0x00c0697f
0x00c06980
0x00c06987
0x00c0698f
0x00c06995
0x00c069a5
0x00c069ad
0x00c069b1
0x00c069b5
0x00c069b9
0x00c069bd
0x00c069c3
0x00c069cb
0x00c069d8
0x00c06a00
0x00c06a04
0x00c06a08
0x00c06a0e
0x00c06a12
0x00c06a16
0x00c06a1a
0x00c06a1e
0x00c06a22
0x00c06a24
0x00c06a24
0x00c06a28
0x00c06a2a
0x00c06a2d
0x00c06a30
0x00c06a3b
0x00c06a3f
0x00c06a48
0x00c06a4c
0x00c06a54
0x00c06a58
0x00c06a5a
0x00c06a5c
0x00c06a5f
0x00c06a62
0x00c06a65
0x00c06a69
0x00c06a69
0x00c06a74
0x00c06a76
0x00c06a76
0x00c06a7a
0x00c06a7c
0x00c06a7f
0x00c06a8b
0x00c06a8e
0x00c06a93
0x00c06a9e
0x00c06aab
0x00c06aad
0x00c06aaf
0x00c06ab2
0x00c06ab5
0x00c06ac4
0x00c06ac8
0x00c06acc
0x00c06ad0
0x00c06ad6
0x00c06adf
0x00c06ae1
0x00c06ae3
0x00c06ae6
0x00c06ae9
0x00c06af4
0x00c06af8
0x00c06b00
0x00c06b04
0x00c06b0a
0x00c06b13
0x00c06b15
0x00c06b17
0x00c06b1a
0x00c06b1d
0x00c06b2c
0x00c06b34
0x00c06b38
0x00c06b3c
0x00c06b3c
0x00c06b50
0x00c06b5c
0x00c06b5e
0x00c06b63
0x00c06b67
0x00c06b67
0x00c06b6b
0x00000000
0x00000000
0x00c06b6f
0x00c06b83
0x00c06b83
0x00c06b71
0x00c06b71
0x00c06b77
0x00000000
0x00c06b79
0x00c06b79
0x00c06b7c
0x00c06b81
0x00000000
0x00000000
0x00000000
0x00000000
0x00c06b81
0x00c06b77
0x00c06b8c
0x00c06b8e
0x00c06b9e
0x00c06b9e
0x00c06bab
0x00c06bac
0x00c06bb9
0x00c06bc1
0x00c06bc4
0x00c06bce
0x00000000
0x00c06bce
0x00c06b87
0x00c06b89
0x00000000
0x00c069da
0x00c069da
0x00c069df
0x00c069df
0x00c069e2
0x00c069e2
0x00c069e4
0x00c069e5
0x00c069f4
0x00c069f4
0x00c06bd3
0x00c06bd8
0x00c06be5
0x00c06bed
0x00c06bee
0x00c06bf0
0x00c06c02

APIs

EnterCriticalSection.KERNEL32 ref: 00C069BD
_memset.LIBCMT ref: 00C06A8E
StrTrimA.SHLWAPI(?,00C539F8,?,?,?,?,?,?,?,?,?,?,?,?,-00000010,00C4CCF8), ref: 00C06B50
StrTrimA.SHLWAPI(?,00C539F8,?,?,?,?,?,?,?,?,?,?,?,?,-00000010,00C4CCF8), ref: 00C06B5C
LeaveCriticalSection.KERNEL32(00C5C1E0,?,?,?,?,?,?,?), ref: 00C06BD8

Strings

GenuineIotel, xrefs: 00C06B5E
zl, xrefs: 00C06A24, 00C06A76, 00C06A65
GenuineIntel, xrefs: 00C06B90
%s,%x,%s, xrefs: 00C06BB2

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CriticalSectionTrim$EnterLeave_memset
String ID: %s,%x,%s$GenuineIntel$GenuineIotel$zl
API String ID: 2102966345-2736197191
Opcode ID: 4573f69f86712f0f9f548b14afae4eba3d2afeb9154851b1ab2ea46f7ce7fb0d
Instruction ID: d262931cf6bb1aae94a35b6bed0e82b106646b6cb25287aa0e20c303c3f856b2
Opcode Fuzzy Hash: 4573f69f86712f0f9f548b14afae4eba3d2afeb9154851b1ab2ea46f7ce7fb0d
Instruction Fuzzy Hash: D781F3B4A087418FC364CF29D48161BBBE1BB88754F50892EF89AD3391E735D948CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00C12ED0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
fileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00C12ED0(signed int __edx, void* __edi, void* __esi, void* __ebp, signed int _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				struct _OVERLAPPED* _v12;
				void _v16;
				signed int _v20;
				long _v24;
				void* _v28;
				void* __ebx;
				signed int _t23;
				signed int _t25;
				signed int _t37;
				signed int _t39;
				void* _t42;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t59;
				void* _t60;
				void* _t62;
				void* _t63;
				signed int _t66;
				signed int _t67;

				_t61 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				_t66 =  &_v28;
				_t23 =  *0xc58320; // 0x96c0a7a
				_v4 = _t23 ^ _t66;
				_t25 = _a4;
				_v20 = _t25;
				_v28 = 0;
				_v24 = 0;
				if(_t25 == 0 || _a8 == 0) {
					__eflags = _t25 | 0xffffffff;
					return E00C2669E(_t25 | 0xffffffff, _t45, _v4 ^ _t66, _t57, _t58, _t61);
				} else {
					_push(_t45);
					_t46 = E00C27A03(_t45, __edx, __edi, 0x2800);
					_t67 = _t66 + 4;
					if(_t46 != 0) {
						_push(__esi);
						_push(__edi);
						_t59 = 0;
						do {
							E00C103A0(_t46, 0x2800, "\\\\.\\PhysicalDrive%d", _t59);
							_t67 = _t67 + 8;
							_t62 = CreateFileA(_t46, 0, 3, 0, 3, 0x80, 0);
							__eflags = _t62 - 0xffffffff;
							if(_t62 == 0xffffffff) {
								goto L10;
							} else {
								_v16 = 0;
								_v12 = 0;
								_v8 = 0;
								_v16 = 0;
								_v12 = 0;
								E00C266B0(_t59, _t46, 0, 0x2800);
								_t67 = _t67 + 0xc;
								_t37 = DeviceIoControl(_t62, 0x2d1400,  &_v16, 0xc, _t46, 0x2800,  &_v24, 0);
								__eflags = _t37;
								if(_t37 != 0) {
									_t39 =  *(_t46 + 0x18);
									__eflags = _t39;
									if(_t39 > 0) {
										_t57 = _v20;
										__eflags = _t46 + _t39;
										_t42 = E00C12C50(_a8, "DISKID:", _v20, _t46 + _t39);
										_t67 = _t67 + 0xc;
										_v28 = _t42;
									}
								}
								CloseHandle(_t62);
								__eflags = _v28;
								if(__eflags == 0) {
									goto L10;
								}
							}
							break;
							L10:
							_t59 = _t59 + 1;
							__eflags = _t59 - 0x10;
						} while (__eflags < 0);
						E00C27501(_t46, _t57, _t59, _t62, __eflags);
						_t60 = _t46;
						_pop(_t63);
						_pop(_t47);
						__eflags = _v4 ^ _t67 + 0x00000004;
						return E00C2669E(_v28, _t47, _v4 ^ _t67 + 0x00000004, _t57, _t60, _t63);
					} else {
						SetLastError(8);
						_pop(_t48);
						return E00C2669E(_t28 | 0xffffffff, _t48, _v4 ^ _t67, _t57, __edi, __esi);
					}
				}
			}

0x00c12ed0
0x00c12ed0
0x00c12ed0
0x00c12ed0
0x00c12ed3
0x00c12eda
0x00c12ede
0x00c12ee5
0x00c12ee9
0x00c12eed
0x00c12ef3
0x00c13017
0x00c13022
0x00c12f03
0x00c12f03
0x00c12f0e
0x00c12f10
0x00c12f15
0x00c12f33
0x00c12f34
0x00c12f35
0x00c12f40
0x00c12f4b
0x00c12f50
0x00c12f66
0x00c12f68
0x00c12f6b
0x00000000
0x00c12f6d
0x00c12f75
0x00c12f79
0x00c12f7e
0x00c12f82
0x00c12f86
0x00c12f8a
0x00c12f8f
0x00c12fab
0x00c12fb1
0x00c12fb3
0x00c12fb5
0x00c12fb8
0x00c12fba
0x00c12fbc
0x00c12fc0
0x00c12fcd
0x00c12fd2
0x00c12fd5
0x00c12fd5
0x00c12fba
0x00c12fda
0x00c12fe0
0x00c12fe4
0x00000000
0x00000000
0x00c12fe4
0x00000000
0x00c12fe6
0x00c12fe6
0x00c12fe7
0x00c12fe7
0x00c12ff1
0x00c12ffd
0x00c12ffe
0x00c12fff
0x00c13005
0x00c1300f
0x00c12f17
0x00c12f19
0x00c12f1f
0x00c12f32
0x00c12f32
0x00c12f15

APIs

_malloc.LIBCMT ref: 00C12F09

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

SetLastError.KERNEL32(00000008,76A1E730,?,?,?,?,00C12D64,00000000,00002000,00C0E6AF,?,?,?,00C0ED1E,?,?), ref: 00C12F19
CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000080,00000000,00000000,00002000,76A1E730,?,?,?,?,00C12D64,00000000), ref: 00C12F60
_memset.LIBCMT ref: 00C12F8A
DeviceIoControl.KERNEL32 ref: 00C12FAB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00C12D64,00000000,00002000,00C0E6AF), ref: 00C12FDA

Strings

\\.\PhysicalDrive%d, xrefs: 00C12F41
DISKID:, xrefs: 00C12FC8

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AllocateCloseControlCreateDeviceErrorFileHandleHeapLast_malloc_memset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 2839847783-3765948602
Opcode ID: 8a26b1c8c9e86bf339690f1e2e5cbc41f781d5605177a3fa8c957a7bba82930d
Instruction ID: b5b87636fb29ac1ae5bccba94fa159daeeaaf5a223e0c0c544cb6a104345dd14
Opcode Fuzzy Hash: 8a26b1c8c9e86bf339690f1e2e5cbc41f781d5605177a3fa8c957a7bba82930d
Instruction Fuzzy Hash: 4E312A75608304AFD300DF68AC86B2FB7E8FF85750F50092DF45686291DB70EA9897A7

Uniqueness

Uniqueness Score: -1.00%

Function 00C17DD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C17DD0(intOrPtr* __ebx, void* __edi, void* __ebp) {
				long _v4;
				void* _v8;
				intOrPtr _v16;
				intOrPtr _t20;
				void* _t21;
				intOrPtr* _t22;
				long _t23;
				void* _t24;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr* _t33;
				void* _t34;
				void* _t42;
				void* _t46;
				void* _t48;

				_t48 = __ebp;
				_t42 = __edi;
				_t33 = __ebx;
				_v8 = 0;
				_v4 = GetCurrentThreadId();
				_t20 =  *__ebx;
				_t34 =  *(_t20 + 0x5b0);
				_t21 = _t20 + 8;
				 *(_t21 + 0x5b0) = _t34;
				if(_t34 != _t21) {
					 *(_t21 + 0x5b0) =  *(_t34 + 0x5a8);
				} else {
					_t34 = 0;
				}
				_t46 = _t34;
				if(_t34 == 0) {
					L16:
					_t22 = E00C18160( *_t33 + 8);
					if(_t22 != 0) {
						 *_t22 = _v4;
					}
					goto L18;
				} else {
					_push(_t48);
					_push(_t42);
					do {
						_t23 =  *_t46;
						if(_v4 != _t23) {
							_t24 = OpenThread(0x40, 1, _t23);
							if(_t24 != 0) {
								CloseHandle(_t24);
							} else {
								if(GetLastError() != 0x57) {
									OutputDebugStringW("****** ");
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x5ac)) + 0x5a8)) =  *((intOrPtr*)(_t46 + 0x5a8));
									 *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x5a8)) + 0x5ac)) =  *((intOrPtr*)(_t46 + 0x5ac));
									_t31 = GetProcessHeap();
									if(_t31 != 0) {
										HeapFree(_t31, 0, _t46);
									}
								}
							}
						} else {
							_v8 = _t46;
						}
						_t26 =  *_t33;
						_t46 =  *(_t26 + 0x5b8);
						_t27 = _t26 + 8;
						if(_t46 == _t27) {
							break;
						}
						 *((intOrPtr*)(_t27 + 0x5b0)) =  *((intOrPtr*)(_t46 + 0x5a8));
					} while (_t46 != 0);
					_t22 = _v16;
					if(_t22 != 0) {
						L18:
						return _t22;
					}
					goto L16;
				}
			}

0x00c17dd0
0x00c17dd0
0x00c17dd0
0x00c17dd3
0x00c17de0
0x00c17de4
0x00c17de6
0x00c17dec
0x00c17def
0x00c17df7
0x00c17e03
0x00c17df9
0x00c17df9
0x00c17df9
0x00c17e0a
0x00c17e0e
0x00c17ebd
0x00c17ec2
0x00c17ec9
0x00c17ecf
0x00c17ecf
0x00000000
0x00c17e14
0x00c17e14
0x00c17e1b
0x00c17e22
0x00c17e22
0x00c17e28
0x00c17e35
0x00c17e39
0x00c17e8a
0x00c17e3b
0x00c17e44
0x00c17e81
0x00c17e46
0x00c17e52
0x00c17e64
0x00c17e6a
0x00c17e6e
0x00c17e74
0x00c17e74
0x00c17e6e
0x00c17e44
0x00c17e2a
0x00c17e2a
0x00c17e2a
0x00c17e90
0x00c17e92
0x00c17e98
0x00c17e9d
0x00000000
0x00000000
0x00c17ea5
0x00c17eab
0x00c17eb3
0x00c17ebb
0x00c17ed1
0x00c17ed5
0x00c17ed5
0x00000000
0x00c17ebb

APIs

GetCurrentThreadId.KERNEL32 ref: 00C17DDA
OpenThread.KERNEL32(00000040,00000001,-00000008,00000000,?,?,?,74CB4C30,00C53300), ref: 00C17E35
GetLastError.KERNEL32(?,?,?,74CB4C30,00C53300), ref: 00C17E3B
GetProcessHeap.KERNEL32(?,?,?,74CB4C30,00C53300), ref: 00C17E6A
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,74CB4C30,00C53300), ref: 00C17E74
OutputDebugStringW.KERNEL32(****** ,?,?,?,74CB4C30,00C53300), ref: 00C17E81
CloseHandle.KERNEL32(00000000,?,?,?,74CB4C30,00C53300), ref: 00C17E8A

Strings

****** , xrefs: 00C17E7C

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: HeapThread$CloseCurrentDebugErrorFreeHandleLastOpenOutputProcessString
String ID: ******
API String ID: 2450575844-1974978773
Opcode ID: 1a486aa6b7951a283158253fb8311e458573642cf415384590d2afd9c412d53d
Instruction ID: 8a1baf3ff595c44b4c19a126f32d7bdf79e38cdade72c2fb768562850ee051c0
Opcode Fuzzy Hash: 1a486aa6b7951a283158253fb8311e458573642cf415384590d2afd9c412d53d
Instruction Fuzzy Hash: 6F318C386087019FC724DB64DC44BAB7BF5BF46312F0546ADE8A997350D770AC809F62

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D720 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C0D720(signed int __ecx, void* __edx, void* __ebp, intOrPtr _a4) {
				struct _OVERLAPPED* _v4;
				char _v12;
				signed int _v20;
				short _v532;
				char _v1006;
				char _v1032;
				void _v1068;
				char _v1072;
				intOrPtr _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				intOrPtr _v1088;
				intOrPtr _v1092;
				char _v1094;
				intOrPtr _v1096;
				intOrPtr _v1100;
				void _v1104;
				intOrPtr _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				void _v1128;
				intOrPtr _v1132;
				struct _OVERLAPPED* _v1136;
				long _v1140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t43;
				void* _t49;
				void* _t57;
				void* _t78;
				void* _t98;
				void* _t102;
				void* _t103;
				void* _t106;
				void* _t108;
				signed int _t109;
				signed int _t110;

				_push(0xffffffff);
				_push(0xc4cbeb);
				_push( *[fs:0x0]);
				_t109 = _t108 - 0x468;
				_t41 =  *0xc58320; // 0x96c0a7a
				_v20 = _t41 ^ _t109;
				_push(__ebp);
				_t43 =  *0xc58320; // 0x96c0a7a
				_push(_t43 ^ _t109);
				 *[fs:0x0] =  &_v12;
				_v1132 = _a4;
				_t102 = __edx;
				E00C0D400(0x200,  &_v532, L"\\\\.\\PhysicalDrive%d", __ecx & 0x000000ff);
				_t106 = 0;
				_t110 = _t109 + 8;
				_v1136 = 0;
				_t93 =  &_v532;
				_v4 = 0;
				_t49 = CreateFileW( &_v532, 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t49 != 0xffffffff) {
					_t106 = _t49;
					_v1136 = _t106;
					L2:
					_v1128 = 0;
					_v1124 = 0;
					_v1120 = 0;
					_v1116 = 0;
					_v1112 = 0;
					_v1108 = 0;
					_v1140 = 0;
					if(DeviceIoControl(_t106, 0x74080, 0, 0,  &_v1128, 0x18,  &_v1140, 0) != 0) {
						E00C266B0(DeviceIoControl,  &_v1068, 0, 0x211);
						_t110 = _t110 + 0xc;
						_v1096 = 0;
						_v1104 = 0;
						_v1100 = 0;
						_v1092 = 0;
						_v1088 = 0;
						_v1084 = 0;
						_v1080 = 0;
						_v1076 = 0;
						_v1072 = 0;
						_t93 =  &_v1104;
						_v1094 = 0xec;
						if(DeviceIoControl(_t106, 0x7c088,  &_v1104, 0x20,  &_v1068, 0x211,  &_v1140, 0) == 0) {
							goto L3;
						}
						E00C0D520(0x14,  &_v1032);
						E00C07C80(_t102);
						E00C07BC0(0, 0x14, _t102, _t106, _t102,  &_v1032);
						E00C0DE30(_t102, 0x14, E00C0DDA0(_t102, 0x14, DeviceIoControl));
						E00C0D520(0x28,  &_v1006);
						_t104 = _v1140;
						E00C07C80(_v1140);
						_t93 = 0x28;
						E00C07BC0(_t102, 0x28, _v1140, _t106, _t104,  &_v1006);
						E00C0DE30(_t104, 0x28, E00C0DDA0(_t104, 0x28, _t65));
						if(_t106 != 0) {
							CloseHandle(_t106);
						}
						_t57 = 1;
						L11:
						 *[fs:0x0] = _v12;
						_pop(_t98);
						_pop(_t103);
						_pop(_t78);
						return E00C2669E(_t57, _t78, _v20 ^ _t110, _t93, _t98, _t103);
					}
					L3:
					if(_t106 != 0) {
						CloseHandle(_t106);
					}
					L5:
					_t57 = 0;
					goto L11;
				}
				if(E00C0D2E0() != 0) {
					goto L5;
				}
				goto L2;
			}

0x00c0d720
0x00c0d722
0x00c0d72d
0x00c0d72e
0x00c0d734
0x00c0d73b
0x00c0d743
0x00c0d746
0x00c0d74d
0x00c0d755
0x00c0d766
0x00c0d77b
0x00c0d77d
0x00c0d782
0x00c0d784
0x00c0d789
0x00c0d79d
0x00c0d7a5
0x00c0d7ac
0x00c0d7b5
0x00c0d811
0x00c0d813
0x00c0d7c0
0x00c0d7c9
0x00c0d7cd
0x00c0d7d1
0x00c0d7d5
0x00c0d7d9
0x00c0d7dd
0x00c0d7f5
0x00c0d7fd
0x00c0d824
0x00c0d82b
0x00c0d82f
0x00c0d833
0x00c0d837
0x00c0d83b
0x00c0d83f
0x00c0d843
0x00c0d847
0x00c0d84b
0x00c0d84f
0x00c0d864
0x00c0d86f
0x00c0d878
0x00000000
0x00000000
0x00c0d886
0x00c0d88b
0x00c0d89e
0x00c0d8ac
0x00c0d8bd
0x00c0d8c2
0x00c0d8c6
0x00c0d8d4
0x00c0d8d9
0x00c0d8e7
0x00c0d8ee
0x00c0d8f1
0x00c0d8f1
0x00c0d8f7
0x00c0d8fc
0x00c0d903
0x00c0d90b
0x00c0d90c
0x00c0d90e
0x00c0d923
0x00c0d923
0x00c0d7ff
0x00c0d801
0x00c0d804
0x00c0d804
0x00c0d80a
0x00c0d80a
0x00000000
0x00c0d80a
0x00c0d7be
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C0D400: _vswprintf_s.LIBCMT ref: 00C0D42C

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00000002), ref: 00C0D7AC
DeviceIoControl.KERNEL32 ref: 00C0D7F9
CloseHandle.KERNEL32(00000000), ref: 00C0D804

Part of subcall function 00C0D2E0: GetLastError.KERNEL32(00C0D7BC), ref: 00C0D2E0

_memset.LIBCMT ref: 00C0D824
DeviceIoControl.KERNEL32 ref: 00C0D874
CloseHandle.KERNEL32(00000000,0007C088,?,?,?), ref: 00C0D8F1

Strings

\\.\PhysicalDrive%d, xrefs: 00C0D76A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseControlDeviceHandle$CreateErrorFileLast_memset_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1100394461-2935326385
Opcode ID: e1581e432fa0d8158bb5002c06eecfe037ab851e2f9e9da9ed20f249a9aa885b
Instruction ID: 264b1cc8602fca37ec7073314980d40b8cd184c5670bcf93d5d9b4803d3c71e3
Opcode Fuzzy Hash: e1581e432fa0d8158bb5002c06eecfe037ab851e2f9e9da9ed20f249a9aa885b
Instruction Fuzzy Hash: 935175B05083449FD360DF68CC85B6BB7E8FB89740F404A2DF595C62C1E7749908CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C24220 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C24220(void* __edi, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v260;
				char _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				char _v296;
				char _v1320;
				struct _OVERLAPPED* _v1324;
				struct _OVERLAPPED* _v1328;
				struct _OVERLAPPED* _v1332;
				struct _OVERLAPPED* _v1336;
				struct _OVERLAPPED* _v1340;
				unsigned char _v1341;
				void _v1344;
				char _v1348;
				intOrPtr _v1352;
				long _v1356;
				void* _v1360;
				void* __ebx;
				void* __esi;
				signed int _t40;
				intOrPtr _t42;
				unsigned char _t53;
				void* _t63;
				signed short* _t64;
				void* _t66;
				void* _t69;
				signed char _t70;
				void* _t71;
				signed int* _t79;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				signed int _t90;

				_t83 = __edi;
				_t90 =  &_v1360;
				_t40 =  *0xc58320; // 0x96c0a7a
				_v4 = _t40 ^ _t90;
				_t42 = _a4;
				_v1352 = _t42;
				if(_t42 == 0 || _a8 == 0) {
					return E00C2669E(0, _t69, _v4 ^ _t90, _t81, _t83, _t84);
				} else {
					_push(_t69);
					_push(_t84);
					_v1360 = 0;
					_t70 = 0;
					do {
						E00C09610( &_v260, 0x100, "\\\\.\\PhysicalDrive%d", _t70);
						_t90 = _t90 + 0x10;
						_t85 = CreateFileA( &_v260, 0xc0000000, 3, 0, 3, 0, 0);
						if(_t85 == 0xffffffff) {
							goto L13;
						} else {
							_t81 =  &_v1356;
							_v1344 = 0;
							_v1340 = 0;
							_v1336 = 0;
							_v1332 = 0;
							_v1328 = 0;
							_v1324 = 0;
							_v1356 = 0;
							if(DeviceIoControl(_t85, 0x74080, 0, 0,  &_v1344, 0x18,  &_v1356, 0) != 0) {
								_t53 = _v1341;
								if(_t53 > 0) {
									asm("sbb al, al");
									_v1348 = ( ~(_t53 >> _t70 & 0x00000010) & 0x000000b5) + 0xec;
									_v296 = 0;
									_v292 = 0;
									_v288 = 0;
									_v284 = 0;
									_v280 = 0;
									_v276 = 0;
									_v272 = 0;
									_v268 = 0;
									_v264 = 0;
									E00C266B0(_t83, 0xc5ac20, 0, 0x210);
									_t81 = _v1348;
									_t63 = E00C26520(_t85,  &_v296, 0xc5ac20, _v1348, _t70,  &_v1356);
									_t90 = _t90 + 0x24;
									if(_t63 != 0) {
										_t79 =  &_v1320;
										_t64 = 0xc5ac30;
										do {
											 *_t79 =  *_t64 & 0x0000ffff;
											_t64 =  &(_t64[1]);
											_t79 =  &(_t79[1]);
										} while (_t64 < 0xc5ae30);
										_t66 = E00C264B0( &_v1320, 0xa, 0x13);
										_t81 = _v1352;
										_t90 = _t90 + 0xc;
										if(E00C09700(_v1352, _a8, _t66) == 0) {
											_v1360 = 1;
										}
									}
								}
								CloseHandle(_t85);
								if(_v1360 == 0) {
									goto L13;
								}
							} else {
								CloseHandle(_t85);
								goto L13;
							}
						}
						break;
						L13:
						_t70 = _t70 + 1;
					} while (_t70 < 0x10);
					_pop(_t86);
					_pop(_t71);
					return E00C2669E(_v1360, _t71, _v4 ^ _t90, _t81, _t83, _t86);
				}
			}

0x00c24220
0x00c24220
0x00c24226
0x00c2422d
0x00c24234
0x00c2423b
0x00c24241
0x00c2442c
0x00c24255
0x00c24255
0x00c2425d
0x00c2425e
0x00c24266
0x00c24270
0x00c24283
0x00c24288
0x00c242a4
0x00c242a9
0x00000000
0x00c242af
0x00c242b2
0x00c242b9
0x00c242bd
0x00c242c1
0x00c242c5
0x00c242c9
0x00c242cd
0x00c242e0
0x00c242f0
0x00c242fe
0x00c24304
0x00c24317
0x00c2431d
0x00c24329
0x00c24330
0x00c24337
0x00c2433e
0x00c24345
0x00c2434c
0x00c24353
0x00c2435a
0x00c24361
0x00c24368
0x00c2436d
0x00c24386
0x00c2438b
0x00c24390
0x00c24392
0x00c24396
0x00c243a0
0x00c243a3
0x00c243a5
0x00c243a8
0x00c243ab
0x00c243bb
0x00c243c7
0x00c243cb
0x00c243d8
0x00c243da
0x00c243da
0x00c243d8
0x00c24390
0x00c243e3
0x00c243ee
0x00000000
0x00000000
0x00c242f2
0x00c242f3
0x00000000
0x00c242f3
0x00c242f0
0x00000000
0x00c243f0
0x00c243f0
0x00c243f1
0x00c243fe
0x00c24400
0x00c24415
0x00c24415

APIs

Part of subcall function 00C09610: _vswprintf_s.LIBCMT ref: 00C09643

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00C242A2
DeviceIoControl.KERNEL32 ref: 00C242E8
CloseHandle.KERNEL32(00000000), ref: 00C242F3
_memset.LIBCMT ref: 00C24368
CloseHandle.KERNEL32(00000000), ref: 00C243E3

Strings

\\.\PhysicalDrive%d, xrefs: 00C24271

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseHandle$ControlCreateDeviceFile_memset_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 759969516-2935326385
Opcode ID: f37970780940b66040eb941aa44fc998a7ff35fb88c9379c952bb405d97b2324
Instruction ID: be6184b912d26023f17d39bce0e684bdb738b60b0f0e22bd8a38307cacda3fd0
Opcode Fuzzy Hash: f37970780940b66040eb941aa44fc998a7ff35fb88c9379c952bb405d97b2324
Instruction Fuzzy Hash: C851ACB0509350AFD364DF289C82BABB7E8FB88705F40492DF699C6281E77499488F56

Uniqueness

Uniqueness Score: -1.00%

Function 00C245E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00C245E0(void* __ebx, void* __esi, void* __ebp, long _a4, intOrPtr _a8, void _a12, struct _OVERLAPPED* _a16, intOrPtr _a20, char _a24, char _a280, void _a1280, intOrPtr _a1304, signed int _a11280, intOrPtr _a11288, intOrPtr _a11292) {
				struct _OVERLAPPED* _v0;
				void* __edi;
				signed int _t32;
				intOrPtr _t34;
				void* _t54;
				void* _t55;
				void* _t69;
				void* _t70;
				signed int _t74;

				_t68 = __esi;
				_t53 = __ebx;
				E00C26E30(0x2c14);
				_t32 =  *0xc58320; // 0x96c0a7a
				_a11280 = _t32 ^ _t74;
				_t34 = _a11288;
				_a8 = _t34;
				if(_t34 == 0 || _a11292 == 0) {
					return E00C2669E(0, _t53, _a11280 ^ _t74, _t64, 0, _t68);
				} else {
					_push(__ebx);
					_push(__esi);
					_v0 = 0;
					_t54 = 0;
					do {
						E00C09610( &_a24, 0x100, "\\\\.\\PhysicalDrive%d", _t54);
						_t74 = _t74 + 0x10;
						_t69 = CreateFileA( &_a24, 0, 3, 0, 3, 0, 0);
						if(_t69 == 0xffffffff) {
							goto L8;
						} else {
							_a12 = 0;
							_a16 = 0;
							_a4 = 0;
							_a20 = 0;
							_a12 = 0;
							_a16 = 0;
							E00C266B0(0,  &_a1280, 0, 0x2710);
							_t74 = _t74 + 0xc;
							_t64 =  &_a12;
							if(DeviceIoControl(_t69, 0x2d1400,  &_a12, 0xc,  &_a1280, 0x2710,  &_a4, 0) != 0) {
								E00C266B0(0,  &_a280, 0, 0x3e8);
								_push( &_a280);
								_push(1);
								_push(_a1304);
								_push( &_a1280);
								E00C263A0();
								_t64 = _a11292;
								_t74 = _t74 + 0x1c;
								if(E00C09700(_a8, _a11292,  &_a280) == 0) {
									_v0 = 1;
								}
							}
							CloseHandle(_t69);
							if(_v0 == 0) {
								goto L8;
							}
						}
						break;
						L8:
						_t54 = _t54 + 1;
					} while (_t54 < 0x10);
					_pop(_t70);
					_pop(_t55);
					return E00C2669E(_v0, _t55, _a11280 ^ _t74, _t64, 0, _t70);
				}
			}

0x00c245e0
0x00c245e0
0x00c245e5
0x00c245ea
0x00c245f1
0x00c245f8
0x00c24602
0x00c24608
0x00c24762
0x00c2461b
0x00c2461b
0x00c24623
0x00c24624
0x00c24628
0x00c24630
0x00c24640
0x00c24645
0x00c24657
0x00c2465c
0x00000000
0x00c24662
0x00c24671
0x00c24675
0x00c2467a
0x00c2467e
0x00c24682
0x00c24686
0x00c2468a
0x00c2468f
0x00c246a7
0x00c246ba
0x00c246ca
0x00c246dd
0x00c246de
0x00c246e0
0x00c246e8
0x00c246e9
0x00c246ee
0x00c246f9
0x00c2470d
0x00c2470f
0x00c2470f
0x00c2470d
0x00c24718
0x00c24722
0x00000000
0x00000000
0x00c24722
0x00000000
0x00c24724
0x00c24724
0x00c24725
0x00c24732
0x00c24734
0x00c2474a
0x00c2474a

APIs

Part of subcall function 00C09610: _vswprintf_s.LIBCMT ref: 00C09643

CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,00C253AB,?,00000064), ref: 00C24655
_memset.LIBCMT ref: 00C2468A
DeviceIoControl.KERNEL32 ref: 00C246B2
_memset.LIBCMT ref: 00C246CA
CloseHandle.KERNEL32(00000000), ref: 00C24718

Strings

\\.\PhysicalDrive%d, xrefs: 00C24631

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 3752575622-2935326385
Opcode ID: 14ba39750091c18661bff06feb075d022d549d8f5ffe540472cd7657c1899bc3
Instruction ID: bef97a81108611c3230c924f68bbbeaa15190187b14b7137758b4e1113db64f8
Opcode Fuzzy Hash: 14ba39750091c18661bff06feb075d022d549d8f5ffe540472cd7657c1899bc3
Instruction Fuzzy Hash: 86414E71514350ABE324DF68DC8AEAFB7E8BBC9B10F40091DF55982181EBB09A54CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C24770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C24770(void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v260;
				char _v1284;
				struct _OVERLAPPED* _v1288;
				struct _OVERLAPPED* _v1292;
				struct _OVERLAPPED* _v1296;
				struct _OVERLAPPED* _v1300;
				struct _OVERLAPPED* _v1304;
				void _v1308;
				long _v1312;
				long _v1316;
				intOrPtr _v1320;
				void* _v1324;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				void* _t42;
				signed int _t46;
				void* _t47;
				void* _t49;
				struct _OVERLAPPED* _t50;
				void* _t58;
				void* _t59;
				signed int _t62;
				void* _t63;

				_t62 =  &_v1324;
				_t32 =  *0xc58320; // 0x96c0a7a
				_v4 = _t32 ^ _t62;
				_t50 = 0;
				_v1320 = _a4;
				_v1324 = 0;
				do {
					E00C19E80( &_v260, 0x100, "\\\\.\\PhysicalDrive%d", _t50);
					_t62 = _t62 + 0x10;
					_t57 =  &_v260;
					_t58 = CreateFileA( &_v260, 0xc0000000, 7, 0, 3, 0, 0);
					if(_t58 == 0xffffffff) {
						goto L9;
					}
					_v1308 = 0;
					_v1304 = 0;
					_v1300 = 0;
					_v1296 = 0;
					_v1292 = 0;
					_v1288 = 0;
					_v1312 = 0;
					if(DeviceIoControl(_t58, 0x74080, 0, 0,  &_v1308, 0x18,  &_v1312, 0) == 0) {
						goto L9;
					}
					_t42 = E00C27A03(_t50,  &_v260, _t58, 0x221);
					_t63 = _t62 + 4;
					_t57 =  &_v1316;
					_t59 = _t42;
					 *((char*)(_t59 + 0xa)) = 0xec;
					_v1316 = 0;
					if(DeviceIoControl(_t58, 0x7c088, _t59, 0x21, _t59, 0x221,  &_v1316, 0) == 0) {
						L8:
						CloseHandle(_t58);
						_push(_t59);
						E00C27501(_t50, _t57, _t58, _t59, _t70);
						_t62 = _t63 + 4;
						if(_v1324 != 0) {
							break;
						}
						goto L9;
					}
					_t46 = 0;
					do {
						 *(_t63 + 0x38 + _t46 * 4) =  *(_t59 + 0x10 + _t46 * 2) & 0x0000ffff;
						_t46 = _t46 + 1;
					} while (_t46 < 0x100);
					_t57 =  &_v1284;
					_t47 = E00C264B0( &_v1284, 0xa, 0x13);
					_t63 = _t63 + 0xc;
					_t49 = E00C09700(_v1320, _a8, _t47);
					_t70 = _t49;
					if(_t49 == 0) {
						_v1324 = 1;
					}
					goto L8;
					L9:
					_t50 =  &(_t50->Internal);
				} while (_t50 < 0x10);
				return E00C2669E(_v1324, _t50, _v4 ^ _t62, _t57, _t58, _t59);
			}

0x00c24770
0x00c24776
0x00c2477d
0x00c24794
0x00c24797
0x00c2479b
0x00c247a0
0x00c247b3
0x00c247b8
0x00c247ca
0x00c247d8
0x00c247dd
0x00000000
0x00000000
0x00c247e6
0x00c247ea
0x00c247ee
0x00c247f2
0x00c247f6
0x00c247fa
0x00c24814
0x00c24820
0x00000000
0x00000000
0x00c2482b
0x00c24830
0x00c24835
0x00c2483f
0x00c2484a
0x00c2484f
0x00c2485b
0x00c248a1
0x00c248a2
0x00c248a8
0x00c248a9
0x00c248ae
0x00c248b6
0x00000000
0x00000000
0x00000000
0x00c248b6
0x00c2485d
0x00c24860
0x00c24865
0x00c24869
0x00c2486a
0x00c24873
0x00c2487a
0x00c24883
0x00c24890
0x00c24895
0x00c24897
0x00c24899
0x00c24899
0x00000000
0x00c248b8
0x00c248b8
0x00c248b9
0x00c248de

APIs

CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,?,?,?), ref: 00C247D2
DeviceIoControl.KERNEL32 ref: 00C2481C
_malloc.LIBCMT ref: 00C2482B

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

DeviceIoControl.KERNEL32 ref: 00C24857
CloseHandle.KERNEL32(00000000), ref: 00C248A2

Strings

\\.\PhysicalDrive%d, xrefs: 00C247A1

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ControlDevice$AllocateCloseCreateFileHandleHeap_malloc
String ID: \\.\PhysicalDrive%d
API String ID: 3393598324-2935326385
Opcode ID: 0f7c5adf17550a02ddba37129f42133955c1120947c20827b134e47f6ef1a6c2
Instruction ID: c98a58b16dffef25ad2c9ca4d5713b2537f32f7a352d4616863f82c2b2a79c62
Opcode Fuzzy Hash: 0f7c5adf17550a02ddba37129f42133955c1120947c20827b134e47f6ef1a6c2
Instruction Fuzzy Hash: 1531A070604350AFE364DF64AC86F6BBAE8BB89715F40092CF699D61C0E7B095048B56

Uniqueness

Uniqueness Score: -1.00%

Function 00C2669E Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00C2669E(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xc58320; // 0x96c0a7a
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0xc5b430 = _t6;
				 *0xc5b42c = _t22;
				 *0xc5b428 = _t25;
				 *0xc5b424 = _t21;
				 *0xc5b420 = _t27;
				 *0xc5b41c = _t26;
				 *0xc5b448 = ss;
				 *0xc5b43c = cs;
				 *0xc5b418 = ds;
				 *0xc5b414 = es;
				 *0xc5b410 = fs;
				 *0xc5b40c = gs;
				asm("pushfd");
				_pop( *0xc5b440);
				 *0xc5b434 =  *_t31;
				 *0xc5b438 = _v0;
				 *0xc5b444 =  &_a4;
				 *0xc5b380 = 0x10001;
				_t11 =  *0xc5b438; // 0x0
				 *0xc5b334 = _t11;
				 *0xc5b328 = 0xc0000409;
				 *0xc5b32c = 1;
				_t12 =  *0xc58320; // 0x96c0a7a
				_v812 = _t12;
				_t13 =  *0xc58324; // 0xf693f585
				_v808 = _t13;
				 *0xc5b378 = IsDebuggerPresent();
				_push(1);
				E00C36C30(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xc4fb98);
				if( *0xc5b378 == 0) {
					_push(1);
					E00C36C30(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00c2669e
0x00c2669e
0x00c2669e
0x00c2669e
0x00c2669e
0x00c2669e
0x00c2669e
0x00c266a4
0x00c266a6
0x00c266a6
0x00c2d550
0x00c2d555
0x00c2d55b
0x00c2d561
0x00c2d567
0x00c2d56d
0x00c2d573
0x00c2d57a
0x00c2d581
0x00c2d588
0x00c2d58f
0x00c2d596
0x00c2d59d
0x00c2d59e
0x00c2d5a7
0x00c2d5af
0x00c2d5b7
0x00c2d5c2
0x00c2d5cc
0x00c2d5d1
0x00c2d5d6
0x00c2d5e0
0x00c2d5ea
0x00c2d5ef
0x00c2d5f5
0x00c2d5fa
0x00c2d606
0x00c2d60b
0x00c2d60d
0x00c2d615
0x00c2d620
0x00c2d62d
0x00c2d62f
0x00c2d631
0x00c2d636
0x00c2d64a

APIs

IsDebuggerPresent.KERNEL32 ref: 00C2D600
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C2D615
UnhandledExceptionFilter.KERNEL32(00C4FB98), ref: 00C2D620
GetCurrentProcess.KERNEL32(C0000409), ref: 00C2D63C
TerminateProcess.KERNEL32(00000000), ref: 00C2D643

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a5049929fe07b1bbed77fc0c9e8ebe1aac5c7fdeca0c08f89ef255c010fdaa5e
Instruction ID: 24d5d09d938385b55e69ebbaf0b24a3bf0da2921785034f2de197c31f8f72674
Opcode Fuzzy Hash: a5049929fe07b1bbed77fc0c9e8ebe1aac5c7fdeca0c08f89ef255c010fdaa5e
Instruction Fuzzy Hash: 4121CDBC9113089FD760DF25F88476C7FA4BB08716F90442AE409A7272EBB499C49F55

Uniqueness

Uniqueness Score: -1.00%

Function 00C09820 Relevance: 4.6, APIs: 3, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00C09820(unsigned int* __eax, void* __ecx) {
				void* __edi;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int* _t49;
				unsigned int _t50;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				char* _t94;
				char* _t95;
				void* _t97;
				void* _t98;
				char* _t99;
				char* _t101;
				char* _t102;
				char* _t103;
				unsigned int* _t104;
				unsigned int* _t105;
				unsigned int* _t106;
				unsigned int* _t108;
				unsigned int* _t109;
				unsigned int* _t110;
				unsigned int* _t111;
				unsigned int* _t113;
				unsigned int* _t114;
				unsigned int* _t115;
				intOrPtr _t116;
				void* _t120;

				_t49 = __eax;
				_t116 =  *((intOrPtr*)(__eax + 0x5c));
				_t87 = __eax + 0x1c;
				 *((char*)(_t87 + _t116)) = 0x80;
				_t117 = _t116 + 1;
				_t97 = __ecx;
				if(_t116 + 1 > 0x38) {
					E00C266B0(_t87, _t117 + _t87, 0, 0x40 - _t117);
					_push(1);
					_push(_t49);
					_t117 = 0;
					E00C099B0(_t87);
					_t120 = _t120 + 0x14;
				}
				E00C266B0(_t87, _t117 + _t87, 0, 0x38 - _t117);
				 *((char*)(_t87 + 0x38)) = _t49[6] & 0x000000ff;
				_t88 = _t87 + 0x38;
				 *((char*)(_t88 + 1)) = _t49[6] & 0x000000ff;
				_t89 = _t88 + 1;
				 *((char*)(_t89 + 1)) = _t49[6] & 0x000000ff;
				_t90 = _t89 + 1;
				 *((char*)(_t90 + 1)) = _t49[6] & 0x000000ff;
				_t91 = _t90 + 1;
				 *((char*)(_t91 + 1)) = _t49[5] & 0x000000ff;
				_t92 = _t91 + 1;
				 *((char*)(_t92 + 1)) = _t49[5] & 0x000000ff;
				_t94 = _t92 + 2;
				 *_t94 = _t49[5] & 0x000000ff;
				_t95 = _t94 + 1;
				 *_t95 = _t49[5] & 0x000000ff;
				_t96 = _t95 - 0x3f;
				_push(1);
				_push(_t49);
				E00C099B0(_t95 - 0x3f);
				_t49[0x17] = 0;
				E00C266B0(_t95 - 0x3f, _t96, 0, 0x40);
				_t37 =  *_t49;
				_t98 = _t97 + 1;
				 *((char*)(_t98 - 1)) = _t37 >> 0x18;
				_t99 = _t98 + 1;
				 *((char*)(_t99 - 1)) = _t37 >> 0x10;
				 *_t99 = _t37 >> 8;
				 *(_t99 + 1) = _t37;
				_t38 = _t49[1];
				_t101 = _t99 + 2;
				 *_t101 = _t38 >> 0x18;
				_t102 = _t101 + 1;
				 *_t102 = _t38 >> 0x10;
				_t103 = _t102 + 1;
				 *_t103 = _t38 >> 8;
				_t104 = _t103 + 1;
				 *_t104 = _t38;
				_t39 = _t49[2];
				_t105 =  &(_t104[0]);
				 *_t105 = _t39 >> 0x18;
				_t106 =  &(_t105[0]);
				 *_t106 = _t39 >> 0x10;
				_t108 =  &(_t106[0]);
				 *((char*)(_t108 - 1)) = _t39 >> 8;
				 *_t108 = _t39;
				_t40 = _t49[3];
				_t109 =  &(_t108[0]);
				 *_t109 = _t40 >> 0x18;
				_t110 =  &(_t109[0]);
				 *_t110 = _t40 >> 0x10;
				_t111 =  &(_t110[0]);
				 *_t111 = _t40 >> 8;
				_t111[0] = _t40;
				_t50 = _t49[4];
				_t113 =  &(_t111[0]);
				 *_t113 = _t50 >> 0x18;
				_t114 =  &(_t113[0]);
				 *_t114 = _t50 >> 0x10;
				_t115 =  &(_t114[0]);
				 *_t115 = _t50 >> 8;
				_t115[0] = _t50;
				return 1;
			}

0x00c09823
0x00c09825
0x00c09829
0x00c0982c
0x00c09830
0x00c09831
0x00c09836
0x00c09845
0x00c0984a
0x00c0984c
0x00c0984f
0x00c09851
0x00c09856
0x00c09856
0x00c09866
0x00c0986f
0x00c09876
0x00c09879
0x00c09880
0x00c09881
0x00c09888
0x00c09889
0x00c09890
0x00c09891
0x00c09898
0x00c09899
0x00c098a1
0x00c098a2
0x00c098a8
0x00c098a9
0x00c098ab
0x00c098ae
0x00c098b0
0x00c098b3
0x00c098bd
0x00c098c4
0x00c098c9
0x00c098cb
0x00c098d1
0x00c098d4
0x00c098da
0x00c098e2
0x00c098e4
0x00c098e7
0x00c098eb
0x00c098f1
0x00c098f3
0x00c098f9
0x00c098fb
0x00c09901
0x00c09903
0x00c09904
0x00c09906
0x00c09909
0x00c0990f
0x00c09913
0x00c0991a
0x00c0991f
0x00c09923
0x00c09926
0x00c09928
0x00c0992b
0x00c09931
0x00c09933
0x00c09939
0x00c0993b
0x00c09941
0x00c09943
0x00c09946
0x00c0994a
0x00c09950
0x00c09954
0x00c09958
0x00c0995c
0x00c09961
0x00c09963
0x00c0996e

APIs

_memset.LIBCMT ref: 00C09845
_memset.LIBCMT ref: 00C09866
_memset.LIBCMT ref: 00C098C4

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 955dea18266c62b5533b32b273cdcc2b0676893c6b43dff94e8b6a35c7786584
Instruction ID: 98a356c46036f2316cd40b5855e97a6599c66106d714baf2fe72377a70fce52a
Opcode Fuzzy Hash: 955dea18266c62b5533b32b273cdcc2b0676893c6b43dff94e8b6a35c7786584
Instruction Fuzzy Hash: 5441B75125D3D24BD71A8E3E1CC1769BFDA8FB3100B48459EE8C28B787C4A49595C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C02260 Relevance: 4.5, APIs: 3, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C02260(struct HINSTANCE__* _a4, struct HRSRC__* _a8, signed int _a12) {
				void* _t7;
				void* _t11;
				struct HINSTANCE__* _t15;
				signed int _t17;
				struct HRSRC__* _t19;
				signed int _t21;

				_t15 = _a4;
				_t19 = _a8;
				_t7 = LoadResource(_t15, _t19);
				if(_t7 != 0) {
					_t21 = LockResource(_t7);
					if(_t21 == 0) {
						L8:
						return 0;
					} else {
						_t11 = SizeofResource(_t15, _t19) + _t21;
						_t17 = _a12 & 0x0000000f;
						if(_t17 <= 0) {
							L7:
							if(_t21 < _t11) {
								asm("sbb eax, eax");
								return  ~( *_t21 & 0x0000ffff) & _t21;
							} else {
								goto L8;
							}
						} else {
							while(_t21 < _t11) {
								_t17 = _t17 - 1;
								_t21 = _t21 + 2 + ( *_t21 & 0x0000ffff) * 2;
								if(_t17 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L10;
							}
							goto L8;
						}
					}
				} else {
					return _t7;
				}
				L10:
			}

0x00c02261
0x00c02266
0x00c0226c
0x00c02274
0x00c02281
0x00c02285
0x00c022b4
0x00c022b9
0x00c02287
0x00c02293
0x00c02295
0x00c02298
0x00c022b0
0x00c022b2
0x00c022bf
0x00c022c6
0x00000000
0x00000000
0x00000000
0x00c022a0
0x00c022a0
0x00c022a4
0x00c022aa
0x00c022ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c022ae
0x00000000
0x00c022a0
0x00c02298
0x00c02278
0x00c02278
0x00c02278
0x00000000

APIs

LoadResource.KERNEL32(?,?,00000000,?,00C020B8,00000000,00000000,?,?,00000000,00000000,?,?,769C4A70,74D0FAA0,00C018C0), ref: 00C0226C
LockResource.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,769C4A70,74D0FAA0,00C018C0,?,00000000), ref: 00C0227B
SizeofResource.KERNEL32(?,?,?,00000000,00000000,?,?,769C4A70,74D0FAA0,00C018C0,?,00000000), ref: 00C02289

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 3f9ffb2061ca19b0287c7087758a8ee7cb4d928b339b6337b48e9344f2ac8a61
Instruction ID: 403332b37de293ed75dc20c6dc81b84cd1563739f9d905fcc05cab67ce37281b
Opcode Fuzzy Hash: 3f9ffb2061ca19b0287c7087758a8ee7cb4d928b339b6337b48e9344f2ac8a61
Instruction Fuzzy Hash: 40F0A93770022247CB219BB5DC88B6FB7E8FBC5772705042AF991D2151D330A940DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BF90 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00C4EF28,00000000,00000001,00C4E7A0,?), ref: 00C1BFCE

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 5a2a99a818075ee833dbf055ebd61bf92255b0dc22f4a4808c219109729c62ae
Instruction ID: 5a421402129495229b857724798b48e8017f2a6d051fca67e3115f0c8b6efe07
Opcode Fuzzy Hash: 5a2a99a818075ee833dbf055ebd61bf92255b0dc22f4a4808c219109729c62ae
Instruction Fuzzy Hash: EE110578A40208EFDB00CB98C984B99B7F4FB49365F2181A9E804EB390D371AE81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C0EAB0 Relevance: 1.5, APIs: 1, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C0EAB0(signed int* __esi) {
				intOrPtr _v8;
				long _t10;
				struct _FILETIME* _t12;
				void* _t14;

				if(( *__esi | __esi[1]) == 0) {
					L5:
					return 0;
				} else {
					GetSystemTimeAsFileTime(_t12);
					_t14 = _v8 - __esi[1];
					_t10 = _t12->dwLowDateTime;
					if(_t14 < 0 || _t14 <= 0 && _t10 <=  *__esi) {
						goto L5;
					} else {
						return 1;
					}
				}
			}

0x00c0eab8
0x00c0eadf
0x00c0eae4
0x00c0eaba
0x00c0eabe
0x00c0eac8
0x00c0eacb
0x00c0eace
0x00000000
0x00c0ead6
0x00c0eade
0x00c0eade
0x00c0eace

APIs

GetSystemTimeAsFileTime.KERNEL32(-00000004,?,?,00C0FD74,?,?,?,?,?,?,?,?), ref: 00C0EABE

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 3df477f8c7755348c5215b2f7d2fd9c0eff15b01d045a57bb721e3ec9d0587b9
Instruction ID: 67fa6ab8ed3eb5010a4e7c9b12e05ae5eb02ab95a42f5dc16e05e00a05e9138c
Opcode Fuzzy Hash: 3df477f8c7755348c5215b2f7d2fd9c0eff15b01d045a57bb721e3ec9d0587b9
Instruction Fuzzy Hash: 89E0BF787585009FCA24DB54D58591ABBE1FB54700F944C68D8E7C2280E635AE44DA52

Uniqueness

Uniqueness Score: -1.00%

Function 00C259D0 Relevance: .6, Instructions: 637
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00C259D0(intOrPtr* __eax) {
				signed int _t252;
				signed int _t308;
				intOrPtr* _t319;
				intOrPtr _t357;
				signed int _t381;
				intOrPtr _t401;
				intOrPtr _t407;
				signed int _t409;
				intOrPtr _t415;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				intOrPtr* _t427;
				signed int _t430;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t446;
				signed int _t466;
				signed int _t483;
				signed int _t484;
				signed int _t497;
				signed int _t499;
				signed int _t501;
				signed int _t503;
				signed int _t505;
				signed int _t507;
				signed int _t509;
				signed int _t511;
				signed int _t518;
				signed int _t520;
				signed int _t522;
				signed int _t524;
				signed int _t526;
				signed int _t528;
				signed int _t530;
				signed int _t532;
				signed int _t534;
				signed int _t536;
				signed int _t542;
				intOrPtr _t543;
				signed int _t545;
				signed int _t547;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t555;
				signed int _t558;
				signed int _t560;
				signed int _t565;
				signed int _t567;
				signed int _t572;
				signed int _t574;
				signed int _t579;
				signed int _t583;
				signed int _t588;
				signed int _t590;
				signed int _t592;
				signed int _t594;
				signed int _t596;
				signed int _t598;
				intOrPtr _t602;
				intOrPtr _t603;
				signed int _t605;
				signed int _t607;
				signed int _t609;
				signed int _t611;
				signed int _t628;
				signed int _t629;
				signed int _t631;
				signed int _t633;
				signed int _t635;
				signed int _t637;
				signed int _t639;
				signed int _t641;
				signed int _t643;
				signed int _t645;
				signed int _t647;
				signed int _t649;
				signed int _t651;
				intOrPtr _t652;
				signed int _t661;
				signed int _t663;
				signed int _t665;
				signed int _t672;
				signed int _t674;
				intOrPtr _t763;
				intOrPtr _t764;
				intOrPtr _t783;
				intOrPtr _t784;
				void* _t785;

				_t427 =  *((intOrPtr*)(_t785 + 0x44));
				_t518 =  *(_t427 + 0xc);
				_t629 =  *(_t427 + 8);
				_t558 =  *(_t427 + 4);
				asm("rol ecx, 0x7");
				_t430 = ( !_t558 & _t518 | _t629 & _t558) +  *__eax +  *_t427 - 0x28955b88 + _t558;
				asm("rol edx, 0xc");
				_t520 = ( !_t430 & _t629 | _t558 & _t430) +  *((intOrPtr*)(__eax + 4)) + _t518 - 0x173848aa + _t430;
				asm("ror esi, 0xf");
				_t631 = ( !_t520 & _t558 | _t520 & _t430) +  *(__eax + 8) + _t629 + 0x242070db + _t520;
				asm("ror edi, 0xa");
				_t560 = ( !_t631 & _t430 | _t520 & _t631) +  *((intOrPtr*)(__eax + 0xc)) + _t558 - 0x3e423112 + _t631;
				 *(_t785 + 0x10) = _t560;
				_t565 =  *(_t785 + 0x10);
				asm("rol ecx, 0x7");
				_t432 = ( !_t560 & _t520 | _t631 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x10)) + _t430 - 0xa83f051 + _t565;
				asm("rol edx, 0xc");
				_t522 = ( !_t432 & _t631 | _t565 & _t432) +  *((intOrPtr*)(__eax + 0x14)) + _t520 + 0x4787c62a + _t432;
				asm("ror esi, 0xf");
				_t633 = ( !_t522 & _t565 | _t522 & _t432) +  *((intOrPtr*)(__eax + 0x18)) + _t631 - 0x57cfb9ed + _t522;
				 *((intOrPtr*)(_t785 + 0x14)) =  *((intOrPtr*)(__eax + 0x1c));
				_t357 =  *((intOrPtr*)(__eax + 0x20));
				asm("ror edi, 0xa");
				_t567 = ( !_t633 & _t432 | _t522 & _t633) +  *((intOrPtr*)(_t785 + 0x14)) + _t565 - 0x2b96aff + _t633;
				 *(_t785 + 0x10) = _t567;
				 *((intOrPtr*)(_t785 + 0x38)) = _t357;
				_t572 =  *(_t785 + 0x10);
				asm("rol ecx, 0x7");
				_t434 = ( !_t567 & _t522 | _t633 &  *(_t785 + 0x10)) + _t357 + _t432 + 0x698098d8 + _t572;
				asm("rol edx, 0xc");
				_t524 = ( !_t434 & _t633 | _t572 & _t434) +  *((intOrPtr*)(__eax + 0x24)) + _t522 - 0x74bb0851 + _t434;
				asm("ror esi, 0xf");
				_t635 = ( !_t524 & _t572 | _t524 & _t434) +  *((intOrPtr*)(__eax + 0x28)) + _t633 - 0xa44f + _t524;
				asm("ror edi, 0xa");
				_t574 = ( !_t635 & _t434 | _t524 & _t635) +  *((intOrPtr*)(__eax + 0x2c)) + _t572 - 0x76a32842 + _t635;
				 *(_t785 + 0x10) = _t574;
				_t579 =  *(_t785 + 0x10);
				 *((intOrPtr*)(_t785 + 0x18)) =  *((intOrPtr*)(__eax + 0x34));
				asm("rol ecx, 0x7");
				_t436 = ( !_t574 & _t524 | _t635 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x30)) + _t434 + 0x6b901122 + _t579;
				asm("rol edx, 0xc");
				_t526 = ( !_t436 & _t635 | _t579 & _t436) +  *((intOrPtr*)(_t785 + 0x18)) + _t524 - 0x2678e6d + _t436;
				_t381 =  !_t526;
				asm("ror esi, 0xf");
				_t637 = _t635 + (_t381 & _t579 | _t526 & _t436) +  *((intOrPtr*)(__eax + 0x38)) - 0x5986bc72 + _t526;
				_t583 =  !_t637;
				 *(_t785 + 0x1c) = _t583;
				asm("ror edi, 0xa");
				_t588 = (_t583 & _t436 | _t526 & _t637) +  *(__eax + 0x3c) +  *(_t785 + 0x10) + 0x49b40821 + _t637;
				asm("rol ecx, 0x5");
				_t438 = (_t381 & _t637 | _t526 & _t588) +  *((intOrPtr*)(__eax + 4)) + _t436 - 0x9e1da9e + _t588;
				asm("rol edx, 0x9");
				_t528 = ( *(_t785 + 0x1c) & _t588 | _t637 & _t438) +  *((intOrPtr*)(__eax + 0x18)) + _t526 - 0x3fbf4cc0 + _t438;
				asm("rol esi, 0xe");
				_t639 = ( !_t588 & _t438 | _t528 & _t588) +  *((intOrPtr*)(__eax + 0x2c)) + _t637 + 0x265e5a51 + _t528;
				asm("ror edi, 0xc");
				_t590 = ( !_t438 & _t528 | _t639 & _t438) +  *__eax + _t588 - 0x16493856 + _t639;
				_t401 =  *((intOrPtr*)(__eax + 0x14));
				asm("rol ecx, 0x5");
				 *(_t785 + 0x10) = _t438 + ( !_t528 & _t639 | _t528 & _t590) + _t401 - 0x29d0efa3 + _t590;
				 *((intOrPtr*)(_t785 + 0x28)) = _t401;
				_t446 =  *(_t785 + 0x10);
				asm("rol edx, 0x9");
				_t530 = ( !_t639 & _t590 | _t639 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x28)) + _t528 + 0x2441453 + _t446;
				asm("rol esi, 0xe");
				_t641 = _t639 + ( !_t590 & _t446 | _t530 & _t590) +  *(__eax + 0x3c) - 0x275e197f + _t530;
				asm("ror edi, 0xc");
				_t592 = ( !( *(_t785 + 0x10)) & _t530 | _t641 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x10)) + _t590 - 0x182c0438 + _t641;
				asm("rol ecx, 0x5");
				 *(_t785 + 0x10) = ( !_t530 & _t641 | _t530 & _t592) +  *((intOrPtr*)(__eax + 0x24)) +  *(_t785 + 0x10) + 0x21e1cde6 + _t592;
				_t466 =  *(_t785 + 0x10);
				asm("rol edx, 0x9");
				_t532 = ( !_t641 & _t592 | _t641 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x38)) + _t530 - 0x3cc8f82a + _t466;
				asm("rol esi, 0xe");
				_t643 = _t641 + ( !_t592 & _t466 | _t532 & _t592) +  *((intOrPtr*)(__eax + 0xc)) - 0xb2af279 + _t532;
				asm("ror edi, 0xc");
				_t594 = ( !( *(_t785 + 0x10)) & _t532 | _t643 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x20)) + _t592 + 0x455a14ed + _t643;
				asm("rol ecx, 0x5");
				 *(_t785 + 0x10) = ( !_t532 & _t643 | _t532 & _t594) +  *((intOrPtr*)(__eax + 0x34)) +  *(_t785 + 0x10) - 0x561c16fb + _t594;
				_t483 =  *(__eax + 8);
				 *(_t785 + 0x1c) = _t483;
				_t484 =  *(_t785 + 0x10);
				asm("rol edx, 0x9");
				_t534 = _t532 + ( !_t643 & _t594 | _t643 &  *(_t785 + 0x10)) + _t483 - 0x3105c08 + _t484;
				asm("rol esi, 0xe");
				_t645 = _t643 + ( !_t594 & _t484 | _t534 & _t594) +  *((intOrPtr*)(__eax + 0x1c)) + 0x676f02d9 + _t534;
				asm("ror edi, 0xc");
				_t596 = ( !( *(_t785 + 0x10)) & _t534 | _t645 &  *(_t785 + 0x10)) +  *((intOrPtr*)(__eax + 0x30)) + _t594 - 0x72d5b376 + _t645;
				asm("rol ecx, 0x4");
				_t497 = (_t534 ^ _t645 ^ _t596) + _t401 +  *(_t785 + 0x10) - 0x5c6be + _t596;
				_t407 =  *((intOrPtr*)(__eax + 0x2c));
				asm("rol edx, 0xb");
				_t536 = (_t645 ^ _t596 ^ _t497) +  *((intOrPtr*)(__eax + 0x20)) + _t534 - 0x788e097f + _t497;
				 *((intOrPtr*)(_t785 + 0x44)) = _t407;
				_t763 =  *((intOrPtr*)(__eax + 0x38));
				asm("rol esi, 0x10");
				_t647 = _t645 + (_t536 ^ _t596 ^ _t497) + _t407 + 0x6d9d6122 + _t536;
				_t409 = _t536 ^ _t647;
				 *(_t785 + 0x10) = _t409;
				asm("ror edi, 0x9");
				_t598 = (_t409 ^ _t497) + _t763 + _t596 - 0x21ac7f4 + _t647;
				 *((intOrPtr*)(_t785 + 0x24)) = _t763;
				_t764 =  *((intOrPtr*)(__eax + 4));
				_t415 =  *((intOrPtr*)(__eax + 0x10));
				 *((intOrPtr*)(_t785 + 0x34)) = _t764;
				asm("rol ecx, 0x4");
				_t499 = ( *(_t785 + 0x10) ^ _t598) + _t764 + _t497 - 0x5b4115bc + _t598;
				 *((intOrPtr*)(_t785 + 0x40)) = _t415;
				asm("rol ebx, 0xb");
				_t417 = _t536 + (_t647 ^ _t598 ^ _t499) + _t415 + 0x4bdecfa9 + _t499;
				asm("rol esi, 0x10");
				_t649 = (_t417 ^ _t598 ^ _t499) +  *((intOrPtr*)(__eax + 0x1c)) + _t647 - 0x944b4a0 + _t417;
				_t542 = _t417 ^ _t649;
				 *(_t785 + 0x10) = _t542;
				_t543 =  *((intOrPtr*)(__eax + 0x28));
				 *((intOrPtr*)(_t785 + 0x30)) = _t543;
				asm("ror edx, 0x9");
				_t545 = _t598 + (_t542 ^ _t499) + _t543 - 0x41404390 + _t649;
				_t602 =  *__eax;
				asm("rol ecx, 0x4");
				_t501 = ( *(_t785 + 0x10) ^ _t545) +  *((intOrPtr*)(__eax + 0x34)) + _t499 + 0x289b7ec6 + _t545;
				asm("rol ebx, 0xb");
				_t419 = _t417 + (_t649 ^ _t545 ^ _t501) + _t602 - 0x155ed806 + _t501;
				 *((intOrPtr*)(_t785 + 0x20)) = _t602;
				_t603 =  *((intOrPtr*)(__eax + 0xc));
				 *((intOrPtr*)(_t785 + 0x2c)) = _t603;
				asm("rol edi, 0x10");
				_t605 = _t649 + (_t419 ^ _t545 ^ _t501) + _t603 - 0x2b10cf7b + _t419;
				_t651 = _t419 ^ _t605;
				 *(_t785 + 0x10) = _t651;
				_t652 =  *((intOrPtr*)(__eax + 0x18));
				 *((intOrPtr*)(_t785 + 0x3c)) = _t652;
				_t783 =  *((intOrPtr*)(__eax + 0x24));
				asm("ror edx, 0x9");
				_t547 = _t545 + (_t651 ^ _t501) + _t652 + 0x4881d05 + _t605;
				asm("rol ecx, 0x4");
				_t503 = ( *(_t785 + 0x10) ^ _t547) + _t783 + _t501 - 0x262b2fc7 + _t547;
				 *((intOrPtr*)(_t785 + 0x48)) = _t783;
				_t784 =  *((intOrPtr*)(__eax + 0x30));
				_t252 =  *(__eax + 0x3c);
				asm("rol esi, 0xb");
				_t661 = (_t605 ^ _t547 ^ _t503) + _t784 + _t419 - 0x1924661b + _t503;
				_t424 =  *(_t785 + 0x1c);
				 *(_t785 + 0x10) = _t252;
				asm("rol edi, 0x10");
				_t607 = (_t661 ^ _t547 ^ _t503) + _t252 + _t605 + 0x1fa27cf8 + _t661;
				asm("ror edx, 0x9");
				_t549 = (_t661 ^ _t607 ^ _t503) + _t424 + _t547 - 0x3b53a99b + _t607;
				asm("rol ecx, 0x6");
				_t505 = (( !_t661 | _t549) ^ _t607) +  *((intOrPtr*)(_t785 + 0x20)) + _t503 - 0xbd6ddbc + _t549;
				asm("rol esi, 0xa");
				_t663 = (( !_t607 | _t505) ^ _t549) +  *((intOrPtr*)(_t785 + 0x14)) + _t661 + 0x432aff97 + _t505;
				asm("rol edi, 0xf");
				_t609 = (( !_t549 | _t663) ^ _t505) +  *((intOrPtr*)(_t785 + 0x24)) + _t607 - 0x546bdc59 + _t663;
				asm("ror edx, 0xb");
				_t551 = (( !_t505 | _t609) ^ _t663) +  *((intOrPtr*)(_t785 + 0x28)) + _t549 - 0x36c5fc7 + _t609;
				asm("rol ecx, 0x6");
				_t507 = (( !_t663 | _t551) ^ _t609) + _t784 + _t505 + 0x655b59c3 + _t551;
				asm("rol esi, 0xa");
				_t665 = (( !_t609 | _t507) ^ _t551) +  *((intOrPtr*)(_t785 + 0x2c)) + _t663 - 0x70f3336e + _t507;
				asm("rol edi, 0xf");
				_t611 = (( !_t551 | _t665) ^ _t507) +  *((intOrPtr*)(_t785 + 0x30)) + _t609 - 0x100b83 + _t665;
				asm("ror edx, 0xb");
				_t553 = (( !_t507 | _t611) ^ _t665) +  *((intOrPtr*)(_t785 + 0x34)) + _t551 - 0x7a7ba22f + _t611;
				asm("rol ecx, 0x6");
				_t509 = (( !_t665 | _t553) ^ _t611) +  *((intOrPtr*)(_t785 + 0x38)) + _t507 + 0x6fa87e4f + _t553;
				asm("rol eax, 0xa");
				_t308 = (( !_t611 | _t509) ^ _t553) +  *(_t785 + 0x10) + _t665 - 0x1d31920 + _t509;
				asm("rol esi, 0xf");
				_t672 = (( !_t553 | _t308) ^ _t509) +  *((intOrPtr*)(_t785 + 0x3c)) + _t611 - 0x5cfebcec + _t308;
				asm("ror edx, 0xb");
				_t555 = (( !_t509 | _t672) ^ _t308) +  *((intOrPtr*)(_t785 + 0x18)) + _t553 + 0x4e0811a1 + _t672;
				asm("rol ecx, 0x6");
				_t511 = (( !_t308 | _t555) ^ _t672) +  *((intOrPtr*)(_t785 + 0x40)) + _t509 - 0x8ac817e + _t555;
				asm("rol edi, 0xa");
				_t628 = (( !_t672 | _t511) ^ _t555) +  *((intOrPtr*)(_t785 + 0x44)) + _t308 - 0x42c50dcb + _t511;
				asm("rol esi, 0xf");
				_t674 = (( !_t555 | _t628) ^ _t511) + _t424 + _t672 + 0x2ad7d2bb + _t628;
				_t319 =  *((intOrPtr*)(_t785 + 0x50));
				asm("ror edx, 0xb");
				 *((intOrPtr*)(_t319 + 4)) =  *((intOrPtr*)(_t319 + 4)) + (( !_t511 | _t674) ^ _t628) +  *((intOrPtr*)(_t785 + 0x48)) + _t555 - 0x14792c6f + _t674;
				 *((intOrPtr*)(_t319 + 8)) =  *((intOrPtr*)(_t319 + 8)) + _t674;
				 *_t319 =  *_t319 + _t511;
				 *((intOrPtr*)(_t319 + 0xc)) =  *((intOrPtr*)(_t319 + 0xc)) + _t628;
				return _t319;
			}

0x00c259d4
0x00c259d8
0x00c259dd
0x00c259e1
0x00c259fd
0x00c25a00
0x00c25a16
0x00c25a19
0x00c25a33
0x00c25a36
0x00c25a51
0x00c25a54
0x00c25a56
0x00c25a6d
0x00c25a71
0x00c25a74
0x00c25a8c
0x00c25a8f
0x00c25aa7
0x00c25aaa
0x00c25aaf
0x00c25acc
0x00c25acf
0x00c25ad2
0x00c25ad4
0x00c25ae4
0x00c25aef
0x00c25af3
0x00c25af6
0x00c25b0e
0x00c25b11
0x00c25b2b
0x00c25b2e
0x00c25b49
0x00c25b4c
0x00c25b4e
0x00c25b68
0x00c25b6c
0x00c25b70
0x00c25b73
0x00c25b8c
0x00c25b8f
0x00c25b93
0x00c25ba9
0x00c25bac
0x00c25bb2
0x00c25bb4
0x00c25bce
0x00c25bd1
0x00c25beb
0x00c25bee
0x00c25bfe
0x00c25c01
0x00c25c1b
0x00c25c1e
0x00c25c35
0x00c25c38
0x00c25c44
0x00c25c50
0x00c25c55
0x00c25c65
0x00c25c75
0x00c25c79
0x00c25c7c
0x00c25c9c
0x00c25c9f
0x00c25cb5
0x00c25cb8
0x00c25cd2
0x00c25cd7
0x00c25cf5
0x00c25cfd
0x00c25d00
0x00c25d1a
0x00c25d1d
0x00c25d33
0x00c25d36
0x00c25d50
0x00c25d57
0x00c25d67
0x00c25d73
0x00c25d77
0x00c25d7b
0x00c25d7e
0x00c25d9a
0x00c25d9d
0x00c25db5
0x00c25db8
0x00c25dcd
0x00c25dd0
0x00c25de2
0x00c25de5
0x00c25de8
0x00c25df2
0x00c25dfd
0x00c25e00
0x00c25e03
0x00c25e07
0x00c25e09
0x00c25e1c
0x00c25e1f
0x00c25e23
0x00c25e27
0x00c25e33
0x00c25e36
0x00c25e3a
0x00c25e3d
0x00c25e47
0x00c25e52
0x00c25e55
0x00c25e67
0x00c25e6a
0x00c25e6e
0x00c25e70
0x00c25e76
0x00c25e7d
0x00c25e8c
0x00c25e8f
0x00c25ea1
0x00c25ea3
0x00c25ea6
0x00c25eb3
0x00c25eb6
0x00c25ebe
0x00c25ec2
0x00c25ec7
0x00c25ed2
0x00c25ed5
0x00c25ed9
0x00c25edd
0x00c25ee1
0x00c25ee8
0x00c25ef7
0x00c25efa
0x00c25efd
0x00c25f0a
0x00c25f0d
0x00c25f15
0x00c25f19
0x00c25f1c
0x00c25f28
0x00c25f2b
0x00c25f3c
0x00c25f40
0x00c25f44
0x00c25f47
0x00c25f58
0x00c25f5b
0x00c25f70
0x00c25f73
0x00c25f88
0x00c25f8b
0x00c25fa0
0x00c25fa3
0x00c25fb8
0x00c25fbb
0x00c25fce
0x00c25fd1
0x00c25fe6
0x00c25fe9
0x00c25ffe
0x00c26001
0x00c26016
0x00c26019
0x00c2602e
0x00c26035
0x00c26046
0x00c26049
0x00c2605e
0x00c26061
0x00c2607a
0x00c2607d
0x00c2608e
0x00c26091
0x00c260a6
0x00c260a9
0x00c260be
0x00c260c1
0x00c260d4
0x00c260df
0x00c260e6
0x00c260ee
0x00c260f9
0x00c260fb
0x00c26102

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390dfdf4b9ea32333300fc9057e662f8209510aa40f045774bdb22c753d4746b
Instruction ID: 2f5bd20dfdf8811118756d311ad70a8170244ae597dc099000ab618d47d0b37e
Opcode Fuzzy Hash: 390dfdf4b9ea32333300fc9057e662f8209510aa40f045774bdb22c753d4746b
Instruction Fuzzy Hash: 9532F5B7A583194FC70CCE85DC805A5B3E2FBD8304B0E597D9959D7316EBB4EA098AC0

Uniqueness

Uniqueness Score: -1.00%

Function 00C14850 Relevance: .6, Instructions: 583
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E00C14850(intOrPtr* __edi) {
				void* _t207;
				signed int _t212;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				signed int _t222;
				signed int _t224;
				signed int _t226;
				signed int _t228;
				signed int _t230;
				signed int _t232;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed int _t240;
				signed int _t242;
				signed int _t253;
				signed int _t254;
				signed int _t311;
				signed int _t316;
				signed int _t407;
				signed int _t413;
				signed int _t425;
				signed int _t519;
				signed int _t521;
				signed int _t523;
				signed int _t525;
				signed int _t527;
				signed int _t529;
				signed int _t531;
				signed int _t533;
				signed int _t542;
				signed int _t544;
				signed int _t546;
				signed int _t548;
				signed int _t550;
				signed int _t552;
				signed int _t554;
				signed int _t565;
				signed int _t567;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t579;
				signed int _t581;
				signed int _t583;
				signed int _t585;
				signed int _t593;
				signed int _t595;
				signed int _t597;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t605;
				signed int _t607;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				signed int _t615;
				signed int _t617;
				signed int _t619;
				signed int _t625;
				signed int _t627;
				signed int _t633;
				signed int _t635;
				signed int _t637;
				signed int _t639;
				signed int _t641;
				signed int _t642;
				signed int _t704;
				void* _t713;

				_t254 =  *(__edi + 8);
				_t642 =  *(__edi + 0xc);
				_t603 =  *(__edi + 4);
				E00C14F30(_t207, _t713 + 0x14);
				asm("rol eax, 0x7");
				_t212 = ( !_t603 & _t642 | _t254 & _t603) +  *__edi +  *((intOrPtr*)(_t713 + 0x14)) - 0x28955b88 + _t603;
				asm("rol ecx, 0xc");
				_t519 = ( !_t212 & _t254 | _t603 & _t212) +  *((intOrPtr*)(_t713 + 0x18)) + _t642 - 0x173848aa + _t212;
				asm("ror edx, 0xf");
				_t565 = ( !_t519 & _t603 | _t519 & _t212) +  *((intOrPtr*)(_t713 + 0x1c)) + _t254 + 0x242070db + _t519;
				asm("ror esi, 0xa");
				_t605 = ( !_t565 & _t212 | _t519 & _t565) +  *((intOrPtr*)(_t713 + 0x20)) + _t603 - 0x3e423112 + _t565;
				asm("rol eax, 0x7");
				_t214 = ( !_t605 & _t519 | _t565 & _t605) +  *((intOrPtr*)(_t713 + 0x24)) + _t212 - 0xa83f051 + _t605;
				asm("rol ecx, 0xc");
				_t521 = ( !_t214 & _t565 | _t605 & _t214) +  *((intOrPtr*)(_t713 + 0x28)) + _t519 + 0x4787c62a + _t214;
				asm("ror edx, 0xf");
				_t567 = ( !_t521 & _t605 | _t521 & _t214) +  *((intOrPtr*)(_t713 + 0x2c)) + _t565 - 0x57cfb9ed + _t521;
				asm("ror esi, 0xa");
				_t607 = ( !_t567 & _t214 | _t521 & _t567) +  *((intOrPtr*)(_t713 + 0x30)) + _t605 - 0x2b96aff + _t567;
				asm("rol eax, 0x7");
				_t216 = ( !_t607 & _t521 | _t567 & _t607) +  *((intOrPtr*)(_t713 + 0x34)) + _t214 + 0x698098d8 + _t607;
				asm("rol ecx, 0xc");
				_t523 = ( !_t216 & _t567 | _t607 & _t216) +  *((intOrPtr*)(_t713 + 0x38)) + _t521 - 0x74bb0851 + _t216;
				asm("ror edx, 0xf");
				_t569 = ( !_t523 & _t607 | _t523 & _t216) +  *((intOrPtr*)(_t713 + 0x3c)) + _t567 - 0xa44f + _t523;
				asm("ror esi, 0xa");
				_t609 = ( !_t569 & _t216 | _t523 & _t569) +  *((intOrPtr*)(_t713 + 0x40)) + _t607 - 0x76a32842 + _t569;
				asm("rol eax, 0x7");
				_t218 = ( !_t609 & _t523 | _t569 & _t609) +  *((intOrPtr*)(_t713 + 0x44)) + _t216 + 0x6b901122 + _t609;
				asm("rol ecx, 0xc");
				_t525 = ( !_t218 & _t569 | _t609 & _t218) +  *((intOrPtr*)(_t713 + 0x48)) + _t523 - 0x2678e6d + _t218;
				_t311 =  !_t525;
				 *(_t713 + 0xc) = _t311;
				asm("ror edx, 0xf");
				_t571 = (_t311 & _t609 | _t525 & _t218) +  *((intOrPtr*)(_t713 + 0x4c)) + _t569 - 0x5986bc72 + _t525;
				_t316 =  !_t571;
				 *(_t713 + 0x10) = _t316;
				asm("ror esi, 0xa");
				_t611 = (_t316 & _t218 | _t525 & _t571) +  *((intOrPtr*)(_t713 + 0x50)) + _t609 + 0x49b40821 + _t571;
				asm("rol eax, 0x5");
				_t220 = ( *(_t713 + 0xc) & _t571 | _t525 & _t611) +  *((intOrPtr*)(_t713 + 0x18)) + _t218 - 0x9e1da9e + _t611;
				asm("rol ecx, 0x9");
				_t527 = ( *(_t713 + 0x10) & _t611 | _t571 & _t220) +  *((intOrPtr*)(_t713 + 0x2c)) + _t525 - 0x3fbf4cc0 + _t220;
				asm("rol edx, 0xe");
				_t573 = ( !_t611 & _t220 | _t527 & _t611) +  *((intOrPtr*)(_t713 + 0x40)) + _t571 + 0x265e5a51 + _t527;
				asm("ror esi, 0xc");
				_t613 = ( !_t220 & _t527 | _t573 & _t220) +  *((intOrPtr*)(_t713 + 0x14)) + _t611 - 0x16493856 + _t573;
				asm("rol eax, 0x5");
				_t222 = ( !_t527 & _t573 | _t527 & _t613) +  *((intOrPtr*)(_t713 + 0x28)) + _t220 - 0x29d0efa3 + _t613;
				asm("rol ecx, 0x9");
				_t529 = ( !_t573 & _t613 | _t573 & _t222) +  *((intOrPtr*)(_t713 + 0x3c)) + _t527 + 0x2441453 + _t222;
				asm("rol edx, 0xe");
				_t575 = ( !_t613 & _t222 | _t529 & _t613) +  *((intOrPtr*)(_t713 + 0x50)) + _t573 - 0x275e197f + _t529;
				asm("ror esi, 0xc");
				_t615 = ( !_t222 & _t529 | _t575 & _t222) +  *((intOrPtr*)(_t713 + 0x24)) + _t613 - 0x182c0438 + _t575;
				asm("rol eax, 0x5");
				_t224 = ( !_t529 & _t575 | _t529 & _t615) +  *((intOrPtr*)(_t713 + 0x38)) + _t222 + 0x21e1cde6 + _t615;
				asm("rol ecx, 0x9");
				_t531 = ( !_t575 & _t615 | _t575 & _t224) +  *((intOrPtr*)(_t713 + 0x4c)) + _t529 - 0x3cc8f82a + _t224;
				asm("rol edx, 0xe");
				_t577 = ( !_t615 & _t224 | _t531 & _t615) +  *((intOrPtr*)(_t713 + 0x20)) + _t575 - 0xb2af279 + _t531;
				asm("ror esi, 0xc");
				_t617 = ( !_t224 & _t531 | _t577 & _t224) +  *((intOrPtr*)(_t713 + 0x34)) + _t615 + 0x455a14ed + _t577;
				asm("rol eax, 0x5");
				_t226 = ( !_t531 & _t577 | _t531 & _t617) +  *((intOrPtr*)(_t713 + 0x48)) + _t224 - 0x561c16fb + _t617;
				asm("rol ecx, 0x9");
				_t533 = ( !_t577 & _t617 | _t577 & _t226) +  *((intOrPtr*)(_t713 + 0x1c)) + _t531 - 0x3105c08 + _t226;
				asm("rol edx, 0xe");
				_t579 = ( !_t617 & _t226 | _t533 & _t617) +  *((intOrPtr*)(_t713 + 0x30)) + _t577 + 0x676f02d9 + _t533;
				asm("ror esi, 0xc");
				_t619 = ( !_t226 & _t533 | _t579 & _t226) +  *((intOrPtr*)(_t713 + 0x44)) + _t617 - 0x72d5b376 + _t579;
				asm("rol eax, 0x4");
				_t228 = (_t533 ^ _t579 ^ _t619) +  *((intOrPtr*)(_t713 + 0x28)) + _t226 - 0x5c6be + _t619;
				asm("rol ebx, 0xb");
				_t407 = (_t579 ^ _t619 ^ _t228) +  *((intOrPtr*)(_t713 + 0x34)) + _t533 - 0x788e097f + _t228;
				asm("rol edx, 0x10");
				_t581 = (_t407 ^ _t619 ^ _t228) +  *((intOrPtr*)(_t713 + 0x40)) + _t579 + 0x6d9d6122 + _t407;
				_t704 = _t407 ^ _t581;
				asm("ror ecx, 0x9");
				_t542 = (_t704 ^ _t228) +  *((intOrPtr*)(_t713 + 0x4c)) + _t619 - 0x21ac7f4 + _t581;
				asm("rol eax, 0x4");
				_t230 = _t228 + (_t704 ^ _t542) +  *((intOrPtr*)(_t713 + 0x18)) - 0x5b4115bc + _t542;
				asm("rol esi, 0xb");
				_t625 = (_t581 ^ _t542 ^ _t230) +  *((intOrPtr*)(_t713 + 0x24)) + _t407 + 0x4bdecfa9 + _t230;
				asm("rol edx, 0x10");
				_t583 = (_t625 ^ _t542 ^ _t230) +  *((intOrPtr*)(_t713 + 0x30)) + _t581 - 0x944b4a0 + _t625;
				_t413 = _t625 ^ _t583;
				asm("ror ecx, 0x9");
				_t544 = _t542 + (_t413 ^ _t230) +  *((intOrPtr*)(_t713 + 0x3c)) - 0x41404390 + _t583;
				asm("rol eax, 0x4");
				_t232 = (_t413 ^ _t544) +  *((intOrPtr*)(_t713 + 0x48)) + _t230 + 0x289b7ec6 + _t544;
				asm("rol esi, 0xb");
				_t627 = (_t583 ^ _t544 ^ _t232) +  *((intOrPtr*)(_t713 + 0x14)) + _t625 - 0x155ed806 + _t232;
				asm("rol ebx, 0x10");
				_t425 = (_t627 ^ _t544 ^ _t232) +  *((intOrPtr*)(_t713 + 0x20)) + _t583 - 0x2b10cf7b + _t627;
				_t585 = _t627 ^ _t425;
				asm("ror ecx, 0x9");
				_t546 = _t544 + (_t585 ^ _t232) +  *((intOrPtr*)(_t713 + 0x2c)) + 0x4881d05 + _t425;
				asm("rol eax, 0x4");
				_t234 = (_t585 ^ _t546) +  *((intOrPtr*)(_t713 + 0x38)) + _t232 - 0x262b2fc7 + _t546;
				asm("rol edx, 0xb");
				_t593 = (_t425 ^ _t546 ^ _t234) +  *((intOrPtr*)(_t713 + 0x44)) + _t627 - 0x1924661b + _t234;
				asm("rol esi, 0x10");
				_t633 = (_t593 ^ _t546 ^ _t234) +  *((intOrPtr*)(_t713 + 0x50)) + _t425 + 0x1fa27cf8 + _t593;
				asm("ror ecx, 0x9");
				_t548 = (_t593 ^ _t633 ^ _t234) +  *((intOrPtr*)(_t713 + 0x1c)) + _t546 - 0x3b53a99b + _t633;
				asm("rol eax, 0x6");
				_t236 = (( !_t593 | _t548) ^ _t633) +  *((intOrPtr*)(_t713 + 0x14)) + _t234 - 0xbd6ddbc + _t548;
				asm("rol edx, 0xa");
				_t595 = (( !_t633 | _t236) ^ _t548) +  *((intOrPtr*)(_t713 + 0x30)) + _t593 + 0x432aff97 + _t236;
				asm("rol esi, 0xf");
				_t635 = (( !_t548 | _t595) ^ _t236) +  *((intOrPtr*)(_t713 + 0x4c)) + _t633 - 0x546bdc59 + _t595;
				asm("ror ecx, 0xb");
				_t550 = (( !_t236 | _t635) ^ _t595) +  *((intOrPtr*)(_t713 + 0x28)) + _t548 - 0x36c5fc7 + _t635;
				asm("rol eax, 0x6");
				_t238 = (( !_t595 | _t550) ^ _t635) +  *((intOrPtr*)(_t713 + 0x44)) + _t236 + 0x655b59c3 + _t550;
				asm("rol edx, 0xa");
				_t597 = (( !_t635 | _t238) ^ _t550) +  *((intOrPtr*)(_t713 + 0x20)) + _t595 - 0x70f3336e + _t238;
				asm("rol esi, 0xf");
				_t637 = (( !_t550 | _t597) ^ _t238) +  *((intOrPtr*)(_t713 + 0x3c)) + _t635 - 0x100b83 + _t597;
				asm("ror ecx, 0xb");
				_t552 = (( !_t238 | _t637) ^ _t597) +  *((intOrPtr*)(_t713 + 0x18)) + _t550 - 0x7a7ba22f + _t637;
				asm("rol eax, 0x6");
				_t240 = (( !_t597 | _t552) ^ _t637) +  *((intOrPtr*)(_t713 + 0x34)) + _t238 + 0x6fa87e4f + _t552;
				asm("rol edx, 0xa");
				_t599 = (( !_t637 | _t240) ^ _t552) +  *((intOrPtr*)(_t713 + 0x50)) + _t597 - 0x1d31920 + _t240;
				asm("rol esi, 0xf");
				_t639 = (( !_t552 | _t599) ^ _t240) +  *((intOrPtr*)(_t713 + 0x2c)) + _t637 - 0x5cfebcec + _t599;
				asm("ror ecx, 0xb");
				_t554 = (( !_t240 | _t639) ^ _t599) +  *((intOrPtr*)(_t713 + 0x48)) + _t552 + 0x4e0811a1 + _t639;
				asm("rol eax, 0x6");
				_t242 = (( !_t599 | _t554) ^ _t639) +  *((intOrPtr*)(_t713 + 0x24)) + _t240 - 0x8ac817e + _t554;
				asm("rol edx, 0xa");
				_t601 = (( !_t639 | _t242) ^ _t554) +  *((intOrPtr*)(_t713 + 0x40)) + _t599 - 0x42c50dcb + _t242;
				asm("rol esi, 0xf");
				_t641 = (( !_t554 | _t601) ^ _t242) +  *((intOrPtr*)(_t713 + 0x1c)) + _t639 + 0x2ad7d2bb + _t601;
				 *__edi =  *__edi + _t242;
				asm("ror eax, 0xb");
				 *(__edi + 4) = (( !_t242 | _t641) ^ _t601) +  *((intOrPtr*)(_t713 + 0x38)) + _t554 - 0x14792c6f +  *(__edi + 4) + _t641;
				 *(__edi + 8) =  *(__edi + 8) + _t641;
				_t253 =  *(__edi + 0xc) + _t601;
				 *(__edi + 0xc) = _t253;
				return _t253;
			}

0x00c14854
0x00c14858
0x00c1485c
0x00c14863
0x00c14883
0x00c14886
0x00c1489f
0x00c148a2
0x00c148bd
0x00c148c0
0x00c148d9
0x00c148dc
0x00c148f5
0x00c148f8
0x00c1490f
0x00c14912
0x00c1492b
0x00c1492e
0x00c14949
0x00c1494c
0x00c14965
0x00c14968
0x00c1497f
0x00c14982
0x00c1499d
0x00c149a0
0x00c149b9
0x00c149bc
0x00c149d5
0x00c149d8
0x00c149ef
0x00c149f2
0x00c149f6
0x00c149f8
0x00c14a0f
0x00c14a12
0x00c14a16
0x00c14a18
0x00c14a37
0x00c14a3a
0x00c14a53
0x00c14a56
0x00c14a67
0x00c14a6a
0x00c14a83
0x00c14a86
0x00c14aa1
0x00c14aa4
0x00c14abd
0x00c14ac0
0x00c14ad7
0x00c14ada
0x00c14af3
0x00c14afa
0x00c14b11
0x00c14b14
0x00c14b2d
0x00c14b30
0x00c14b47
0x00c14b4a
0x00c14b63
0x00c14b66
0x00c14b81
0x00c14b84
0x00c14b9d
0x00c14ba0
0x00c14bb7
0x00c14bba
0x00c14bd3
0x00c14bd8
0x00c14bef
0x00c14bf2
0x00c14c05
0x00c14c08
0x00c14c1b
0x00c14c1e
0x00c14c33
0x00c14c36
0x00c14c38
0x00c14c49
0x00c14c4c
0x00c14c5f
0x00c14c62
0x00c14c71
0x00c14c74
0x00c14c87
0x00c14c8a
0x00c14c8e
0x00c14c9f
0x00c14ca2
0x00c14cb1
0x00c14cb4
0x00c14cc7
0x00c14cca
0x00c14cdd
0x00c14ce0
0x00c14ce4
0x00c14cf5
0x00c14cf8
0x00c14d0b
0x00c14d0e
0x00c14d1d
0x00c14d20
0x00c14d33
0x00c14d36
0x00c14d49
0x00c14d4c
0x00c14d61
0x00c14d64
0x00c14d79
0x00c14d7c
0x00c14d91
0x00c14d94
0x00c14da9
0x00c14dac
0x00c14dc1
0x00c14dc8
0x00c14dd9
0x00c14ddc
0x00c14df1
0x00c14df4
0x00c14e09
0x00c14e0c
0x00c14e21
0x00c14e24
0x00c14e39
0x00c14e3c
0x00c14e55
0x00c14e58
0x00c14e69
0x00c14e6c
0x00c14e81
0x00c14e84
0x00c14e99
0x00c14e9c
0x00c14eb5
0x00c14eba
0x00c14ec4
0x00c14ecd
0x00c14ed5
0x00c14edd
0x00c14ee4
0x00c14ee7
0x00c14eee

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439e512d2f2274f2d51447746bdfa11f260257c9624696f8b482fc4d82d582e
Instruction ID: 3cc7896f78123a44e577051f274fc21684be6093ad14438dd612763a482152a4
Opcode Fuzzy Hash: b439e512d2f2274f2d51447746bdfa11f260257c9624696f8b482fc4d82d582e
Instruction Fuzzy Hash: 1412C5BBB983194FDB48CEE5DCC169573E1FB98304F09A43C9A55C7306F6E8AA094790

Uniqueness

Uniqueness Score: -1.00%

Function 00C04540 Relevance: .2, Instructions: 236
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00C04540(signed int __ecx, intOrPtr _a8, char _a12) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v52;
				char _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				signed int _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t115;
				signed int _t116;
				intOrPtr _t119;
				void* _t126;
				signed int _t127;
				intOrPtr _t140;
				intOrPtr _t153;
				signed int _t174;
				char* _t176;
				intOrPtr _t177;
				char* _t179;
				char* _t188;
				unsigned int _t198;
				intOrPtr _t210;
				signed int _t215;
				unsigned int _t224;
				signed int _t245;
				intOrPtr* _t248;
				intOrPtr _t252;
				unsigned int _t267;
				intOrPtr _t269;
				signed int _t272;
				signed int _t273;
				void* _t274;

				_push(0xffffffff);
				_push(0xc4cf80);
				_push( *[fs:0x0]);
				_t115 =  *0xc58320; // 0x96c0a7a
				_t116 = _t115 ^ _t273;
				_v24 = _t116;
				_push(_t116);
				 *[fs:0x0] =  &_v16;
				_v20 = _t274 - 0x54;
				_t174 = __ecx;
				_v96 = _a12;
				_t119 =  *((intOrPtr*)(__ecx + 0xc));
				_v84 = __ecx;
				if(_t119 != 0) {
					_t267 = ((0x92492493 * ( *((intOrPtr*)(__ecx + 0x14)) - _t119) >> 0x20) +  *((intOrPtr*)(__ecx + 0x14)) - _t119 >> 4 >> 0x1f) + ((0x92492493 * ( *((intOrPtr*)(__ecx + 0x14)) - _t119) >> 0x20) +  *((intOrPtr*)(__ecx + 0x14)) - _t119 >> 4);
					__eflags = _t267;
				} else {
					_t267 = 0;
				}
				_t248 =  *((intOrPtr*)(_t174 + 0x10));
				_t184 = _t248 -  *((intOrPtr*)(_t174 + 0xc));
				_t221 = (0x92492493 * (_t248 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _t184 >> 4;
				_t126 = ((0x92492493 * (_t248 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _t184 >> 4 >> 0x1f) + ((0x92492493 * (_t248 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _t184 >> 4);
				if(0x9249249 - _t126 < 1) {
					_t126 = E00C04B30(_t174, _t221, _t248, _t267, _t273);
				}
				_t127 = _t126 + 1;
				if(_t267 >= _t127) {
					_t224 = (0x92492493 * (_t248 - _a8) >> 0x20) + _t248 - _a8 >> 4;
					__eflags = (_t224 >> 0x1f) + _t224 - 1;
					if((_t224 >> 0x1f) + _t224 >= 1) {
						E00C03E60( &_v80, _v96);
						_v8 = 5;
						_t250 =  *((intOrPtr*)(_t174 + 0x10));
						_t225 =  *((intOrPtr*)(_t174 + 0x10));
						 *((intOrPtr*)(_t174 + 0x10)) = E00C04E30( &_v80,  *((intOrPtr*)(_t174 + 0x10)), _t250 - 0x1c, _t250);
						E00C04E80(_t250 - 0x1c, _a8, _t250, __eflags);
						_t176 =  &_v80;
						E00C04E60(_a8, _t176, _a8 + 0x1c);
						_t188 = _t176;
					} else {
						E00C03E60( &_v52, _v96);
						_v8 = 2;
						E00C04E30( &_v52,  *((intOrPtr*)(_t174 + 0x10)), _a8, _a8 + 0x1c);
						_v8 = 3;
						_t225 =  &_v52;
						E00C04270( *((intOrPtr*)(_t174 + 0x10)) - _a8,  &_v52,  *((intOrPtr*)(_t174 + 0x10)), 1 - ((0x92492493 * ( *((intOrPtr*)(_t174 + 0x10)) - _a8) >> 0x20) +  *((intOrPtr*)(_t174 + 0x10)) - _a8 >> 4 >> 0x1f) + ((0x92492493 * ( *((intOrPtr*)(_t174 + 0x10)) - _a8) >> 0x20) +  *((intOrPtr*)(_t174 + 0x10)) - _a8 >> 4));
						_v8 = 2;
						 *((intOrPtr*)(_t174 + 0x10)) =  *((intOrPtr*)(_t174 + 0x10)) + 0x1c;
						_t100 =  *((intOrPtr*)(_t174 + 0x10)) - 0x1c; // 0x0
						_t179 =  &_v52;
						E00C04E60(_a8, _t179, _t100);
						_t188 = _t179;
					}
					_t140 = E00C03E90(_t188);
				} else {
					_t198 = _t267 >> 1;
					if(0x9249249 - _t198 >= _t267) {
						_t272 = _t267 + _t198;
						__eflags = _t272;
					} else {
						_t272 = 0;
					}
					if(_t272 < _t127) {
						_t272 = _t127;
					}
					_t153 = E00C04BC0(_t174, _t272, _t248);
					_v8 = 0;
					_t259 = ((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4 >> 0x1f) + ((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4);
					_v92 = 0;
					_v88 = _t153;
					_v84 = 0;
					_push(_v84);
					_push(_v84);
					_v100 = ((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4 >> 0x1f) + ((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4);
					E00C05020(1, _t153 + ((((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4 >> 0x1f) + ((0x92492493 * (_a8 -  *((intOrPtr*)(_t174 + 0xc))) >> 0x20) + _a8 -  *((intOrPtr*)(_t174 + 0xc)) >> 4)) * 8 - _t259) * 4, _v96);
					_v84 = 0;
					_push(_v84);
					_push(_v84);
					_v92 = 1;
					E00C052A0( *((intOrPtr*)(_t174 + 0xc)), _v88, _a8);
					_v84 = 0;
					_push(_v84);
					_push(_v84);
					_v92 = 2;
					E00C052A0(_a8, _v88 + ((_t259 + 1) * 8 - _t259 + 1) * 4,  *((intOrPtr*)(_t174 + 0x10)));
					_t210 =  *((intOrPtr*)(_t174 + 0xc));
					_t245 = ((0x92492493 * ( *((intOrPtr*)(_t174 + 0x10)) - _t210) >> 0x20) +  *((intOrPtr*)(_t174 + 0x10)) - _t210 >> 4) + ((0x92492493 * ( *((intOrPtr*)(_t174 + 0x10)) - _t210) >> 0x20) +  *((intOrPtr*)(_t174 + 0x10)) - _t210 >> 4 >> 0x1f) + 1;
					_v84 = _t245;
					_t285 = _t210;
					if(_t210 != 0) {
						_push(_v84);
						E00C051B0(_t210,  *((intOrPtr*)(_t174 + 0x10)));
						E00C2657F(_t174, _v84,  *((intOrPtr*)(_t174 + 0x10)), _t272, _t285,  *((intOrPtr*)(_t174 + 0xc)));
						_t245 = _v84;
					}
					_t140 = _v88;
					 *((intOrPtr*)(_t174 + 0x14)) = _t140 + (_t272 * 8 - _t272) * 4;
					_t215 = _t245 * 8 - _t245;
					_t225 = _t140 + _t215 * 4;
					 *((intOrPtr*)(_t174 + 0x10)) = _t140 + _t215 * 4;
					 *((intOrPtr*)(_t174 + 0xc)) = _t140;
				}
				 *[fs:0x0] = _v16;
				_pop(_t252);
				_pop(_t269);
				_pop(_t177);
				return E00C2669E(_t140, _t177, _v24 ^ _t273, _t225, _t252, _t269);
			}

0x00c04543
0x00c04545
0x00c04550
0x00c04554
0x00c04559
0x00c0455b
0x00c04561
0x00c04565
0x00c0456b
0x00c04571
0x00c04573
0x00c04576
0x00c04579
0x00c0457e
0x00c0459a
0x00c0459a
0x00c04580
0x00c04580
0x00c04580
0x00c0459c
0x00c045a1
0x00c045ad
0x00c045b5
0x00c045c1
0x00c045c3
0x00c045c3
0x00c045c8
0x00c045cb
0x00c04778
0x00c04782
0x00c04785
0x00c04827
0x00c0482c
0x00c04833
0x00c0483b
0x00c04842
0x00c0484a
0x00c04855
0x00c04858
0x00c0485d
0x00c0478b
0x00c04792
0x00c04797
0x00c047a9
0x00c047ae
0x00c047d4
0x00c047d7
0x00c047dc
0x00c047e3
0x00c047ed
0x00c047f0
0x00c047f3
0x00c047f8
0x00c047f8
0x00c0485f
0x00c045d1
0x00c045d3
0x00c045de
0x00c045e4
0x00c045e4
0x00c045e0
0x00c045e0
0x00c045e0
0x00c045e8
0x00c045ea
0x00c045ea
0x00c045ee
0x00c0460b
0x00c04611
0x00c04613
0x00c0461d
0x00c04625
0x00c0462f
0x00c04633
0x00c0463b
0x00c0463e
0x00c04649
0x00c04653
0x00c04657
0x00c0465c
0x00c04663
0x00c0467e
0x00c04685
0x00c04689
0x00c0468e
0x00c04695
0x00c0469a
0x00c046b6
0x00c046ba
0x00c046bd
0x00c046bf
0x00c046c7
0x00c046ca
0x00c046d3
0x00c046d8
0x00c046db
0x00c046de
0x00c046ed
0x00c046f7
0x00c046f9
0x00c046fc
0x00c046ff
0x00c046ff
0x00c04867
0x00c0486f
0x00c04870
0x00c04871
0x00c0487f

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e5892d9f6bb85e10081ad8739a48fb76caa4a9db1af5dd97138cd752dae64f
Instruction ID: 920824a4a0877f2fb4f700f46e374bee58f4d53ccfe1ed9a339fd862dcf30a5a
Opcode Fuzzy Hash: 84e5892d9f6bb85e10081ad8739a48fb76caa4a9db1af5dd97138cd752dae64f
Instruction Fuzzy Hash: A2915675A001558FCB0CDFA8C894A9EB776FF84714F058629E9169F389DB70E905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C13CD0 Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C13CD0(char* __eax, signed char* __edi) {
				unsigned int _t116;
				unsigned int _t117;
				unsigned int _t118;
				unsigned int _t119;
				unsigned int _t120;
				unsigned int _t121;
				unsigned int _t122;
				signed int _t140;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed char* _t193;
				char* _t194;
				char* _t197;
				void* _t198;
				char* _t200;
				void* _t201;
				void* _t202;
				char* _t204;
				char* _t205;
				char* _t206;
				char* _t207;
				char* _t209;
				void* _t210;
				char* _t213;
				void* _t214;
				char* _t216;
				void* _t217;
				void* _t218;
				char* _t220;
				void* _t221;
				void* _t222;
				char* _t224;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				void* _t229;

				_t193 = __edi;
				_t140 = __edi[0x20];
				_t194 = __eax;
				_t116 = (__edi[0x24] << 0x00000020 | _t140) << 3;
				_t226 = __edi[0x20] & 0x0000003f;
				__edi[_t226 + 0x28] = 0x80;
				_t227 = _t226 + 1;
				_t143 = _t140 + _t140 + _t140 + _t140 + _t140 + _t140 + _t140 + _t140;
				 *(_t229 + 0x10) = _t116;
				while(_t227 != 0x38) {
					_t228 = _t227 & 0x0000003f;
					if(_t228 == 0) {
						E00C13BD0(_t193);
						_t116 =  *(_t229 + 0x10);
					}
					_t193[_t228 + 0x28] = 0;
					_t227 = _t228 + 1;
				}
				_t117 = (_t116 << 0x00000020 | _t143) << 8;
				_t144 = _t143 << 8;
				_t118 = (_t117 << 0x00000020 | _t144) << 8;
				_t193[_t227 + 0x28] = _t116 >> 0x18;
				_t145 = _t144 << 8;
				_t119 = (_t118 << 0x00000020 | _t145) << 8;
				_t193[_t227 + 0x29] = _t117 >> 0x18;
				_t146 = _t145 << 8;
				_t120 = (_t119 << 0x00000020 | _t146) << 8;
				_t193[_t227 + 0x2a] = _t118 >> 0x18;
				_t147 = _t146 << 8;
				_t121 = (_t120 << 0x00000020 | _t147) << 8;
				_t193[_t227 + 0x2b] = _t119 >> 0x18;
				_t148 = _t147 << 8;
				_t122 = (_t121 << 0x00000020 | _t148) << 8;
				_t193[_t227 + 0x2c] = _t120 >> 0x18;
				_t193[_t227 + 0x2d] = _t121 >> 0x18;
				 *(_t229 + 0xc) = _t148 << 8;
				_t193[_t227 + 0x2e] = _t122 >> 0x18;
				_t193[_t227 + 0x2f] = _t122 >> 0x10;
				E00C13BD0(_t193);
				 *_t194 = _t193[3] & 0x000000ff;
				 *((char*)(_t194 + 1)) = _t193[2] & 0x000000ff;
				_t197 = _t194 + 3;
				 *((char*)(_t197 - 1)) =  *_t193 >> 8;
				 *_t197 =  *_t193 & 0x000000ff;
				 *((char*)(_t197 + 1)) = _t193[7] & 0x000000ff;
				_t198 = _t197 + 1;
				 *((char*)(_t198 + 1)) = _t193[6] & 0x000000ff;
				_t200 = _t198 + 2;
				 *_t200 = _t193[4] >> 8;
				 *((char*)(_t200 + 1)) = _t193[4] & 0x000000ff;
				_t201 = _t200 + 1;
				 *((char*)(_t201 + 1)) = _t193[0xb] & 0x000000ff;
				_t202 = _t201 + 1;
				 *((char*)(_t202 + 1)) = _t193[0xa] & 0x000000ff;
				_t204 = _t202 + 2;
				 *_t204 = _t193[8] >> 8;
				_t205 = _t204 + 1;
				 *_t205 = _t193[8] & 0x000000ff;
				_t206 = _t205 + 1;
				 *_t206 = _t193[0xf] & 0x000000ff;
				_t207 = _t206 + 1;
				 *_t207 = _t193[0xe] & 0x000000ff;
				_t209 = _t207 + 2;
				 *((char*)(_t209 - 1)) = _t193[0xc] >> 8;
				 *_t209 = _t193[0xc] & 0x000000ff;
				 *((char*)(_t209 + 1)) = _t193[0x13] & 0x000000ff;
				_t210 = _t209 + 1;
				 *((char*)(_t210 + 1)) = _t193[0x12] & 0x000000ff;
				_t213 = _t210 + 3;
				 *((char*)(_t213 - 1)) = _t193[0x10] >> 8;
				 *_t213 = _t193[0x10] & 0x000000ff;
				 *((char*)(_t213 + 1)) = _t193[0x17] & 0x000000ff;
				_t214 = _t213 + 1;
				 *((char*)(_t214 + 1)) = _t193[0x16] & 0x000000ff;
				_t216 = _t214 + 2;
				 *_t216 = _t193[0x14] >> 8;
				 *((char*)(_t216 + 1)) = _t193[0x14] & 0x000000ff;
				_t217 = _t216 + 1;
				 *((char*)(_t217 + 1)) = _t193[0x1b] & 0x000000ff;
				_t218 = _t217 + 1;
				 *((char*)(_t218 + 1)) = _t193[0x1a] & 0x000000ff;
				_t220 = _t218 + 2;
				 *_t220 = _t193[0x18] >> 8;
				 *((char*)(_t220 + 1)) = _t193[0x18] & 0x000000ff;
				_t221 = _t220 + 1;
				 *((char*)(_t221 + 1)) = _t193[0x1f] & 0x000000ff;
				_t222 = _t221 + 1;
				 *((char*)(_t222 + 1)) = _t193[0x1e] & 0x000000ff;
				_t224 = _t222 + 2;
				 *_t224 = _t193[0x1c] >> 8;
				 *((char*)(_t224 + 1)) = _t193[0x1c] & 0x000000ff;
				 *_t193 = 0x6a09e667;
				_t193[4] = 0xbb67ae85;
				_t193[8] = 0x3c6ef372;
				_t193[0xc] = 0xa54ff53a;
				_t193[0x10] = 0x510e527f;
				_t193[0x14] = 0x9b05688c;
				_t193[0x18] = 0x1f83d9ab;
				_t193[0x1c] = 0x5be0cd19;
				_t193[0x20] = 0;
				_t193[0x24] = 0;
				return 0;
			}

0x00c13cd0
0x00c13cd4
0x00c13cdc
0x00c13ce1
0x00c13ce7
0x00c13cec
0x00c13cf1
0x00c13cf2
0x00c13cf4
0x00c13cfb
0x00c13cfd
0x00c13d00
0x00c13d04
0x00c13d09
0x00c13d09
0x00c13d0d
0x00c13d12
0x00c13d13
0x00c13d1a
0x00c13d20
0x00c13d23
0x00c13d2a
0x00c13d30
0x00c13d33
0x00c13d3a
0x00c13d40
0x00c13d43
0x00c13d4a
0x00c13d50
0x00c13d53
0x00c13d5a
0x00c13d60
0x00c13d63
0x00c13d6a
0x00c13d73
0x00c13d82
0x00c13d86
0x00c13d8a
0x00c13d8e
0x00c13d97
0x00c13d9d
0x00c13da4
0x00c13da8
0x00c13dae
0x00c13db4
0x00c13dbb
0x00c13dbc
0x00c13dc3
0x00c13dc7
0x00c13dcd
0x00c13dd4
0x00c13dd5
0x00c13ddc
0x00c13ddd
0x00c13de4
0x00c13de8
0x00c13dee
0x00c13def
0x00c13df5
0x00c13df6
0x00c13dfc
0x00c13dfd
0x00c13e03
0x00c13e07
0x00c13e0e
0x00c13e14
0x00c13e1b
0x00c13e1c
0x00c13e24
0x00c13e28
0x00c13e2f
0x00c13e35
0x00c13e3c
0x00c13e3d
0x00c13e44
0x00c13e48
0x00c13e4e
0x00c13e55
0x00c13e56
0x00c13e5d
0x00c13e5e
0x00c13e65
0x00c13e69
0x00c13e6f
0x00c13e76
0x00c13e77
0x00c13e7e
0x00c13e7f
0x00c13e86
0x00c13e8a
0x00c13e90
0x00c13e97
0x00c13e9d
0x00c13ea4
0x00c13eab
0x00c13eb2
0x00c13eb9
0x00c13ec0
0x00c13ec7
0x00c13ece
0x00c13ed1
0x00c13ed8

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5437e10c3ccbbf219971d31049fba2a77a211274c78406d09a9c6ab9f49c5bf4
Instruction ID: 91a467888aa78ed9e3a7c6a6c0a87a922dcc2513bbdc8797379fea4c6c72a57a
Opcode Fuzzy Hash: 5437e10c3ccbbf219971d31049fba2a77a211274c78406d09a9c6ab9f49c5bf4
Instruction Fuzzy Hash: B671995410DBE29BC316CF3948D02A8FFE1AE67101708869DD8F643B86C658E1A5DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00C139D0 Relevance: .2, Instructions: 167
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00C139D0(intOrPtr* _a4, intOrPtr _a8) {
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _v120;
				intOrPtr* _t116;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t144;
				intOrPtr* _t150;
				intOrPtr* _t162;
				intOrPtr _t183;
				intOrPtr* _t190;
				signed int _t191;
				void* _t217;

				_t217 =  &_v120;
				_t116 = _a4;
				_v96 =  *_t116;
				_v92 =  *((intOrPtr*)(_t116 + 4));
				_v88 =  *((intOrPtr*)(_t116 + 8));
				_v84 =  *((intOrPtr*)(_t116 + 0xc));
				_v80 =  *((intOrPtr*)(_t116 + 0x10));
				_v76 =  *((intOrPtr*)(_t116 + 0x14));
				_v72 =  *((intOrPtr*)(_t116 + 0x18));
				_t191 = 0;
				_v68 =  *((intOrPtr*)(_t116 + 0x1c));
				_v116 = 0;
				_v100 = _a8 -  &_v64;
				do {
					_t144 = 1;
					_t162 =  &_v64;
					_v112 = 1;
					_t25 = _t144 - 5; // -4
					_t119 = _t25;
					_v108 = _t162;
					_v120 = 0xc52900 + _t191 * 4;
					_v104 = 0x10;
					do {
						if(_t191 == 0) {
							_t183 =  *((intOrPtr*)(_v100 + _t162));
							 *_t162 = _t183;
						} else {
							_t32 = _t144 - 3; // -2
							_t36 = _t144 - 1; // 0x0
							asm("ror ebx, 0x12");
							asm("ror ebp, 0x7");
							asm("ror esi, 0x13");
							asm("ror ebp, 0x11");
							_t190 = _t217 + 0x48 + (_t36 & 0x0000000f) * 4;
							 *_t190 =  *_t190 + ( *(_t217 + 0x48 + (_t144 & 0x0000000f) * 4) ^  *(_t217 + 0x48 + (_t144 & 0x0000000f) * 4) ^  *(_t217 + 0x48 + (_t144 & 0x0000000f) * 4) >> 0x00000003) + ( *(_t217 + 0x48 + (_t32 & 0x0000000f) * 4) ^  *(_t217 + 0x48 + (_t32 & 0x0000000f) * 4) ^  *(_t217 + 0x48 + (_t32 & 0x0000000f) * 4) >> 0x0000000a) +  *((intOrPtr*)(_t217 + 0x48 + (_t144 + 0xfffffff8 & 0x0000000f) * 4));
							_t183 =  *_t190;
						}
						_t48 = _t119 + 2; // -2
						_t52 = _t119 + 3; // -1
						asm("ror ebx, 0x19");
						asm("ror ebp, 0xb");
						asm("ror ebp, 0x6");
						_t53 = _t119 + 1; // -3
						_t150 = _t217 + 0x28 + (_t52 & 0x00000007) * 4;
						 *_t150 =  *_t150 + ( *(_t217 + 0x28 + (_t119 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t119 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t119 & 0x00000007) * 4)) + (( *(_t217 + 0x28 + (_t53 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t48 & 0x00000007) * 4)) &  *(_t217 + 0x28 + (_t119 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t48 & 0x00000007) * 4)) +  *_v120 + _t183;
						_t61 = _t119 - 1; // -5
						 *((intOrPtr*)(_t217 + 0x28 + (_t61 & 0x00000007) * 4)) =  *((intOrPtr*)(_t217 + 0x28 + (_t61 & 0x00000007) * 4)) +  *_t150;
						_t71 = _t119 - 4; // -8
						_v120 = _v120 + 4;
						_t77 = _t119 - 3; // -7
						asm("ror edi, 0x16");
						asm("ror ebx, 0xd");
						asm("ror ebx, 0x2");
						_t81 = _t119 - 2; // -6
						_t191 = _v116;
						 *_t150 =  *_t150 + ( *(_t217 + 0x28 + (_t71 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t71 & 0x00000007) * 4) ^  *(_t217 + 0x28 + (_t71 & 0x00000007) * 4)) + ( *(_t217 + 0x28 + (_t81 & 0x00000007) * 4) & ( *(_t217 + 0x28 + (_t77 & 0x00000007) * 4) |  *(_t217 + 0x28 + (_t71 & 0x00000007) * 4)) |  *(_t217 + 0x28 + (_t77 & 0x00000007) * 4) &  *(_t217 + 0x28 + (_t71 & 0x00000007) * 4));
						_t144 = _v112 + 1;
						_t162 = _v108 + 4;
						_t119 = _t119 - 1;
						_t88 =  &_v104;
						 *_t88 = _v104 - 1;
						_v112 = _t144;
						_v108 = _t162;
					} while ( *_t88 != 0);
					_t191 = _t191 + 0x10;
					_v116 = _t191;
				} while (_t191 < 0x40);
				_t120 = _a4;
				 *_t120 =  *_t120 + _v96;
				 *((intOrPtr*)(_t120 + 4)) =  *((intOrPtr*)(_t120 + 4)) + _v92;
				 *((intOrPtr*)(_t120 + 8)) =  *((intOrPtr*)(_t120 + 8)) + _v88;
				 *((intOrPtr*)(_t120 + 0xc)) =  *((intOrPtr*)(_t120 + 0xc)) + _v84;
				 *((intOrPtr*)(_t120 + 0x10)) =  *((intOrPtr*)(_t120 + 0x10)) + _v80;
				 *((intOrPtr*)(_t120 + 0x14)) =  *((intOrPtr*)(_t120 + 0x14)) + _v76;
				 *((intOrPtr*)(_t120 + 0x18)) =  *((intOrPtr*)(_t120 + 0x18)) + _v72;
				 *((intOrPtr*)(_t120 + 0x1c)) =  *((intOrPtr*)(_t120 + 0x1c)) + _v68;
				return _t120;
			}

0x00c139d0
0x00c139d3
0x00c139dc
0x00c139e3
0x00c139ea
0x00c139f2
0x00c139f9
0x00c13a01
0x00c13a10
0x00c13a14
0x00c13a1d
0x00c13a21
0x00c13a25
0x00c13a30
0x00c13a30
0x00c13a35
0x00c13a40
0x00c13a44
0x00c13a44
0x00c13a47
0x00c13a4b
0x00c13a4f
0x00c13a57
0x00c13a59
0x00c13ab0
0x00c13ab3
0x00c13a5b
0x00c13a68
0x00c13a72
0x00c13a78
0x00c13a7b
0x00c13a87
0x00c13a8c
0x00c13aa2
0x00c13aa6
0x00c13aa8
0x00c13aa8
0x00c13ac2
0x00c13acc
0x00c13ad2
0x00c13ad5
0x00c13adc
0x00c13ae1
0x00c13af9
0x00c13aff
0x00c13b03
0x00c13b09
0x00c13b11
0x00c13b1b
0x00c13b20
0x00c13b2c
0x00c13b31
0x00c13b38
0x00c13b3d
0x00c13b55
0x00c13b5b
0x00c13b61
0x00c13b62
0x00c13b65
0x00c13b66
0x00c13b66
0x00c13b6b
0x00c13b6f
0x00c13b6f
0x00c13b79
0x00c13b7c
0x00c13b80
0x00c13b89
0x00c13b94
0x00c13b9a
0x00c13ba1
0x00c13ba8
0x00c13bb3
0x00c13bb6
0x00c13bc1
0x00c13bc4
0x00c13bce

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a2cbbee76b40b1023aae8de0d346eaee2de4a059f8cf7aec1eb463ae6fc3d9
Instruction ID: 09eb78d2b7266e1419acd0e10d0c29cd12ce353065d5ac9194ed2bde9a102850
Opcode Fuzzy Hash: e8a2cbbee76b40b1023aae8de0d346eaee2de4a059f8cf7aec1eb463ae6fc3d9
Instruction Fuzzy Hash: 976159725087118FC318DF49D48494AF3E1FFC8328F1A8A6DE9885B361D771EA59CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C06E60 Relevance: .1, Instructions: 59
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C06E60(void* __edi, void* __esi) {
				signed char _t17;
				unsigned char _t19;
				unsigned char _t20;
				unsigned char _t21;
				unsigned char _t22;
				unsigned char _t23;
				unsigned char _t24;
				unsigned char _t25;
				unsigned char _t26;
				signed char _t27;
				void* _t36;
				void* _t37;
				void* _t38;

				_t38 = __esi;
				_t37 = __edi;
				_t17 = 0;
				_t36 = 0;
				if(__esi > 0) {
					do {
						_t19 =  *(_t36 + _t37) ^ _t17;
						if((_t19 & 0x00000001) == 0) {
							_t20 = _t19 >> 1;
						} else {
							_t20 = _t19 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t20 & 0x00000001) == 0) {
							_t21 = _t20 >> 1;
						} else {
							_t21 = _t20 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t21 & 0x00000001) == 0) {
							_t22 = _t21 >> 1;
						} else {
							_t22 = _t21 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t22 & 0x00000001) == 0) {
							_t23 = _t22 >> 1;
						} else {
							_t23 = _t22 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t23 & 0x00000001) == 0) {
							_t24 = _t23 >> 1;
						} else {
							_t24 = _t23 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t24 & 0x00000001) == 0) {
							_t25 = _t24 >> 1;
						} else {
							_t25 = _t24 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t25 & 0x00000001) == 0) {
							_t26 = _t25 >> 1;
						} else {
							_t26 = _t25 >> 0x00000001 ^ 0x0000008c;
						}
						if((_t26 & 0x00000001) == 0) {
							_t27 = _t26 >> 1;
						} else {
							_t27 = _t26 >> 0x00000001 ^ 0x0000008c;
						}
						_t36 = _t36 + 1;
						_t17 = _t27;
					} while (_t36 < _t38);
				}
				return _t17;
			}

0x00c06e60
0x00c06e60
0x00c06e60
0x00c06e62
0x00c06e66
0x00c06e68
0x00c06e6b
0x00c06e70
0x00c06e79
0x00c06e72
0x00c06e74
0x00c06e74
0x00c06e7e
0x00c06e87
0x00c06e80
0x00c06e82
0x00c06e82
0x00c06e8c
0x00c06e95
0x00c06e8e
0x00c06e90
0x00c06e90
0x00c06e9a
0x00c06ea3
0x00c06e9c
0x00c06e9e
0x00c06e9e
0x00c06ea8
0x00c06eb1
0x00c06eaa
0x00c06eac
0x00c06eac
0x00c06eb6
0x00c06ebf
0x00c06eb8
0x00c06eba
0x00c06eba
0x00c06ec4
0x00c06ecd
0x00c06ec6
0x00c06ec8
0x00c06ec8
0x00c06ed2
0x00c06edb
0x00c06ed4
0x00c06ed6
0x00c06ed6
0x00c06edd
0x00c06ede
0x00c06ee0
0x00c06e68
0x00c06ee4

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9271273bdbe4e4e1a7a42b2a790ada785bacc9cc96101a48ac55629196a006
Instruction ID: 782c4a7e580b1f920d0b9470e014d3f7ecf1f575abb7262f0da1d3ba82a0024b
Opcode Fuzzy Hash: fa9271273bdbe4e4e1a7a42b2a790ada785bacc9cc96101a48ac55629196a006
Instruction Fuzzy Hash: 3401081A456F2887DF15482BC8313F303C04B06778CA4A3154ABA423E677EAB9E9F449

Uniqueness

Uniqueness Score: -1.00%

Function 00C46568 Relevance: 48.3, APIs: 32, Instructions: 311
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00C46568(void* __edx, intOrPtr* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr* _t90;
				intOrPtr* _t91;
				unsigned int _t94;
				signed char _t96;
				void* _t98;
				signed int _t100;
				signed int _t110;
				unsigned int _t112;
				signed char _t114;
				intOrPtr* _t119;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr* _t136;
				unsigned int _t138;
				void* _t142;
				void* _t149;
				signed int* _t150;
				intOrPtr* _t154;
				char* _t156;
				signed int* _t159;
				intOrPtr* _t161;
				signed int _t162;
				signed int _t165;
				void* _t168;
				signed int* _t170;
				void* _t176;
				signed char _t185;
				void* _t194;
				void* _t218;
				signed int _t221;
				signed int* _t224;
				signed int _t225;
				void* _t227;
				void* _t228;
				void* _t230;

				_t218 = __edx;
				_t90 =  *0xc5bd94; // 0x0
				_t189 =  *_t90;
				_t228 = _t227 - 0x30;
				if(_t189 != 0) {
					__eflags = _t189 - 0x36;
					if(_t189 < 0x36) {
						L5:
						__eflags = _t189 - 0x5f;
						if(_t189 == 0x5f) {
							goto L7;
						} else {
							E00C43016(_a4, 2);
							goto L2;
						}
					} else {
						__eflags = _t189 - 0x39;
						if(_t189 <= 0x39) {
							L7:
							_t185 = _t189 - 0x36;
							_t91 = _t90 + 1;
							 *0xc5bd94 = _t91;
							__eflags = _t185 - 0x29;
							if(_t185 != 0x29) {
								__eflags = _t185;
								if(_t185 < 0) {
									goto L15;
								} else {
									__eflags = _t185 - 3;
									goto L14;
								}
								goto L16;
							} else {
								_t189 =  *_t91;
								__eflags = _t189;
								if(_t189 == 0) {
									E00C43A6E(_t189, _a4, 1, _a8);
									goto L18;
								} else {
									_t185 = _t189 - 0x3d;
									__eflags = _t185 - 4;
									 *0xc5bd94 = _t91 + 1;
									if(_t185 < 4) {
										L15:
										_t185 = _t185 | 0xffffffff;
										__eflags = _t185;
									} else {
										__eflags = _t185 - 7;
										L14:
										if(__eflags > 0) {
											goto L15;
										}
									}
									L16:
									__eflags = _t185 - 0xffffffff;
									if(_t185 != 0xffffffff) {
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 & 0xffff0000;
										_t224 = _a8;
										_v12 =  *_t224;
										_t221 = _t185 & 0x00000002;
										__eflags = _t221;
										_v8 = _t224[1];
										if(_t221 == 0) {
											L27:
											__eflags = _t185 & 0x00000004;
											if((_t185 & 0x00000004) != 0) {
												_t138 =  *0xc5bda4; // 0x0
												__eflags =  !(_t138 >> 1) & 0x00000001;
												if(__eflags == 0) {
													_t142 = E00C454AD(_t218, __eflags,  &_v52);
													_t189 =  &_v12;
													E00C42C09( &_v12, _t142);
												} else {
													_t149 = E00C43A4A(_t189,  &_v36, 0x20, E00C454AD(_t218, __eflags,  &_v44));
													_t228 = _t228 + 0x10;
													_t150 = E00C437F6(_t149,  &_v52,  &_v12);
													_t189 =  *_t150;
													_v12 =  *_t150;
													_v8 = _t150[1];
												}
											}
											_t94 =  *0xc5bda4; // 0x0
											_t96 =  !(_t94 >> 1);
											__eflags = _t96 & 0x00000001;
											if((_t96 & 0x00000001) == 0) {
												_t98 = E00C43713(_t189,  &_v52);
												_t191 =  &_v12;
												E00C42C09( &_v12, _t98);
											} else {
												_t136 = E00C437F6(E00C43713(_t189,  &_v44),  &_v52,  &_v12);
												_t191 =  *_t136;
												_v12 =  *_t136;
												_v8 =  *((intOrPtr*)(_t136 + 4));
											}
											__eflags =  *_t224;
											if( *_t224 != 0) {
												_t129 = E00C43A4A(_t191,  &_v44, 0x28,  &_v12);
												_t228 = _t228 + 0xc;
												_t130 = E00C43AB6(_t129,  &_v52, 0x29);
												_v12 =  *_t130;
												_v8 =  *((intOrPtr*)(_t130 + 4));
											}
											_t100 = E00C42A71(0xc5bd74, 8, 0);
											__eflags = _t100;
											if(_t100 == 0) {
												_t225 = 0;
												__eflags = 0;
											} else {
												 *(_t100 + 4) = 0;
												 *(_t100 + 4) =  *(_t100 + 4) & 0xffff00ff;
												 *_t100 = 0;
												_t225 = _t100;
											}
											E00C432B3( &_v28, _t225);
											_pop(_t194);
											E00C43607( &_v12, E00C43AB6(E00C43A4A(_t194,  &_v36, 0x28, E00C43D24(_t194,  &_v44)),  &_v52, 0x29));
											_t110 =  *0xc5bda4; // 0x0
											__eflags = (_t110 & 0x00000060) - 0x60;
											if((_t110 & 0x00000060) != 0x60) {
												__eflags = _t221;
												if(_t221 != 0) {
													E00C43607( &_v12,  &_v20);
												}
											}
											_t112 =  *0xc5bda4; // 0x0
											_t114 =  !(_t112 >> 8);
											__eflags = _t114 & 0x00000001;
											_push( &_v52);
											if((_t114 & 0x00000001) == 0) {
												E00C42C09( &_v12, E00C43E00());
											} else {
												E00C43607( &_v12, E00C43E00());
											}
											__eflags = _t225;
											if(_t225 == 0) {
												_push(3);
												goto L51;
											} else {
												 *_t225 = _v12;
												 *((intOrPtr*)(_t225 + 4)) = _v8;
												_t119 = _a4;
												 *_t119 = _v28;
												 *((intOrPtr*)(_t119 + 4)) = _v24;
											}
										} else {
											_t154 = E00C43A92(_t189,  &_v36, "::",  &_v12);
											_t211 =  *_t154;
											_v8 =  *((intOrPtr*)(_t154 + 4));
											_t156 =  *0xc5bd94; // 0x0
											_t230 = _t228 + 0xc;
											__eflags =  *_t156;
											_v12 =  *_t154;
											_push( &_v12);
											if( *_t156 == 0) {
												_push(1);
												_push( &_v52);
												_t159 = E00C43A6E(_t211);
												_t228 = _t230 + 0xc;
											} else {
												_t176 = E00C43A4A(_t211,  &_v52, 0x20, E00C462F8(_t218));
												_t228 = _t230 + 0x10;
												_t159 = E00C437F6(_t176,  &_v44,  &_v36);
											}
											_t212 =  *_t159;
											_v8 = _t159[1];
											_t161 =  *0xc5bd94; // 0x0
											_t162 =  *_t161;
											_v12 =  *_t159;
											__eflags = _t162;
											if(_t162 == 0) {
												E00C43A6E(_t212, _a4, 1,  &_v12);
												goto L52;
											} else {
												__eflags = _t162 - 0x40;
												if(_t162 != 0x40) {
													_push(2);
													L51:
													E00C43016(_a4);
													L52:
													_t119 = _a4;
												} else {
													_t165 =  *0xc5bda4; // 0x0
													 *0xc5bd94 =  *0xc5bd94 + 1;
													__eflags = (_t165 & 0x00000060) - 0x60;
													_push( &_v52);
													if((_t165 & 0x00000060) == 0x60) {
														_t168 = E00C42F3F();
														_t189 =  &_v20;
														E00C42C09( &_v20, _t168);
													} else {
														_t170 = E00C42F3F();
														_t189 =  *_t170;
														_v20 =  *_t170;
														_v16 = _t170[1];
													}
													goto L27;
												}
											}
										}
									} else {
										E00C43016(_a4, 2);
										L18:
										_t119 = _a4;
									}
								}
							}
							return _t119;
						} else {
							goto L5;
						}
					}
				} else {
					E00C43A6E(_t189, _a4, 1, _a8);
					L2:
					return _a4;
				}
			}

0x00c46568
0x00c4656d
0x00c46572
0x00c46574
0x00c46579
0x00c46590
0x00c46593
0x00c4659a
0x00c4659a
0x00c4659d
0x00000000
0x00c4659f
0x00c465a4
0x00000000
0x00c465a4
0x00c46595
0x00c46595
0x00c46598
0x00c465ab
0x00c465af
0x00c465b2
0x00c465b3
0x00c465b8
0x00c465bb
0x00c465eb
0x00c465ed
0x00000000
0x00c465ef
0x00c465ef
0x00000000
0x00c465ef
0x00000000
0x00c465bd
0x00c465bd
0x00c465bf
0x00c465c1
0x00c465e1
0x00000000
0x00c465c3
0x00c465c6
0x00c465ca
0x00c465cd
0x00c465d2
0x00c465f4
0x00c465f4
0x00c465f4
0x00c465d4
0x00c465d4
0x00c465f2
0x00c465f2
0x00000000
0x00000000
0x00c465f2
0x00c465f7
0x00c465f7
0x00c465fa
0x00c4660e
0x00c46612
0x00c4661a
0x00c46620
0x00c46628
0x00c46628
0x00c4662b
0x00c4662e
0x00c466de
0x00c466de
0x00c466e1
0x00c466e7
0x00c466f0
0x00c466f2
0x00c4675a
0x00c46761
0x00c46764
0x00c466f4
0x00c4670c
0x00c46711
0x00c46716
0x00c4671b
0x00c46720
0x00c46723
0x00c46723
0x00c466f2
0x00c46769
0x00c46770
0x00c46772
0x00c46774
0x00c467a0
0x00c467a7
0x00c467aa
0x00c46776
0x00c4678a
0x00c4678f
0x00c46794
0x00c46797
0x00c46797
0x00c467b1
0x00c467b3
0x00c467c5
0x00c467ca
0x00c467cf
0x00c467d9
0x00c467dc
0x00c467dc
0x00c467e7
0x00c467ec
0x00c467ee
0x00c46801
0x00c46801
0x00c467f0
0x00c467f0
0x00c467f4
0x00c467fb
0x00c467fd
0x00c467fd
0x00c46808
0x00c4680e
0x00c46838
0x00c4683d
0x00c46845
0x00c46847
0x00c46849
0x00c4684b
0x00c46854
0x00c46854
0x00c4684b
0x00c46859
0x00c46861
0x00c46863
0x00c46868
0x00c46869
0x00c46886
0x00c4686b
0x00c46875
0x00c46875
0x00c4688b
0x00c4688d
0x00c468aa
0x00000000
0x00c4688f
0x00c46892
0x00c46897
0x00c4689d
0x00c468a0
0x00c468a5
0x00c468a5
0x00c46634
0x00c46641
0x00c46646
0x00c4664b
0x00c4664e
0x00c46653
0x00c46656
0x00c4665c
0x00c4665f
0x00c46660
0x00c4668a
0x00c4668c
0x00c4668d
0x00c46692
0x00c46662
0x00c46676
0x00c4667b
0x00c46680
0x00c46680
0x00c46695
0x00c4669a
0x00c4669d
0x00c466a2
0x00c466a4
0x00c466a7
0x00c466a9
0x00c46749
0x00000000
0x00c466af
0x00c466af
0x00c466b1
0x00c46739
0x00c468ac
0x00c468af
0x00c468b4
0x00c468b4
0x00c466b7
0x00c466b7
0x00c466bc
0x00c466c5
0x00c466ca
0x00c466cb
0x00c46728
0x00c4672f
0x00c46732
0x00c466cd
0x00c466cd
0x00c466d3
0x00c466d8
0x00c466db
0x00c466db
0x00000000
0x00c466cb
0x00c466b1
0x00c466a9
0x00c465fc
0x00c46601
0x00c46606
0x00c46606
0x00c46606
0x00c465fa
0x00c465c1
0x00c468bb
0x00000000
0x00000000
0x00000000
0x00c46598
0x00c4657b
0x00c46583
0x00c4658b
0x00c4658f
0x00c4658f

APIs

operator+.LIBCMT ref: 00C465E1
DName::DName.LIBCMT ref: 00C46601
operator+.LIBCMT ref: 00C46641
UnDecorator::getScope.LIBCMT ref: 00C4666A
operator+.LIBCMT ref: 00C46676
DName::operator+.LIBCMT ref: 00C46680
operator+.LIBCMT ref: 00C46583

Part of subcall function 00C43A6E: DName::DName.LIBCMT ref: 00C43A81
Part of subcall function 00C43A6E: DName::operator+.LIBCMT ref: 00C43A88

DName::DName.LIBCMT ref: 00C465A4
operator+.LIBCMT ref: 00C4668D
UnDecorator::getThisType.LIBCMT ref: 00C466CD
operator+.LIBCMT ref: 00C4670C
DName::operator+.LIBCMT ref: 00C46716
UnDecorator::getThisType.LIBCMT ref: 00C46728
DName::operator|=.LIBCMT ref: 00C46732
operator+.LIBCMT ref: 00C46749
DName::DName.LIBCMT ref: 00C468AF

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: operator+$NameName::$Decorator::getName::operator+$ThisType$Name::operator|=Scope
String ID:
API String ID: 398566123-0
Opcode ID: c94661a1db5d9905470c622f712d45b82dd3149449690893910e58b1aa135b3f
Instruction ID: d8e836f0cff717c3d3f0b2e5de779080d8c571fe06feeb60f9b9bfeeb8ea3a15
Opcode Fuzzy Hash: c94661a1db5d9905470c622f712d45b82dd3149449690893910e58b1aa135b3f
Instruction Fuzzy Hash: 98B181B5900208AFDF10DFE4D986EED7BB8BF49310F14406AF552AB295EB309B44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C183F0 Relevance: 44.2, APIs: 17, Strings: 8, Instructions: 447
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C183F0(intOrPtr __ecx, signed short* __edx, void* __eflags) {
				signed int _v8;
				intOrPtr _v12;
				short _v536;
				char _v540;
				char _v544;
				int _v548;
				PWCHAR* _v552;
				char _v556;
				char _v560;
				intOrPtr _v564;
				char _v568;
				char _v1088;
				signed int _v1608;
				char _v2128;
				short _v2640;
				char _v2648;
				intOrPtr _v2652;
				signed short* _v2656;
				signed short* _v2660;
				signed int _v2664;
				signed int _v3184;
				signed short* _v3188;
				char _v3708;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t160;
				void* _t170;
				intOrPtr _t189;
				intOrPtr _t192;
				signed int _t198;
				signed int _t203;
				void* _t207;
				signed int _t208;
				signed int _t214;
				signed int _t234;
				intOrPtr _t249;
				intOrPtr _t250;
				intOrPtr _t251;
				intOrPtr _t252;
				intOrPtr _t253;
				intOrPtr _t254;
				signed char _t279;
				void* _t295;
				char* _t374;
				void* _t376;
				void* _t377;
				signed int _t378;
				void* _t379;
				void* _t380;
				void* _t385;

				_t372 = __edx;
				_t160 =  *0xc58320; // 0x96c0a7a
				_v8 = _t160 ^ _t378;
				_v12 = __ecx;
				E00C266B0(_t376,  &_v536, 0, 0x20a);
				_t380 = _t379 + 0xc;
				if(GetModuleFileNameW(0,  &_v536, 0x104) == 0) {
					L75:
					__eflags = _v8 ^ _t378;
					return E00C2669E(_t165, _t295, _v8 ^ _t378, _t372, _t376, _t377);
				}
				E00C01860(_t295, _t378, PathFindFileNameW( &_v536));
				_t170 = E00C01E30( &_v540);
				_t392 = _t170;
				if(_t170 == 0) {
					L74:
					_t165 = E00C01910( &_v540, _t372);
					goto L75;
				} else {
					PathRemoveExtensionW(E00C01930( &_v540));
					E00C19180( &_v540,  &_v544, 0, 4);
					if(E00C18D60( &_v544, _t392, L"Inst") != 0) {
						_v548 = 0;
						_v552 = CommandLineToArgvW(GetCommandLineW(),  &_v548);
						if(_v552 != 0 && _v548 == 2) {
							E00C01860(_t295, _t378,  *_v552);
							E00C01860(_t295, _t378, _v552[1]);
							_t279 = E00C19270( &_v560);
							_t280 = _t279 & 0x000000ff;
							if((_t279 & 0x000000ff) == 0) {
								if(E00C18FB0(_t280,  &_v560, L"--IniReInstal", 0) >= 0) {
									_t285 = _v12;
									 *((intOrPtr*)(_v12 + 0x28)) = 1;
								}
								_v564 = E00C18FB0(_t285,  &_v560, "=", 0);
								if(_v564 >= 0) {
									E00C19140( &_v560,  &_v568, _v564 + 1);
									E00C19080( &_v568, 0x20);
									if(E00C01E30( &_v568) != 0) {
										E00C18D30( &_v540,  &_v568);
									}
									E00C01910( &_v568, _t372);
								}
							}
							LocalFree(_v552);
							E00C01910( &_v560, _t372);
							E00C01910( &_v556, _t372);
						}
					}
					E00C18DC0( &_v540, L"__", " ");
					E00C266B0(_t376,  &_v1088, 0, 0x208);
					E00C266B0(_t376,  &_v1608, 0, 0x208);
					E00C266B0(_t376,  &_v2128, 0, 0x208);
					E00C266B0(_t376,  &_v2648, 0, 0x208);
					 *(_v12 + 0x24) = 0;
					_push(_v12 + 0x24);
					_push(0x104);
					_push( &_v2648);
					_push(0x104);
					_push( &_v1608);
					_push(0x104);
					_push( &_v2128);
					_push(_v12);
					_push(0x104);
					_t374 =  &_v1088;
					_t189 = E00C26659(E00C01930( &_v540), L"%s %d %s %s %s %d", _t374);
					_t385 = _t380 + 0x60;
					_v2652 = _t189;
					_v2656 =  &_v1088;
					while(( *_v2656 & 0x0000ffff) != 0) {
						_v2656 =  &(_v2656[1]);
					}
					_t192 = _v12;
					__eflags =  *(_t192 + 8);
					if( *(_t192 + 8) == 0) {
						_t249 = _v12;
						__eflags =  *(_t249 + 0xc);
						if( *(_t249 + 0xc) == 0) {
							_t250 = _v12;
							__eflags =  *(_t250 + 0x10);
							if( *(_t250 + 0x10) == 0) {
								_t251 = _v12;
								__eflags =  *(_t251 + 0x14);
								if( *(_t251 + 0x14) == 0) {
									_t252 = _v12;
									__eflags =  *(_t252 + 0x18);
									if( *(_t252 + 0x18) == 0) {
										_t253 = _v12;
										__eflags =  *(_t253 + 0x1c);
										if( *(_t253 + 0x1c) == 0) {
											_t254 = _v12;
											__eflags =  *(_t254 + 0x20);
											if( *(_t254 + 0x20) == 0) {
												 *((intOrPtr*)(_v12 + 8)) = 1;
											}
										}
									}
								}
							}
						}
					}
					_v2640 = 0;
					__eflags = _v2652 - 3;
					if(_v2652 != 3) {
						L52:
						E00C266B0(_t376,  &_v3184, 0, 0x208);
						_t198 = E00C18AC0(_v12,  &_v2128,  &_v2128, E00C2658A( &_v2128),  &_v3184, 0x104);
						__eflags = _t198;
						if(_t198 == 0) {
							__eflags = 0;
							_v3184 = 0;
						}
						__eflags = _v1608 & 0x0000ffff;
						if((_v1608 & 0x0000ffff) != 0) {
							_v3188 =  &_v1608;
							__eflags = ( *_v3188 & 0x0000ffff) - 0x68;
							if(( *_v3188 & 0x0000ffff) == 0x68) {
								L61:
								_t203 =  &(_v3188[1]);
								__eflags = _t203;
								_v3188 = _t203;
								L62:
								E00C266B0(_t376,  &_v3708, 0, 0x208);
								_t207 = E00C2658A(_v3188);
								_t372 = _v3188;
								_t208 = E00C18AC0(_v12, _v3188, _v3188, _t207,  &_v3708, 0x104);
								__eflags = _t208;
								if(_t208 == 0) {
									__eflags = _v12 + 4;
									E00C019A0(_v12 + 4, _t377, L"https://hao.360.cn");
								} else {
									__eflags = _v3188 -  &_v1608;
									if(_v3188 !=  &_v1608) {
										__eflags = _v12 + 4;
										E00C019A0(_v12 + 4, _t377, L"https://");
									} else {
										E00C019A0(_v12 + 4, _t377, L"http://");
									}
									E00C19240(_v12 + 4,  &_v3708);
								}
								E00C19240(_v12 + 4, "/");
								__eflags = _v3184 & 0x0000ffff;
								if((_v3184 & 0x0000ffff) != 0) {
									__eflags = _v12 + 4;
									E00C19240(_v12 + 4,  &_v3184);
								}
								E00C19030(_v12 + 4);
								_t214 = E00C18C60(_v12, _t372,  &_v2648);
								__eflags = _t214;
								if(_t214 == 0) {
									__eflags = _v12 + 4;
									E00C019A0(_v12 + 4, _t377, L"https://hao.360.cn/?installer");
								}
								goto L73;
							}
							__eflags = ( *_v3188 & 0x0000ffff) - 0x48;
							if(( *_v3188 & 0x0000ffff) != 0x48) {
								goto L62;
							}
							goto L61;
						} else {
							__eflags = _v3184 & 0x0000ffff;
							if((_v3184 & 0x0000ffff) == 0) {
								__eflags = _v12 + 4;
								E00C019A0(_v12 + 4, _t377, L"https://hao.360.cn/?installer");
							} else {
								E00C019A0(_v12 + 4, _t377, L"https://hao.360.cn/");
								E00C19240(_v12 + 4,  &_v3184);
							}
							L73:
							E00C01910( &_v544, _t372);
							goto L74;
						}
					} else {
						_v2660 =  &_v2128;
						while(1) {
							__eflags =  *_v2660 & 0x0000ffff;
							if(( *_v2660 & 0x0000ffff) == 0) {
								break;
							}
							__eflags = ( *_v2660 & 0x0000ffff) - 0x41;
							if(( *_v2660 & 0x0000ffff) < 0x41) {
								L43:
								__eflags = ( *_v2660 & 0x0000ffff) - 0x61;
								if(( *_v2660 & 0x0000ffff) < 0x61) {
									L45:
									__eflags = ( *_v2660 & 0x0000ffff) - 0x30;
									if(( *_v2660 & 0x0000ffff) < 0x30) {
										L48:
										 *_v2660 = 0;
										break;
									}
									__eflags = ( *_v2660 & 0x0000ffff) - 0x39;
									if(( *_v2660 & 0x0000ffff) > 0x39) {
										goto L48;
									}
									L47:
									_v2660 =  &(_v2660[1]);
									continue;
								}
								__eflags = ( *_v2660 & 0x0000ffff) - 0x7a;
								if(( *_v2660 & 0x0000ffff) <= 0x7a) {
									goto L47;
								}
								goto L45;
							}
							__eflags = ( *_v2660 & 0x0000ffff) - 0x5a;
							if(( *_v2660 & 0x0000ffff) <= 0x5a) {
								goto L47;
							}
							goto L43;
						}
						_t234 = E00C2658A( &_v2128);
						_t385 = _t385 + 4;
						_v2664 = _t234;
						asm("cdq");
						__eflags = _v2664 - _v2664 - _t374 >> 1 << 1;
						if(_v2664 != _v2664 - _t374 >> 1 << 1) {
							__eflags = 0;
							 *((short*)(_t378 + _v2664 * 2 - 0x84e)) = 0;
						}
						goto L52;
					}
				}
			}

0x00c183f0
0x00c183f9
0x00c18400
0x00c18406
0x00c18417
0x00c1841c
0x00c18435
0x00c18aa7
0x00c18aaa
0x00c18ab4
0x00c18ab4
0x00c1844f
0x00c1845a
0x00c1845f
0x00c18461
0x00c18a99
0x00c18a9f
0x00000000
0x00c18467
0x00c18473
0x00c1848a
0x00c184a1
0x00c184a7
0x00c184c5
0x00c184d2
0x00c184f4
0x00c18509
0x00c18514
0x00c18519
0x00c1851e
0x00c18538
0x00c1853a
0x00c1853d
0x00c1853d
0x00c18556
0x00c18563
0x00c1857c
0x00c18589
0x00c1859b
0x00c185aa
0x00c185aa
0x00c185b5
0x00c185b5
0x00c18563
0x00c185c1
0x00c185cd
0x00c185d8
0x00c185d8
0x00c184d2
0x00c185ed
0x00c18600
0x00c18616
0x00c1862c
0x00c18642
0x00c1864d
0x00c1865a
0x00c1865b
0x00c18666
0x00c18667
0x00c18672
0x00c18673
0x00c1867e
0x00c18682
0x00c18683
0x00c18688
0x00c186a0
0x00c186a5
0x00c186a8
0x00c186b4
0x00c186ba
0x00c1878e
0x00c1878e
0x00c18799
0x00c1879c
0x00c187a0
0x00c187a2
0x00c187a5
0x00c187a9
0x00c187ab
0x00c187ae
0x00c187b2
0x00c187b4
0x00c187b7
0x00c187bb
0x00c187bd
0x00c187c0
0x00c187c4
0x00c187c6
0x00c187c9
0x00c187cd
0x00c187cf
0x00c187d2
0x00c187d6
0x00c187db
0x00c187db
0x00c187d6
0x00c187cd
0x00c187c4
0x00c187bb
0x00c187b2
0x00c187a9
0x00c187e4
0x00c187eb
0x00c187f2
0x00c188c2
0x00c188d0
0x00c188fe
0x00c18903
0x00c18905
0x00c18907
0x00c18909
0x00c18909
0x00c18917
0x00c18919
0x00c18965
0x00c18974
0x00c18977
0x00c18987
0x00c1898d
0x00c1898d
0x00c18990
0x00c18996
0x00c189a4
0x00c189bf
0x00c189c8
0x00c189d2
0x00c189d7
0x00c189d9
0x00c18a29
0x00c18a2c
0x00c189db
0x00c189e7
0x00c189e9
0x00c18a05
0x00c18a08
0x00c189eb
0x00c189f6
0x00c189f6
0x00c18a1a
0x00c18a1a
0x00c18a3c
0x00c18a48
0x00c18a4a
0x00c18a56
0x00c18a59
0x00c18a59
0x00c18a64
0x00c18a73
0x00c18a78
0x00c18a7a
0x00c18a86
0x00c18a89
0x00c18a89
0x00000000
0x00c18a7a
0x00c18982
0x00c18985
0x00000000
0x00000000
0x00000000
0x00c1891b
0x00c18922
0x00c18924
0x00c18952
0x00c18955
0x00c18926
0x00c18931
0x00c18943
0x00c18943
0x00c18a8e
0x00c18a94
0x00000000
0x00c18a94
0x00c187f8
0x00c187fe
0x00c18804
0x00c1880d
0x00c1880f
0x00000000
0x00000000
0x00c1881a
0x00c1881d
0x00c1882d
0x00c18836
0x00c18839
0x00c18849
0x00c18852
0x00c18855
0x00c18876
0x00c1887e
0x00000000
0x00c1887e
0x00c18860
0x00c18863
0x00000000
0x00000000
0x00c18865
0x00c1886e
0x00000000
0x00c18883
0x00c18844
0x00c18847
0x00000000
0x00000000
0x00000000
0x00c18847
0x00c18828
0x00c1882b
0x00000000
0x00000000
0x00000000
0x00c1882b
0x00c1888f
0x00c18894
0x00c18897
0x00c188a3
0x00c188aa
0x00c188b0
0x00c188b2
0x00c188ba
0x00c188ba
0x00000000
0x00c188b0
0x00c187f2

APIs

_memset.LIBCMT ref: 00C18417
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C1842D
PathFindFileNameW.SHLWAPI(?), ref: 00C18442
PathRemoveExtensionW.SHLWAPI(00000000,00000000), ref: 00C18473
GetCommandLineW.KERNEL32(00000000,Inst,?,00000000,00000004), ref: 00C184B8
CommandLineToArgvW.SHELL32(00000000), ref: 00C184BF
LocalFree.KERNEL32(00000000,?), ref: 00C185C1
_memset.LIBCMT ref: 00C18600
_memset.LIBCMT ref: 00C18616
_memset.LIBCMT ref: 00C1862C
_memset.LIBCMT ref: 00C18642
_swscanf.LIBCMT ref: 00C186A0
_wcslen.LIBCMT ref: 00C1888F
_memset.LIBCMT ref: 00C188D0
_wcslen.LIBCMT ref: 00C188EB
_memset.LIBCMT ref: 00C189A4
_wcslen.LIBCMT ref: 00C189BF

Strings

%s %d %s %s %s %d, xrefs: 00C1868F
Inst, xrefs: 00C1848F
https://, xrefs: 00C189FD
https://hao.360.cn, xrefs: 00C18A21
--IniReInstal, xrefs: 00C18526
http://, xrefs: 00C189EB
https://hao.360.cn/, xrefs: 00C18926
https://hao.360.cn/?installer, xrefs: 00C1894A, 00C18A7E

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$_wcslen$CommandFileLineNamePath$ArgvExtensionFindFreeLocalModuleRemove_swscanf
String ID: %s %d %s %s %s %d$--IniReInstal$Inst$http://$https://$https://hao.360.cn$https://hao.360.cn/$https://hao.360.cn/?installer
API String ID: 22948964-338244194
Opcode ID: 76141fea4acf79a9003fd8165c9679ae3a127e8868aa321fa007b62def8fb1ca
Instruction ID: aeadb808349b10a65da15860ba04dc2a6b26d10fa30d69b265d4f32fb3890838
Opcode Fuzzy Hash: 76141fea4acf79a9003fd8165c9679ae3a127e8868aa321fa007b62def8fb1ca
Instruction Fuzzy Hash: 52021571A04218ABDB24DB54CC95BEDB7B4BF16304F5400D9F50AA6291EB70AFC8EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C21840 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00C21840(struct HWND__** __ecx, struct HWND__* _a4) {
				struct HWND__** _v8;
				signed int _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct HWND__* _v64;
				signed int _v68;
				struct HMONITOR__* _v72;
				signed int _v76;
				intOrPtr _v84;
				struct HWND__* _v88;
				intOrPtr _v92;
				struct tagMONITORINFO _v116;
				int _v120;
				signed int _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				int _v136;
				int _v140;
				struct HWND__** _t148;
				struct HMONITOR__* _t165;
				struct HWND__* _t200;

				_v8 = __ecx;
				_v12 = E00C21AC0(_v8);
				if(_a4 == 0) {
					if((_v12 & 0x40000000) == 0) {
						_a4 = GetWindow( *_v8, 4);
					} else {
						_a4 = GetParent( *_v8);
					}
				}
				GetWindowRect( *_v8,  &_v28);
				if((_v12 & 0x40000000) != 0) {
					_v64 = GetParent( *_v8);
					GetClientRect(_v64,  &_v44);
					GetClientRect(_a4,  &_v60);
					_t200 = _a4;
					MapWindowPoints(_t200, _v64,  &_v60, 2);
					L24:
					_v128 = _v28.right - _v28.left;
					_v132 = _v28.bottom - _v28.top;
					asm("cdq");
					asm("cdq");
					_v136 = (_v60.right + _v60.left - _t200 >> 1) - (_v128 - _t200 >> 1);
					asm("cdq");
					asm("cdq");
					_v140 = (_v60.top + _v60.bottom - _t200 >> 1) - (_v132 - _t200 >> 1);
					if(_v136 + _v128 > _v44.right) {
						_v136 = _v44.right - _v128;
					}
					if(_v136 < _v44.left) {
						_v136 = _v44.left;
					}
					if(_v140 + _v132 > _v44.bottom) {
						_v140 = _v44.bottom - _v132;
					}
					if(_v140 < _v44.top) {
						_v140 = _v44.top;
					}
					return SetWindowPos( *_v8, 0, _v136, _v140, 0xffffffff, 0xffffffff, 0x15);
				}
				if(_a4 != 0) {
					_v68 = GetWindowLongW(_a4, 0xfffffff0);
					if((_v68 & 0x10000000) == 0 || (_v68 & 0x20000000) != 0) {
						_a4 = 0;
					}
				}
				_v72 = 0;
				if(_a4 == 0) {
					_t148 = _v8;
					__imp__MonitorFromWindow( *_t148, 2);
					_v72 = _t148;
				} else {
					_t165 = _a4;
					__imp__MonitorFromWindow(_t165, 2);
					_v72 = _t165;
				}
				while(1) {
					_v76 = 0 | _v72 != 0x00000000;
					if(_v76 == 0) {
						break;
					}
					if(0 != 0) {
						continue;
					}
					_v116.cbSize = 0x28;
					_v120 = GetMonitorInfoW(_v72,  &_v116);
					while(1) {
						_v124 = 0 | _v120 != 0x00000000;
						if(_v124 == 0) {
							break;
						}
						if(0 != 0) {
							continue;
						}
						_v44.left = _v116.rcWork;
						_v44.top = _v92;
						_t200 = _v88;
						_v44.right = _t200;
						_v44.bottom = _v84;
						if(_a4 != 0) {
							GetWindowRect(_a4,  &_v60);
						} else {
							_v60.left = _v44.left;
							_v60.top = _v44.top;
							_t200 = _v44.right;
							_v60.right = _t200;
							_v60.bottom = _v44.bottom;
						}
						goto L24;
					}
					return 0;
				}
				return 0;
			}

0x00c2184c
0x00c21857
0x00c2185e
0x00c21868
0x00c21889
0x00c2186a
0x00c21876
0x00c21876
0x00c21868
0x00c21896
0x00c218a4
0x00c219af
0x00c219ba
0x00c219c8
0x00c219d8
0x00c219dc
0x00c219e2
0x00c219e8
0x00c219f1
0x00c219fa
0x00c21a04
0x00c21a0b
0x00c21a17
0x00c21a21
0x00c21a28
0x00c21a3a
0x00c21a42
0x00c21a42
0x00c21a51
0x00c21a56
0x00c21a56
0x00c21a68
0x00c21a70
0x00c21a70
0x00c21a7f
0x00c21a84
0x00c21a84
0x00000000
0x00c21aa6
0x00c218ae
0x00c218bc
0x00c218c7
0x00c218d3
0x00c218d3
0x00c218c7
0x00c218da
0x00c218e5
0x00c218fa
0x00c21900
0x00c21906
0x00c218e7
0x00c218e9
0x00c218ed
0x00c218f3
0x00c218f3
0x00c21909
0x00c21912
0x00c21919
0x00000000
0x00000000
0x00c21924
0x00000000
0x00000000
0x00c21926
0x00c2193b
0x00c2193e
0x00c21947
0x00c2194e
0x00000000
0x00000000
0x00c21959
0x00000000
0x00000000
0x00c2195e
0x00c21964
0x00c21967
0x00c2196a
0x00c21970
0x00c21977
0x00c2199b
0x00c21979
0x00c2197c
0x00c21982
0x00c21985
0x00c21988
0x00c2198e
0x00c2198e
0x00000000
0x00c219a1
0x00000000
0x00c21950
0x00000000

APIs

Part of subcall function 00C21AC0: GetWindowLongW.USER32(?,000000F0), ref: 00C21AD4

GetParent.USER32 ref: 00C21870
GetWindow.USER32(?,00000004), ref: 00C21883
GetWindowRect.USER32 ref: 00C21896
GetWindowLongW.USER32(00000000,000000F0), ref: 00C218B6
MonitorFromWindow.USER32(00000000,00000002), ref: 00C218ED
MonitorFromWindow.USER32(?,00000002), ref: 00C21900
GetMonitorInfoW.USER32 ref: 00C21935
GetWindowRect.USER32 ref: 00C2199B
GetParent.USER32 ref: 00C219A9
GetClientRect.USER32 ref: 00C219BA
GetClientRect.USER32 ref: 00C219C8
MapWindowPoints.USER32 ref: 00C219DC
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,?,?), ref: 00C21AA6

Strings

(, xrefs: 00C21926

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientFromLongParent$InfoPoints
String ID: (
API String ID: 882428731-3887548279
Opcode ID: 32562fa719fbc55fc82cb0b94e50b65270ff01434b8b6a950c4f0ee6cdbf8cc5
Instruction ID: b91209564ddc2ebd87ca73fbd1b8bc8e26f47050377851ceb68845694daeebdd
Opcode Fuzzy Hash: 32562fa719fbc55fc82cb0b94e50b65270ff01434b8b6a950c4f0ee6cdbf8cc5
Instruction Fuzzy Hash: 8791E5B5E00219EFCB14DFA8D984BDDBBF5BB18300F248569E915E7290DB34AA84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B4A0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 207
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C0B4A0(void* __ebp, intOrPtr _a4) {
				int _v4;
				char _v12;
				signed int _v20;
				short _v540;
				char _v1060;
				char _v1164;
				char _v1268;
				char _v1372;
				struct _FILETIME _v1380;
				int _v1384;
				int _v1388;
				int _v1392;
				int _v1396;
				intOrPtr _v1400;
				char _v1404;
				int _v1408;
				int _v1412;
				void* _v1416;
				void* _v1420;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t67;
				signed int _t69;
				int _t74;
				int _t79;
				intOrPtr* _t82;
				void* _t83;
				intOrPtr* _t87;
				long _t89;
				void* _t94;
				void* _t97;
				void* _t105;
				intOrPtr _t113;
				CHAR* _t119;
				void* _t124;
				void* _t125;
				void* _t126;
				void* _t131;
				void* _t132;
				void* _t136;
				void* _t137;
				signed int _t138;

				_push(0xffffffff);
				_push(0xc4ce4b);
				_push( *[fs:0x0]);
				_t138 = _t137 - 0x580;
				_t67 =  *0xc58320; // 0x96c0a7a
				_v20 = _t67 ^ _t138;
				_push(__ebp);
				_push(_t125);
				_t69 =  *0xc58320; // 0x96c0a7a
				_push(_t69 ^ _t138);
				 *[fs:0x0] =  &_v12;
				_v1400 = _a4;
				_v1388 = 0;
				_v1384 = 0;
				_v4 = 0;
				_v1416 = 0;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards", 0, 8,  &_v1416) != 0) {
					L33:
					_t74 = 0;
					L34:
					 *[fs:0x0] = _v12;
					_pop(_t126);
					_pop(_t131);
					_pop(_t105);
					return E00C2669E(_t74, _t105, _v20 ^ _t138, _t122, _t126, _t131);
				}
				_t132 = _v1416;
				_v1388 = _t132;
				_v1384 = 0;
				E00C266B0(_t125,  &_v1372, 0, 0x64);
				E00C266B0(_t125,  &_v1268, 0, 0x64);
				_t138 = _t138 + 0x18;
				_t79 = 0;
				_v1396 = 0;
				while(1) {
					_t122 =  &_v1392;
					_v1392 = 0x104;
					if(RegEnumKeyExW(_t132, _t79,  &_v540,  &_v1392, 0, 0, 0,  &_v1380) != 0) {
						break;
					}
					_t122 =  &_v1420;
					_v1412 = 0;
					_v1420 = 0;
					_t89 = RegOpenKeyExW(_t132,  &_v540, 0, 1,  &_v1420);
					_v1408 = 0;
					if(_t89 != 0) {
						L19:
						_t79 = _v1396 + 1;
						_v1396 = _t79;
						if(_t79 < 0x64) {
							continue;
						}
						break;
					}
					_t136 = _v1420;
					_v1404 = 0x104;
					_t129 =  &_v1404;
					_v1412 = _t136;
					if(E00C094B0( &_v1404,  &_v1060,  &_v1412, L"ServiceName") != 0) {
						L16:
						if(_t136 != 0) {
							RegCloseKey(_t136);
							_v1412 = 0;
						}
						_t132 = _v1416;
						_v1408 = 0;
						goto L19;
					}
					_t122 =  &_v1404;
					_v1404 = 0;
					_v1420 = 0;
					_t94 = E00C0B110( &_v1420, _t136,  &_v1060,  &_v1404);
					_t138 = _t138 + 8;
					if(_t94 == 0 || _v1404 != 0) {
						E00C266B0(_t129,  &_v1164, 0, 0x64);
						_t122 =  &_v1164;
						_t97 = E00C0B320( &_v1420, _t136,  &_v1060,  &_v1164);
						_t138 = _t138 + 0x14;
						if(_t97 == 0) {
							goto L16;
						}
						if(_v1420 == 0) {
							if(_v1372 == 0 || lstrcmpA( &_v1164,  &_v1372) < 0) {
								_t119 =  &_v1372;
								L15:
								_t122 = 0x64;
								E00C096B0( &_v1164, _t119, 0x64);
							}
							goto L16;
						}
						if(_v1268 == 0) {
							L11:
							_t119 =  &_v1268;
							goto L15;
						}
						_t122 =  &_v1164;
						if(lstrcmpA( &_v1164,  &_v1268) >= 0) {
							goto L16;
						}
						goto L11;
					} else {
						goto L16;
					}
				}
				if(_v1372 == 0) {
					if(_v1268 == 0) {
						if(_t132 != 0) {
							RegCloseKey(_t132);
						}
						goto L33;
					}
					_t82 =  &_v1268;
					_t122 = _t82 + 1;
					do {
						_t113 =  *_t82;
						_t82 = _t82 + 1;
					} while (_t113 != 0);
					_t114 =  &_v1268;
					_t83 = _t82 - _t122;
					_push( &_v1268);
					L24:
					E00C08AA0(_v1400, _t114, _t83);
					if(_t132 != 0) {
						RegCloseKey(_t132);
					}
					_t74 = 1;
					goto L34;
				}
				_t87 =  &_v1372;
				_t124 = _t87 + 1;
				do {
					_t114 =  *_t87;
					_t87 = _t87 + 1;
				} while (_t114 != 0);
				_t83 = _t87 - _t124;
				_t122 =  &_v1372;
				_push( &_v1372);
				goto L24;
			}

0x00c0b4a0
0x00c0b4a2
0x00c0b4ad
0x00c0b4ae
0x00c0b4b4
0x00c0b4bb
0x00c0b4c3
0x00c0b4c5
0x00c0b4c6
0x00c0b4cd
0x00c0b4d5
0x00c0b4e4
0x00c0b4e8
0x00c0b4ec
0x00c0b4fd
0x00c0b509
0x00c0b515
0x00c0b72e
0x00c0b72e
0x00c0b730
0x00c0b737
0x00c0b73f
0x00c0b740
0x00c0b742
0x00c0b757
0x00c0b757
0x00c0b51b
0x00c0b527
0x00c0b52b
0x00c0b52f
0x00c0b542
0x00c0b547
0x00c0b54a
0x00c0b54c
0x00c0b550
0x00c0b558
0x00c0b56c
0x00c0b578
0x00000000
0x00000000
0x00c0b57e
0x00c0b58f
0x00c0b593
0x00c0b597
0x00c0b59d
0x00c0b5a3
0x00c0b6af
0x00c0b6b3
0x00c0b6b7
0x00c0b6bb
0x00000000
0x00000000
0x00000000
0x00c0b6bb
0x00c0b5a9
0x00c0b5b6
0x00c0b5bb
0x00c0b5c6
0x00c0b5d1
0x00c0b698
0x00c0b69a
0x00c0b69d
0x00c0b6a3
0x00c0b6a3
0x00c0b6a7
0x00c0b6ab
0x00000000
0x00c0b6ab
0x00c0b5d7
0x00c0b5e3
0x00c0b5e7
0x00c0b5eb
0x00c0b5f0
0x00c0b5f5
0x00c0b60c
0x00c0b614
0x00c0b628
0x00c0b62d
0x00c0b632
0x00000000
0x00000000
0x00c0b638
0x00c0b66a
0x00c0b683
0x00c0b687
0x00c0b68e
0x00c0b693
0x00c0b693
0x00000000
0x00c0b66a
0x00c0b641
0x00c0b65d
0x00c0b65d
0x00000000
0x00c0b65d
0x00c0b64b
0x00c0b65b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0b5f5
0x00c0b6c5
0x00c0b702
0x00c0b725
0x00c0b728
0x00c0b728
0x00000000
0x00c0b725
0x00c0b704
0x00c0b70b
0x00c0b710
0x00c0b710
0x00c0b712
0x00c0b713
0x00c0b717
0x00c0b71e
0x00c0b720
0x00c0b6de
0x00c0b6e4
0x00c0b6eb
0x00c0b6ee
0x00c0b6ee
0x00c0b6f4
0x00000000
0x00c0b6f4
0x00c0b6c7
0x00c0b6cb
0x00c0b6d0
0x00c0b6d0
0x00c0b6d2
0x00c0b6d3
0x00c0b6d7
0x00c0b6d9
0x00c0b6dd
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00000008,?,096C0A7A,00000000,?,?,?), ref: 00C0B50D
_memset.LIBCMT ref: 00C0B52F
_memset.LIBCMT ref: 00C0B542
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 00C0B570
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,?,?), ref: 00C0B597
RegCloseKey.ADVAPI32(?,?,ServiceName,?,?,?,?,?,?), ref: 00C0B69D

Part of subcall function 00C0B110: RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318},00000000,00000008,?,?,?,?,00000000), ref: 00C0B15E
Part of subcall function 00C0B110: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00C0B1A4
Part of subcall function 00C0B110: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00C0B1CB
Part of subcall function 00C0B110: StrCmpIW.SHLWAPI(?,?,?,NetCfgInstanceId), ref: 00C0B208
Part of subcall function 00C0B110: RegCloseKey.ADVAPI32(?,?,NetCfgInstanceId), ref: 00C0B217
Part of subcall function 00C0B110: RegCloseKey.ADVAPI32(?), ref: 00C0B29B

_memset.LIBCMT ref: 00C0B60C
lstrcmpA.KERNEL32(?,?,?,?,?,?,?,?,ServiceName,?,?,?,?,?,?), ref: 00C0B653
lstrcmpA.KERNEL32(?,?,?,?,?,?,?,?,ServiceName,?,?,?,?,?,?), ref: 00C0B679
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?), ref: 00C0B6EE
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?), ref: 00C0B728

Part of subcall function 00C094B0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00C06FB7), ref: 00C094D7

Strings

ServiceName, xrefs: 00C0B5AD
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00C0B4F8

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Close$Open$_memset$Enumlstrcmp$QueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 425290413-1795789498
Opcode ID: 3edbefc485b4d736c3136a1b002a3ae3669a2aa73826f888a86d7d0e807e9963
Instruction ID: 01ac4e5b200191f3370418924bf74fa533af5aa5a558635c50f8ace628e6876d
Opcode Fuzzy Hash: 3edbefc485b4d736c3136a1b002a3ae3669a2aa73826f888a86d7d0e807e9963
Instruction Fuzzy Hash: EA715EB15083809FD724DF25C885BABB7E8FB89744F04492DF59993280EB719E09CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C130C0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 153
registryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C130C0(intOrPtr _a4, int _a8) {
				int _v8;
				int _v12;
				void* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t32;
				void* _t38;
				void* _t41;
				intOrPtr _t43;
				void* _t46;
				long _t47;
				long _t48;
				long _t50;
				int _t54;
				void* _t55;
				short* _t56;
				void* _t65;
				void* _t66;
				int _t67;
				int* _t70;
				int* _t72;

				_t67 = 0;
				_t66 = 0;
				_v20 = 0;
				_v8 = 0;
				if(_a4 == 0 || _a8 == 0) {
					L4:
					return _t32 | 0xffffffff;
				} else {
					_t32 = E00C27A03(_t55, _t63, 0, 0x200);
					_t56 = _t32;
					_t70 =  &(( &_v28)[1]);
					if(_t56 != 0) {
						__eflags = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards", 0, 0x20119,  &_v24);
						if(__eflags != 0) {
							L22:
							_push(_t56);
							E00C27501(_t56, _t63, _t66, _t67, __eflags);
							return _v20;
						} else {
							_t63 = _v24;
							_v28 = 0x100;
							_t38 = RegEnumKeyExW(_v24, 0, _t56,  &_v28, 0, 0, 0, 0);
							__eflags = _t38;
							if(_t38 == 0) {
								do {
									_t46 = _v24;
									__eflags = _t46;
									if(_t46 == 0) {
										_t46 = 0x80000002;
									}
									_t47 = RegOpenKeyExW(_t46, _t56, 0, 0x20119,  &_v16);
									__eflags = _t47;
									if(_t47 == 0) {
										_t65 = _v16;
										_t13 =  &(_t56[2]); // 0x4
										_v12 = 1;
										_v28 = 0x200;
										_t50 = RegQueryValueExA(_t65, "ServiceName", 0,  &_v12, _t13,  &_a8);
										__eflags = _t50;
										if(_t50 == 0) {
											 *_t56 = 0x5c2e5c5c;
											_t54 = E00C13030(_t56);
											__eflags = _t65 - _t66;
											if(__eflags >= 0) {
												if(__eflags > 0) {
													L14:
													_v8 = _t54;
													_t66 = _t65;
												} else {
													__eflags = _t54 - _v8;
													if(_t54 > _v8) {
														goto L14;
													}
												}
											}
										}
										RegCloseKey(_v16);
									}
									_t63 = _v24;
									_t67 = _t67 + 1;
									_v28 = 0x100;
									_t48 = RegEnumKeyExW(_v24, _t67, _t56,  &_v28, 0, 0, 0, 0);
									__eflags = _t48;
								} while (_t48 == 0);
							}
							RegCloseKey(_v24);
							__eflags = _t66;
							if(_t66 > 0) {
								L19:
								_push(_t66);
								_t41 = E00C103A0(_t56, 0x200, "%012I64X", _v8);
								_t72 =  &(_t70[3]);
								__eflags = _t41;
								if(__eflags != 0) {
									_t63 = _a4;
									_t43 = E00C12C50(_a8, "MAC:", _a4, _t56);
									_t70 =  &(_t72[3]);
									_v20 = _t43;
									goto L22;
								} else {
									_push(_t56);
									_v20 = 0xffffffff;
									E00C27501(_t56, _t63, _t66, _t67, __eflags);
									return _v20;
								}
							} else {
								__eflags = _v8;
								if(__eflags <= 0) {
									goto L22;
								} else {
									goto L19;
								}
							}
						}
					} else {
						SetLastError(8);
						goto L4;
					}
				}
			}

0x00c130c6
0x00c130c9
0x00c130cb
0x00c130cf
0x00c130d7
0x00c130fa
0x00c13104
0x00c130df
0x00c130e4
0x00c130e9
0x00c130eb
0x00c130f0
0x00c13120
0x00c13122
0x00c13264
0x00c13264
0x00c13265
0x00c13278
0x00c13128
0x00c13128
0x00c1313e
0x00c13146
0x00c13148
0x00c1314a
0x00c13150
0x00c13150
0x00c13154
0x00c13156
0x00c13158
0x00c13158
0x00c1316b
0x00c13171
0x00c13173
0x00c1317a
0x00c1317e
0x00c1318f
0x00c13197
0x00c1319f
0x00c131a5
0x00c131a7
0x00c131ab
0x00c131b1
0x00c131b6
0x00c131b8
0x00c131ba
0x00c131c2
0x00c131c2
0x00c131c6
0x00c131bc
0x00c131bc
0x00c131c0
0x00000000
0x00000000
0x00c131c0
0x00c131ba
0x00c131b8
0x00c131cd
0x00c131cd
0x00c131d3
0x00c131e5
0x00c131e8
0x00c131f0
0x00c131f2
0x00c131f2
0x00c13150
0x00c131ff
0x00c13205
0x00c13207
0x00c13210
0x00c13214
0x00c13220
0x00c13225
0x00c13228
0x00c1322a
0x00c13249
0x00c13258
0x00c1325d
0x00c13260
0x00000000
0x00c1322c
0x00c1322c
0x00c1322d
0x00c13235
0x00c13248
0x00c13248
0x00c13209
0x00c13209
0x00c1320e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c1320e
0x00c13207
0x00c130f2
0x00c130f4
0x00000000
0x00c130f4
0x00c130f0

APIs

_malloc.LIBCMT ref: 00C130E4

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

SetLastError.KERNEL32(00000008,00000000,?,?,?,?,00C12D7D,00000000,00002000,?,?,00C0E6AF,?,?,?,00C0ED1E), ref: 00C130F4

Part of subcall function 00C27501: __lock.LIBCMT ref: 00C2751F
Part of subcall function 00C27501: ___sbh_find_block.LIBCMT ref: 00C2752A
Part of subcall function 00C27501: ___sbh_free_block.LIBCMT ref: 00C27539
Part of subcall function 00C27501: RtlFreeHeap.NTDLL(00000000,?,00C54DD0,0000000C,00C2F4ED,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C), ref: 00C27569
Part of subcall function 00C27501: GetLastError.KERNEL32(?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375,?,?,?,00C2F5A7,0000000D), ref: 00C2757A

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00020119,?,00000000,?,?,?,?,00C12D7D,00000000,00002000,?,?,00C0E6AF), ref: 00C1311A
RegEnumKeyExW.ADVAPI32 ref: 00C13146
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020119,?), ref: 00C1316B
RegQueryValueExA.ADVAPI32(?,ServiceName,00000000,?,00000004,?), ref: 00C1319F
RegCloseKey.ADVAPI32(?), ref: 00C131CD
RegEnumKeyExW.ADVAPI32(00000000,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 00C131F0
RegCloseKey.ADVAPI32(00000000), ref: 00C131FF

Strings

%012I64X, xrefs: 00C13216
MAC:, xrefs: 00C13253
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00C13110
ServiceName, xrefs: 00C13189

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseEnumErrorHeapLastOpen$AllocateFreeQueryValue___sbh_find_block___sbh_free_block__lock_malloc
String ID: %012I64X$MAC:$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 2979117458-1531755283
Opcode ID: ee1dfdd8f49ec2bfa106052b67723fd72466a10bcb5934b5eab7a5117a80f510
Instruction ID: 0a776b62e78d7d77d49b31dbf9885d527457ffb34fbdeec8520758b8bac69440
Opcode Fuzzy Hash: ee1dfdd8f49ec2bfa106052b67723fd72466a10bcb5934b5eab7a5117a80f510
Instruction Fuzzy Hash: 0F41D171204340ABE310DF55DC86F9FBBE8FF8AB58F50051CF96896181E670EA4997A3

Uniqueness

Uniqueness Score: -1.00%

Function 00C24A30 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C24A30(CHAR* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v264;
				char _v524;
				char _v624;
				char _v724;
				CHAR* _v728;
				int _v732;
				int _v736;
				void* _v740;
				int _v744;
				void* _v748;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t66;
				char* _t67;
				void* _t70;
				int _t71;
				char _t87;
				void* _t94;
				CHAR* _t96;
				void* _t97;
				int _t98;
				void* _t100;
				signed int _t101;

				_t101 =  &_v748;
				_t43 =  *0xc58320; // 0x96c0a7a
				_v4 = _t43 ^ _t101;
				_t96 = _a4;
				_v728 = _t96;
				if(_t96 == 0 || _a8 == 0) {
					L24:
					return E00C2669E(0, _t70, _v4 ^ _t101, _t88, _t96, _t97);
				} else {
					E00C266B0(_t96,  &_v724, 0, 0x64);
					_t101 = _t101 + 0xc;
					if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards", 0, 8,  &_v748) == 0) {
						_push(_t70);
						_push(_t97);
						_t71 = 0;
						_t88 =  &_v744;
						_t98 = 0x104;
						_v744 = 0x104;
						if(RegEnumKeyExA(_v748, 0,  &_v524,  &_v744, 0, 0, 0, 0) == 0) {
							do {
								if(RegOpenKeyExA(_v748,  &_v524, 0, 1,  &_v740) == 0) {
									_t92 = _v740;
									_v736 = 1;
									_v732 = _t98;
									if(RegQueryValueExA(_v740, "ServiceName", 0,  &_v736,  &_v264,  &_v732) == 0) {
										E00C266B0(_t96,  &_v624, _t62, 0x64);
										_t96 =  &_v624;
										_t66 = E00C24920(_t92, _t96,  &_v264, 0x64);
										_t101 = _t101 + 0x14;
										if(_t66 != 0 && (_v724 == 0 || lstrcmpA(_t96,  &_v724) < 0)) {
											_t67 =  &_v724;
											_t94 = 0x64;
											_t100 =  &_v624 - _t67;
											while(1) {
												_t27 = _t94 + 0x7fffff9a; // 0x7ffffffe
												if(_t27 == 0) {
													break;
												}
												_t87 =  *((intOrPtr*)(_t100 + _t67));
												if(_t87 == 0) {
													break;
												} else {
													 *_t67 = _t87;
													_t67 = _t67 + 1;
													_t94 = _t94 - 1;
													if(_t94 != 0) {
														continue;
													} else {
														L16:
														_t67 = _t67 - 1;
													}
												}
												L17:
												 *_t67 = 0;
												_t98 = 0x104;
												goto L18;
											}
											if(_t94 == 0) {
												goto L16;
											}
											goto L17;
										}
									}
									L18:
									RegCloseKey(_v740);
								}
								_t88 = _v748;
								_t71 = _t71 + 1;
								_v744 = _t98;
							} while (RegEnumKeyExA(_v748, _t71,  &_v524,  &_v744, 0, 0, 0, 0) == 0);
							_t96 = _v728;
						}
						RegCloseKey(_v748);
						_pop(_t97);
						_pop(_t70);
					}
					if(_v724 == 0) {
						goto L24;
					} else {
						return E00C2669E(0 | E00C09700(_t96, _a8,  &_v724) >= 0x00000000, _t70, _v16 ^ _t101, _a8, _t96, _t97);
					}
				}
			}

0x00c24a30
0x00c24a36
0x00c24a3d
0x00c24a45
0x00c24a4c
0x00c24a52
0x00c24c31
0x00c24c48
0x00c24a66
0x00c24a6f
0x00c24a74
0x00c24a92
0x00c24a9c
0x00c24a9d
0x00c24a9e
0x00c24aa4
0x00c24ab2
0x00c24ab8
0x00c24ac4
0x00c24ad0
0x00c24aee
0x00c24af9
0x00c24b12
0x00c24b1a
0x00c24b26
0x00c24b37
0x00c24b46
0x00c24b4d
0x00c24b52
0x00c24b57
0x00c24b72
0x00c24b7f
0x00c24b84
0x00c24b86
0x00c24b86
0x00c24b8e
0x00000000
0x00000000
0x00c24b90
0x00c24b95
0x00000000
0x00c24b97
0x00c24b97
0x00c24b99
0x00c24b9a
0x00c24b9d
0x00000000
0x00c24b9f
0x00c24ba5
0x00c24ba5
0x00c24ba5
0x00c24b9d
0x00c24ba6
0x00c24ba6
0x00c24ba9
0x00000000
0x00c24ba9
0x00c24ba3
0x00000000
0x00000000
0x00000000
0x00c24ba3
0x00c24b57
0x00c24bae
0x00c24bb3
0x00c24bb3
0x00c24bb9
0x00c24bd2
0x00c24bd5
0x00c24bdf
0x00c24be7
0x00c24be7
0x00c24bf0
0x00c24bf6
0x00c24bf7
0x00c24bf7
0x00c24bfd
0x00000000
0x00c24bff
0x00c24c30
0x00c24c30
0x00c24bfd

APIs

_memset.LIBCMT ref: 00C24A6F
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00000008,?,?,?,?), ref: 00C24A8A
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00C24ABC
RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?), ref: 00C24AE6
RegQueryValueExA.ADVAPI32 ref: 00C24B1E
_memset.LIBCMT ref: 00C24B37

Part of subcall function 00C24920: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00C2496E

lstrcmpA.KERNEL32(?,00000000), ref: 00C24B68
RegCloseKey.ADVAPI32(?), ref: 00C24BB3
RegEnumKeyExA.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00C24BD9
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00C24BF0

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00C24A80
ServiceName, xrefs: 00C24B0C

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseEnumOpen_memset$CreateFileQueryValuelstrcmp
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 2630661138-1795789498
Opcode ID: 8ba42981e8b568d3113fdef2d9be6cc86c5228dfec7f76c6524f10a1e7f6de41
Instruction ID: 76907464abb718e45cab4f417b6b0ec02b2e7041beae715cf7ec191b8c48f66a
Opcode Fuzzy Hash: 8ba42981e8b568d3113fdef2d9be6cc86c5228dfec7f76c6524f10a1e7f6de41
Instruction Fuzzy Hash: 7C519F75604351AFE724CB64DC85FAFB7EDBB88704F04492CF59996580EB70EA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C0E740 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C0E740(char** __eax, char* __ecx, intOrPtr* _a4) {
				int _v4;
				void* _v8;
				int _v12;
				int _v16;
				void* __ebp;
				int* _t47;
				int* _t60;
				int _t66;
				int _t67;
				int _t68;
				char* _t69;
				void* _t84;
				char** _t85;

				_t85 = __eax;
				_t69 = __ecx;
				_v4 = 0;
				_t47 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\360MachineSignature", 0, 0x20119,  &_v8);
				if(_t47 != 0) {
					return 0;
				} else {
					 *_t85 = _t47;
					_t85[1] = _t47;
					_t85[2] = _t47;
					_t85[3] = _t47;
					_t85[4] = _t47;
					_t85[5] = _t47;
					_t85[6] = _t47;
					_t85[7] = _t47;
					_t85[8] = _t47;
					_t83 = 0x400;
					_v16 = 0x400;
					if(RegQueryValueExW(_v8, L"Operator", _t47,  &_v12, _t69,  &_v16) != 0) {
						L4:
						_v16 = _t83;
						if(RegQueryValueExW(_v8, L"IssueDate", 0,  &_v12, _t69,  &_v16) != 0) {
							L7:
							_v16 = _t83;
							if(RegQueryValueExW(_v8, L"ExpirationDate", 0,  &_v12, _t69,  &_v16) != 0) {
								L10:
								_v16 = _t83;
								if(RegQueryValueExW(_v8, L"SignData", 0,  &_v12, _t69,  &_v16) != 0 || _v12 != 3) {
									goto L15;
								} else {
									_t60 = _v16;
									_t84 = _t83 - _t60;
									_t85[7] = _t60;
									_t85[8] = _t69;
									if(_t84 == 0 || E00C0E640( &(_t85[3])) == 0) {
										goto L15;
									} else {
										 *_a4 = 0x400 - _t84;
										RegCloseKey(_v8);
										return 1;
									}
								}
							} else {
								if(_v12 != 1) {
									goto L15;
								} else {
									_t66 = _v16;
									_t85[2] = _t69;
									_t83 = _t83 - _t66;
									_t69 =  &(_t69[_t66]);
									if(_t83 == 0) {
										goto L15;
									} else {
										goto L10;
									}
								}
							}
						} else {
							if(_v12 != 1) {
								goto L15;
							} else {
								_t67 = _v16;
								_t85[1] = _t69;
								_t83 = _t83 - _t67;
								_t69 =  &(_t69[_t67]);
								if(_t83 == 0) {
									goto L15;
								} else {
									goto L7;
								}
							}
						}
					} else {
						if(_v12 != 1) {
							L15:
							RegCloseKey(_v8);
							return _v4;
						} else {
							_t68 = _v16;
							_t83 = 0x400 - _t68;
							 *_t85 = _t69;
							_t69 = _t68 + _t69;
							if(0x400 == 0) {
								goto L15;
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x00c0e747
0x00c0e760
0x00c0e762
0x00c0e766
0x00c0e76e
0x00c0e8da
0x00c0e774
0x00c0e774
0x00c0e776
0x00c0e779
0x00c0e77c
0x00c0e784
0x00c0e788
0x00c0e790
0x00c0e794
0x00c0e797
0x00c0e7a3
0x00c0e7a9
0x00c0e7b5
0x00c0e7d3
0x00c0e7f0
0x00c0e7f8
0x00c0e818
0x00c0e82f
0x00c0e837
0x00c0e84f
0x00c0e866
0x00c0e86e
0x00000000
0x00c0e877
0x00c0e877
0x00c0e87b
0x00c0e87d
0x00c0e880
0x00c0e883
0x00000000
0x00c0e891
0x00c0e8a1
0x00c0e8a8
0x00c0e8b7
0x00c0e8b7
0x00c0e883
0x00c0e839
0x00c0e83e
0x00000000
0x00c0e840
0x00c0e840
0x00c0e844
0x00c0e847
0x00c0e849
0x00c0e84d
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0e84d
0x00c0e83e
0x00c0e7fa
0x00c0e7ff
0x00000000
0x00c0e805
0x00c0e805
0x00c0e809
0x00c0e80c
0x00c0e80e
0x00c0e812
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0e812
0x00c0e7ff
0x00c0e7b7
0x00c0e7bc
0x00c0e8b8
0x00c0e8c1
0x00c0e8d0
0x00c0e7c2
0x00c0e7c2
0x00c0e7c6
0x00c0e7c8
0x00c0e7ca
0x00c0e7cd
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0e7cd
0x00c0e7bc
0x00c0e7b5

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360MachineSignature,00000000,00020119,?,00000000,00C52B08,00000000,?,?,?,00C0ED1E,?,?), ref: 00C0E766
RegQueryValueExW.ADVAPI32(?,Operator,00000000,?,00000000,?,?,?,00C0ED1E,?,?), ref: 00C0E7AD
RegQueryValueExW.ADVAPI32(?,IssueDate,00000000,?,00000000,?,?,?,00C0ED1E,?,?), ref: 00C0E7F4
RegQueryValueExW.ADVAPI32(?,ExpirationDate,00000000,?,00000000,?,?,?,00C0ED1E,?,?), ref: 00C0E833
RegQueryValueExW.ADVAPI32(?,SignData,00000000,?,00000000,?,?,?,00C0ED1E,?,?), ref: 00C0E86A
RegCloseKey.ADVAPI32(?), ref: 00C0E8A8
RegCloseKey.ADVAPI32(?,?,?,00C0ED1E,?,?), ref: 00C0E8C1

Strings

ExpirationDate, xrefs: 00C0E829
SignData, xrefs: 00C0E860
Operator, xrefs: 00C0E79E
SOFTWARE\360MachineSignature, xrefs: 00C0E756
IssueDate, xrefs: 00C0E7EA

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: QueryValue$Close$Open
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 2895014784-1479031278
Opcode ID: 24c8d61f793538c7fbccb2bb5ebe002b894b6bb69ef866925b46fef883d8b0d5
Instruction ID: 4b7a7bd2205dc557ac7e4f2de0b3880b614c8d77815c1f8ccd71e0f01cff4ca8
Opcode Fuzzy Hash: 24c8d61f793538c7fbccb2bb5ebe002b894b6bb69ef866925b46fef883d8b0d5
Instruction Fuzzy Hash: 45512CB16443029FD320DF68D884A6BBBE8FB84750F444E2DF595D3280E770E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C236D8 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 68
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C236D8() {
				int _t3;
				void* _t5;
				long _t7;
				long _t12;
				long _t17;
				struct HINSTANCE__* _t23;
				void* _t25;
				LONG* _t29;

				_t3 = IsProcessorFeaturePresent(0xc);
				if(_t3 != 0) {
					_t23 = LoadLibraryA("kernel32.dll");
					__eflags = _t23;
					if(_t23 != 0) {
						 *0xc5a9bc = GetProcAddress(_t23, "InterlockedPushEntrySList");
						 *0xc5a9c0 = GetProcAddress(_t23, "InterlockedPopEntrySList");
					}
					__eflags =  *0xc5a9bc; // 0x778c2190
					if(__eflags == 0) {
						L12:
						_t5 = 0;
						__eflags = 0;
					} else {
						__eflags =  *0xc5a9c0; // 0x778c21f0
						if(__eflags == 0) {
							goto L12;
						} else {
							_t29 =  *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x34;
							_t7 =  *_t29;
							__eflags = _t7;
							if(_t7 != 0) {
								L11:
								 *0xc5a9b8 = _t7;
								_t5 = 1;
							} else {
								_t25 = HeapAlloc(GetProcessHeap(), 0, 8);
								__eflags = _t25;
								if(_t25 == 0) {
									goto L12;
								} else {
									 *_t25 = 0;
									 *((intOrPtr*)(_t25 + 4)) = 0;
									_t12 = InterlockedCompareExchange(_t29, _t25, 0);
									__eflags = _t12;
									if(_t12 != 0) {
										HeapFree(GetProcessHeap(), 0, _t25);
									}
									_t7 =  *_t29;
									goto L11;
								}
							}
						}
					}
					return _t5;
				} else {
					_t17 = _t3 + 1;
					 *0xc5a9b8 = _t17;
					return _t17;
				}
			}

0x00c236da
0x00c236e2
0x00c236f9
0x00c236fd
0x00c236ff
0x00c23715
0x00c2371c
0x00c2371c
0x00c23721
0x00c23727
0x00c23787
0x00c23787
0x00c23787
0x00c23729
0x00c23729
0x00c2372f
0x00000000
0x00c23731
0x00c2373a
0x00c2373d
0x00c2373f
0x00c23741
0x00c2377d
0x00c2377d
0x00c23784
0x00c23743
0x00c23755
0x00c23759
0x00c2375b
0x00000000
0x00c2375d
0x00c23760
0x00c23762
0x00c23765
0x00c2376b
0x00c2376d
0x00c23775
0x00c23775
0x00c2377b
0x00000000
0x00c2377b
0x00c2375b
0x00c23741
0x00c2372f
0x00c2378c
0x00c236e4
0x00c236e4
0x00c236e5
0x00c236ea
0x00c236ea

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00C237C0,?,00C1B47E), ref: 00C236DA
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,00C1B47E), ref: 00C236F3
GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 00C2370D
GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 00C2371A
GetProcessHeap.KERNEL32(00000000,00000008,?,?,?,?,00C1B47E), ref: 00C2374C
HeapAlloc.KERNEL32(00000000,?,?,?,?,00C1B47E), ref: 00C2374F
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00C23765
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00C1B47E), ref: 00C23772
HeapFree.KERNEL32(00000000,?,?,?,?,00C1B47E), ref: 00C23775

Strings

kernel32.dll, xrefs: 00C236EE
InterlockedPushEntrySList, xrefs: 00C23707
InterlockedPopEntrySList, xrefs: 00C2370F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
API String ID: 3830925854-2586642590
Opcode ID: 5b07e89a62657435fe9899c01ac873f16bd95044a69f806df66b46f36892a75b
Instruction ID: 2105d55968ca9f5e4bf8574bfa0b75b374d3e41cabd15cae3b66c04388b49e1c
Opcode Fuzzy Hash: 5b07e89a62657435fe9899c01ac873f16bd95044a69f806df66b46f36892a75b
Instruction Fuzzy Hash: F511EFF9A003A1AFDB208F76AC88F1E7BA8FB49B42B02483DE511D3250D7748940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C0AFE0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C0AFE0(int __ecx, void* __ebp, void* __eflags, intOrPtr* _a4) {
				signed int _v4;
				char _v528;
				short _v532;
				int _v536;
				intOrPtr* _v540;
				void* _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t26;
				void* _t41;
				WCHAR* _t47;
				WCHAR* _t50;

				_t53 =  &_v544;
				_t26 =  *0xc58320; // 0x96c0a7a
				_v4 = _t26 ^  &_v544;
				_t41 = __ecx;
				_t49 =  &_v544;
				_t50 =  &_v528;
				_v540 = _a4;
				_v544 = 0x104;
				_v536 = __ecx;
				_v532 = 0;
				if(E00C094B0( &_v544, _t50,  &_v536, L"DriverDesc") != 0) {
					L3:
					if( *_v540 != 0) {
						L11:
						return E00C2669E(1, _t41, _v4 ^ _t53, _t48, _t49, _t50);
					}
					_t48 =  &_v544;
					_v536 = 0;
					_v532 = 0;
					_v544 = 0;
					if(RegOpenKeyExW(_t41, L"NDI\\Interfaces", 0, 1,  &_v544) != 0) {
						goto L11;
					}
					_t41 = _v544;
					_t49 =  &_v544;
					_t50 =  &_v528;
					_v536 = _t41;
					_v532 = 0;
					_v544 = 0x104;
					if(E00C094B0( &_v544, _t50,  &_v536, L"LowerRange") != 0) {
						L9:
						if(_t41 != 0) {
							RegCloseKey(_t41);
						}
						goto L11;
					}
					_t47 = _t50;
					_t50 = StrStrIW;
					if(StrStrIW(_t47, L"wlan") != 0) {
						L8:
						 *_v544 = 1;
						goto L9;
					}
					_t48 =  &_v532;
					if(StrStrIW( &_v532, L"vwifi") == 0) {
						goto L9;
					}
					goto L8;
				}
				_t48 = _t50;
				if(StrStrIW(_t50, L"Wireless") == 0) {
					goto L3;
				}
				 *_v544 = 1;
				goto L11;
			}

0x00c0afe0
0x00c0afe6
0x00c0afed
0x00c0afff
0x00c0b00d
0x00c0b011
0x00c0b015
0x00c0b019
0x00c0b021
0x00c0b025
0x00c0b030
0x00c0b053
0x00c0b059
0x00c0b0eb
0x00c0b108
0x00c0b108
0x00c0b05f
0x00c0b06d
0x00c0b071
0x00c0b075
0x00c0b081
0x00000000
0x00000000
0x00c0b083
0x00c0b091
0x00c0b095
0x00c0b099
0x00c0b09d
0x00c0b0a1
0x00c0b0b0
0x00c0b0e0
0x00c0b0e2
0x00c0b0e5
0x00c0b0e5
0x00000000
0x00c0b0e2
0x00c0b0b2
0x00c0b0b4
0x00c0b0c4
0x00c0b0d6
0x00c0b0da
0x00000000
0x00c0b0da
0x00c0b0cb
0x00c0b0d4
0x00000000
0x00000000
0x00000000
0x00c0b0d4
0x00c0b037
0x00c0b042
0x00000000
0x00000000
0x00c0b048
0x00000000

APIs

Part of subcall function 00C094B0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00C06FB7), ref: 00C094D7

StrStrIW.SHLWAPI(?,Wireless), ref: 00C0B03A
RegOpenKeyExW.ADVAPI32(?,NDI\Interfaces,00000000,00000001,?), ref: 00C0B079
StrStrIW.SHLWAPI(?,wlan,?,LowerRange), ref: 00C0B0C0
StrStrIW.SHLWAPI(?,vwifi), ref: 00C0B0D0
RegCloseKey.ADVAPI32(?,?,LowerRange), ref: 00C0B0E5

Strings

LowerRange, xrefs: 00C0B087
vwifi, xrefs: 00C0B0C6
DriverDesc, xrefs: 00C0B001
wlan, xrefs: 00C0B0BA
NDI\Interfaces, xrefs: 00C0B067
Wireless, xrefs: 00C0B032

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DriverDesc$LowerRange$NDI\Interfaces$Wireless$vwifi$wlan
API String ID: 3677997916-590455766
Opcode ID: 41d7ada04ea9e825e17938cfd8ac993407bcfae1aa5bed1ef69930620bf97dbc
Instruction ID: bf1a6a4f8f95a899584e1c072c0d09b066d103088c2dea66ee5f2ee27910f61a
Opcode Fuzzy Hash: 41d7ada04ea9e825e17938cfd8ac993407bcfae1aa5bed1ef69930620bf97dbc
Instruction Fuzzy Hash: 7A319EB46043059FC310CF55D880A5FBBE8FB88B88F40481DF465A3280D7B5EA49CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D430 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 311
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00C1D430(WCHAR** __ecx, WCHAR** __edx, WCHAR* _a4, void* _a8) {
				signed int _v8;
				WCHAR** _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				signed int _v33;
				signed int _v40;
				signed int _v41;
				signed int _v42;
				char* _v48;
				char* _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v128;
				signed int _v132;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t122;
				signed int _t124;
				signed int _t142;
				signed int _t149;
				signed int _t158;
				signed int _t165;
				signed int _t171;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				WCHAR* _t181;
				signed int _t183;
				signed int _t185;
				WCHAR* _t194;
				signed int _t196;
				void* _t200;
				void* _t259;
				void* _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t250 = __edx;
				_t122 =  *0xc58320; // 0x96c0a7a
				_v8 = _t122 ^ _t261;
				_v12 = __ecx;
				if(_a4 == 0 || _a8 == 0) {
					_t124 = 0x80004003;
				} else {
					 *_a8 = 0;
					_v16 = lstrlenW(_a4) << 1;
					E00C1D870( &_v28, _v16);
					__eflags = _v20;
					if(_v20 != 0) {
						 *_v12 = _a4;
						_v32 = 0;
						_v33 = 0;
						_v32 = E00C1F570( &_v33);
						__eflags = _v32;
						if(_v32 >= 0) {
							_v40 = 0;
							_v41 = 0;
							_v42 = 0;
							while(1) {
								_t250 =  *( *_v12) & 0x0000ffff;
								__eflags =  *( *_v12) & 0x0000ffff;
								if(( *( *_v12) & 0x0000ffff) == 0) {
									break;
								}
								__eflags = (_v33 & 0x000000ff) - 1;
								if((_v33 & 0x000000ff) != 1) {
									L33:
									_t250 =  *( *_v12) & 0x0000ffff;
									__eflags = ( *( *_v12) & 0x0000ffff) - 0x25;
									if(( *( *_v12) & 0x0000ffff) != 0x25) {
										_t142 = E00C1D990( &_v28,  *_v12);
										__eflags = _t142;
										if(_t142 != 0) {
											L51:
											 *_v12 = CharNextW( *_v12);
											continue;
										}
										_v32 = 0x8007000e;
										break;
									}
									 *_v12 = CharNextW( *_v12);
									_t250 =  *( *_v12) & 0x0000ffff;
									__eflags = ( *( *_v12) & 0x0000ffff) - 0x25;
									if(( *( *_v12) & 0x0000ffff) != 0x25) {
										_t149 = E00C1DC50( *_v12, 0x25);
										_t263 = _t262 + 8;
										_v60 = _t149;
										__eflags = _v60;
										if(_v60 != 0) {
											__eflags = _v60 -  *_v12 >> 1 - 0x1f;
											if(__eflags <= 0) {
												_v64 = _v60 -  *_v12 >> 1;
												_t250 =  *_v12;
												E00C1D830( &_v128, 0x20,  *_v12, _v64);
												_t262 = _t263 + 0x10;
												_v132 = E00C1DC10(_v12[1], __eflags,  &_v128);
												__eflags = _v132;
												if(_v132 != 0) {
													_t158 = E00C1DB40( &_v28, _v132);
													__eflags = _t158;
													if(_t158 != 0) {
														while(1) {
															__eflags =  *_v12 - _v60;
															if( *_v12 == _v60) {
																break;
															}
															 *_v12 = CharNextW( *_v12);
														}
														L48:
														goto L51;
													}
													_v32 = 0x8007000e;
													break;
												}
												_v32 = E00C1D080(_v12, 0x202);
												break;
											}
											_v32 = 0x80004005;
											break;
										}
										_v32 = E00C1D080(_v12, 0x203);
										break;
									}
									_t165 = E00C1D990( &_v28,  *_v12);
									__eflags = _t165;
									if(_t165 != 0) {
										goto L48;
									}
									_v32 = 0x8007000e;
									break;
								}
								_v48 = L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses";
								_v52 = L"\r\n\t}\r\n}\r\n";
								__eflags = _v40;
								if(_v40 != 0) {
									L16:
									__eflags = ( *( *_v12) & 0x0000ffff) - 0x27;
									if(( *( *_v12) & 0x0000ffff) != 0x27) {
										L23:
										__eflags = _v42 & 0x000000ff;
										if((_v42 & 0x000000ff) == 0) {
											__eflags = ( *( *_v12) & 0x0000ffff) - 0x7b;
											if(( *( *_v12) & 0x0000ffff) == 0x7b) {
												_t177 = _v40 + 1;
												__eflags = _t177;
												_v40 = _t177;
											}
										}
										__eflags = _v42 & 0x000000ff;
										if((_v42 & 0x000000ff) != 0) {
											goto L33;
										} else {
											_t250 =  *( *_v12) & 0x0000ffff;
											__eflags = ( *( *_v12) & 0x0000ffff) - 0x7d;
											if(( *( *_v12) & 0x0000ffff) != 0x7d) {
												goto L33;
											}
											_t171 = _v40 - 1;
											__eflags = _t171;
											_v40 = _t171;
											if(_t171 != 0) {
												goto L33;
											}
											__eflags = (_v41 & 0x000000ff) - 1;
											if((_v41 & 0x000000ff) != 1) {
												goto L33;
											}
											_t174 = E00C1DB40( &_v28, _v52);
											__eflags = _t174;
											if(_t174 != 0) {
												_v41 = 0;
												goto L33;
											}
											_v32 = 0x8007000e;
											break;
										}
									}
									__eflags = _v42 & 0x000000ff;
									if((_v42 & 0x000000ff) != 0) {
										_t179 = E00C1D3E0(_v12);
										__eflags = _t179;
										if(_t179 == 0) {
											_t181 = CharNextW( *_v12);
											_t250 = _v12;
											 *_v12 = _t181;
											_t183 = E00C1D990( &_v28,  *_v12);
											__eflags = _t183;
											if(_t183 != 0) {
												goto L23;
											}
											_v32 = 0x8007000e;
											break;
										}
										_v42 = 0;
										goto L23;
									}
									_v42 = 1;
									goto L23;
								}
								_v56 = 0;
								_t185 = E00C1D810( *_v12, L"HKCR");
								_t262 = _t262 + 8;
								_v56 = _t185;
								__eflags = _v56;
								if(_v56 == 0) {
									goto L16;
								}
								__eflags = _v56 -  *_v12;
								if(_v56 !=  *_v12) {
									goto L16;
								}
								 *_v12 = CharNextW( *_v12);
								 *_v12 = CharNextW( *_v12);
								 *_v12 = CharNextW( *_v12);
								_t194 = CharNextW( *_v12);
								_t250 = _v12;
								 *_v12 = _t194;
								_t196 = E00C1DB40( &_v28, _v48);
								__eflags = _t196;
								if(_t196 != 0) {
									_v41 = 1;
									goto L16;
								}
								_v32 = 0x8007000e;
								break;
							}
							__eflags = _v32;
							if(_v32 >= 0) {
								 *_a8 = E00C1DBD0( &_v28);
							}
							_v200 = _v32;
							E00C1D970( &_v28);
							_t124 = _v200;
							L55:
							return E00C2669E(_t124, _t200, _v8 ^ _t261, _t250, _t259, _t260);
						}
						_v204 = _v32;
						E00C1D970( &_v28);
						_t124 = _v204;
						goto L55;
					}
					_v208 = 0x8007000e;
					E00C1D970( &_v28);
					_t124 = _v208;
				}
			}

0x00c1d430
0x00c1d439
0x00c1d440
0x00c1d446
0x00c1d44d
0x00c1d455
0x00c1d45f
0x00c1d462
0x00c1d474
0x00c1d47e
0x00c1d483
0x00c1d487
0x00c1d4ac
0x00c1d4ae
0x00c1d4b5
0x00c1d4c2
0x00c1d4c5
0x00c1d4c9
0x00c1d4e7
0x00c1d4ee
0x00c1d4f2
0x00c1d4f6
0x00c1d4fb
0x00c1d4fe
0x00c1d500
0x00000000
0x00000000
0x00c1d50a
0x00c1d50d
0x00c1d67f
0x00c1d684
0x00c1d687
0x00c1d68a
0x00c1d7aa
0x00c1d7af
0x00c1d7b1
0x00c1d7bc
0x00c1d7cb
0x00000000
0x00c1d7cb
0x00c1d7b3
0x00000000
0x00c1d7b3
0x00c1d69f
0x00c1d6a6
0x00c1d6a9
0x00c1d6ac
0x00c1d6d9
0x00c1d6de
0x00c1d6e1
0x00c1d6e4
0x00c1d6e8
0x00c1d709
0x00c1d70c
0x00c1d724
0x00c1d72e
0x00c1d737
0x00c1d73c
0x00c1d74e
0x00c1d751
0x00c1d755
0x00c1d770
0x00c1d775
0x00c1d777
0x00c1d782
0x00c1d787
0x00c1d78a
0x00000000
0x00000000
0x00c1d79b
0x00c1d79b
0x00c1d79f
0x00000000
0x00c1d79f
0x00c1d779
0x00000000
0x00c1d779
0x00c1d764
0x00000000
0x00c1d764
0x00c1d70e
0x00000000
0x00c1d70e
0x00c1d6f7
0x00000000
0x00c1d6f7
0x00c1d6b7
0x00c1d6bc
0x00c1d6be
0x00000000
0x00c1d6cc
0x00c1d6c0
0x00000000
0x00c1d6c0
0x00c1d513
0x00c1d51a
0x00c1d521
0x00c1d525
0x00c1d5bc
0x00c1d5c4
0x00c1d5c7
0x00c1d618
0x00c1d61c
0x00c1d61e
0x00c1d628
0x00c1d62b
0x00c1d630
0x00c1d630
0x00c1d633
0x00c1d633
0x00c1d62b
0x00c1d63a
0x00c1d63c
0x00000000
0x00c1d63e
0x00c1d643
0x00c1d646
0x00c1d649
0x00000000
0x00000000
0x00c1d64e
0x00c1d64e
0x00c1d651
0x00c1d654
0x00000000
0x00000000
0x00c1d65a
0x00c1d65d
0x00000000
0x00000000
0x00c1d666
0x00c1d66b
0x00c1d66d
0x00c1d67b
0x00000000
0x00c1d67b
0x00c1d66f
0x00000000
0x00c1d66f
0x00c1d63c
0x00c1d5cd
0x00c1d5cf
0x00c1d5da
0x00c1d5df
0x00c1d5e1
0x00c1d5ef
0x00c1d5f5
0x00c1d5f8
0x00c1d603
0x00c1d608
0x00c1d60a
0x00000000
0x00000000
0x00c1d60c
0x00000000
0x00c1d60c
0x00c1d5e3
0x00000000
0x00c1d5e3
0x00c1d5d1
0x00000000
0x00c1d5d1
0x00c1d52b
0x00c1d53d
0x00c1d542
0x00c1d545
0x00c1d548
0x00c1d54c
0x00000000
0x00000000
0x00c1d554
0x00c1d556
0x00000000
0x00000000
0x00c1d567
0x00c1d578
0x00c1d589
0x00c1d591
0x00c1d597
0x00c1d59a
0x00c1d5a3
0x00c1d5a8
0x00c1d5aa
0x00c1d5b8
0x00000000
0x00c1d5b8
0x00c1d5ac
0x00000000
0x00c1d5ac
0x00c1d7d2
0x00c1d7d6
0x00c1d7e3
0x00c1d7e3
0x00c1d7e8
0x00c1d7f1
0x00c1d7f6
0x00c1d7ff
0x00c1d80c
0x00c1d80c
0x00c1d4ce
0x00c1d4d7
0x00c1d4dc
0x00000000
0x00c1d4dc
0x00c1d489
0x00c1d496
0x00c1d49b
0x00c1d49b

APIs

lstrlenW.KERNEL32(00000000), ref: 00C1D46C
CharNextW.USER32(00000000), ref: 00C1D55E
CharNextW.USER32 ref: 00C1D56F
CharNextW.USER32 ref: 00C1D580
CharNextW.USER32 ref: 00C1D591

Part of subcall function 00C1D970: CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C1D7F6), ref: 00C1D983

Strings

HKCR, xrefs: 00C1D532

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CharNext$FreeTasklstrlen
String ID: HKCR
API String ID: 1034012546-1562042865
Opcode ID: 4a25d3a21f2f750670a8f93f013664f9f767739128c3445eff21857fabb69e53
Instruction ID: 16763adf6dd09263e38750e162a0edbef9f6a587398154d9aa6ece26a9d1338b
Opcode Fuzzy Hash: 4a25d3a21f2f750670a8f93f013664f9f767739128c3445eff21857fabb69e53
Instruction Fuzzy Hash: EDD12974A00219DFDB14DFA5C490BEDBBB1BF4A314F104499E456AB390DB35AAC1EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C06EF0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 143
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00C06EF0(void* __ebp, intOrPtr _a4, intOrPtr* _a8) {
				char _v4;
				char _v12;
				signed int _v16;
				char _v36;
				char _v120;
				intOrPtr _v124;
				int _v128;
				char _v132;
				char _v136;
				void* _v140;
				char _v144;
				void* _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				signed int _t47;
				char _t52;
				void* _t57;
				intOrPtr* _t67;
				intOrPtr* _t72;
				void* _t73;
				int _t78;
				void* _t79;
				intOrPtr _t81;
				WCHAR* _t92;
				intOrPtr _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t107;
				intOrPtr* _t111;
				void* _t113;
				signed int _t114;

				_push(0xffffffff);
				_push(0xc4cec6);
				_push( *[fs:0x0]);
				_t114 = _t113 - 0x84;
				_t45 =  *0xc58320; // 0x96c0a7a
				_v16 = _t45 ^ _t114;
				_push(_t101);
				_t47 =  *0xc58320; // 0x96c0a7a
				_push(_t47 ^ _t114);
				 *[fs:0x0] =  &_v12;
				_t111 = _a8;
				_t78 = 0;
				_v124 = _a4;
				 *_t111 = 0;
				_v132 = 0;
				_v128 = 0;
				_v4 = 0;
				_v140 = 0;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\360Safe\\Liveup", 0, 0x201,  &_v140) != 0) {
					L16:
					_t52 = 0;
					L17:
					 *[fs:0x0] = _v12;
					_pop(_t102);
					_pop(_t107);
					_pop(_t79);
					return E00C2669E(_t52, _t79, _v16 ^ _t114, _t96, _t102, _t107);
				}
				_t96 = _v140;
				_v132 = _v140;
				_v128 = 0x200;
				E00C266B0(_t101,  &_v120, 0, 0x64);
				_t114 = _t114 + 0xc;
				_v144 = 0x32;
				if(E00C094B0( &_v144,  &_v120,  &_v132, L"m2") != 0 || _v144 != 0x2d) {
					L14:
					_t57 = _v140;
					if(_t57 != _t78) {
						RegCloseKey(_t57);
					}
					goto L16;
				} else {
					_t97 =  *0xc5a910; // 0xc4f8dc
					_t20 = _t97 + 0xc; // 0xc23088
					_v144 =  *((intOrPtr*)( *_t20))() + 0x10;
					_v4 = 1;
					E00C07B10( &_v144,  &_v120);
					_t98 =  &_v36;
					_v136 = 0;
					E00C26659(_t98, L"%x",  &_v136);
					_t81 = _v144;
					_t114 = _t114 + 0xc;
					if(_v136 != (E00C06E60(_t81, 0x2a) & 0x000000ff)) {
						_t67 = _t81 - 0x10;
						_v4 = 0;
						asm("lock xadd [ecx], edx");
						_t96 = (_t98 | 0xffffffff) - 1;
						if((_t98 | 0xffffffff) - 1 <= 0) {
							_t96 =  *((intOrPtr*)( *_t67));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t67)) + 4))))(_t67);
						}
						_t78 = 0;
						goto L14;
					}
					E00C07D50( &_v136,  &_v120, _v124, 0x2a);
					_t92 =  &_v120;
					if(StrCmpNIW(_t92, L"ffffffff", 8) == 0) {
						 *_t111 = 1;
					}
					_t72 = _t81 - 0x10;
					_v12 = 0;
					_t96 = _t72 + 0xc;
					asm("lock xadd [edx], ecx");
					if((_t92 | 0xffffffff) - 1 <= 0) {
						_t96 =  *((intOrPtr*)( *_t72));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t72)) + 4))))(_t72);
					}
					_t73 = _v148;
					if(_t73 != 0) {
						RegCloseKey(_t73);
					}
					_t52 = 1;
					goto L17;
				}
			}

0x00c06ef0
0x00c06ef2
0x00c06efd
0x00c06efe
0x00c06f04
0x00c06f0b
0x00c06f15
0x00c06f16
0x00c06f1d
0x00c06f25
0x00c06f32
0x00c06f39
0x00c06f3b
0x00c06f3f
0x00c06f42
0x00c06f46
0x00c06f5a
0x00c06f66
0x00c06f72
0x00c070c8
0x00c070c8
0x00c070ca
0x00c070d1
0x00c070d9
0x00c070da
0x00c070dc
0x00c070f1
0x00c070f1
0x00c06f78
0x00c06f84
0x00c06f88
0x00c06f90
0x00c06f95
0x00c06faa
0x00c06fb9
0x00c070b9
0x00c070b9
0x00c070bf
0x00c070c2
0x00c070c2
0x00000000
0x00c06fca
0x00c06fca
0x00c06fd0
0x00c06fdd
0x00c06fe7
0x00c06fef
0x00c06ff9
0x00c07006
0x00c0700e
0x00c07013
0x00c07017
0x00c0702d
0x00c07093
0x00c07096
0x00c070a4
0x00c070a8
0x00c070ab
0x00c070af
0x00c070b5
0x00c070b5
0x00c070b7
0x00000000
0x00c070b7
0x00c07037
0x00c07043
0x00c07050
0x00c07052
0x00c07052
0x00c07059
0x00c0705c
0x00c07064
0x00c0706a
0x00c07071
0x00c07075
0x00c0707b
0x00c0707b
0x00c0707d
0x00c07083
0x00c07086
0x00c07086
0x00c0708c
0x00000000
0x00c0708c

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360Safe\Liveup,00000000,00000201,?,096C0A7A,00000000,?), ref: 00C06F6A
_memset.LIBCMT ref: 00C06F90

Part of subcall function 00C094B0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00C06FB7), ref: 00C094D7

RegCloseKey.ADVAPI32(?), ref: 00C070C2

Part of subcall function 00C07B10: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00C06FF4), ref: 00C07B2E
Part of subcall function 00C07B10: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,-00000010,-00000001,00000000,00000000), ref: 00C07B65

_swscanf.LIBCMT ref: 00C0700E

Part of subcall function 00C26659: _vscan_fn.LIBCMT ref: 00C26670

StrCmpNIW.SHLWAPI(?,ffffffff,00000008,?,?,00C53A54,00000064), ref: 00C07048
RegCloseKey.ADVAPI32(?), ref: 00C07086

Strings

2, xrefs: 00C06FAA
-, xrefs: 00C06FBF
ffffffff, xrefs: 00C0703E
SOFTWARE\360Safe\Liveup, xrefs: 00C06F55

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ByteCharCloseMultiWide$OpenQueryValue_memset_swscanf_vscan_fn
String ID: -$2$SOFTWARE\360Safe\Liveup$ffffffff
API String ID: 3516239013-1203591585
Opcode ID: c5b4c25f171b32c627cb93c6ff17da159e9fb5daef0370e2a650a9028d85858e
Instruction ID: 05c84083ee38c9588572a1069c7c6e7a61ca60acfe17e0df48315df33617a3e2
Opcode Fuzzy Hash: c5b4c25f171b32c627cb93c6ff17da159e9fb5daef0370e2a650a9028d85858e
Instruction Fuzzy Hash: 00517B716083419FD314CF68C885B5AB7E4FF88318F408A2DF5A997291DB75AA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B110 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 134
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C0B110(intOrPtr __ecx, void* __ebp, WCHAR* _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v532;
				char _v1052;
				char _v1056;
				struct _FILETIME _v1060;
				void* _v1068;
				WCHAR* _v1072;
				intOrPtr _v1076;
				intOrPtr _v1080;
				void* _v1084;
				int _v1088;
				void* _v1092;
				int _v1096;
				int _v1100;
				int _v1104;
				void* _v1108;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr* _t44;
				int _t46;
				int _t48;
				void* _t50;
				long _t53;
				void* _t59;
				void* _t62;
				void* _t64;
				signed int _t80;

				_t80 =  &_v1108;
				_t41 =  *0xc58320; // 0x96c0a7a
				_v8 = _t41 ^ _t80;
				_v1072 = _a4;
				_t44 = _a8;
				 *_t44 = 0;
				_v1076 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0;
				_v1080 = _t44;
				_v1084 = 0;
				if(RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}", 0, 8,  &_v1084) != 0) {
					_t46 = 0;
					goto L21;
				} else {
					_t76 = _v1084;
					_t48 = 0;
					_v1068 = _t76;
					_v1088 = 0;
					while(1) {
						_t74 =  &_v532;
						_t77 = 0x104;
						_v1104 = 0x104;
						if(RegEnumKeyExW(_t76, _t48,  &_v532,  &_v1104, 0, 0, 0,  &_v1060) != 0) {
							break;
						}
						_v1100 = 0;
						_v1092 = 0;
						_t53 = RegOpenKeyExW(_t76,  &_v532, 0, 1,  &_v1092);
						_v1096 = 0;
						if(_t53 != 0) {
							L11:
							_t48 = _v1088 + 1;
							_v1088 = _t48;
							if(_t48 < 0x100) {
								_t76 = _v1068;
								continue;
							}
							break;
						}
						_t64 = _v1092;
						_t74 =  &_v1100;
						_v1104 = 0x104;
						_t76 =  &_v1104;
						_t77 =  &_v1052;
						_v1100 = _t64;
						if(E00C094B0( &_v1104, _t77,  &_v1100, L"NetCfgInstanceId") != 0 || StrCmpIW(_t77, _v1072) != 0) {
							if(_t64 != 0) {
								RegCloseKey(_t64);
								_v1100 = 0;
							}
							_v1096 = 0;
							goto L11;
						} else {
							_t74 =  &_v1104;
							_t76 =  &_v1108;
							_t77 =  &_v1056;
							_v1108 = 0x104;
							_t59 = E00C094B0( &_v1108, _t77,  &_v1104, L"BusType");
							__eflags = _t59;
							if(_t59 == 0) {
								_push(_t77);
								_t62 = E00C2A8B4();
								_t80 = _t80 + 4;
								__eflags = _t62 - 5;
								if(__eflags == 0) {
									_t74 = _v1080;
									 *_v1084 = 1;
									E00C0AFE0(_t64, 0, __eflags, _v1080);
									_t80 = _t80 + 4;
								}
							}
							__eflags = _t64;
							if(_t64 != 0) {
								RegCloseKey(_t64);
							}
							break;
						}
					}
					_t50 = _v1068;
					if(_t50 != 0) {
						RegCloseKey(_t50);
					}
					_t46 = 1;
					L21:
					return E00C2669E(_t46, _t64, _v8 ^ _t80, _t74, _t76, _t77);
				}
			}

0x00c0b110
0x00c0b116
0x00c0b11d
0x00c0b130
0x00c0b134
0x00c0b13c
0x00c0b13e
0x00c0b142
0x00c0b156
0x00c0b15a
0x00c0b166
0x00c0b178
0x00000000
0x00c0b168
0x00c0b168
0x00c0b16c
0x00c0b16e
0x00c0b172
0x00c0b184
0x00c0b191
0x00c0b19a
0x00c0b1a0
0x00c0b1ac
0x00000000
0x00000000
0x00c0b1c3
0x00c0b1c7
0x00c0b1cb
0x00c0b1d1
0x00c0b1d7
0x00c0b225
0x00c0b229
0x00c0b22f
0x00c0b233
0x00c0b180
0x00000000
0x00c0b180
0x00000000
0x00c0b239
0x00c0b1d9
0x00c0b1e2
0x00c0b1e6
0x00c0b1eb
0x00c0b1ef
0x00c0b1f3
0x00c0b1fe
0x00c0b214
0x00c0b217
0x00c0b21d
0x00c0b21d
0x00c0b221
0x00000000
0x00c0b23b
0x00c0b240
0x00c0b245
0x00c0b249
0x00c0b24d
0x00c0b255
0x00c0b25a
0x00c0b25c
0x00c0b260
0x00c0b261
0x00c0b266
0x00c0b269
0x00c0b26c
0x00c0b272
0x00c0b276
0x00c0b27f
0x00c0b284
0x00c0b284
0x00c0b26c
0x00c0b287
0x00c0b289
0x00c0b28c
0x00c0b28c
0x00000000
0x00c0b289
0x00c0b1fe
0x00c0b292
0x00c0b298
0x00c0b29b
0x00c0b29b
0x00c0b2a1
0x00c0b2a6
0x00c0b2be
0x00c0b2be

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318},00000000,00000008,?,?,?,?,00000000), ref: 00C0B15E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00C0B1A4
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00C0B1CB

Part of subcall function 00C094B0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00C06FB7), ref: 00C094D7

StrCmpIW.SHLWAPI(?,?,?,NetCfgInstanceId), ref: 00C0B208
RegCloseKey.ADVAPI32(?,?,NetCfgInstanceId), ref: 00C0B217
RegCloseKey.ADVAPI32(?), ref: 00C0B28C
RegCloseKey.ADVAPI32(?), ref: 00C0B29B

Strings

BusType, xrefs: 00C0B23B
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 00C0B14C
NetCfgInstanceId, xrefs: 00C0B1DD

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Close$Open$EnumQueryValue
String ID: BusType$NetCfgInstanceId$SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 1772848689-2100781267
Opcode ID: 59630295f1b2cf094915745f30f71c4395c2ca2d24913d9b392223c40fefe2f4
Instruction ID: e7ea125514248d48d786077c5d56e89f088b7ba5b70b46507314c39ee4b4cc5b
Opcode Fuzzy Hash: 59630295f1b2cf094915745f30f71c4395c2ca2d24913d9b392223c40fefe2f4
Instruction Fuzzy Hash: BC415AB5508344AFC310CF55D884A5FBBE8FB88744F40491DF59A97250E770EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C07100 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 106
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C07100(char** __ecx, void* __edx, char** _a4) {
				int _v4;
				char _v12;
				int _v16;
				int _v20;
				int _v24;
				signed int _t23;
				int _t31;
				char* _t32;
				void* _t35;
				int _t36;
				void* _t51;
				void* _t57;
				char** _t60;
				char* _t62;
				signed int _t63;
				char* _t65;
				void* _t70;
				signed int _t71;

				_t51 = __edx;
				_push(0xffffffff);
				_push(0xc4cb38);
				_push( *[fs:0x0]);
				_t71 = _t70 - 0xc;
				_t23 =  *0xc58320; // 0x96c0a7a
				_push(_t23 ^ _t71);
				 *[fs:0x0] =  &_v12;
				_t60 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_t4 =  &_v24; // 0x96c0a7a
				_v4 = 0;
				_v24 = 0;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\360Safe\\Liveup", 0, 0x202, _t4) != 0) {
					 *[fs:0x0] = _v12;
					return 0;
				} else {
					_t29 =  *_t60;
					_t57 = _v24;
					_v20 = _t57;
					_v16 = 0x200;
					if( *((intOrPtr*)( *_t60 - 0xc)) != 0) {
						_t35 = E00C268D3(_t51, _t29, _t50);
						_t71 = _t71 + 8;
						if(_t35 != 0) {
							_t65 =  *_t60;
							if(_t65 != 0) {
								_t36 = lstrlenW(_t65);
								_t13 = _t36 + 2; // 0x2
								RegSetValueExW(_t57, L"m2_old", 0, 1, _t65, _t36 + _t13);
							}
						}
					}
					_t62 =  *_a4;
					if(_t62 != 0) {
						_t31 = lstrlenW(_t62);
						_t17 = _t31 + 2; // 0x2
						_t32 = RegSetValueExW(_t57, L"m2", 0, 1, _t62, _t31 + _t17);
					} else {
						_t32 =  &(_t62[0xd]);
					}
					_t63 = 0 | _t32 == 0x00000000;
					if(_t57 != 0) {
						RegCloseKey(_t57);
					}
					 *[fs:0x0] = _v12;
					return _t63;
				}
			}

0x00c07100
0x00c07100
0x00c07102
0x00c0710d
0x00c0710e
0x00c07115
0x00c0711c
0x00c07121
0x00c07127
0x00c0712b
0x00c0712f
0x00c07133
0x00c07143
0x00c0714c
0x00c07158
0x00c07212
0x00c07221
0x00c0715e
0x00c0715e
0x00c07160
0x00c07173
0x00c07177
0x00c0717f
0x00c07197
0x00c0719c
0x00c071a1
0x00c071a3
0x00c071a7
0x00c071aa
0x00c071ac
0x00c071bc
0x00c071bc
0x00c071a7
0x00c071a1
0x00c071c2
0x00c071c6
0x00c071ce
0x00c071d0
0x00c071e0
0x00c071c8
0x00c071c8
0x00c071c8
0x00c071e9
0x00c071ed
0x00c071f0
0x00c071f0
0x00c071fc
0x00c0720b
0x00c0720b

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360Safe\Liveup,00000000,00000202,zl,096C0A7A,00000000,?), ref: 00C07150
__wcsicoll.LIBCMT ref: 00C07197
lstrlenW.KERNEL32(?), ref: 00C071AA
RegSetValueExW.ADVAPI32(?,m2_old,00000000,00000001,?,00000002), ref: 00C071BC
lstrlenW.KERNEL32(?), ref: 00C071CE
RegSetValueExW.ADVAPI32(?,00C53A54,00000000,00000001,?,00000002), ref: 00C071E0

Part of subcall function 00C02370: __CxxThrowException@8.LIBCMT ref: 00C02382

RegCloseKey.ADVAPI32(?), ref: 00C071F0

Strings

zl, xrefs: 00C07133, 00C07137
m2_old, xrefs: 00C071B6
SOFTWARE\360Safe\Liveup, xrefs: 00C0713E

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Valuelstrlen$CloseException@8OpenThrow__wcsicoll
String ID: SOFTWARE\360Safe\Liveup$m2_old$zl
API String ID: 1256771195-1973734546
Opcode ID: bce025aa08815b65bc050e9f5e1555ccae0cd0fbec7d85c60fda47aa834c4fa5
Instruction ID: da0bcf4d7bdc2c81807efea5c6b96630704c2d915da343fbe96dd709080d42cf
Opcode Fuzzy Hash: bce025aa08815b65bc050e9f5e1555ccae0cd0fbec7d85c60fda47aa834c4fa5
Instruction Fuzzy Hash: 3F31C176A08300AFD324CF14DC85F6BB7E8FB84B10F54062DF959A72D0D775AA08CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B760 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 169
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00C0B760(void* __ebp, intOrPtr _a4) {
				int _v4;
				char _v8;
				char _v12;
				signed int _v20;
				short _v540;
				char _v1060;
				struct _FILETIME _v1068;
				int _v1072;
				int _v1076;
				char _v1080;
				int _v1084;
				void* _v1088;
				intOrPtr _v1092;
				void* _v1096;
				int _v1100;
				int _v1104;
				int _v1108;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t62;
				signed int _t67;
				int _t69;
				void* _t78;
				intOrPtr* _t84;
				int _t89;
				void* _t90;
				signed int _t106;
				void* _t109;
				void* _t110;
				void* _t115;
				signed int _t121;
				void* _t126;
				void* _t127;
				signed int _t128;

				_push(0xffffffff);
				_push(0xc4d0f1);
				_push( *[fs:0x0]);
				_t128 = _t127 - 0x448;
				_t60 =  *0xc58320; // 0x96c0a7a
				_v20 = _t60 ^ _t128;
				_t62 =  *0xc58320; // 0x96c0a7a
				_push(_t62 ^ _t128);
				 *[fs:0x0] =  &_v12;
				_t89 = 0;
				_v1092 = _a4;
				_v1076 = 0;
				_v1072 = 0;
				_v4 = 0;
				_v1096 = 0;
				if(RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}", 0, 8,  &_v1096) != 0) {
					_t67 = 0;
				} else {
					_t110 = _v1096;
					_t69 = 0;
					_v1076 = _t110;
					_v1072 = 0;
					_v1084 = 0;
					while(1) {
						_t104 =  &_v540;
						_v1100 = 0x104;
						if(RegEnumKeyExW(_t110, _t69,  &_v540,  &_v1100, _t89, _t89, _t89,  &_v1068) != 0) {
							break;
						}
						_v1108 = _t89;
						_v4 = 1;
						_v1088 = _t89;
						if(RegOpenKeyExW(_t110,  &_v540, _t89, 1,  &_v1088) != _t89) {
							_v4 = _t89;
							_v1104 = _t89;
						} else {
							_t126 = _v1088;
							_t104 =  &_v1108;
							_v1100 = 0x104;
							_v1108 = _t126;
							_v1104 = _t89;
							if(E00C094B0( &_v1100,  &_v1060,  &_v1108, L"BusType") == 0) {
								_push( &_v1060);
								_t78 = E00C2A8B4();
								_t128 = _t128 + 4;
								if(_t78 != 5) {
									goto L5;
								} else {
									_v1100 = 0x104;
									if(E00C094B0( &_v1100,  &_v1060,  &_v1108, L"NetCfgInstanceId") != 0) {
										goto L5;
									} else {
										_t106 =  &_v1080;
										E00C0BE40( &_v1060, _t126, _t106);
										_v8 = 2;
										E00C0C070( &_v1084, _v1096);
										_v8 = 1;
										_t84 = _v1084 + 0xfffffff0;
										asm("lock xadd [ecx], edx");
										_t104 = (_t106 | 0xffffffff) - 1;
										if((_t106 | 0xffffffff) - 1 <= 0) {
											_t104 =  *((intOrPtr*)( *_t84));
											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t84)) + 4))))(_t84);
										}
										_v4 = 0;
										if(_t126 != 0) {
											RegCloseKey(_t126);
											_v1108 = 0;
										}
										_v1104 = 0;
										_t89 = 0;
									}
								}
							} else {
								L5:
								_v4 = _t89;
								if(_t126 != _t89) {
									RegCloseKey(_t126);
									_v1108 = _t89;
								}
								_v1104 = _t89;
							}
						}
						_t110 = _v1096;
						_t69 = _v1084 + 1;
						_v1084 = _t69;
						if(_t69 < 0x100) {
							continue;
						}
						break;
					}
					asm("sbb esi, esi");
					_t121 =  ~( ~( *((intOrPtr*)(_v1092 + 0x10)) -  *((intOrPtr*)(_v1092 + 0xc)) & 0xfffffffc));
					if(_t110 != _t89) {
						RegCloseKey(_t110);
					}
					_t67 = _t121;
				}
				 *[fs:0x0] = _v12;
				_pop(_t109);
				_pop(_t115);
				_pop(_t90);
				return E00C2669E(_t67, _t90, _v20 ^ _t128, _t104, _t109, _t115);
			}

0x00c0b760
0x00c0b762
0x00c0b76d
0x00c0b76e
0x00c0b774
0x00c0b77b
0x00c0b786
0x00c0b78d
0x00c0b795
0x00c0b7a2
0x00c0b7a4
0x00c0b7a8
0x00c0b7ac
0x00c0b7bd
0x00c0b7c9
0x00c0b7d5
0x00c0b893
0x00c0b7db
0x00c0b7db
0x00c0b7df
0x00c0b7e1
0x00c0b7e5
0x00c0b7e9
0x00c0b7f0
0x00c0b7fd
0x00c0b80c
0x00c0b818
0x00000000
0x00000000
0x00c0b81e
0x00c0b832
0x00c0b83b
0x00c0b847
0x00c0b89a
0x00c0b8a1
0x00c0b849
0x00c0b849
0x00c0b852
0x00c0b856
0x00c0b863
0x00c0b867
0x00c0b872
0x00c0b8ae
0x00c0b8af
0x00c0b8b4
0x00c0b8ba
0x00000000
0x00c0b8bc
0x00c0b8ce
0x00c0b8dd
0x00000000
0x00c0b8df
0x00c0b8df
0x00c0b8e6
0x00c0b8f3
0x00c0b8fb
0x00c0b900
0x00c0b90c
0x00c0b915
0x00c0b919
0x00c0b91c
0x00c0b920
0x00c0b926
0x00c0b926
0x00c0b92a
0x00c0b933
0x00c0b936
0x00c0b93c
0x00c0b93c
0x00c0b940
0x00c0b944
0x00c0b944
0x00c0b8dd
0x00c0b874
0x00c0b874
0x00c0b874
0x00c0b87d
0x00c0b880
0x00c0b886
0x00c0b886
0x00c0b88a
0x00c0b88a
0x00c0b872
0x00c0b94a
0x00c0b94e
0x00c0b954
0x00c0b958
0x00000000
0x00000000
0x00000000
0x00c0b958
0x00c0b96d
0x00c0b96f
0x00c0b973
0x00c0b976
0x00c0b976
0x00c0b97c
0x00c0b97c
0x00c0b985
0x00c0b98d
0x00c0b98e
0x00c0b990
0x00c0b9a5

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318},00000000,00000008,?,096C0A7A,00000000,?,?,00000000), ref: 00C0B7CD
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C0B810
RegOpenKeyExW.ADVAPI32(?), ref: 00C0B83F

Part of subcall function 00C094B0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00C06FB7), ref: 00C094D7

RegCloseKey.ADVAPI32(?,00000000), ref: 00C0B880
RegCloseKey.ADVAPI32(?), ref: 00C0B936
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C0B976

Strings

BusType, xrefs: 00C0B84D
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 00C0B7B8
NetCfgInstanceId, xrefs: 00C0B8BC

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Close$Open$EnumQueryValue
String ID: BusType$NetCfgInstanceId$SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 1772848689-2100781267
Opcode ID: 4636bb0372c2310d655e6d9de469d64ee7e9e3e540e69c669e31ec3523c7de45
Instruction ID: a4d5991d057c688873ba335a52686957ac9d45684bc487ab2f242c4f7fae3025
Opcode Fuzzy Hash: 4636bb0372c2310d655e6d9de469d64ee7e9e3e540e69c669e31ec3523c7de45
Instruction Fuzzy Hash: DB616DB15083409FC310CF69C880A5BFBE8FBC9718F444A2DF69997291D775EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C454AD Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C454AD(void* __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t15;
				intOrPtr* _t18;
				void* _t21;
				void* _t24;
				void* _t41;

				_t41 = __edx;
				E00C433E2( &_v12, E00C42A53(0));
				_t15 =  *0xc5bd94; // 0x0
				if( *_t15 == 0) {
					E00C432F7( &_v12, 1);
					goto L8;
				} else {
					 *0xc5bd94 = _t15 + 1;
					_t21 =  *_t15 - 0x30;
					if(_t21 == 0) {
						E00C43890( &_v12, "void");
						goto L8;
					} else {
						_t24 = _t21;
						if(_t24 == 0) {
							E00C43607( &_v12, E00C45278(_t41, __eflags,  &_v20));
							goto L8;
						} else {
							if(_t24 != 3) {
								L8:
								E00C43890( &_v12, ") ");
								_t18 = _a4;
								 *_t18 = _v12;
								 *((intOrPtr*)(_t18 + 4)) = _v8;
								return _t18;
							} else {
								E00C43016(_a4, 2);
								return _a4;
							}
						}
					}
				}
			}

0x00c454ad
0x00c454c3
0x00c454c8
0x00c454d0
0x00c45523
0x00000000
0x00c454d2
0x00c454d6
0x00c454dd
0x00c454e0
0x00c45517
0x00000000
0x00c454e2
0x00c454e3
0x00c454e4
0x00c45508
0x00000000
0x00c454e6
0x00c454e9
0x00c45528
0x00c45530
0x00c45538
0x00c4553b
0x00c45540
0x00c45544
0x00c454eb
0x00c454f0
0x00c454f9
0x00c454f9
0x00c454e9
0x00c454e4
0x00c454e0

APIs

UnDecorator::UScore.LIBCMT ref: 00C454B7
DName::DName.LIBCMT ref: 00C454C3

Part of subcall function 00C433E2: DName::doPchar.LIBCMT ref: 00C4340F

DName::DName.LIBCMT ref: 00C454F0

Part of subcall function 00C43016: DNameStatusNode::make.LIBCMT ref: 00C43044

UnDecorator::getScopedName.LIBCMT ref: 00C454FE
DName::operator+=.LIBCMT ref: 00C45508
DName::operator+=.LIBCMT ref: 00C45517
DName::operator+=.LIBCMT ref: 00C45523
DName::operator+=.LIBCMT ref: 00C45530

Strings

void, xrefs: 00C4550F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: NameName::operator+=$Name::$Decorator::Decorator::getName::doNode::makePcharScopedScoreStatus
String ID: void
API String ID: 2229739886-3531332078
Opcode ID: e5628779be14e06abfb3c2545d1fbeaf1d6f6aeb270f176eee05272d804bbec4
Instruction ID: ca478ecd4ed76a21e7f88b5db45b6516d8f480ef84c11b6f3a18efb940d1a65e
Opcode Fuzzy Hash: e5628779be14e06abfb3c2545d1fbeaf1d6f6aeb270f176eee05272d804bbec4
Instruction Fuzzy Hash: 55118E74900648ABDB18EB64C85ABBD7BB5BB40300F040059F806AB2E2DB709F85DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C2C4 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00C4C2C4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v16;
				intOrPtr _v36;
				char _v52;
				char _v92;
				intOrPtr* _t34;
				intOrPtr* _t37;

				_push(0x44);
				E00C482B7(0xc4c9ce, __ebx, __edi, __esi);
				E00C03E20( &_v52, "invalid string position");
				_v16 = _v16 & 0x00000000;
				E00C4C23D( &_v92,  &_v52);
				E00C291AE( &_v92, 0xc557c8);
				asm("int3");
				_push(0x44);
				E00C482B7(0xc4c9f1, __ebx, __edi, __esi);
				E00C03E20( &_v52, "invalid string argument");
				_v16 = _v16 & 0x00000000;
				_t34 =  &_v92;
				E00C4C1EE(_t34,  &_v52);
				E00C291AE( &_v92, 0xc55830);
				asm("int3");
				_push(__esi);
				_t37 = _t34;
				E00C030F0(_v36);
				 *_t37 = 0xc52138;
				return _t37;
			}

0x00c4c2c4
0x00c4c2cb
0x00c4c2d8
0x00c4c2dd
0x00c4c2e8
0x00c4c2f6
0x00c4c2fb
0x00c4c2fc
0x00c4c303
0x00c4c310
0x00c4c315
0x00c4c31d
0x00c4c320
0x00c4c32e
0x00c4c333
0x00c4c339
0x00c4c33d
0x00c4c33f
0x00c4c344
0x00c4c34e

APIs

__EH_prolog3.LIBCMT ref: 00C4C2CB
std::bad_exception::bad_exception.LIBCMT ref: 00C4C2E8
__CxxThrowException@8.LIBCMT ref: 00C4C2F6

Part of subcall function 00C291AE: RaiseException.KERNEL32(?,?,?,?), ref: 00C291F0

__EH_prolog3.LIBCMT ref: 00C4C303
std::bad_exception::bad_exception.LIBCMT ref: 00C4C320
__CxxThrowException@8.LIBCMT ref: 00C4C32E

Part of subcall function 00C030F0: std::exception::exception.LIBCMT ref: 00C0311E

Strings

zl, xrefs: 00C4C336
invalid string argument, xrefs: 00C4C308
invalid string position, xrefs: 00C4C2D0

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Exception@8H_prolog3Throwstd::bad_exception::bad_exception$ExceptionRaisestd::exception::exception
String ID: invalid string argument$invalid string position$zl
API String ID: 1783365832-940452901
Opcode ID: cfb8045e6f517728dee73806956a4ccfbc92be41914e742843c90a74e5dc69fb
Instruction ID: cced564bfe998d8a344287298cbecf6b1cffdf99ffc471980a19a01dbf11e744
Opcode Fuzzy Hash: cfb8045e6f517728dee73806956a4ccfbc92be41914e742843c90a74e5dc69fb
Instruction Fuzzy Hash: DE014F72951218ABCB04EBE0CC46EDEB77DEF24721F400425F600A6492DFB19A48E764

Uniqueness

Uniqueness Score: -1.00%

Function 00C25170 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C25170(intOrPtr* __edi, void* __eflags) {
				signed int _v4;
				signed int _v44;
				char _v264;
				void _v284;
				char _v531;
				void _v532;
				void _v540;
				char _v648;
				int _v664;
				int _v668;
				void* __ebx;
				void* __esi;
				signed int _t26;
				char* _t31;
				int _t36;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr _t52;
				intOrPtr* _t55;
				intOrPtr _t56;
				char _t57;
				void* _t59;
				void* _t62;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t66;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				signed int _t72;
				void* _t73;

				_t73 = __eflags;
				_t67 = __edi;
				_t26 =  *0xc58320; // 0x96c0a7a
				_v4 = _t26 ^ _t70;
				E00C266B0(__edi,  &_v648, 0, 0x80);
				_t46 =  &_v648;
				E00C24050( &_v648, _t67, _t73, 0x80);
				_t31 =  &_v264;
				_t71 = _t70 + 0x10;
				_t68 = 0x104;
				_t59 = _t67 - _t31;
				while(1) {
					_t5 = _t68 + 0x7ffffefa; // 0x7ffffffe
					if(_t5 == 0) {
						break;
					}
					_t57 =  *((intOrPtr*)(_t59 + _t31));
					if(_t57 == 0) {
						break;
					} else {
						 *_t31 = _t57;
						_t31 = _t31 + 1;
						_t68 = _t68 - 1;
						if(_t68 != 0) {
							continue;
						} else {
							L6:
							_t31 = _t31 - 1;
						}
					}
					L7:
					 *_t31 = 0;
					E00C0DFD0(_t67,  &_v264, 0x104,  &_v648);
					_v664 = 1;
					_v532 = 0;
					E00C266B0(_t67,  &_v531, 0, 0xff);
					_t72 = _t71 + 0xc;
					_v668 = 0x100;
					_t36 = SHGetValueA(0x80000002, "Software\\360Safe\\Liveup", "mid",  &_v664,  &_v532,  &_v668);
					_t69 = SHSetValueA;
					if(_t36 == 0) {
						_t55 = _t67;
						_t42 =  &_v540;
						while(1) {
							_t63 =  *_t42;
							if(_t63 !=  *_t55) {
								break;
							}
							if(_t63 == 0) {
								L13:
								_t42 = 0;
							} else {
								_t66 =  *((intOrPtr*)(_t42 + 1));
								if(_t66 !=  *((intOrPtr*)(_t55 + 1))) {
									break;
								} else {
									_t42 = _t42 + 2;
									_t55 = _t55 + 2;
									if(_t66 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							if(_t42 != 0) {
								_t43 =  &_v540;
								_t64 = _t43 + 1;
								do {
									_t56 =  *_t43;
									_t43 = _t43 + 1;
								} while (_t56 != 0);
								SHSetValueA(0x80000002, "Software\\360Safe\\Liveup", "mid_old", 1,  &_v540, _t43 - _t64);
							}
							goto L19;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L15;
					}
					L19:
					_t37 =  &_v284;
					_t62 = _t37 + 1;
					do {
						_t52 =  *_t37;
						_t37 = _t37 + 1;
					} while (_t52 != 0);
					return E00C2669E(SHSetValueA(0x80000002, "Software\\360Safe\\Liveup", "mid", 1,  &_v284, _t37 - _t62), _t46, _v44 ^ _t72, _t62, _t67, _t69);
				}
				__eflags = _t68;
				if(_t68 == 0) {
					goto L6;
				}
				goto L7;
			}

0x00c25170
0x00c25170
0x00c25176
0x00c2517d
0x00c25192
0x00c2519c
0x00c251a2
0x00c251a7
0x00c251b2
0x00c251b5
0x00c251ba
0x00c251c0
0x00c251c0
0x00c251c8
0x00000000
0x00000000
0x00c251ca
0x00c251cf
0x00000000
0x00c251d1
0x00c251d1
0x00c251d3
0x00c251d4
0x00c251d7
0x00000000
0x00c251d9
0x00c251df
0x00c251df
0x00c251df
0x00c251d7
0x00c251e0
0x00c251e5
0x00c251f5
0x00c25209
0x00c25211
0x00c25219
0x00c2521e
0x00c25242
0x00c2524a
0x00c25250
0x00c25258
0x00c2525a
0x00c2525c
0x00c25263
0x00c25263
0x00c25267
0x00000000
0x00000000
0x00c2526b
0x00c2527f
0x00c2527f
0x00c2526d
0x00c2526d
0x00c25273
0x00000000
0x00c25275
0x00c25275
0x00c25278
0x00c2527d
0x00000000
0x00000000
0x00000000
0x00000000
0x00c2527d
0x00c25273
0x00c25288
0x00c2528a
0x00c2528c
0x00c25293
0x00c25296
0x00c25296
0x00c25298
0x00c25299
0x00c252b9
0x00c252b9
0x00000000
0x00c2528a
0x00c25283
0x00c25285
0x00000000
0x00c25285
0x00c252bb
0x00c252bb
0x00c252c2
0x00c252c5
0x00c252c5
0x00c252c7
0x00c252c8
0x00c25300
0x00c25300
0x00c251db
0x00c251dd
0x00000000
0x00000000
0x00000000

APIs

_memset.LIBCMT ref: 00C25192

Part of subcall function 00C24050: _memset.LIBCMT ref: 00C24085
Part of subcall function 00C24050: _memset.LIBCMT ref: 00C2412B
Part of subcall function 00C24050: _strncat.LIBCMT ref: 00C241AF

_memset.LIBCMT ref: 00C25219
SHGetValueA.SHLWAPI ref: 00C2524A
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid_old,00000001,?,?), ref: 00C252B9
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,00000001,?,?), ref: 00C252E8

Strings

mid_old, xrefs: 00C252AA
mid, xrefs: 00C25233, 00C252D9
Software\360Safe\Liveup, xrefs: 00C25238, 00C252AF, 00C252DE

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$Value$_strncat
String ID: Software\360Safe\Liveup$mid$mid_old
API String ID: 2533611499-1528303271
Opcode ID: 6b14574c9767e6c644419d9b9cb93ffc3d1c7c3ab3306665d5beec9a3cbe8ddf
Instruction ID: bae002ac106dc860dc90cada86a5372e06a6b7054ce3e412a33cc9d5477af473
Opcode Fuzzy Hash: 6b14574c9767e6c644419d9b9cb93ffc3d1c7c3ab3306665d5beec9a3cbe8ddf
Instruction Fuzzy Hash: E74126316083519FE721CF20AC95FFB7BD9BF95700F04451CE99A975C2E7719A0887A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C24C50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C24C50(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				signed char _v259;
				char _v260;
				signed int _v276;
				char _v314;
				short _v316;
				signed char* _v320;
				void* _v324;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t33;
				char* _t40;
				void* _t42;
				void* _t48;
				signed int _t49;
				char _t61;
				void* _t65;
				void* _t71;
				void* _t72;
				signed int _t73;
				signed int _t74;
				void* _t75;

				_t73 =  &_v324;
				_t28 =  *0xc58320; // 0x96c0a7a
				_v4 = _t28 ^ _t73;
				_t70 = _a4;
				E00C266B0(_a4,  &_v324, 0, 0x40);
				_t62 = 0x100;
				_v324 = 0x37;
				_v320 =  &_v260;
				_v316 = 0x100;
				_t33 = E00C23DB0( &_v324);
				_t74 = _t73 + 0x10;
				if(_t33 != 0) {
					L10:
					return E00C2669E(0, _t48, _v4 ^ _t74, _t62, _t70, _t71);
				} else {
					_push(_t48);
					_t49 = _v259 & 0x000000ff;
					_push(_t71);
					E00C266B0(_t70,  &_v324, 0, 0x40);
					_v324 = 0x32;
					_v276 = _t49;
					E00C23DB0( &_v324);
					E00C266B0(_t70,  &_v324, 0, 0x40);
					_t40 =  &_v314;
					_t75 = _t74 + 0x1c;
					_v324 = 0x33;
					_v276 = _t49;
					_t72 = 0x10;
					_t65 = "*               " - _t40;
					while(1) {
						_t18 = _t72 + 0x7fffffee; // 0x7ffffffe
						if(_t18 == 0) {
							break;
						}
						_t61 =  *((intOrPtr*)(_t65 + _t40));
						if(_t61 == 0) {
							break;
						} else {
							 *_t40 = _t61;
							_t40 = _t40 + 1;
							_t72 = _t72 - 1;
							if(_t72 != 0) {
								continue;
							} else {
								L7:
								_t40 = _t40 - 1;
							}
						}
						L8:
						 *_t40 = 0;
						_t62 = 0x258;
						_v320 = 0xc5a9c8;
						_v316 = 0x258;
						_t42 = E00C23DB0( &_v324);
						_t74 = _t75 + 4;
						_pop(_t71);
						_pop(_t48);
						if(_t42 != 0) {
							goto L10;
						} else {
							_push( *0xc5a9cd & 0x000000ff);
							_push( *0xc5a9cc & 0x000000ff);
							_push( *0xc5a9cb & 0x000000ff);
							_push( *0xc5a9ca & 0x000000ff);
							return E00C2669E(0 | E00C09610(_t70, _a8, "%02X%02X%02X%02X%02X%02X",  *0xc5a9c8 & 0x000000ff) >= 0x00000000, _t48, _v4 ^ _t74 + 0x00000024, 0 | E00C09610(_t70, _a8, "%02X%02X%02X%02X%02X%02X",  *0xc5a9c8 & 0x000000ff) >= 0x00000000, _t70, _t71,  *0xc5a9c9 & 0x000000ff);
						}
						goto L11;
					}
					if(_t72 == 0) {
						goto L7;
					}
					goto L8;
				}
				L11:
			}

0x00c24c50
0x00c24c56
0x00c24c5d
0x00c24c65
0x00c24c75
0x00c24c82
0x00c24c88
0x00c24c8d
0x00c24c91
0x00c24c96
0x00c24c9b
0x00c24ca0
0x00c24dad
0x00c24dc4
0x00c24ca6
0x00c24ca6
0x00c24ca7
0x00c24cac
0x00c24cb6
0x00c24cc0
0x00c24cc5
0x00c24cc9
0x00c24cd7
0x00c24cdc
0x00c24ce7
0x00c24cea
0x00c24cef
0x00c24cf3
0x00c24cf8
0x00c24d00
0x00c24d00
0x00c24d08
0x00000000
0x00000000
0x00c24d0a
0x00c24d0f
0x00000000
0x00c24d11
0x00c24d11
0x00c24d13
0x00c24d14
0x00c24d17
0x00000000
0x00c24d19
0x00c24d1f
0x00c24d1f
0x00c24d1f
0x00c24d17
0x00c24d20
0x00c24d20
0x00c24d27
0x00c24d2d
0x00c24d35
0x00c24d3a
0x00c24d3f
0x00c24d42
0x00c24d43
0x00c24d46
0x00000000
0x00c24d48
0x00c24d5d
0x00c24d65
0x00c24d6d
0x00c24d75
0x00c24dac
0x00c24dac
0x00000000
0x00c24d46
0x00c24d1d
0x00000000
0x00000000
0x00000000
0x00c24d1d
0x00000000

APIs

_memset.LIBCMT ref: 00C24C75

Part of subcall function 00C23DB0: GetProcAddress.KERNEL32(00000000,Netbios), ref: 00C23DD3

_memset.LIBCMT ref: 00C24CB6
_memset.LIBCMT ref: 00C24CD7

Strings

7, xrefs: 00C24C88
2, xrefs: 00C24CC0
* , xrefs: 00C24CE0
3, xrefs: 00C24CEA
%02X%02X%02X%02X%02X%02X, xrefs: 00C24D7F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$AddressProc
String ID: %02X%02X%02X%02X%02X%02X$* $2$3$7
API String ID: 2047085092-1802369251
Opcode ID: b82938c6d506923401db6873fd95a4c6ad503466580d2b8795ded5393d3024dc
Instruction ID: 45223eaceba07ab8cc6f35c3222517c5b98f96b5366da96345f562d33b613b34
Opcode Fuzzy Hash: b82938c6d506923401db6873fd95a4c6ad503466580d2b8795ded5393d3024dc
Instruction Fuzzy Hash: CD417B705083E06BD315CB29EC51BAFBBE86F95300F44481DF9D957292E6789208C773

Uniqueness

Uniqueness Score: -1.00%

Function 00C06680 Relevance: 13.6, APIs: 9, Instructions: 80
libraryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C06680(WCHAR* __eax, void* _a4) {
				int _v4;
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t14;
				void* _t21;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t34;
				WCHAR* _t35;
				void* _t36;
				long _t38;

				_t40 =  &_v8;
				_t25 = 0;
				_t34 = LoadLibraryExW(__eax, 0, 2);
				if(_t34 != 0) {
					_t31 = FindResourceW(_t34, 1, 0x10);
					if(_t31 != 0) {
						_t38 = SizeofResource(_t34, _t31);
						_t31 = LoadResource(_t34, _t31);
						if(_t31 != 0) {
							_t21 = LockResource(_t31);
							_v8 = _t21;
							if(_t21 != 0) {
								_t25 = E00C27A03(0, _t29, _t31, _t38);
								_t40 =  &(( &_v8)[1]);
								if(_t25 != 0) {
									E00C2F920(_t25, _t31, _t34, _t25, _v8, _t38);
									_t40 =  &(_t40[3]);
								}
							}
							FreeResource(_t31);
						}
					}
					FreeLibrary(_t34);
				}
				_t35 = 0;
				if(_t25 != 0) {
					_t30 =  &_v4;
					_v8 = 0;
					_v4 = 0;
					_t14 = VerQueryValueW(_t25, 0xc53afc,  &_v8,  &_v4);
					_t48 = _t14;
					if(_t14 != 0) {
						_t36 = _v8;
						memcpy(_a4, _t36, 0xd << 2);
						_t40 =  &(_t40[3]);
						_t31 = _t36 + 0x1a;
						_t35 = 1;
					}
					_push(_t25);
					E00C27501(_t25, _t30, _t31, _t35, _t48);
				}
				return _t35;
			}

0x00c06680
0x00c06688
0x00c06692
0x00c06696
0x00c066a3
0x00c066a7
0x00c066b4
0x00c066bc
0x00c066c0
0x00c066c3
0x00c066c9
0x00c066cf
0x00c066d7
0x00c066d9
0x00c066de
0x00c066e7
0x00c066ec
0x00c066ec
0x00c066de
0x00c066f0
0x00c066f0
0x00c066f6
0x00c066f8
0x00c066f8
0x00c066fe
0x00c06702
0x00c06704
0x00c06714
0x00c06718
0x00c0671c
0x00c06721
0x00c06723
0x00c06725
0x00c06732
0x00c06732
0x00c06732
0x00c06734
0x00c06734
0x00c06739
0x00c0673a
0x00c0673f
0x00c0674a

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,74CB4EE0,?,?,00C06607,?), ref: 00C0668C
FindResourceW.KERNEL32(00000000,00000001,00000010), ref: 00C0669D
SizeofResource.KERNEL32(00000000,00000000,74CB4E00), ref: 00C066AC
LoadResource.KERNEL32(00000000,00000000), ref: 00C066B6
LockResource.KERNEL32(00000000), ref: 00C066C3
_malloc.LIBCMT ref: 00C066D2

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

FreeResource.KERNEL32(00000000), ref: 00C066F0
FreeLibrary.KERNEL32(00000000), ref: 00C066F8
VerQueryValueW.VERSION(00000000,00C53AFC,?,?), ref: 00C0671C

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$AllocateFindHeapLockQuerySizeofValue_malloc
String ID:
API String ID: 3235057611-0
Opcode ID: 7ee08c979b44c415730cf39cba09999e24a770eca4816ca1d736d59726732783
Instruction ID: a3946012adfa3b6e4b0cdcb6660d0a07acb662e9201e74aabb70dcebe80cb54e
Opcode Fuzzy Hash: 7ee08c979b44c415730cf39cba09999e24a770eca4816ca1d736d59726732783
Instruction Fuzzy Hash: 111105765003216BD311AF64AC88F6F7AACBB89B50F050438FD1193242EFB6DA15C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C07620 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 219
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00C07620(signed int* __ebx, void* __eflags) {
				char _v8;
				char _v16;
				struct _OVERLAPPED* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				long _v40;
				int _v44;
				char _v48;
				void _v52;
				struct _OVERLAPPED* _v56;
				signed int _v60;
				char _v64;
				char _v68;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed int _t74;
				signed int _t79;
				void* _t81;
				void* _t84;
				signed int _t90;
				intOrPtr* _t95;
				signed int _t100;
				signed int _t107;
				signed int _t111;
				signed int* _t127;
				void* _t129;
				signed int _t141;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				void* _t157;
				void* _t164;
				void* _t172;
				void* _t173;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t179;
				void* _t186;

				_t127 = __ebx;
				_t176 = (_t174 & 0xfffffff8) - 0x34;
				_t71 =  *0xc58320; // 0x96c0a7a
				 *[fs:0x0] =  &_v16;
				_t74 =  *0xc5a910; // 0xc4f8dc
				_t2 = _t74 + 0xc; // 0xc23088
				_v68 =  *((intOrPtr*)( *_t2))(_t71 ^ _t176, _t157, _t164,  *[fs:0x0], 0xc4d270, 0xffffffff) + 0x10;
				_v8 = 0;
				_v56 = 0;
				_v64 = 1;
				E00C068C0(0xc5a910,  &_v64, __eflags);
				_t129 =  &_v68;
				_t79 = E00C06EF0(_t173, _t129,  &_v56);
				_t177 = _t176 + 8;
				_v60 = _t79;
				if(_t79 == 0) {
					L6:
					_t148 =  *0xc5a910; // 0xc4f8dc
					_t24 = _t148 + 0xc; // 0xc23088
					_t81 =  *((intOrPtr*)( *_t24))();
					_t149 =  *0xc5a910; // 0xc4f8dc
					_v36 = _t81 + 0x10;
					_t26 = _t149 + 0xc; // 0xc23088
					_t84 =  *((intOrPtr*)( *_t26))();
					_t150 =  *0xc5a910; // 0xc4f8dc
					_v32 = _t84 + 0x10;
					_t28 = _t150 + 0xc; // 0xc23088
					_v28 =  *((intOrPtr*)( *_t28))() + 0x10;
					_v8 = 1;
					_v24 = 0;
					E00C07330(_t150,  &_v36);
					_t90 = _v24;
					__eflags = _t90 & 0x00000003;
					if((_t90 & 0x00000003) != 0) {
						__eflags = _v60;
						if(__eflags == 0) {
							L17:
							_v44 = _t90;
							__eflags = (_t90 & 0x00000003) - 3;
							if((_t90 & 0x00000003) == 3) {
								L19:
								_t150 =  *_t127;
								__eflags =  *(_t150 - 0xc);
								if(__eflags != 0) {
									L25:
									E00C07100( &_v68, _t150, _t127);
									L26:
									E00C07950(_t150,  &_v36);
									_v8 = 0xffffffff;
									_t95 = _v68 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									__eflags = (_t150 | 0xffffffff) - 1;
									L27:
									if(_t186 <= 0) {
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t95)) + 4))))(_t95);
									}
									L29:
									 *[fs:0x0] = _v16;
									return 1;
								}
								L20:
								_t100 = E00C073B0( &_v36, __eflags, _t127, _v64);
								_t177 = _t177 + 8;
								__eflags = _t100;
								if(_t100 != 0) {
									goto L25;
								}
								__eflags = _v60;
								if(_v60 == 0) {
									goto L25;
								}
								__eflags = _v56;
								if(_v56 == 0) {
									goto L25;
								}
								E00C083A0( &_v68, _t127);
								L24:
								E00C07950(_t150,  &_v36);
								E00C07D20( &_v68, _t150);
								goto L29;
							}
							Sleep(0x1f4);
							E00C07330(_t150,  &_v36);
							__eflags = _v44 - _v24;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						_t141 =  &_v36;
						_t107 = E00C073B0(_t141, __eflags, _t127, _v64);
						_t179 = _t177 + 8;
						__eflags = _t107;
						if(_t107 != 0) {
							_t142 = _v68;
							_v68 = _v68 == 0;
							if(_v68 == 0) {
								_push(0x80004005);
								E00C02370();
							}
							_t111 = E00C268D3(_t150,  *_t127, _t142);
							_t177 = _t179 + 8;
							__eflags = _t111;
							if(_t111 == 0) {
								goto L24;
							} else {
								_t90 = _v24;
								goto L17;
							}
						}
						E00C083A0( &_v68, _t127);
						E00C07950(_t150,  &_v36);
						_v8 = 0xffffffff;
						_t95 = _v68 + 0xfffffff0;
						asm("lock xadd [edx], ecx");
						__eflags = (_t141 | 0xffffffff) - 1;
						goto L27;
					}
					__eflags = _v60;
					if(_v60 == 0) {
						goto L17;
					}
					__eflags = _v56;
					if(_v56 == 0) {
						goto L17;
					}
					E00C083A0( &_v68, _t127);
					goto L26;
				}
				if(_v64 == 0) {
					L5:
					E00C083A0( &_v68, _t127);
					_v8 = 0xffffffff;
					_t95 = _v68 + 0xfffffff0;
					asm("lock xadd [edx], ecx");
					_t186 = (_t129 | 0xffffffff) - 1;
					goto L27;
				}
				_v48 = GetCurrentProcessId();
				_v52 = 0;
				_t172 = CreateFileW(L"\\\\.\\360SelfProtection", 0x80, 3, 0, 3, 0, 0);
				if(_t172 == 0xffffffff) {
					goto L6;
				}
				_t129 =  &_v48;
				_v44 = DeviceIoControl(_t172, 0x22204c, _t129, 4,  &_v52, 4,  &_v40, 0);
				CloseHandle(_t172);
				if(_v44 == 0 || _v52 != 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x00c07620
0x00c07634
0x00c07639
0x00c07645
0x00c0764b
0x00c07650
0x00c0765d
0x00c07663
0x00c0766b
0x00c0766f
0x00c07677
0x00c07681
0x00c07686
0x00c0768b
0x00c0768e
0x00c07694
0x00c0772f
0x00c0772f
0x00c07735
0x00c0773d
0x00c0773f
0x00c07748
0x00c0774c
0x00c07754
0x00c07756
0x00c0775f
0x00c07763
0x00c07770
0x00c07774
0x00c0777d
0x00c07781
0x00c07786
0x00c0778a
0x00c0778c
0x00c077b2
0x00c077b6
0x00c07830
0x00c07830
0x00c07837
0x00c07839
0x00c07859
0x00c07859
0x00c0785b
0x00c0785e
0x00c078a1
0x00c078a6
0x00c078ae
0x00c078b2
0x00c078b7
0x00c078c3
0x00c078cc
0x00c078d1
0x00c078d3
0x00c078d3
0x00c078dd
0x00c078dd
0x00c078df
0x00c078e8
0x00c078f5
0x00c078f5
0x00c07860
0x00c0786a
0x00c0786f
0x00c07872
0x00c07874
0x00000000
0x00000000
0x00c07876
0x00c0787a
0x00000000
0x00000000
0x00c0787c
0x00c07880
0x00000000
0x00000000
0x00c07888
0x00c0788d
0x00c07891
0x00c0789a
0x00000000
0x00c0789a
0x00c07840
0x00c0784a
0x00c07853
0x00c07857
0x00000000
0x00000000
0x00000000
0x00c07857
0x00c077be
0x00c077c2
0x00c077c7
0x00c077ca
0x00c077cc
0x00c07803
0x00c0780e
0x00c07810
0x00c07812
0x00c07817
0x00c07817
0x00c07820
0x00c07825
0x00c07828
0x00c0782a
0x00000000
0x00c0782c
0x00c0782c
0x00000000
0x00c0782c
0x00c0782a
0x00c077d4
0x00c077dd
0x00c077e2
0x00c077ee
0x00c077f7
0x00c077fc
0x00000000
0x00c077fc
0x00c0778e
0x00c07792
0x00000000
0x00000000
0x00c07798
0x00c0779c
0x00000000
0x00000000
0x00c077a8
0x00000000
0x00c077a8
0x00c0769e
0x00c07703
0x00c07709
0x00c0770e
0x00c0771a
0x00c07723
0x00c07728
0x00000000
0x00c07728
0x00c076b7
0x00c076bb
0x00c076c5
0x00c076ca
0x00000000
0x00000000
0x00c076db
0x00c076ed
0x00c076f1
0x00c076fb
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C06EF0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360Safe\Liveup,00000000,00000201,?,096C0A7A,00000000,?), ref: 00C06F6A
Part of subcall function 00C06EF0: _memset.LIBCMT ref: 00C06F90
Part of subcall function 00C06EF0: _swscanf.LIBCMT ref: 00C0700E
Part of subcall function 00C06EF0: StrCmpNIW.SHLWAPI(?,ffffffff,00000008,?,?,00C53A54,00000064), ref: 00C07048

GetCurrentProcessId.KERNEL32 ref: 00C076A0
CreateFileW.KERNEL32(\\.\360SelfProtection,00000080,00000003,00000000,00000003,00000000,00000000), ref: 00C076BF
DeviceIoControl.KERNEL32 ref: 00C076E6
CloseHandle.KERNEL32(00000000), ref: 00C076F1
__wcsicoll.LIBCMT ref: 00C07820
Sleep.KERNEL32(000001F4), ref: 00C07840

Strings

\\.\360SelfProtection, xrefs: 00C076B2

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleOpenProcessSleep__wcsicoll_memset_swscanf
String ID: \\.\360SelfProtection
API String ID: 3005933722-936859468
Opcode ID: 610b0f8c5414e24f7fdef0dfa098c41884a3245d17d33a3ed5d3bfd94374ecb1
Instruction ID: af17c95f18db1e340453df934b90bab8bf980955644ed2f45fc9200900b40fe2
Opcode Fuzzy Hash: 610b0f8c5414e24f7fdef0dfa098c41884a3245d17d33a3ed5d3bfd94374ecb1
Instruction Fuzzy Hash: 93817A719083019FD718DF28C885A1AB7E5FF85720F148B2DF5A5972E1EB30EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C20F40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00C20F40(intOrPtr __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char _v4112;
				char _v4116;
				signed int _v4120;
				intOrPtr _v4124;
				char _v4644;
				intOrPtr _v4648;
				char _v4652;
				intOrPtr _v4656;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t46;
				signed int _t59;
				void* _t64;
				void* _t74;
				void* _t76;
				intOrPtr _t79;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t103;

				_t103 = __eflags;
				_t93 = __edx;
				E00C26E30(0x126c);
				_t33 =  *0xc58320; // 0x96c0a7a
				_v8 = _t33 ^ _t96;
				_v12 = __ecx;
				_v16 = E00C21DD0(E00C22C80());
				_push(_v16);
				_push(0);
				_push(0x5dc);
				_t79 =  *0xc58000; // 0xc4e5f4
				E00C19C80(_t103, 0, _t79, 0x98967f);
				_t98 = _t97 + 0x18;
				if(E00C21F00(E00C22C80()) != 0) {
					L3:
					E00C266B0(_t94,  &_v4112, 0, 0x1000);
					_t99 = _t98 + 0xc;
					E00C21DF0(E00C22C80(),  &_v4116);
					_t46 = E00C01E30( &_v4116);
					__eflags = _t46;
					if(_t46 == 0) {
						E00C27B2B( &_v4112, 0x800, L"--silent-install=3_1_1");
						_t100 = _t99 + 0xc;
					} else {
						E00C27C6C( &_v4112, 0x800, 0x7ff, L"--silent-install=3_1_1 --homepage=%s", _v4116);
						_t100 = _t99 + 0x14;
					}
					_v4120 = E00C21EE0(E00C22C80());
					__eflags = _v4120 & 0x00000004;
					if((_v4120 & 0x00000004) != 0) {
						E00C21380( &_v4112, 0x800, L" --nocloud");
					}
					__eflags = E00C21F00(E00C22C80());
					if(__eflags != 0) {
						_push(_v16);
						_push(0);
						_push(0x5de);
						_t90 =  *0xc58000; // 0xc4e5f4
						E00C19C80(__eflags, 0, _t90, 0x98967f);
						_t100 = _t100 + 0x18;
						E00C21380( &_v4112, 0x800, L" --IniReInstal");
					}
					E00C266B0(_t94,  &_v4652, 0, 0x214);
					_v4124 = 0;
					_v4652 = _v16;
					_v4648 = 2;
					_t59 = E00C20EB0(_v12, _t93, __eflags, _v16);
					__eflags = _t59;
					if(_t59 != 0) {
						_v4648 = 1;
					}
					E00C05A40( &_v4644, 0x103,  &_v4112);
					_push( &_v4652);
					_v4656 = E00C011C0();
					_t64 = E00C01910( &_v4116, _t93);
				} else {
					_push(1);
					_push(1);
					_t74 = E00C01080();
					_t105 = _t74;
					if(_t74 == 0) {
						goto L3;
					} else {
						_push(_v16);
						_push(0);
						_push(0x5dd);
						_t92 =  *0xc58000; // 0xc4e5f4
						_t64 = E00C19C80(_t105, 0, _t92, 0x98967f);
					}
				}
				return E00C2669E(_t64, _t76, _v8 ^ _t96, _t93, _t94, _t95);
			}

0x00c20f40
0x00c20f40
0x00c20f48
0x00c20f4d
0x00c20f54
0x00c20f5a
0x00c20f69
0x00c20f6f
0x00c20f70
0x00c20f72
0x00c20f7c
0x00c20f85
0x00c20f8a
0x00c20f9b
0x00c20fd0
0x00c20fde
0x00c20fe3
0x00c20ff4
0x00c20fff
0x00c21004
0x00c21006
0x00c21040
0x00c21045
0x00c21008
0x00c21025
0x00c2102a
0x00c2102a
0x00c21054
0x00c21060
0x00c21063
0x00c21076
0x00c21076
0x00c21087
0x00c21089
0x00c2108e
0x00c2108f
0x00c21091
0x00c2109b
0x00c210a4
0x00c210a9
0x00c210bd
0x00c210bd
0x00c210d0
0x00c210d8
0x00c210e5
0x00c210eb
0x00c210fc
0x00c21101
0x00c21103
0x00c21105
0x00c21105
0x00c21122
0x00c2112d
0x00c21133
0x00c2113f
0x00c20f9d
0x00c20f9d
0x00c20f9f
0x00c20fa1
0x00c20fa6
0x00c20fa8
0x00000000
0x00c20faa
0x00c20fad
0x00c20fae
0x00c20fb0
0x00c20fba
0x00c20fc3
0x00c20fc8
0x00c20fa8
0x00c21154

APIs

Part of subcall function 00C19C80: _memset.LIBCMT ref: 00C19CAB
Part of subcall function 00C19C80: _memset.LIBCMT ref: 00C19CC8
Part of subcall function 00C19C80: InterlockedCompareExchange.KERNEL32(00C5A3A0,00000001,00000000), ref: 00C19CD9
Part of subcall function 00C19C80: _vswprintf_s.LIBCMT ref: 00C19D25

_memset.LIBCMT ref: 00C20FDE
__snwprintf_s.LIBCMT ref: 00C21025
_memset.LIBCMT ref: 00C210D0

Strings

--nocloud, xrefs: 00C21065
--silent-install=3_1_1, xrefs: 00C2102F
--IniReInstal, xrefs: 00C210AC
--silent-install=3_1_1 --homepage=%s, xrefs: 00C2100F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$CompareExchangeInterlocked__snwprintf_s_vswprintf_s
String ID: --IniReInstal$ --nocloud$--silent-install=3_1_1$--silent-install=3_1_1 --homepage=%s
API String ID: 1922653116-3922493753
Opcode ID: 3fd75f19f2cb1bbd6d11bad24320c2085b2efdb9a046c1b6e34736585e3c79b4
Instruction ID: 955654b65dba62bd4aa03439dc2c236943a3115b162209bbc7f8ce4ed1c937c2
Opcode Fuzzy Hash: 3fd75f19f2cb1bbd6d11bad24320c2085b2efdb9a046c1b6e34736585e3c79b4
Instruction Fuzzy Hash: E251B975E40214BBEB20F7A0DC47FDD73A8AB14740F040195F945E65C1EEB49A84DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C24430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C24430(void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v260;
				char _v722;
				char _v780;
				char _v782;
				intOrPtr _v796;
				intOrPtr _v804;
				intOrPtr _v808;
				char _v816;
				void _v820;
				char _v1844;
				long _v1848;
				intOrPtr _v1852;
				signed int _v1856;
				void* _v1860;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t47;
				void* _t49;
				signed int _t51;
				char _t52;
				void* _t61;
				void* _t62;
				signed int _t65;

				_t65 =  &_v1860;
				_t34 =  *0xc58320; // 0x96c0a7a
				_v4 = _t34 ^ _t65;
				_t51 = 0;
				_t61 = DeviceIoControl;
				_v1852 = _a4;
				_v1860 = 0;
				_v1856 = 0;
				do {
					E00C09610( &_v260, 0x100, "\\\\.\\Scsi%d:", _t51);
					_t65 = _t65 + 0x10;
					_t59 =  &_v260;
					_t62 = CreateFileA( &_v260, 0xc0000000, 3, 0, 3, 0, 0);
					if(_t62 != 0xffffffff) {
						_t52 = 0;
						do {
							E00C266B0(_t61,  &_v820, 0, 0x22d);
							_v820 = 0x1c;
							_v808 = 0x2710;
							_v796 = 0x211;
							_v804 = 0x1b0501;
							E00C29590( &_v816, "SCSIDISK", 8);
							_t65 = _t65 + 0x18;
							_t59 =  &_v1848;
							_v782 = 0xec;
							_v780 = _t52;
							if(DeviceIoControl(_t62, 0x4d008,  &_v820, 0x3c,  &_v820, 0x22d,  &_v1848, 0) == 0 || _v722 == 0) {
								L8:
								if(_v1860 == 0) {
									goto L9;
								}
							} else {
								_t47 = 0;
								do {
									 *(_t65 + 0x20 + _t47 * 4) =  *(_t65 + 0x44c + _t47 * 2) & 0x0000ffff;
									_t47 = _t47 + 1;
								} while (_t47 < 0x100);
								_t49 = E00C264B0( &_v1844, 0xa, 0x13);
								_t59 = _v1852;
								_t65 = _t65 + 0xc;
								if(E00C09700(_v1852, _a8, _t49) >= 0) {
									_v1860 = 1;
								} else {
									goto L8;
								}
							}
							L12:
							CloseHandle(_t62);
							_t51 = _v1856;
							goto L13;
							L9:
							_t52 = _t52 + 1;
						} while (_t52 < 2);
						goto L12;
					}
					L13:
					_t51 = _t51 + 1;
					_v1856 = _t51;
				} while (_t51 < 0x10);
				return E00C2669E(_v1860, _t51, _v4 ^ _t65, _t59, _t61, _t62);
			}

0x00c24430
0x00c24436
0x00c2443d
0x00c2444e
0x00c24451
0x00c24457
0x00c2445b
0x00c2445f
0x00c24470
0x00c24483
0x00c24488
0x00c2449a
0x00c244a8
0x00c244ad
0x00c244b3
0x00c244c0
0x00c244cf
0x00c244e3
0x00c244ee
0x00c244f9
0x00c24504
0x00c2450b
0x00c24510
0x00c24515
0x00c24532
0x00c2453a
0x00c24545
0x00c2458f
0x00c24594
0x00000000
0x00000000
0x00c24551
0x00c24551
0x00c24553
0x00c2455b
0x00c2455f
0x00c24560
0x00c24570
0x00c2457c
0x00c24580
0x00c2458d
0x00c245a2
0x00000000
0x00000000
0x00000000
0x00c2458d
0x00c245aa
0x00c245ab
0x00c245b1
0x00000000
0x00c24596
0x00c24596
0x00c24597
0x00000000
0x00c245a0
0x00c245b5
0x00c245b5
0x00c245b9
0x00c245b9
0x00c245df

APIs

Part of subcall function 00C09610: _vswprintf_s.LIBCMT ref: 00C09643

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?), ref: 00C244A2
_memset.LIBCMT ref: 00C244CF
_strncpy.LIBCMT ref: 00C2450B
DeviceIoControl.KERNEL32 ref: 00C24541
CloseHandle.KERNEL32(00000000), ref: 00C245AB

Strings

SCSIDISK, xrefs: 00C244DD
\\.\Scsi%d:, xrefs: 00C24471

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset_strncpy_vswprintf_s
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 170396225-2176293039
Opcode ID: 97812927ab4349ad4525c1c36353be629d77af37ed8c0ac0e557c2ab3602defe
Instruction ID: 4f638a7800e1b04c55e2a1be9ec48a6abbbfb2b29d79afec617295c0e7a04853
Opcode Fuzzy Hash: 97812927ab4349ad4525c1c36353be629d77af37ed8c0ac0e557c2ab3602defe
Instruction Fuzzy Hash: 6E4171B1648350ABE334DF24EC85FABB7D8FB88704F00092DB689961C1D7B5A548CB67

Uniqueness

Uniqueness Score: -1.00%

Function 00C02CB0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C02CB0(void* __edx, WCHAR* _a4) {
				signed int _v4;
				long _v12;
				void _v72;
				intOrPtr _v314;
				void _v320;
				long _v324;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				void* _t38;
				void* _t39;
				void* _t40;

				_t37 = __edx;
				_t41 =  &_v324;
				_t16 =  *0xc58320; // 0x96c0a7a
				_v4 = _t16 ^  &_v324;
				_t30 = 0;
				_t40 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
				if(_t40 != 0xffffffff) {
					_t39 = ReadFile;
					if(ReadFile(_t40,  &_v72, 0x40,  &_v324, 0) != 0 && _v324 == 0x40) {
						_t37 = 0x5a4d;
						if(_v72 == 0x5a4d && SetFilePointer(_t40, _v12, 0, 0) == _v12) {
							_t37 =  &_v320;
							if(ReadFile(_t40,  &_v320, 0xf8,  &_v324, 0) != 0 && _v324 == 0xf8 && _v320 == 0x4550 && _v314 != 0) {
								_t30 = 1;
							}
						}
					}
					CloseHandle(_t40);
					return E00C2669E(_t30, _t30, _v4 ^ _t41, _t37, _t39, _t40);
				} else {
					return E00C2669E(0, 0, _v4 ^ _t41, _t37, _t38, _t40);
				}
			}

0x00c02cb0
0x00c02cb0
0x00c02cb6
0x00c02cbd
0x00c02cce
0x00c02ce3
0x00c02ce8
0x00c02d04
0x00c02d20
0x00c02d29
0x00c02d36
0x00c02d60
0x00c02d6a
0x00c02d87
0x00c02d87
0x00c02d6a
0x00c02d36
0x00c02d8d
0x00c02dac
0x00c02cea
0x00c02d03
0x00c02d03

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000), ref: 00C02CDD
ReadFile.KERNEL32(00000000,?,00000040,00000000,00000000,?,?,00000000), ref: 00C02D1C
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 00C02D45
ReadFile.KERNEL32(00000000,?,000000F8,00000000,00000000), ref: 00C02D66
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00C02D8D

Strings

@, xrefs: 00C02D22
PE, xrefs: 00C02D76

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointer
String ID: @$PE
API String ID: 3856724686-957972822
Opcode ID: 90350e71eae8e9c7098bc6d25d25c11fe2b28463c87c188ab6f50e2e3ce797e0
Instruction ID: c4646bc73ed3052133d41f5e714068473bcbb38655a7b814ea5aad72a71b71e1
Opcode Fuzzy Hash: 90350e71eae8e9c7098bc6d25d25c11fe2b28463c87c188ab6f50e2e3ce797e0
Instruction Fuzzy Hash: AC214A71614301ABE634DB64DC89FEF72A8FB88710F404929F669870D0D7B49E08CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E7D0 Relevance: 10.8, APIs: 7, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C1E7D0(intOrPtr __ecx, signed int __edx, intOrPtr _a4, short* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v8208;
				signed short _v8212;
				int _v8216;
				int _v8220;
				int _v8224;
				char _v8484;
				signed int _v8488;
				WCHAR* _v8492;
				WCHAR* _v8496;
				char _v8500;
				intOrPtr _v8508;
				char _v8520;
				intOrPtr _v8524;
				signed int _v8528;
				int _v8532;
				char _v8792;
				signed int _v8796;
				intOrPtr _v8864;
				signed int _v8868;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t127;
				void* _t133;
				intOrPtr _t148;
				intOrPtr _t178;
				char* _t201;
				void* _t205;
				signed char _t210;
				void* _t218;
				void* _t270;
				void* _t271;
				signed int _t272;
				void* _t273;
				void* _t274;

				_t266 = __edx;
				E00C26E30(0x22a0);
				_t127 =  *0xc58320; // 0x96c0a7a
				_v8 = _t127 ^ _t272;
				_v12 = __ecx;
				_v8212 = 0;
				_v8216 = 0;
				_v8220 = 0;
				_v16 = E00C1D1B0(_v12,  &_v8208);
				if(_v16 >= 0) {
					_t133 = E00C1EDF0( &_v8208,  &_v8212);
					_t274 = _t273 + 8;
					if(_t133 != 0) {
						E00C1D100(_v12);
						_v16 = E00C1D1B0(_v12,  &_v8208);
						if(_v16 >= 0) {
							_v8868 = _v8212 & 0x0000ffff;
							if(_v8868 > 0x13) {
								if(_v8868 == 0x4008) {
									_v8224 = lstrlenW( &_v8208) + 2;
									E00C1FAB0( &_v8484);
									E00C1FB20( &_v8484, _v8224);
									if(E00C1FB00( &_v8484) == 0) {
										_v8216 = 0xe;
										L24:
										E00C1FAD0( &_v8484);
										L35:
										if(_v8216 == 0) {
											_v16 = E00C1D1B0(_v12, _a12);
											if(_v16 >= 0) {
												_t148 = 0;
											} else {
												_t148 = _v16;
											}
										} else {
											_v8220 = 0x204;
											_t148 = E00C1E4F0(_v8216);
										}
										L40:
										return E00C2669E(_t148, _t218, _v8 ^ _t272, _t266, _t270, _t271);
									}
									_v8488 = E00C1FB00( &_v8484);
									_v8492 =  &_v8208;
									_v8224 = 0;
									while(( *_v8492 & 0x0000ffff) != 0) {
										_v8496 = CharNextW(_v8492);
										if(( *_v8492 & 0x0000ffff) != 0x5c || ( *_v8496 & 0x0000ffff) != 0x30) {
											_t266 =  *_v8492;
											 *_v8488 =  *_v8492;
											_v8488 = _v8488 + 2;
											_v8492 =  &(_v8492[1]);
										} else {
											 *_v8488 = 0;
											_t266 = _v8488 + 2;
											_v8488 = _v8488 + 2;
											_v8492 = CharNextW(_v8496);
										}
										_v8224 = _v8224 + 1;
									}
									 *_v8488 = 0;
									_v8488 = _v8488 + 2;
									 *_v8488 = 0;
									_v8216 = E00C1ED50(_a4, _a8, E00C1FB00( &_v8484));
									goto L24;
								}
								goto L35;
							}
							if(_v8868 == 0x13) {
								_v8508 = E00C02500();
								E00C1F5A0( &_v8520);
								_t178 = E00C1C5E0( &_v8208);
								_t274 = _t274 + 8;
								_v8524 = _t178;
								__imp__#277(_v8524, 0, 0,  &_v8500, 0x400);
								_v8216 = E00C1ECA0(_a4, _a8, _v8500);
								E00C1F5C0( &_v8520);
								goto L35;
							}
							if(_v8868 == 8) {
								_v8216 = E00C1ECE0(_a4, _a8,  &_v8208, 1);
								goto L35;
							}
							if(_v8868 == 0x11) {
								_v8528 = lstrlenW( &_v8208);
								if((_v8528 & 0x00000001) == 0) {
									asm("cdq");
									_v8532 = _v8528 - _t266 >> 1;
									E00C1FB50( &_v8792);
									E00C1FBC0( &_v8792, _v8532);
									if(E00C1FBA0( &_v8792) != 0) {
										E00C266B0(_t270, E00C1FBA0( &_v8792), 0, _v8532);
										_t274 = _t274 + 0xc;
										_v8796 = 0;
										while(_v8796 < _v8528) {
											_t205 = E00C1FBA0( &_v8792);
											asm("cdq");
											_v8868 = _t205 + (_v8796 - _t266 >> 1);
											_t210 = E00C1EEC0( *(_t272 + _v8796 * 2 - 0x200c) & 0x0000ffff);
											_t274 = _t274 + 4;
											_t266 = (_t210 & 0x000000ff) << 1 - (_v8796 & 0x00000001) << 2;
											 *_v8868 =  *_v8868 & 0x000000ff | _t266;
											_v8796 = _v8796 + 1;
										}
										_t201 = E00C1FBA0( &_v8792);
										_v8216 = RegSetValueExW(E00C0D460(_a4), _a8, 0, 3, _t201, _v8532);
										E00C1FB70( &_v8792);
										goto L35;
									}
									_v8864 = 0x80004005;
									E00C1FB70( &_v8792);
									_t148 = _v8864;
									goto L40;
								}
								_t148 = 0x80004005;
								goto L40;
							}
							goto L35;
						}
						_t148 = _v16;
						goto L40;
					}
					_t148 = E00C1D080(_v12, 0x20f);
					goto L40;
				}
				_t148 = _v16;
				goto L40;
			}

0x00c1e7d0
0x00c1e7d8
0x00c1e7dd
0x00c1e7e4
0x00c1e7ea
0x00c1e7ef
0x00c1e7f6
0x00c1e800
0x00c1e819
0x00c1e820
0x00c1e838
0x00c1e83d
0x00c1e842
0x00c1e859
0x00c1e86d
0x00c1e874
0x00c1e885
0x00c1e892
0x00c1e8c6
0x00c1e8fd
0x00c1e909
0x00c1e91b
0x00c1e92d
0x00c1ea52
0x00c1ea5c
0x00c1ea62
0x00c1ec4a
0x00c1ec51
0x00c1ec7a
0x00c1ec81
0x00c1ec88
0x00c1ec83
0x00c1ec83
0x00c1ec83
0x00c1ec53
0x00c1ec53
0x00c1ec64
0x00c1ec69
0x00c1ec8d
0x00c1ec9a
0x00c1ec9a
0x00c1e93e
0x00c1e94a
0x00c1e950
0x00c1e95a
0x00c1e978
0x00c1e98a
0x00c1e9d5
0x00c1e9d8
0x00c1e9e4
0x00c1e9f3
0x00c1e99a
0x00c1e9a2
0x00c1e9ab
0x00c1e9ae
0x00c1e9c1
0x00c1e9c1
0x00c1ea02
0x00c1ea02
0x00c1ea15
0x00c1ea21
0x00c1ea2f
0x00c1ea4a
0x00000000
0x00c1ea4a
0x00000000
0x00c1e8c8
0x00c1e89b
0x00c1ea71
0x00c1ea7d
0x00c1ea8e
0x00c1ea93
0x00c1ea96
0x00c1eaae
0x00c1eac7
0x00c1ead3
0x00000000
0x00c1ead3
0x00c1e8a8
0x00c1e8e2
0x00000000
0x00c1e8e2
0x00c1e8b1
0x00c1eaea
0x00c1eaf9
0x00c1eb0b
0x00c1eb10
0x00c1eb1c
0x00c1eb2e
0x00c1eb40
0x00c1eb77
0x00c1eb7c
0x00c1eb7f
0x00c1eb9a
0x00c1ebae
0x00c1ebbb
0x00c1ebc2
0x00c1ebd7
0x00c1ebdc
0x00c1ebf5
0x00c1ec08
0x00c1eb94
0x00c1eb94
0x00c1ec1c
0x00c1ec39
0x00c1ec45
0x00000000
0x00c1ec45
0x00c1eb42
0x00c1eb52
0x00c1eb57
0x00000000
0x00c1eb57
0x00c1eafb
0x00000000
0x00c1eafb
0x00000000
0x00c1e8b7
0x00c1e876
0x00000000
0x00c1e876
0x00c1e84c
0x00000000
0x00c1e84c
0x00c1e822
0x00000000

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac20187ccba222ca1334035fd077f4f6418758a7a5eb89229e7c21ca37dbb7b
Instruction ID: 3194b26c93855d87f88199cb89a7ff879b7c4186fa1087b148cc73ca46ad50c1
Opcode Fuzzy Hash: fac20187ccba222ca1334035fd077f4f6418758a7a5eb89229e7c21ca37dbb7b
Instruction Fuzzy Hash: D8D1C671900228DBDB29DF64CC99AEDB7B4AF59300F0041EAE60AE7251D7309ED5EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C24050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C24050(void* __ebx, void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v275;
				char _v276;
				char _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				char _v360;
				char _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				char _v468;
				void* __edi;
				void* __esi;
				signed int _t37;
				intOrPtr* _t43;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				void* _t60;
				void* _t62;
				void* _t66;
				intOrPtr _t69;
				intOrPtr _t74;
				void* _t76;
				intOrPtr _t77;
				void* _t82;
				void* _t86;
				intOrPtr _t87;
				void* _t88;
				void* _t90;
				char _t91;
				void* _t92;
				void* _t94;
				void* _t95;
				void* _t96;
				signed int _t99;
				signed int _t101;
				void* _t102;
				signed int _t103;
				void* _t104;

				_t66 = __ebx;
				_t101 = (_t99 & 0xfffffff8) - 0x1d0;
				_t37 =  *0xc58320; // 0x96c0a7a
				_v8 = _t37 ^ _t101;
				_push(_t90);
				_t94 = __ecx;
				_v276 = 0;
				E00C266B0(_t90,  &_v275, 0, 0x103);
				E00C26110( &_v468, 0);
				E00C09610( &_v276, 0x104, 0xc4f998, _t94);
				_t43 =  &_v276;
				_t102 = _t101 + 0x24;
				_t82 = _t43 + 1;
				do {
					_t69 =  *_t43;
					_t43 = _t43 + 1;
				} while (_t69 != 0);
				E00C26160( &_v468,  &_v276, _t43 - _t82);
				E00C26280( &_v468);
				E00C26280( &_v468);
				_v352 = _v376;
				_v356 = _v380;
				_v348 = _v372;
				_v344 = _v368;
				E00C266B0(_t90,  &_v340, 0, 0x40);
				_t103 = _t102 + 0x20;
				_t91 = 0;
				do {
					_v364 = 0;
					_v360 = 0;
					E00C09610( &_v364, 8, "%02x",  *(_t103 + _t91 + 0x78) & 0x000000ff);
					_t55 =  &_v340;
					_t104 = _t103 + 0x10;
					_t86 = _t55 + 1;
					do {
						_t74 =  *_t55;
						_t55 = _t55 + 1;
					} while (_t74 != 0);
					_t76 = 0x40 - _t55 - _t86;
					_t57 =  &_v364;
					_t95 = _t57 + 1;
					do {
						_t87 =  *_t57;
						_t57 = _t57 + 1;
					} while (_t87 != 0);
					if(0x40 >= _t57 - _t95) {
						_t59 =  &_v364;
						_t88 = _t59 + 1;
						do {
							_t77 =  *_t59;
							_t59 = _t59 + 1;
						} while (_t77 != 0);
						_t60 = _t59 - _t88;
					} else {
						_t60 = _t76;
					}
					_t89 =  &_v364;
					_t62 = E00C29450( &_v340,  &_v364, _t60);
					_t91 = _t91 + 1;
					_t103 = _t104 + 0xc;
				} while (_t91 < 0x10);
				if(_t66 != 0) {
					_t97 = _a4;
					E00C266B0(_t91, _t66, 0, _a4);
					E00C09610(_t66, _t97 - 1, 0xc4f998,  &_v340);
					_t62 = E00C293E2( &_v364, _t97 - 1, _t66);
					_t103 = _t103 + 0x20;
				}
				_pop(_t92);
				_pop(_t96);
				return E00C2669E(_t62, _t66, _v8 ^ _t103, _t89, _t92, _t96);
			}

0x00c24050
0x00c24056
0x00c2405c
0x00c24063
0x00c2406b
0x00c2407b
0x00c2407d
0x00c24085
0x00c24091
0x00c240a9
0x00c240ae
0x00c240b5
0x00c240b8
0x00c240c0
0x00c240c0
0x00c240c2
0x00c240c3
0x00c240d7
0x00c240e1
0x00c240eb
0x00c240fe
0x00c24105
0x00c2411d
0x00c24124
0x00c2412b
0x00c24130
0x00c24133
0x00c24135
0x00c24137
0x00c2413b
0x00c24151
0x00c24156
0x00c2415d
0x00c24160
0x00c24163
0x00c24163
0x00c24165
0x00c24166
0x00c24171
0x00c24173
0x00c24177
0x00c24180
0x00c24180
0x00c24182
0x00c24183
0x00c2418b
0x00c24191
0x00c24195
0x00c24198
0x00c24198
0x00c2419a
0x00c2419b
0x00c2419f
0x00c2418d
0x00c2418d
0x00c2418d
0x00c241a2
0x00c241af
0x00c241b4
0x00c241b5
0x00c241b8
0x00c241c3
0x00c241c5
0x00c241cc
0x00c241e1
0x00c241e7
0x00c241ec
0x00c241ec
0x00c241f6
0x00c241f7
0x00c24202

APIs

_memset.LIBCMT ref: 00C24085

Part of subcall function 00C09610: _vswprintf_s.LIBCMT ref: 00C09643

_memset.LIBCMT ref: 00C2412B
_strncat.LIBCMT ref: 00C241AF
_memset.LIBCMT ref: 00C241CC
__strlwr.LIBCMT ref: 00C241E7

Strings

%02x, xrefs: 00C24145

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$__strlwr_strncat_vswprintf_s
String ID: %02x
API String ID: 259801040-560843007
Opcode ID: fbccb53d5c7c1b62af3ee6156b82f3a868b3d2a6b643d7da8e7d4f55a4477b6b
Instruction ID: 5b5a31402a45ab2a3377feb4378c40d79d6cd19904d201f5408b0701c1920ebe
Opcode Fuzzy Hash: fbccb53d5c7c1b62af3ee6156b82f3a868b3d2a6b643d7da8e7d4f55a4477b6b
Instruction Fuzzy Hash: 7A41A071108791ABD334DB74D895FEB7BE8EF84700F044A1DF69987542EA71E608CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C24FD0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C24FD0(void* __edi, void* __ebp, intOrPtr _a4) {
				signed int _v4;
				signed int _v36;
				char _v1016;
				void _v1028;
				char _v1048;
				char _v1176;
				int _v1288;
				int _v1292;
				char _v1304;
				void* __ebx;
				void* __esi;
				signed int _t27;
				intOrPtr* _t35;
				void* _t36;
				char* _t37;
				char* _t38;
				int _t42;
				signed int _t43;
				void* _t47;
				CHAR* _t48;
				intOrPtr _t52;
				char _t61;
				char _t62;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				char* _t90;

				_t68 = __edi;
				_t75 =  &_v1292;
				_t27 =  *0xc58320; // 0x96c0a7a
				_v4 = _t27 ^ _t75;
				_t74 = _a4;
				if(__edi == 0 || _t74 < 0x20) {
					L22:
					__eflags = 0;
					return E00C2669E(0, _t47, _v4 ^ _t75, _t63, _t68, _t69);
				} else {
					_v1288 = 1;
					_v1292 = 0x400;
					E00C266B0(__edi,  &_v1028, 0, 0x400);
					_t75 = _t75 + 0xc;
					_t63 =  &_v1028;
					if(SHGetValueA(0x80000002, "Software\\360Safe\\Liveup", "mid",  &_v1288,  &_v1028,  &_v1292) != 0) {
						goto L22;
					} else {
						_t35 =  &_v1048;
						_t63 = _t35 + 1;
						do {
							_t52 =  *_t35;
							_t35 = _t35 + 1;
						} while (_t52 != 0);
						_t36 = _t35 - _t63;
						if(_t36 != 0x40) {
							goto L22;
						} else {
							_push(_t47);
							_t64 = _t36 + 0x40;
							_push(_t69);
							_t37 =  &_v1304;
							_t71 =  &_v1048 - _t37;
							while(_t64 != 0x60) {
								_t62 =  *((intOrPtr*)(_t71 + _t37));
								if(_t62 == 0) {
									break;
								} else {
									 *_t37 = _t62;
									_t37 = _t37 + 1;
									_t64 = _t64 - 1;
									if(_t64 != 0) {
										continue;
									} else {
										L12:
										_t37 = _t37 - 1;
									}
								}
								L13:
								 *_t37 = 0;
								_t38 =  &_v1176;
								_t72 = 0x80;
								_t66 =  &_v1016 - _t38;
								while(1) {
									_t18 = _t72 + 0x7fffff7e; // 0x7ffffffe
									if(_t18 == 0) {
										break;
									}
									_t61 =  *((intOrPtr*)(_t66 + _t38));
									if(_t61 == 0) {
										break;
									} else {
										 *_t38 = _t61;
										_t38 = _t38 + 1;
										_t72 = _t72 - 1;
										if(_t72 != 0) {
											continue;
										} else {
											L19:
											_t38 = _t38 - 1;
											_t90 = _t38;
										}
									}
									L20:
									_t63 =  &_v1048;
									 *_t38 = 0;
									E00C266B0(_t68,  &_v1048, 0, 0x400);
									_t48 =  &_v1048;
									E00C24050(_t48,  &_v1304, _t90, 0x400);
									_t75 = _t75 + 0x10;
									_t42 = lstrcmpiA(_t48,  &_v1176);
									_pop(_t69);
									_pop(_t47);
									if(_t42 != 0) {
										goto L22;
									} else {
										_t43 = E00C09700(_t68, _t74,  &_v1304);
										asm("sbb eax, eax");
										return E00C2669E( ~_t43 + 1, _t47, _v36 ^ _t75,  &_v1304, _t68, _t69);
									}
									goto L23;
								}
								__eflags = _t72;
								if(_t72 == 0) {
									goto L19;
								}
								goto L20;
							}
							__eflags = _t64;
							if(_t64 == 0) {
								goto L12;
							}
							goto L13;
						}
					}
				}
				L23:
			}

0x00c24fd0
0x00c24fd0
0x00c24fd6
0x00c24fdd
0x00c24fe5
0x00c24fee
0x00c2514d
0x00c25157
0x00c25164
0x00c24ffd
0x00c2500c
0x00c25014
0x00c2501c
0x00c25021
0x00c25029
0x00c2504d
0x00000000
0x00c25053
0x00c25053
0x00c2505a
0x00c25060
0x00c25060
0x00c25062
0x00c25063
0x00c25067
0x00c2506c
0x00000000
0x00c25072
0x00c25072
0x00c25073
0x00c25076
0x00c25077
0x00c25084
0x00c25086
0x00c2508d
0x00c25092
0x00000000
0x00c25094
0x00c25094
0x00c25096
0x00c25097
0x00c2509a
0x00000000
0x00c2509c
0x00c250a2
0x00c250a2
0x00c250a2
0x00c2509a
0x00c250a3
0x00c250a3
0x00c250a6
0x00c250b6
0x00c250bb
0x00c250c0
0x00c250c0
0x00c250c8
0x00000000
0x00000000
0x00c250ca
0x00c250cf
0x00000000
0x00c250d1
0x00c250d1
0x00c250d3
0x00c250d4
0x00c250d7
0x00000000
0x00c250d9
0x00c250df
0x00c250df
0x00c250df
0x00c250df
0x00c250d7
0x00c250e0
0x00c250e5
0x00c250ef
0x00c250f2
0x00c250fc
0x00c25107
0x00c2510c
0x00c2511a
0x00c25120
0x00c25121
0x00c25124
0x00000000
0x00c25126
0x00c2512d
0x00c25134
0x00c2514c
0x00c2514c
0x00000000
0x00c25124
0x00c250db
0x00c250dd
0x00000000
0x00000000
0x00000000
0x00c250dd
0x00c2509e
0x00c250a0
0x00000000
0x00000000
0x00000000
0x00c250a0
0x00c2506c
0x00c2504d
0x00000000

APIs

_memset.LIBCMT ref: 00C2501C
SHGetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,?,?,?,?,00000400), ref: 00C25045
_memset.LIBCMT ref: 00C250F2
lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,00000400), ref: 00C2511A

Strings

mid, xrefs: 00C25036
Software\360Safe\Liveup, xrefs: 00C2503B

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$Valuelstrcmpi
String ID: Software\360Safe\Liveup$mid
API String ID: 999496690-2395435937
Opcode ID: 9302dd737ff47fd98e9a802d8b8a4a74ada8b2bbfdbb07cbf7782e418473a8d7
Instruction ID: afef593bee67f616997dfa1f2e8d83f5b6421a57095d76f4a6fbdcf21a0c3122
Opcode Fuzzy Hash: 9302dd737ff47fd98e9a802d8b8a4a74ada8b2bbfdbb07cbf7782e418473a8d7
Instruction Fuzzy Hash: FD4104715047558BD734CB24EC51FFFB7E8AF85704F04491CE99A87581EB709A08CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C19B60 Relevance: 10.6, APIs: 7, Instructions: 82networkCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C19B7A
socket.WS2_32(00000002,00000001,00000006), ref: 00C19BAB

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _strlensocket
String ID:
API String ID: 2213519833-0
Opcode ID: 1757668a7f46dba2f04f4803f5faa8908ba79fe0dfcf76c276cd90345ab9e0bd
Instruction ID: 5c7c0d112b4b09542900451948c6ed91b7a3d84cbed45ab00e5f50bd00c1aae0
Opcode Fuzzy Hash: 1757668a7f46dba2f04f4803f5faa8908ba79fe0dfcf76c276cd90345ab9e0bd
Instruction Fuzzy Hash: 74314D78E10208AFDB10DFA4D855BEEB7B8FF09714F404959F516DB290D7349A80DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C03320 Relevance: 10.6, APIs: 7, Instructions: 82
networksleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C03320(void* __esi) {
				long _v8;
				intOrPtr _v12;
				int _v16;
				long _v24;
				long _v28;
				void _v36;
				void _v40;
				void _v56;
				intOrPtr _t18;
				long _t23;
				int _t35;
				void* _t37;

				_t37 = __esi;
				_t35 = 0;
				_v12 = 3;
				_v16 = 0;
				_v8 = 4;
				if(__esi != 0) {
					while(1) {
						_t18 = _v12;
						_v12 = _t18 - 1;
						if(_t18 <= 0) {
							break;
						}
						if(HttpSendRequestW(_t37, 0, 0, 0, 0) != 0) {
							_v36 = 0;
							_v28 = 4;
							_t35 = HttpQueryInfoW(_t37, 0x20000013,  &_v36,  &_v28, 0);
							if(_t35 == 0) {
								goto L8;
							} else {
								if(_v56 != 0xc8) {
									_t35 = 0;
									continue;
								}
							}
						} else {
							_t23 = GetLastError();
							if(_t23 == 0x2f0d || _t23 == 0x2f19) {
								_v24 = 4;
								InternetQueryOptionW(_t37, 0x1f,  &_v40,  &_v24);
								_v56 = _v56 | 0x00003180;
								InternetSetOptionW(_t37, 0x1f,  &_v56, 4);
								_t35 = HttpSendRequestW(_t37, 0, 0, 0, 0);
							}
							if(_t35 == 0) {
								L8:
								Sleep(0x3e8);
							}
							continue;
						}
						break;
					}
				}
				return _t35;
			}

0x00c03320
0x00c03324
0x00c03326
0x00c0332e
0x00c03332
0x00c0333c
0x00c03350
0x00c03350
0x00c03357
0x00c0335d
0x00000000
0x00000000
0x00c03372
0x00c033ea
0x00c033f2
0x00c03400
0x00c03404
0x00000000
0x00c03406
0x00c0340e
0x00c03410
0x00000000
0x00c03410
0x00c0340e
0x00c03374
0x00c03374
0x00c0337f
0x00c03395
0x00c0339d
0x00c0339f
0x00c033b1
0x00c033c2
0x00c033c2
0x00c033c6
0x00c033c8
0x00c033cd
0x00c033cd
0x00000000
0x00c033c6
0x00000000
0x00c03372
0x00c03418
0x00c0341f

APIs

HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C0336C
GetLastError.KERNEL32(?,?,?,00000000,20000013,?,?,00000000), ref: 00C03374
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C0339D
InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 00C033B1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C033C0
Sleep.KERNEL32(000003E8,?,?,?,00000000,20000013,?,?,00000000), ref: 00C033CD
HttpQueryInfoW.WININET(?,?,?,00000000,20000013), ref: 00C033FA

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Http$InternetOptionQueryRequestSend$ErrorInfoLastSleep
String ID:
API String ID: 3342051080-0
Opcode ID: a603a1d2b7ba0159add0d756fb6744e963bb92f5d33a22c6a794cebe61e1a5d6
Instruction ID: e4c5b018f29da90a8bc4535aaa41a23984371a96668abc5c8a0792464e26cd09
Opcode Fuzzy Hash: a603a1d2b7ba0159add0d756fb6744e963bb92f5d33a22c6a794cebe61e1a5d6
Instruction Fuzzy Hash: 5C21C475144702ABE312CF59CC85B6FB6E8BBC8B00F51451CF264A71E0DBB0DB098B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00C19C80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C19C80(void* __eflags, char* _a4, intOrPtr _a8, char _a12) {
				signed int _v8;
				long _v12;
				char _v527;
				char _v528;
				char _v1043;
				char _v1044;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t33;
				void* _t37;
				void* _t45;
				void* _t46;
				signed int _t47;
				void* _t48;
				void* _t50;

				_t19 =  *0xc58320; // 0x96c0a7a
				_v8 = _t19 ^ _t47;
				_v528 = 0;
				E00C266B0(_t45,  &_v527, 0, 0x200);
				_v1044 = 0;
				E00C266B0(_t45,  &_v1043, 0, 0x200);
				_t50 = _t48 + 0x18;
				if(InterlockedCompareExchange(0xc5a3a0, 1, 0) == 0) {
					E00C25490(_t47, 0xc5a3a8, 0x40);
					E00C19D90(0xc5a3f0, 0x40);
					_t50 = _t50 + 8;
				}
				_t55 = _a4;
				if(_a4 == 0) {
					_a4 = "/hips/update/inst.htm";
				}
				_v12 =  &_a12;
				E00C27280( &_v528, 0x200, _a8, _v12);
				_push( &_v528);
				_push(0xc5a3f0);
				E00C19E80( &_v1044, 0x200, "%s?m=%s&m2=%s&%s", _a4);
				_t33 = E00C19B00(E00C198B0(),  &_v1044, _t55, "s.360.cn", 0x50,  &_v1044);
				_v12 = 0;
				return E00C2669E(_t33, _t37, _v8 ^ _t47,  &_v1044, _t45, _t46, 0xc5a3a8);
			}

0x00c19c89
0x00c19c90
0x00c19c96
0x00c19cab
0x00c19cb3
0x00c19cc8
0x00c19ccd
0x00c19ce1
0x00c19cea
0x00c19cf6
0x00c19cfb
0x00c19cfb
0x00c19cfe
0x00c19d02
0x00c19d04
0x00c19d04
0x00c19d0e
0x00c19d25
0x00c19d33
0x00c19d34
0x00c19d53
0x00c19d70
0x00c19d75
0x00c19d8c

APIs

_memset.LIBCMT ref: 00C19CAB
_memset.LIBCMT ref: 00C19CC8
InterlockedCompareExchange.KERNEL32(00C5A3A0,00000001,00000000), ref: 00C19CD9
_vswprintf_s.LIBCMT ref: 00C19D25

Part of subcall function 00C25490: _memset.LIBCMT ref: 00C254A6

Part of subcall function 00C19D90: _memset.LIBCMT ref: 00C19DD1
Part of subcall function 00C19D90: _memset.LIBCMT ref: 00C19E02
Part of subcall function 00C19D90: __cftoe.LIBCMT ref: 00C19E24

Strings

%s?m=%s&m2=%s&%s, xrefs: 00C19D42
s.360.cn, xrefs: 00C19D64

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$CompareExchangeInterlocked__cftoe_vswprintf_s
String ID: %s?m=%s&m2=%s&%s$s.360.cn
API String ID: 2508440159-1827314013
Opcode ID: fdcfb4f41a4091d3cf7b5eb44322a14885ea1b707692045f366e6450f7668966
Instruction ID: c5b56483c1d28f8ad278401a139e474fc5f1b814a720817f4f44056015ce8cc0
Opcode Fuzzy Hash: fdcfb4f41a4091d3cf7b5eb44322a14885ea1b707692045f366e6450f7668966
Instruction Fuzzy Hash: 37210BB5A4030CBAEB10EF54DC87FDD7778EB04704F0041A4F608A61C2E6B0A6C8DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00C19A10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75
networkCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00C19A10(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				char _v2059;
				char _v2060;
				char _v4108;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				intOrPtr _t28;
				void* _t29;
				void* _t34;
				void* _t43;
				void* _t44;
				signed int _t45;

				_t41 = __edx;
				E00C26E30(0x1048);
				_t18 =  *0xc58320; // 0x96c0a7a
				_v8 = _t18 ^ _t45;
				_v12 = __ecx;
				if( *_v12 != 0xffffffff) {
					_v2060 = 0;
					E00C266B0(_t43,  &_v2059, 0, 0x7ff);
					E00C09610( &_v2060, 0x800, "GET %s HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: zh-CN\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: %s\r\n\r\n", _a4);
					_t41 = _v12;
					_t28 =  *_v12;
					__imp__#19(_t28,  &_v2060, E00C26DA0( &_v2060), 0, _v12 + 4);
					if(_t28 == 0xffffffff) {
						_t29 = 0;
					} else {
						E00C266B0(_t43,  &_v4108, 0, 0x800);
						_t41 =  *_v12;
						__imp__#16( *_v12,  &_v4108, 0x7ff, 0);
						_t29 = 1;
					}
				} else {
					_t29 = 0;
				}
				return E00C2669E(_t29, _t34, _v8 ^ _t45, _t41, _t43, _t44);
			}

0x00c19a10
0x00c19a18
0x00c19a1d
0x00c19a24
0x00c19a2a
0x00c19a33
0x00c19a3c
0x00c19a51
0x00c19a75
0x00c19a96
0x00c19a99
0x00c19a9c
0x00c19aa5
0x00c19ad9
0x00c19aa7
0x00c19ab5
0x00c19ace
0x00c19ad1
0x00c19add
0x00c19add
0x00c19a35
0x00c19a35
0x00c19a35
0x00c19af2

APIs

_memset.LIBCMT ref: 00C19A51
_strlen.LIBCMT ref: 00C19A86
send.WS2_32(00000000,?,00000000,00000000), ref: 00C19A9C
_memset.LIBCMT ref: 00C19AB5
recv.WS2_32(?,?,000007FF,00000000), ref: 00C19AD1

Strings

GET %s HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: zh-CNUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: %s, xrefs: 00C19A64

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memset$_strlenrecvsend
String ID: GET %s HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: zh-CNUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: %s
API String ID: 2247825654-2343988929
Opcode ID: 569c271ce4fea57bd09560cfe119cd7d0e0d92225c54dcf5541d91b5c09b97f8
Instruction ID: d946d7801212b8b9ed342143ac36f919b6bb5da7c6f5057cfcd6cab0107569f4
Opcode Fuzzy Hash: 569c271ce4fea57bd09560cfe119cd7d0e0d92225c54dcf5541d91b5c09b97f8
Instruction Fuzzy Hash: ED21C575E00218ABD740DBA4DC85FDE77B8FF08714F5045A5F549E7281EE70AAC89BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C22BC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C22BC0(char* _a4, signed int _a8) {
				void* _v8;
				long _v12;
				int _v16;
				int _v20;
				signed int _v24;

				_v8 = 0;
				_v12 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe", 0, 0x20019,  &_v8);
				if(_v12 != 0) {
					return 0;
				}
				_v16 = 1;
				_v20 = _a8 << 1;
				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _a4,  &_v20);
				RegCloseKey(_v8);
				_v24 = E00C2658A(_a4);
				if(_v24 != 0 && (_a4[_v24 * 2 - 2] & 0x0000ffff) != 0x5c) {
					 *((short*)(_a4 + _v24 * 2)) = 0x5c;
					_a4[2 + _v24 * 2] = 0;
				}
				return 1;
			}

0x00c22bc9
0x00c22beb
0x00c22bf2
0x00000000
0x00c22c72
0x00c22bf4
0x00c22c00
0x00c22c1a
0x00c22c24
0x00c22c36
0x00c22c3d
0x00c22c5a
0x00c22c66
0x00c22c66
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe,00000000,00020019,00000000), ref: 00C22BE5
RegQueryValueExW.ADVAPI32(00000000,Path,00000000,00000001,00000000,?), ref: 00C22C1A
RegCloseKey.ADVAPI32(00000000), ref: 00C22C24
_wcslen.LIBCMT ref: 00C22C2E

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00C22BDB
Path, xrefs: 00C22C11

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseOpenQueryValue_wcslen
String ID: Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
API String ID: 3367834004-1559094029
Opcode ID: 7de6e48109429a8bbf8bb124d78f32188e805ac5e39a14c5a1cd597b05376f68
Instruction ID: 3e9a82d8443cb35211fbd04788b4d5279cff90ad40a99578d3c916a254711dbb
Opcode Fuzzy Hash: 7de6e48109429a8bbf8bb124d78f32188e805ac5e39a14c5a1cd597b05376f68
Instruction Fuzzy Hash: AA210B79A00218EBDB10CF98D985BAEB7B9FF48700F108065E915A7291D7709A54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C063E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00C063E0(void* __ebx, void* __edi, WCHAR* __esi, void* __eflags) {
				signed int _v4;
				signed int _v12;
				signed int _v20;
				void* _v524;
				short _v532;
				signed int _t9;
				void* _t12;
				void* _t32;
				signed int _t36;
				signed int _t37;

				_t34 = __edi;
				_t36 =  &_v524;
				_t9 =  *0xc58320; // 0x96c0a7a
				_v4 = _t9 ^ _t36;
				_t12 = E00C266B0(__edi,  &_v524, 0, 0x208);
				_t37 = _t36 + 0xc;
				__imp__GetSystemWindowsDirectoryW( &_v524, 0x104);
				if(_t12 - 1 > 0x102) {
					return E00C2669E(0x80004005, __ebx, _v12 ^ _t37, _t32, _t34, __esi);
				} else {
					if(E00C06390() != 0) {
						PathCombineW(__esi,  &_v532, L"SysNative\\ntoskrnl.exe");
						return E00C2669E(0, __ebx, _v20 ^ _t37, _t32, _t34, __esi);
					} else {
						PathCombineW(__esi,  &_v532, L"System32\\ntoskrnl.exe");
						return E00C2669E(0, __ebx, _v20 ^ _t37,  &_v532, _t34, __esi);
					}
				}
			}

0x00c063e0
0x00c063e0
0x00c063e6
0x00c063ed
0x00c06400
0x00c06405
0x00c06412
0x00c0641e
0x00c06492
0x00c06420
0x00c06427
0x00c0645c
0x00c06478
0x00c06429
0x00c06434
0x00c06450
0x00c06450
0x00c06427

APIs

_memset.LIBCMT ref: 00C06400
GetSystemWindowsDirectoryW.KERNEL32 ref: 00C06412

Part of subcall function 00C06390: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00C06425), ref: 00C0639C
Part of subcall function 00C06390: GetProcAddress.KERNEL32(00000000), ref: 00C063A3
Part of subcall function 00C06390: GetCurrentProcess.KERNEL32(00C06425,?,00C06425), ref: 00C063BA

PathCombineW.SHLWAPI(?,?,System32\ntoskrnl.exe), ref: 00C06434
PathCombineW.SHLWAPI(?,?,SysNative\ntoskrnl.exe), ref: 00C0645C

Strings

System32\ntoskrnl.exe, xrefs: 00C06429
SysNative\ntoskrnl.exe, xrefs: 00C06451

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CombinePath$AddressCurrentDirectoryHandleModuleProcProcessSystemWindows_memset
String ID: SysNative\ntoskrnl.exe$System32\ntoskrnl.exe
API String ID: 3000881479-3236087421
Opcode ID: 4c4284cbaf9b9978661c043ff3225cc97e706e34d7275a9f2af26d23c9d1dc22
Instruction ID: 2c2283884214990a65666faae39c1af2848eb512838666a6dfc87b2f495fd4e9
Opcode Fuzzy Hash: 4c4284cbaf9b9978661c043ff3225cc97e706e34d7275a9f2af26d23c9d1dc22
Instruction Fuzzy Hash: D401B5B56003006BD664EB60DC4EB6F33D8BF8CB01F810918B9AAC6192EE749554D693

Uniqueness

Uniqueness Score: -1.00%

Function 00C43E00 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 55%

			E00C43E00(intOrPtr* _a4) {
				signed int _v8;
				char _v12;
				char _v20;
				intOrPtr* _t11;
				intOrPtr _t12;
				void* _t15;
				intOrPtr* _t21;
				void* _t22;

				_t11 =  *0xc5bd94; // 0x0
				_t12 =  *_t11;
				if(_t12 == 0) {
					_push(0x29);
					_push(_a4);
					_t15 = E00C435E3(E00C433E2( &_v12, " throw("),  &_v20, 1);
					goto L5;
				} else {
					if(_t12 != 0x5a) {
						_push(0x29);
						_push(_a4);
						_t15 = E00C43A92(_t22,  &_v20, " throw(", E00C43D24(_t22,  &_v12));
						L5:
						E00C43AB6(_t15);
						return _a4;
					} else {
						 *0xc5bd94 =  *0xc5bd94 + 1;
						_t21 = _a4;
						 *_t21 = 0;
						 *(_t21 + 4) = _v8 & 0xffff0000;
						return _t21;
					}
				}
			}

0x00c43e05
0x00c43e0a
0x00c43e11
0x00c43e54
0x00c43e56
0x00c43e6e
0x00000000
0x00c43e13
0x00c43e15
0x00c43e32
0x00c43e34
0x00c43e4a
0x00c43e73
0x00c43e75
0x00c43e7e
0x00c43e17
0x00c43e17
0x00c43e20
0x00c43e2b
0x00c43e2d
0x00c43e31
0x00c43e31
0x00c43e15

APIs

UnDecorator::getArgumentTypes.LIBCMT ref: 00C43E3B
operator+.LIBCMT ref: 00C43E4A
DName::DName.LIBCMT ref: 00C43E67
DName::operator+.LIBCMT ref: 00C43E6E
DName::operator+.LIBCMT ref: 00C43E75

Strings

throw(, xrefs: 00C43E44, 00C43E5F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Name::operator+$ArgumentDecorator::getNameName::Typesoperator+
String ID: throw(
API String ID: 4203687869-3159766648
Opcode ID: b6f3128374222db59ab42e0cfe4bf958209aabd3015d8bd9222133fd8fad3662
Instruction ID: d909deea6d9de46fe1d27c985ce5307bc115adc55cb77be694f9c44b275fab1b
Opcode Fuzzy Hash: b6f3128374222db59ab42e0cfe4bf958209aabd3015d8bd9222133fd8fad3662
Instruction Fuzzy Hash: DA018434A40248ABDF10EFA4C846EED3BB5FB84308F044051B906AB291D770DF459B84

Uniqueness

Uniqueness Score: -1.00%

Function 00C073B0 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00C073B0(intOrPtr* __ecx, void* __eflags, WCHAR** _a4, signed int _a8) {
				char _v4;
				char _v12;
				char _v20;
				char _v24;
				signed int _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed char _t79;
				WCHAR* _t82;
				intOrPtr* _t92;
				intOrPtr* _t94;
				signed int _t100;
				void* _t102;
				signed int** _t105;
				intOrPtr* _t107;
				void* _t121;
				char _t122;
				signed int _t133;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t160;
				signed int _t162;
				void* _t169;
				intOrPtr* _t170;
				void* _t176;
				signed int _t180;
				void* _t183;
				WCHAR** _t184;
				void* _t186;
				signed int _t187;

				_t187 = _t186 - 0x14;
				_t71 =  *0xc58320; // 0x96c0a7a
				 *[fs:0x0] =  &_v12;
				_t184 = _a4;
				_t170 = __ecx;
				_t152 =  *0xc5a910; // 0xc4f8dc
				_v28 =  *((intOrPtr*)(__ecx + 0xc));
				_t5 = _t152 + 0xc; // 0xc23088
				_v20 = 0;
				_v32 =  *((intOrPtr*)( *_t5))(_t71 ^ _t187, _t169, _t176, _t183, _t121,  *[fs:0x0], 0xc4d210, 0xffffffff) + 0x10;
				_v4 = 0;
				_t178 = _t184;
				E00C07FD0(_t184);
				_t79 =  *(_t170 + 0xc);
				if((_t79 & 0x00000003) != 0) {
					__eflags = _t79 & 0x00000001;
					if((_t79 & 0x00000001) != 0) {
						E00C07BC0(_t121,  *((intOrPtr*)( *_t170 - 0xc)), _t178, _t184,  &_v32,  *_t170);
					}
					__eflags =  *(_t170 + 0xc) & 0x00000002;
					if(( *(_t170 + 0xc) & 0x00000002) != 0) {
						E00C07BC0(_t121,  *((intOrPtr*)( *((intOrPtr*)(_t170 + 4)) - 0xc)), _t178, _t184,  &_v32,  *((intOrPtr*)(_t170 + 4)));
					}
					__eflags =  *(_t170 + 0xc) & 0x00000008;
					if(__eflags != 0) {
						E00C07BC0(_t121,  *((intOrPtr*)(_t170 - 0xc)), _t178, _t184,  &_v32, _t170);
					}
					_push( *((intOrPtr*)(_v32 - 0xc)));
					E00C06C10(_t121, _v32, _t184, _t170, __eflags);
					_t187 = _t187 + 4;
					_t32 =  &_v28;
					 *_t32 = _v28 | 0x00000020;
					__eflags =  *_t32;
					_t122 = 1;
				} else {
					if(E00C07230(_t184, _t184) != 0) {
						_v28 = 0x10;
					}
					_t122 = 1;
					_v20 = 1;
				}
				_t82 =  *_t184;
				_t131 =  *((intOrPtr*)(_t82 - 0xc));
				if( *((intOrPtr*)(_t82 - 0xc)) != 0) {
					__eflags = _a8;
					if(_a8 == 0) {
						_t100 = StrCmpNIW(_t82, L"ffffffff", 8);
						__eflags = _t100;
						if(_t100 != 0) {
							E00C07ED0(_t184,  &_v24);
							_t160 =  &_v32;
							_v12 = _t122;
							_t102 = E00C07EF0(_t184, _t160);
							_t187 = _t187 + 4;
							_v12 = 2;
							E00C083A0(_t102, _t184);
							_v12 = _t122;
							_t105 = _v32 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t162 = (_t160 | 0xffffffff) - 1;
							__eflags = _t162;
							if(_t162 <= 0) {
								_t162 =  *( *_t105);
								 *((intOrPtr*)( *((intOrPtr*)(_t162 + 4))))(_t105);
							}
							_v12 = 0;
							_t107 = _v24 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							__eflags = (_t162 | 0xffffffff) - 1;
							if((_t162 | 0xffffffff) - 1 <= 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t107)) + 4))))(_t107);
							}
						}
					}
				} else {
					E00C088E0(_t184, _t131 + 0x28, _t131, _t170, _t178, _t184, L"0000000000000000000000000000000000000000");
					_v24 = 1;
				}
				_t154 =  *0xc5a910; // 0xc4f8dc
				_t50 = _t154 + 0xc; // 0xc23088
				_v24 =  *((intOrPtr*)( *_t50))() + 0x10;
				_v4 = 3;
				E00C07B10( &_v24,  *_t184);
				E00C09050("%02x", _v28 & 0x000000ff);
				_t133 = E00C06E60(_v24,  *((intOrPtr*)(_v24 - 0xc))) & 0x000000ff;
				_push(_t133);
				E00C09060(L"%02x%02x", _v28 & 0x000000ff);
				_v4 = 0;
				_t92 = _v24 + 0xfffffff0;
				asm("lock xadd [edx], ecx");
				if((_t133 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t92)) + 4))))(_t92);
				}
				_v4 = 0xffffffff;
				_t94 = _v32 + 0xfffffff0;
				_t180 = 0 | _v20 == 0x00000000;
				asm("lock xadd [edx], ecx");
				if(0xfffffffffffffffe <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t94)) + 4))))(_t94);
				}
				 *[fs:0x0] = _v12;
				return _t180;
			}

0x00c073be
0x00c073c5
0x00c073d1
0x00c073d7
0x00c073db
0x00c073e0
0x00c073e6
0x00c073ea
0x00c073f4
0x00c073fd
0x00c07401
0x00c07405
0x00c07407
0x00c0740c
0x00c07411
0x00c07431
0x00c07433
0x00c07440
0x00c07440
0x00c07445
0x00c07449
0x00c07457
0x00c07457
0x00c0745c
0x00c07460
0x00c0746e
0x00c0746e
0x00c0747a
0x00c0747d
0x00c07482
0x00c07485
0x00c07485
0x00c07485
0x00c0748a
0x00c07413
0x00c0741c
0x00c0741e
0x00c0741e
0x00c07426
0x00c0742b
0x00c0742b
0x00c0748f
0x00c07492
0x00c07497
0x00c074b5
0x00c074ba
0x00c074c8
0x00c074ce
0x00c074d0
0x00c074d8
0x00c074dd
0x00c074e4
0x00c074e8
0x00c074ed
0x00c074f2
0x00c074f7
0x00c074fc
0x00c07504
0x00c0750d
0x00c07511
0x00c07512
0x00c07514
0x00c07518
0x00c0751e
0x00c0751e
0x00c07520
0x00c07529
0x00c07532
0x00c07537
0x00c07539
0x00c07543
0x00c07543
0x00c07539
0x00c074d0
0x00c07499
0x00c074a3
0x00c074a8
0x00c074a8
0x00c07545
0x00c0754b
0x00c07558
0x00c0755c
0x00c07568
0x00c07581
0x00c07592
0x00c07595
0x00c0759e
0x00c075a3
0x00c075ac
0x00c075b8
0x00c075bf
0x00c075c9
0x00c075c9
0x00c075d1
0x00c075e0
0x00c075e6
0x00c075ed
0x00c075f4
0x00c075fe
0x00c075fe
0x00c07606
0x00c07615

APIs

Part of subcall function 00C07230: CoCreateGuid.OLE32(?,096C0A7A,?,?,?,?,00C4D158,000000FF,00C0741A), ref: 00C07268

StrCmpNIW.SHLWAPI(00000000,ffffffff,00000008), ref: 00C074C8

Strings

0000000000000000000000000000000000000000, xrefs: 00C07499
ffffffff, xrefs: 00C074C2
, xrefs: 00C07485
%02x%02x, xrefs: 00C07597
%02x, xrefs: 00C07578

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CreateGuid
String ID: $%02x$%02x%02x$0000000000000000000000000000000000000000$ffffffff
API String ID: 2531319410-3886543845
Opcode ID: 205ab4e00eea1e13447f516d47c8155b71e52804a21cbd1d6c053611ca5eb25e
Instruction ID: f7ff4553a248416a3827ff21932c096c702fbc50e9df7a40b318111a8684129a
Opcode Fuzzy Hash: 205ab4e00eea1e13447f516d47c8155b71e52804a21cbd1d6c053611ca5eb25e
Instruction Fuzzy Hash: 1B716A756087419FC348DF28C881B1AB7E5BF88324F14875CF8A98B2D2DB75E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1CBA0 Relevance: 9.1, APIs: 6, Instructions: 144
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C1CBA0(intOrPtr __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				char _v32;
				intOrPtr _v36;
				char _v44;
				struct HINSTANCE__* _v48;
				struct HRSRC__* _v52;
				char* _v56;
				long _v60;
				char* _v64;
				char _v1092;
				WCHAR* _v1096;
				signed int _v1100;
				intOrPtr _v1168;
				intOrPtr _v1172;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				short _t86;
				short* _t88;
				void* _t91;
				intOrPtr _t98;
				void* _t108;
				void* _t133;
				void* _t134;
				signed int _t135;

				_t63 =  *0xc58320; // 0x96c0a7a
				_v8 = _t63 ^ _t135;
				_v12 = __ecx;
				_v20 = E00C02500();
				E00C1F5A0( &_v32);
				E00C1CE70( &_v44, _v12);
				E00C1FA10( &_v1092);
				_push(0x400);
				_v1096 = E00C1C950(_a4);
				_v48 = LoadLibraryExW(_v1096, 0, 2);
				if(_v48 != 0) {
					_v52 = FindResourceW(_v48, _a8, _a12);
					__eflags = _v52;
					if(_v52 != 0) {
						_v56 = LoadResource(_v48, _v52);
						__eflags = _v56;
						if(_v56 != 0) {
							_v60 = SizeofResource(_v48, _v52);
							_v64 = _v56;
							__eflags = _v60 + 1 - _v60;
							if(_v60 + 1 >= _v60) {
								E00C1FA80( &_v1092, _v60 + 1);
								_t86 = E00C1FA60( &_v1092);
								__eflags = _t86;
								if(_t86 != 0) {
									_t88 = E00C1FA60( &_v1092);
									_t132 = _v64;
									_v1100 = MultiByteToWideChar(E00C02500(), 0, _v64, _v60, _t88, _v60);
									__eflags = _v1100;
									if(_v1100 != 0) {
										_t91 = E00C1FA60( &_v1092);
										__eflags = 0;
										_t132 = _v1100;
										 *((short*)(_t91 + _v1100 * 2)) = 0;
										_v36 = E00C1CEA0( &_v44, _v1100, 0, E00C1FA60( &_v1092), _a16);
									} else {
										_v36 = E00C0D2E0();
									}
								} else {
									_v36 = 0x8007000e;
								}
								goto L13;
							}
							_v1172 = 0x8007000e;
							E00C1FA30( &_v1092);
							E00C1F5C0( &_v32);
							_t98 = _v1172;
							goto L16;
						}
						_v36 = E00C0D2E0();
						goto L13;
					}
					_v36 = E00C0D2E0();
					goto L13;
				} else {
					_v36 = E00C0D2E0();
					L13:
					if(_v48 != 0) {
						FreeLibrary(_v48);
					}
					_v1168 = _v36;
					E00C1FA30( &_v1092);
					E00C1F5C0( &_v32);
					_t98 = _v1168;
					L16:
					return E00C2669E(_t98, _t108, _v8 ^ _t135, _t132, _t133, _t134);
				}
			}

0x00c1cba9
0x00c1cbb0
0x00c1cbb6
0x00c1cbbe
0x00c1cbc4
0x00c1cbd0
0x00c1cbdb
0x00c1cbe0
0x00c1cbf1
0x00c1cc08
0x00c1cc0f
0x00c1cc30
0x00c1cc33
0x00c1cc37
0x00c1cc54
0x00c1cc57
0x00c1cc5b
0x00c1cc78
0x00c1cc7e
0x00c1cc87
0x00c1cc8a
0x00c1ccc1
0x00c1cccc
0x00c1ccd1
0x00c1ccd3
0x00c1cce8
0x00c1ccf2
0x00c1cd04
0x00c1cd0a
0x00c1cd11
0x00c1cd23
0x00c1cd28
0x00c1cd2a
0x00c1cd30
0x00c1cd4c
0x00c1cd13
0x00c1cd18
0x00c1cd18
0x00c1ccd5
0x00c1ccd5
0x00c1ccd5
0x00000000
0x00c1ccd3
0x00c1cc8c
0x00c1cc9c
0x00c1cca4
0x00c1cca9
0x00000000
0x00c1cca9
0x00c1cc62
0x00000000
0x00c1cc62
0x00c1cc3e
0x00000000
0x00c1cc11
0x00c1cc16
0x00c1cd4f
0x00c1cd53
0x00c1cd59
0x00c1cd59
0x00c1cd62
0x00c1cd6e
0x00c1cd76
0x00c1cd7b
0x00c1cd84
0x00c1cd91
0x00c1cd91

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00C1CC02
FindResourceW.KERNEL32(00000000,?,00000000), ref: 00C1CC2A
FreeLibrary.KERNEL32(00000000,00000000,00C1CE17), ref: 00C1CD59

Part of subcall function 00C0D2E0: GetLastError.KERNEL32(00C0D7BC), ref: 00C0D2E0

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Library$ErrorFindFreeLastLoadResource
String ID:
API String ID: 3418355812-0
Opcode ID: 114e1f4f36584713b18ef17023dd98275aff4921050337e7638adb9c67806e0e
Instruction ID: 17ab1b3468f7f149b15aa5e8f9f182d821ff05fe66fe9d49dcf2db2f4808b2c2
Opcode Fuzzy Hash: 114e1f4f36584713b18ef17023dd98275aff4921050337e7638adb9c67806e0e
Instruction Fuzzy Hash: 325109B1D50118AFCB14EFA4DC95BEEB7B4BF09300F004469F20AA7251DB349A85EF65

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B320 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C0B320(intOrPtr* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v524;
				signed char _v527;
				signed char _v528;
				signed char _v529;
				signed char _v530;
				signed int _v531;
				signed char _v532;
				void* _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t32;
				intOrPtr* _t33;
				intOrPtr _t40;
				void* _t42;
				intOrPtr _t43;
				WCHAR* _t45;
				void* _t52;
				intOrPtr* _t57;
				void* _t58;
				intOrPtr _t60;
				signed int _t61;
				void* _t62;
				signed int _t63;

				_t61 =  &_v536;
				_t19 =  *0xc58320; // 0x96c0a7a
				_v4 = _t19 ^ _t61;
				_t60 = _a8;
				_t45 =  &_v524;
				_t57 = __ecx;
				E00C0D400(0x208, _t45, L"\\\\.\\%s", _a4);
				_t62 = _t61 + 8;
				_t58 = 0;
				_t25 = CreateFileW(_t45, 0x80000000, 3, 0, 3, 0x80, 0);
				if(_t25 != 0xffffffff) {
					_t58 = _t25;
					L2:
					_v536 = 0;
					_t27 = E00C0AF90(0x10213, 4, _t58,  &_v536);
					_t63 = _t62 + 8;
					if(_t27 == 0) {
						L14:
						_t55 = 4;
						_t29 = E00C0AF90(0x10202, 4, _t58,  &_v536);
						_t63 = _t63 + 8;
						if(_t29 == 0) {
							L20:
							_t57 = 0;
							_t11 = _t57 + 6; // 0x6
							_t55 = _t11;
							_t32 = E00C0AF90(0x1010101, _t11, _t58,  &_v532);
							_t63 = _t63 + 8;
							if(_t32 != 0) {
								_push(_v527 & 0x000000ff);
								_push(_v528 & 0x000000ff);
								_t55 = _v531 & 0x000000ff;
								_push(_v529 & 0x000000ff);
								_push(_v530 & 0x000000ff);
								_push(_v531 & 0x000000ff);
								E00C09610(_t60, 0x64, "%02X%02X%02X%02X%02X%02X", _v532 & 0x000000ff);
								_t63 = _t63 + 0x24;
								_t57 = 1;
							}
							if(_t58 != 0) {
								CloseHandle(_t58);
							}
							_t33 = _t57;
							L25:
							return E00C2669E(_t33, _t45, _v4 ^ _t63, _t55, _t57, _t58);
						}
						_t52 = _v536;
						_t40 = E00C0B2C0(_t52);
						if(_t40 != 0) {
							L11:
							if(_t58 != 0) {
								CloseHandle(_t58);
							}
							L13:
							_t33 = 0;
							goto L25;
						}
						if(_t52 == 1 || _t52 == 9) {
							_t40 = 1;
						}
						 *_t57 = _t40;
						goto L20;
					}
					_t42 = _v536;
					if(_t42 == 0) {
						goto L14;
					}
					if(_t42 == 0xe) {
						goto L20;
					}
					if(_t42 == 1 || _t42 == 9) {
						_t43 = 1;
					} else {
						_t43 = 0;
					}
					 *_t57 = _t43;
					if(_t43 != 0) {
						goto L20;
					} else {
						goto L11;
					}
				}
				if(E00C0D2E0() != 0) {
					goto L13;
				}
				goto L2;
			}

0x00c0b320
0x00c0b326
0x00c0b32d
0x00c0b33d
0x00c0b351
0x00c0b355
0x00c0b357
0x00c0b35c
0x00c0b35f
0x00c0b374
0x00c0b37d
0x00c0b3c7
0x00c0b388
0x00c0b398
0x00c0b3a0
0x00c0b3a5
0x00c0b3aa
0x00c0b3e8
0x00c0b3ee
0x00c0b3f8
0x00c0b3fd
0x00c0b402
0x00c0b424
0x00c0b429
0x00c0b42c
0x00c0b42c
0x00c0b434
0x00c0b439
0x00c0b43e
0x00c0b44f
0x00c0b455
0x00c0b456
0x00c0b45b
0x00c0b461
0x00c0b462
0x00c0b46c
0x00c0b471
0x00c0b474
0x00c0b474
0x00c0b47b
0x00c0b47e
0x00c0b47e
0x00c0b484
0x00c0b486
0x00c0b49e
0x00c0b49e
0x00c0b404
0x00c0b40a
0x00c0b411
0x00c0b3d6
0x00c0b3d8
0x00c0b3db
0x00c0b3db
0x00c0b3e1
0x00c0b3e1
0x00000000
0x00c0b3e1
0x00c0b416
0x00c0b41d
0x00c0b41d
0x00c0b422
0x00000000
0x00c0b422
0x00c0b3ac
0x00c0b3b2
0x00000000
0x00000000
0x00c0b3b7
0x00000000
0x00000000
0x00c0b3bc
0x00c0b3cb
0x00c0b3c3
0x00c0b3c3
0x00c0b3c3
0x00c0b3d0
0x00c0b3d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00c0b3d4
0x00c0b386
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C0D400: _vswprintf_s.LIBCMT ref: 00C0D42C

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000), ref: 00C0B374
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?), ref: 00C0B3DB

Part of subcall function 00C0D2E0: GetLastError.KERNEL32(00C0D7BC), ref: 00C0D2E0

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 00C0B47E

Strings

\\.\%s, xrefs: 00C0B347
%02X%02X%02X%02X%02X%02X, xrefs: 00C0B464

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileLast_vswprintf_s
String ID: %02X%02X%02X%02X%02X%02X$\\.\%s
API String ID: 3942810406-1525991222
Opcode ID: ab7b43ccfd751b87acf17d305f4137a01e25cb9bffa2a28bcda1252f643e0ca8
Instruction ID: 0073692a7279c2fabccd67ac3d45572dd6583ee2b6de99e59b4a1d34e0d37465
Opcode Fuzzy Hash: ab7b43ccfd751b87acf17d305f4137a01e25cb9bffa2a28bcda1252f643e0ca8
Instruction Fuzzy Hash: 044122B16043525BD720CAA59C45B7FB6D8EF85700F140929FAA1C62D2EB34EE44C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00C24920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00C24920(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v264;
				signed char _v519;
				signed char _v520;
				signed char _v521;
				signed char _v522;
				signed char _v523;
				void _v524;
				void _v528;
				long _v532;
				void* __ebx;
				void* __esi;
				signed int _t20;
				void* _t45;
				void* _t50;
				signed int _t51;
				signed int _t52;

				_t49 = __edi;
				_t45 = __edx;
				_t51 =  &_v532;
				_t20 =  *0xc58320; // 0x96c0a7a
				_v4 = _t20 ^ _t51;
				E00C09610( &_v264, 0x104, "\\\\.\\%s", _a4);
				_t52 = _t51 + 0x10;
				_t36 = 0;
				_t50 = CreateFileA( &_v264, 0xc0000000, 3, 0, 3, 0, 0);
				if(_t50 != 0xffffffff) {
					_t46 =  &_v532;
					_v528 = 0x1010101;
					_v532 = 0;
					if(DeviceIoControl(_t50, 0x170002,  &_v528, 4,  &_v524, 0x104,  &_v532, 0) != 0 && _v532 > 0) {
						_push(_v519 & 0x000000ff);
						_push(_v520 & 0x000000ff);
						_push(_v521 & 0x000000ff);
						_push(_v522 & 0x000000ff);
						_t46 = _a8;
						_push(_v523 & 0x000000ff);
						E00C09610(__edi, _a8, "%02X%02X%02X%02X%02X%02X", _v524 & 0x000000ff);
						_t52 = _t52 + 0x24;
						_t36 = 1;
					}
					CloseHandle(_t50);
					return E00C2669E(_t36, _t36, _v4 ^ _t52, _t46, _t49, _t50);
				} else {
					return E00C2669E(0, 0, _v4 ^ _t52, _t45, __edi, _t50);
				}
			}

0x00c24920
0x00c24920
0x00c24920
0x00c24926
0x00c2492d
0x00c24950
0x00c24955
0x00c24958
0x00c24974
0x00c24979
0x00c24995
0x00c249b1
0x00c249b9
0x00c249c5
0x00c249dc
0x00c249e2
0x00c249e8
0x00c249ee
0x00c249ef
0x00c249f6
0x00c249ff
0x00c24a04
0x00c24a07
0x00c24a07
0x00c24a0d
0x00c24a2b
0x00c2497c
0x00c24993
0x00c24993

APIs

Part of subcall function 00C09610: _vswprintf_s.LIBCMT ref: 00C09643

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00C2496E
DeviceIoControl.KERNEL32 ref: 00C249BD
CloseHandle.KERNEL32(00000000), ref: 00C24A0D

Strings

\\.\%s, xrefs: 00C2493E
%02X%02X%02X%02X%02X%02X, xrefs: 00C249F8

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_vswprintf_s
String ID: %02X%02X%02X%02X%02X%02X$\\.\%s
API String ID: 2864800763-1525991222
Opcode ID: 4d0ffe0225b45187e50acf9ca95a30cadd8e0095a73085d6c235c437769cb377
Instruction ID: f686165b85239e0f6e78a4fda9efb150db546541500c47595601ff808b0c7917
Opcode Fuzzy Hash: 4d0ffe0225b45187e50acf9ca95a30cadd8e0095a73085d6c235c437769cb377
Instruction Fuzzy Hash: 4121D3B11483506FD224EB649C86FFFB7ECAB89714F40491DB6E582181D6789A48C772

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A190 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C1A190() {
				char _v8;
				struct HWND__* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;

				_v8 = 0;
				_v12 = FindWindowW(L"#32770", L"InstallerForChannel");
				while(_v12 == 0) {
					_v8 = _v8 + 1;
					if(_v8 >= 5) {
						break;
					}
					Sleep(0x3e8);
					_v12 = FindWindowW(L"#32770", L"InstallerForChannel");
				}
				if(_v12 == 0) {
					return 0;
				}
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v24 = 0x2711;
				_v20 = 0;
				_v16 = 0;
				return E00C1A150(_v12,  &_v24) & 0x000000ff;
			}

0x00c1a199
0x00c1a1b0
0x00c1a1b3
0x00c1a1c2
0x00c1a1c8
0x00000000
0x00000000
0x00c1a1cf
0x00c1a1e5
0x00c1a1e5
0x00c1a1ee
0x00000000
0x00c1a229
0x00c1a1f0
0x00c1a1f9
0x00c1a1fc
0x00c1a1ff
0x00c1a206
0x00c1a20d
0x00000000

APIs

FindWindowW.USER32(#32770,InstallerForChannel), ref: 00C1A1AA
Sleep.KERNEL32(000003E8), ref: 00C1A1CF
FindWindowW.USER32(#32770,InstallerForChannel), ref: 00C1A1DF

Strings

InstallerForChannel, xrefs: 00C1A1A0, 00C1A1D5
#32770, xrefs: 00C1A1A5, 00C1A1DA

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: FindWindow$Sleep
String ID: #32770$InstallerForChannel
API String ID: 891687636-1852972051
Opcode ID: 2538b6964fbb8882fec38cd18c5a76a84437fd4e739e202847d4830f904dea25
Instruction ID: 66046fe511c2eb8555c8694aab0774b42a6a1c3cc38db22bd8d8789c07cb1afa
Opcode Fuzzy Hash: 2538b6964fbb8882fec38cd18c5a76a84437fd4e739e202847d4830f904dea25
Instruction Fuzzy Hash: 97113974D01208EFEB00DFE9D9497EDBBF8FB45315F20406AE505A2280D7B55B849B62

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00C1E510(void** __ecx, short* _a4) {
				void** _v8;
				struct HINSTANCE__* _v12;

				_v8 = __ecx;
				do {
				} while (0 != 0 || 0 != 0);
				if(( *0xc5a544 & 0x000000ff) == 0) {
					_v12 = GetModuleHandleW(L"Advapi32.dll");
					if(_v12 != 0) {
						 *0xc5a540 = GetProcAddress(_v12, "RegDeleteKeyExW");
					}
					 *0xc5a544 = 1;
				}
				if( *0xc5a540 == 0) {
					return RegDeleteKeyW( *_v8, _a4);
				} else {
					return  *0xc5a540( *_v8, _a4, _v8[1], 0);
				}
			}

0x00c1e519
0x00c1e51c
0x00c1e51c
0x00c1e52d
0x00c1e53a
0x00c1e541
0x00c1e552
0x00c1e552
0x00c1e557
0x00c1e557
0x00c1e565
0x00000000
0x00c1e567
0x00000000
0x00c1e57a

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00C1E534
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C1E54C
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C1E58C

Strings

RegDeleteKeyExW, xrefs: 00C1E543
Advapi32.dll, xrefs: 00C1E52F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 588496660-2191092095
Opcode ID: 1afde49c23a817200a533bb2c9061b4432b7765ef3a953b1bf56ef6ebbec3eb9
Instruction ID: c1c9603e5bbbd66e470acf54c1790f8e5df569342fbaa3139df51075e020eb95
Opcode Fuzzy Hash: 1afde49c23a817200a533bb2c9061b4432b7765ef3a953b1bf56ef6ebbec3eb9
Instruction Fuzzy Hash: 8F116D78600204EFC714CFA9E848F9EBBB9BB4A345F108269F915E3250F7749E80EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C06390 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C06390() {
				char _v4;
				intOrPtr _v12;
				void* _t9;
				intOrPtr* _t11;

				_t11 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				_v4 = 0;
				if(_t11 == 0) {
					return 0;
				} else {
					_t9 =  *_t11(GetCurrentProcess(),  &_v4);
					if(_t9 != 0) {
						return _v12;
					}
					return _t9;
				}
			}

0x00c063a9
0x00c063ad
0x00c063b3
0x00c063d0
0x00c063b5
0x00c063c1
0x00c063c5
0x00000000
0x00c063ca
0x00c063c9
0x00c063c9

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00C06425), ref: 00C0639C
GetProcAddress.KERNEL32(00000000), ref: 00C063A3
GetCurrentProcess.KERNEL32(00C06425,?,00C06425), ref: 00C063BA

Strings

IsWow64Process, xrefs: 00C06392
kernel32, xrefs: 00C06397

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: f01e5bd20a041d024bc0affcafc6d6355b41d4a1ba487909343bc955984a65dd
Instruction ID: c705efc9c271c5b0b7a2409c58983ace424e967c543d757d2a396dd307c558ef
Opcode Fuzzy Hash: f01e5bd20a041d024bc0affcafc6d6355b41d4a1ba487909343bc955984a65dd
Instruction Fuzzy Hash: A2E080B6941310A7C7109FB4AD0CB5F7FD8FA45756B014825F515C3150D770C914ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C11650 Relevance: 7.7, APIs: 5, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00C11650(intOrPtr* __eax, long _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a28) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _v24;
				long* _v28;
				long* _v40;
				void* __edi;
				void* __esi;
				long _t49;
				signed int _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				long _t57;
				long _t63;
				int _t67;
				long _t71;
				long _t72;
				long _t73;
				int _t74;
				int _t76;
				long _t80;
				long _t81;
				long _t82;
				long _t83;
				union _LARGE_INTEGER* _t84;
				long* _t87;
				signed int _t95;
				intOrPtr* _t96;
				intOrPtr _t105;
				signed int _t106;
				long _t107;
				long _t109;
				void* _t110;
				signed int* _t111;

				_t111 =  &_v24;
				_t110 = __eax + 0xccc;
				_t49 =  *((intOrPtr*)(__eax));
				_v12 = _t49;
				__imp__GetFileSizeEx(_t49, _a28);
				if(_t49 != 0) {
					_t87 = _v4 + 8;
					_t103 = 0;
					_t84 = 0;
					__eflags = 0 - _v0;
					_v16 = 0;
					_v28 = _t87;
					do {
						if(__eflags != 0) {
							_t105 =  *((intOrPtr*)(_t87 - 8));
							_t51 =  *(_t87 - 4);
						} else {
							_t96 = _a20;
							_t105 =  *_t96;
							_t51 =  *(_t96 + 4);
						}
						_t106 = _t105 - _t103;
						asm("sbb eax, ebx");
						_t95 = (_t51 << 0x00000020 | _t106) >> 0xf;
						_t107 = _t106 & 0x00007fff;
						__eflags = _t107;
						_v24 = _t95;
						if(_t107 != 0) {
							_t95 = _t95 + 1;
							__eflags = _t95;
							_v24 = _t95;
						} else {
							_t107 = 0x8000;
						}
						__eflags = _t95;
						if(_t95 <= 0) {
							L19:
							_t53 = _v16;
							__eflags = _t53 - _v0;
							if(_t53 >= _v0) {
								goto L33;
							} else {
								_t108 =  *_t87;
								__eflags =  *_t87;
								if( *_t87 == 0) {
									break;
								} else {
									__eflags = _t87[2];
									if(_t87[2] != 0) {
										L27:
										_t109 = _a4;
										__eflags = _t109;
										if(_t109 == 0) {
											L32:
											_t84 =  *(_t87 - 4);
											_t53 = _v16;
											_t103 =  *_t87 +  *((intOrPtr*)(_t87 - 8));
											asm("adc ebx, edx");
											goto L33;
										} else {
											__eflags = _t87[1];
											if(_t87[1] == 0) {
												goto L32;
											} else {
												_t57 =  *_t87;
												__eflags = _t57 - 0x8000;
												if(_t57 > 0x8000) {
													E00C15590(8, 0xc53300);
													__eflags = 0;
													return 0;
												} else {
													E00C266B0(_t103, _t110, 0, _t57);
													_t111 =  &(_t111[3]);
													_t63 =  *_t109(_a8, _t110,  *_v28);
													__eflags = _t63;
													if(_t63 == 0) {
														goto L37;
													} else {
														_t87 = _v40;
														goto L32;
													}
												}
											}
										}
									} else {
										_push(0);
										_t103 = _v20;
										_t67 = SetFilePointerEx(_v20, _v20, _t84, 0);
										__eflags = _t67;
										if(_t67 == 0) {
											goto L1;
										} else {
											_t71 = E00C10690(_t103, _t108);
											__eflags = _t71;
											if(_t71 == 0) {
												goto L38;
											} else {
												_t72 = _a12;
												__eflags = _t72;
												if(_t72 == 0) {
													L26:
													_t87 = _v28;
													goto L27;
												} else {
													_t73 =  *_t72(_a16, _t110,  *_v28);
													__eflags = _t73;
													if(_t73 == 0) {
														goto L37;
													} else {
														goto L26;
													}
												}
											}
										}
									}
								}
							}
						} else {
							while(1) {
								_push(0);
								_t74 = SetFilePointerEx(_v20, _t103, _t84, 0);
								__eflags = _t74;
								if(_t74 == 0) {
									goto L1;
								}
								_t76 = ReadFile(_v20, _t110, _t107,  &_v12, 0);
								__eflags = _t76;
								if(_t76 == 0) {
									goto L1;
								} else {
									__eflags = _t107 - _v12;
									if(_t107 != _v12) {
										E00C15590(1, 0xc53300);
										__eflags = 0;
										return 0;
									} else {
										_t80 = _a4;
										__eflags = _t80;
										if(_t80 == 0) {
											L15:
											_t81 = _a12;
											__eflags = _t81;
											if(_t81 == 0) {
												L17:
												_t103 = _t103 + _t107;
												asm("adc ebx, 0x0");
												_t26 =  &_v24;
												 *_t26 = _v24 - 1;
												__eflags =  *_t26;
												_t107 = 0x8000;
												if( *_t26 != 0) {
													continue;
												} else {
													_t87 = _v28;
													goto L19;
												}
											} else {
												_t82 =  *_t81(_a16, _t110, _t107);
												__eflags = _t82;
												if(_t82 == 0) {
													goto L37;
												} else {
													goto L17;
												}
											}
										} else {
											_t83 =  *_t80(_a8, _t110, _t107);
											__eflags = _t83;
											if(_t83 == 0) {
												L37:
												E00C15590(0x11, 0xc53300);
												L38:
												__eflags = 0;
												return 0;
											} else {
												goto L15;
											}
										}
									}
								}
								goto L39;
							}
							goto L1;
						}
						goto L39;
						L33:
						_t54 = _t53 + 1;
						_t87 =  &(_t87[6]);
						_v16 = _t54;
						_v28 = _t87;
						__eflags = _t54 - _v0;
					} while (__eflags <= 0);
					return 1;
				} else {
					L1:
					E00C152E0(0xc53300, 0xc53300);
					return 0;
				}
				L39:
			}

0x00c11650
0x00c1165b
0x00c11661
0x00c11665
0x00c11669
0x00c11671
0x00c11695
0x00c11698
0x00c1169a
0x00c1169c
0x00c116a0
0x00c116a4
0x00c116a8
0x00c116a8
0x00c116b7
0x00c116ba
0x00c116aa
0x00c116aa
0x00c116ae
0x00c116b2
0x00c116b2
0x00c116bd
0x00c116bf
0x00c116c3
0x00c116ca
0x00c116ca
0x00c116d0
0x00c116d4
0x00c116dd
0x00c116dd
0x00c116de
0x00c116d6
0x00c116d6
0x00c116d6
0x00c116e2
0x00c116e4
0x00c11774
0x00c11774
0x00c11778
0x00c1177c
0x00000000
0x00c11782
0x00c11782
0x00c11784
0x00c11786
0x00000000
0x00c1178c
0x00c1178c
0x00c11790
0x00c117df
0x00c117df
0x00c117e3
0x00c117e5
0x00c11819
0x00c1181b
0x00c1181e
0x00c11824
0x00c11827
0x00000000
0x00c117e7
0x00c117e7
0x00c117eb
0x00000000
0x00c117ed
0x00c117ed
0x00c117ef
0x00c117f4
0x00c11872
0x00c1187a
0x00c11883
0x00c117f6
0x00c117fa
0x00c11809
0x00c1180f
0x00c11811
0x00c11813
0x00000000
0x00c11815
0x00c11815
0x00000000
0x00c11815
0x00c11813
0x00c117f4
0x00c117eb
0x00c11792
0x00c11792
0x00c11798
0x00c1179d
0x00c117a3
0x00c117a5
0x00000000
0x00c117ab
0x00c117af
0x00c117b4
0x00c117b6
0x00000000
0x00c117bc
0x00c117bc
0x00c117c0
0x00c117c2
0x00c117db
0x00c117db
0x00000000
0x00c117c4
0x00c117d1
0x00c117d3
0x00c117d5
0x00000000
0x00000000
0x00000000
0x00000000
0x00c117d5
0x00c117c2
0x00c117b6
0x00c117a5
0x00c11790
0x00c11786
0x00c116ea
0x00c116ea
0x00c116ee
0x00c116f5
0x00c116fb
0x00c116fd
0x00000000
0x00000000
0x00c11711
0x00c11717
0x00c11719
0x00000000
0x00c1171f
0x00c1171f
0x00c11723
0x00c11856
0x00c1185e
0x00c11867
0x00c11729
0x00c11729
0x00c1172d
0x00c1172f
0x00c11742
0x00c11742
0x00c11746
0x00c11748
0x00c1175b
0x00c1175b
0x00c1175d
0x00c11760
0x00c11760
0x00c11760
0x00c11765
0x00c1176a
0x00000000
0x00c11770
0x00c11770
0x00000000
0x00c11770
0x00c1174a
0x00c11751
0x00c11753
0x00c11755
0x00000000
0x00000000
0x00000000
0x00000000
0x00c11755
0x00c11731
0x00c11738
0x00c1173a
0x00c1173c
0x00c11884
0x00c1188e
0x00c11899
0x00c11899
0x00c1189f
0x00000000
0x00000000
0x00000000
0x00c1173c
0x00c1172f
0x00c11723
0x00000000
0x00c11719
0x00000000
0x00c116ea
0x00000000
0x00c11829
0x00c11829
0x00c1182a
0x00c1182d
0x00c11831
0x00c11835
0x00c11835
0x00c1184b
0x00c11673
0x00c11673
0x00c1167d
0x00c1168e
0x00c1168e
0x00000000

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00C0EE40,?,?,?,?,?,?,?,?), ref: 00C11669
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00C116F5
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 00C11711
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00C1179D

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: File$Pointer$ReadSize
String ID:
API String ID: 1971422761-0
Opcode ID: 851802708f18efddcae7c6eff48c1d26fb8a0d41c87a45121215af82576285a9
Instruction ID: 8f29e2f597b447f68e919e94d81d0e2df7d0a777073a0f8708b0301de09810b8
Opcode Fuzzy Hash: 851802708f18efddcae7c6eff48c1d26fb8a0d41c87a45121215af82576285a9
Instruction Fuzzy Hash: 3761E335B042009BE710DA25DC40BABB7E8FBC6754F19446CFE54D7280DA3AEE45D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D1B0 Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C1D1B0(WCHAR** __ecx, short* _a4) {
				WCHAR** _v8;
				short* _v12;
				WCHAR* _v16;
				signed int _v20;
				intOrPtr _v24;
				WCHAR* _v28;
				signed int _v32;
				intOrPtr _v36;

				_v8 = __ecx;
				E00C1D100(_v8);
				if(( *( *_v8) & 0x0000ffff) != 0) {
					_v12 = _a4;
					if(( *( *_v8) & 0x0000ffff) != 0x27) {
						while(( *( *_v8) & 0x0000ffff) != 0 && E00C1D140(_v8,  *( *_v8) & 0x0000ffff) == 0) {
							_v28 =  *_v8;
							 *_v8 = CharNextW( *_v8);
							_v32 =  *_v8 - _v28 >> 1;
							_t58 = _v32 * 2; // 0x2
							if(_a4 + _t58 + 2 < _v12 + 0x2000) {
								_v36 = 0;
								while(_v36 < _v32) {
									 *_a4 =  *_v28;
									_v36 = _v36 + 1;
									_a4 = _a4 + 2;
									_v28 =  &(_v28[1]);
								}
								continue;
							}
							return E00C1D080(_v8, 0x215);
						}
						 *_a4 = 0;
						L28:
						return 0;
					}
					 *_v8 = CharNextW( *_v8);
					while(( *( *_v8) & 0x0000ffff) != 0 && E00C1D3E0(_v8) == 0) {
						if(( *( *_v8) & 0x0000ffff) == 0x27) {
							 *_v8 = CharNextW( *_v8);
						}
						_v16 =  *_v8;
						 *_v8 = CharNextW( *_v8);
						_v20 =  *_v8 - _v16 >> 1;
						_t25 = _v20 * 2; // 0x2
						if(_a4 + _t25 + 2 < _v12 + 0x2000) {
							_v24 = 0;
							while(_v24 < _v20) {
								 *_a4 =  *_v16;
								_v24 = _v24 + 1;
								_a4 = _a4 + 2;
								_v16 =  &(_v16[1]);
							}
							continue;
						} else {
							return E00C1D080(_v8, 0x215);
						}
					}
					if(( *( *_v8) & 0x0000ffff) != 0) {
						 *_a4 = 0;
						 *_v8 = CharNextW( *_v8);
						goto L28;
					}
					return E00C1D080(_v8, 0x203);
				}
				return E00C1D080(_v8, 0x203);
			}

0x00c1d1b9
0x00c1d1bf
0x00c1d1ce
0x00c1d1e5
0x00c1d1f3
0x00c1d311
0x00c1d33f
0x00c1d351
0x00c1d35d
0x00c1d366
0x00c1d374
0x00c1d385
0x00c1d3a9
0x00c1d3ba
0x00c1d394
0x00c1d39d
0x00c1d3a6
0x00c1d3a6
0x00000000
0x00c1d3bf
0x00000000
0x00c1d37e
0x00c1d3c9
0x00c1d3cc
0x00000000
0x00c1d3cc
0x00c1d208
0x00c1d20a
0x00c1d235
0x00c1d246
0x00c1d246
0x00c1d24d
0x00c1d25f
0x00c1d26b
0x00c1d274
0x00c1d282
0x00c1d296
0x00c1d2ba
0x00c1d2cb
0x00c1d2a5
0x00c1d2ae
0x00c1d2b7
0x00c1d2b7
0x00000000
0x00c1d284
0x00000000
0x00c1d28c
0x00c1d282
0x00c1d2df
0x00c1d2f8
0x00c1d30a
0x00000000
0x00c1d30a
0x00000000
0x00c1d2e9
0x00000000

APIs

Part of subcall function 00C1D100: CharNextW.USER32(?,?), ref: 00C1D127

CharNextW.USER32 ref: 00C1D1FF
CharNextW.USER32 ref: 00C1D23D
CharNextW.USER32 ref: 00C1D256

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 04dc36a3dac778a2600b6d819e82a0b69fcd49ddc6fbb4822ef2b98ba3bc0ae4
Instruction ID: 88e59ecf9108fda6c930175da3504c1e47a95f43c81380329e1675f0a41b3b20
Opcode Fuzzy Hash: 04dc36a3dac778a2600b6d819e82a0b69fcd49ddc6fbb4822ef2b98ba3bc0ae4
Instruction Fuzzy Hash: 2671E074A00219DFCB14CF99C591AFDB7B2FF8A304F204599E916AB364D731AE80EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C17CB0 Relevance: 7.6, APIs: 5, Instructions: 89
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C17CB0() {
				long _v8;
				char _v16;
				intOrPtr _v20;
				long _v24;
				char _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t16;
				long _t19;
				void* _t20;
				void* _t21;
				void* _t27;
				void** _t36;
				void* _t51;
				signed int _t52;
				void* _t53;

				_push(0xffffffff);
				_push(0xc4ca40);
				_push( *[fs:0x0]);
				_t16 =  *0xc58320; // 0x96c0a7a
				_push(_t16 ^ _t52);
				 *[fs:0x0] =  &_v16;
				_v20 = _t53 - 0x10;
				_t36 =  *0xc5c1f8;
				if(_t36 != 0) {
					_t19 = _t36[1];
					if(_t19 != 0xffffffff) {
						_t20 = TlsGetValue(_t19);
						_v24 = _t20;
						if(_t20 != 0) {
							goto L16;
						} else {
							_t36 =  *0xc5c1f8;
							goto L6;
						}
					} else {
						_v24 = 0;
						L6:
						_t21 =  *_t36;
						if(_t21 == 0 || WaitForSingleObject(_t21, 0xffffffff) != 0) {
							goto L1;
						} else {
							_v8 = 0;
							_t51 = E00C17DD0(0xc5c1f8, 0, _t52);
							_v24 = _t51;
							if(_t51 == 0) {
								_v28 = 1;
								E00C291AE( &_v28, 0xc559d0);
							}
							if(E00C18060( *0xc5c1f8, _t51) == 0) {
								_v32 = 4;
								E00C291AE( &_v32, 0xc559d0);
							}
							_v8 = 0xffffffff;
							_t27 =  *( *0xc5c1f8);
							if(_t27 != 0) {
								ReleaseMutex(_t27);
							}
							_t20 = _t51;
							L16:
							 *[fs:0x0] = _v16;
							return _t20;
						}
					}
				} else {
					L1:
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00c17cb3
0x00c17cb5
0x00c17cc0
0x00c17cc7
0x00c17cce
0x00c17cd2
0x00c17cd8
0x00c17cdb
0x00c17ce5
0x00c17cfb
0x00c17d01
0x00c17d09
0x00c17d0f
0x00c17d14
0x00000000
0x00c17d1a
0x00c17d1a
0x00000000
0x00c17d1a
0x00c17d03
0x00c17d03
0x00c17d20
0x00c17d20
0x00c17d24
0x00000000
0x00c17d33
0x00c17d33
0x00c17d40
0x00c17d42
0x00c17d47
0x00c17d49
0x00c17d59
0x00c17d59
0x00c17d6c
0x00c17d6e
0x00c17d7e
0x00c17d7e
0x00c17d83
0x00c17dae
0x00c17db2
0x00c17db5
0x00c17db5
0x00c17dbb
0x00c17dbd
0x00c17dc0
0x00c17dce
0x00c17dce
0x00c17d24
0x00c17ce7
0x00c17ce7
0x00c17cec
0x00c17cfa
0x00c17cfa

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,74CB4C30,00C53300), ref: 00C17D29
__CxxThrowException@8.LIBCMT ref: 00C17D59
__CxxThrowException@8.LIBCMT ref: 00C17D7E
ReleaseMutex.KERNEL32(00000000,?,74CB4C30,00C53300), ref: 00C17DB5

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Exception@8Throw$MutexObjectReleaseSingleWait
String ID:
API String ID: 1745458856-0
Opcode ID: db42877ae18321a4fb5b158580d7be91fc6b0ff6990c9cefac2127ea1e2a1d55
Instruction ID: 190d48bacd8a726ef61777aa894410b17dded20e80d4bfc3035b9061b338f1c4
Opcode Fuzzy Hash: db42877ae18321a4fb5b158580d7be91fc6b0ff6990c9cefac2127ea1e2a1d55
Instruction Fuzzy Hash: CF31E875A087099FDB10DF68EC85BAEB7B8FF46724F200319E821E3280DB3199809790

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DA16 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00C2DA16(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xc54ef8);
				E00C286FC(__ebx, __edi, __esi);
				_t31 = E00C2F4FC(__ebx, _t35);
				_t15 =  *0xc58a54; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00C3135A(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xc58958; // 0x2602b88
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0xc58530;
								if(__eflags != 0) {
									_push(_t33);
									E00C27501(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0xc58958; // 0x2602b88
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xc58958; // 0x2602b88
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00C2DAB1();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00C287C5(_t29, 0x20);
				}
				return E00C28741(_t33);
			}

0x00c2da16
0x00c2da16
0x00c2da16
0x00c2da16
0x00c2da18
0x00c2da1d
0x00c2da27
0x00c2da29
0x00c2da31
0x00c2da52
0x00c2da58
0x00c2da5c
0x00c2da5f
0x00c2da62
0x00c2da68
0x00c2da6a
0x00c2da6c
0x00c2da6f
0x00c2da75
0x00c2da77
0x00c2da79
0x00c2da7f
0x00c2da81
0x00c2da82
0x00c2da87
0x00c2da7f
0x00c2da77
0x00c2da88
0x00c2da8d
0x00c2da90
0x00c2da96
0x00c2da9a
0x00c2da9a
0x00c2daa0
0x00c2daa7
0x00c2da39
0x00c2da39
0x00c2da39
0x00c2da3e
0x00c2da42
0x00c2da47
0x00c2da4f

APIs

__getptd.LIBCMT ref: 00C2DA22

Part of subcall function 00C2F4FC: __getptd_noexit.LIBCMT ref: 00C2F4FF
Part of subcall function 00C2F4FC: __amsg_exit.LIBCMT ref: 00C2F50C

__amsg_exit.LIBCMT ref: 00C2DA42
__lock.LIBCMT ref: 00C2DA52
InterlockedDecrement.KERNEL32(?), ref: 00C2DA6F
InterlockedIncrement.KERNEL32(02602B88), ref: 00C2DA9A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 9a8c290a16a0c4af60d8bece7a688839efa0cfb375972df6db30872244a6e427
Instruction ID: 703fca3e41c947260d560473b8ccfbe781f4b7afc6e4320276bd7aa86e4e3f10
Opcode Fuzzy Hash: 9a8c290a16a0c4af60d8bece7a688839efa0cfb375972df6db30872244a6e427
Instruction Fuzzy Hash: 3901CE35D05731DBDA10AB24B806B5E7360BF20711F110105E822B3A81CF305AC6EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C1C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C1C1C0(void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				char _v52;
				signed int _v56;
				intOrPtr _v64;
				char _v76;
				short _v596;
				struct HINSTANCE__* _v600;
				long _v604;
				WCHAR* _v608;
				char _v1648;
				signed int _v1652;
				char _v2698;
				char _v2700;
				signed int _v2704;
				char* _v2708;
				intOrPtr _v2712;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t111;
				signed char _t129;
				signed int _t131;
				signed int _t145;
				struct HINSTANCE__* _t158;
				intOrPtr _t177;
				intOrPtr _t219;
				intOrPtr _t220;
				signed int _t221;
				void* _t222;
				void* _t224;
				void* _t225;

				_t111 =  *0xc58320; // 0x96c0a7a
				_v8 = _t111 ^ _t221;
				E00C1F0B0( &_v52);
				_v56 = E00C1C820( &_v52);
				_t229 = _v56;
				if(_v56 >= 0) {
					__eflags = _a16;
					if(_a16 == 0) {
						L5:
						_v56 =  *((intOrPtr*)( *((intOrPtr*)( *_a4 + 0x14))))( &_v52);
						__eflags = _v56;
						if(__eflags >= 0) {
							_v64 = E00C02500();
							E00C1F5A0( &_v76);
							_v600 = E00C1C600(0xc5a92c);
							_v604 = GetModuleFileNameW(_v600,  &_v596, 0x104);
							__eflags = _v604;
							if(_v604 != 0) {
								__eflags = _v604 - 0x104;
								if(_v604 != 0x104) {
									_v608 = 0;
									_push(0x400);
									_v608 = E00C1C5E0( &_v596);
									E00C1C620(_v608,  &_v1648, 0x208, _v608);
									_t224 = _t222 + 0x14;
									__eflags = _v600;
									if(_v600 == 0) {
										L13:
										_v2700 = 0x22;
										_t129 = E00C1C580( &_v2698, 0x20b,  &_v1648);
										_t225 = _t224 + 0xc;
										_t215 = _t129 & 0x000000ff;
										__eflags = _t129 & 0x000000ff;
										if((_t129 & 0x000000ff) != 0) {
											_t131 = E00C1C560( &_v2700);
											_t224 = _t225 + 4;
											_v2704 = _t131;
											 *((short*)(_t221 + _v2704 * 2 - 0xa88)) = 0x22;
											 *((short*)(_t221 + _v2704 * 2 - 0xa86)) = 0;
											_v1652 = E00C1C8B0( &_v52, L"Module",  &_v2700);
											L17:
											__eflags = _v1652;
											if(_v1652 >= 0) {
												_v1652 = E00C1C8B0( &_v52, L"Module_Raw",  &_v1648);
												__eflags = _v1652;
												if(_v1652 >= 0) {
													_v2708 = L"REGISTRY";
													_push(0x400);
													_v2712 = E00C1C5C0(_a8);
													__eflags = _a12;
													if(_a12 == 0) {
														_v2812 = E00C1CDA0( &_v52, _v608, _v2712, _v2708);
													} else {
														_v2812 = E00C1CB10( &_v52, _v608, _v2712, _v2708);
													}
													_t215 = _v2812;
													_v56 = _v2812;
													_v2780 = _v56;
													E00C1F5C0( &_v76);
													E00C1C6D0( &_v52, __eflags);
													_t145 = _v2780;
												} else {
													_v2784 = _v1652;
													E00C1F5C0( &_v76);
													E00C1C6D0( &_v52, __eflags);
													_t145 = _v2784;
												}
											} else {
												_v2788 = _v1652;
												E00C1F5C0( &_v76);
												E00C1C6D0( &_v52, __eflags);
												_t145 = _v2788;
											}
											goto L25;
										}
										_v2792 = 0x80004005;
										E00C1F5C0( &_v76);
										E00C1C6D0( &_v52, __eflags);
										_t145 = _v2792;
										goto L25;
									}
									_t158 = GetModuleHandleW(0);
									__eflags = _v600 - _t158;
									if(_v600 != _t158) {
										_v1652 = E00C1C8B0( &_v52, L"Module",  &_v1648);
										goto L17;
									}
									goto L13;
								}
								_v2796 = E00C0D2C0(0x7a);
								E00C1F5C0( &_v76);
								E00C1C6D0( &_v52, __eflags);
								_t145 = _v2796;
								goto L25;
							}
							_v2800 = E00C0D2E0();
							E00C1F5C0( &_v76);
							E00C1C6D0( &_v52, __eflags);
							_t145 = _v2800;
							goto L25;
						}
						_v2804 = _v56;
						E00C1C6D0( &_v52, __eflags);
						_t145 = _v2804;
						goto L25;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						__eflags =  *_a16;
						if( *_a16 == 0) {
							goto L5;
						}
						E00C1C8B0( &_v52,  *_a16,  *((intOrPtr*)(_a16 + 4)));
						_a16 = _a16 + 8;
					}
					goto L5;
				} else {
					_v2808 = _v56;
					E00C1C6D0( &_v52, _t229);
					_t145 = _v2808;
					L25:
					return E00C2669E(_t145, _t177, _v8 ^ _t221, _t215, _t219, _t220);
				}
			}

0x00c1c1c9
0x00c1c1d0
0x00c1c1d9
0x00c1c1e6
0x00c1c1e9
0x00c1c1ed
0x00c1c20b
0x00c1c20f
0x00c1c23a
0x00c1c24b
0x00c1c24e
0x00c1c252
0x00c1c275
0x00c1c27b
0x00c1c28a
0x00c1c2a9
0x00c1c2af
0x00c1c2b6
0x00c1c2e0
0x00c1c2ea
0x00c1c317
0x00c1c321
0x00c1c335
0x00c1c34e
0x00c1c353
0x00c1c356
0x00c1c35d
0x00c1c373
0x00c1c378
0x00c1c392
0x00c1c397
0x00c1c39a
0x00c1c39d
0x00c1c39f
0x00c1c3cd
0x00c1c3d2
0x00c1c3d5
0x00c1c3e6
0x00c1c3f6
0x00c1c413
0x00c1c436
0x00c1c436
0x00c1c43d
0x00c1c47b
0x00c1c481
0x00c1c488
0x00c1c4b1
0x00c1c4bb
0x00c1c4cc
0x00c1c4d2
0x00c1c4d6
0x00c1c51c
0x00c1c4d8
0x00c1c4f6
0x00c1c4f6
0x00c1c522
0x00c1c528
0x00c1c52e
0x00c1c537
0x00c1c53f
0x00c1c544
0x00c1c48a
0x00c1c490
0x00c1c499
0x00c1c4a1
0x00c1c4a6
0x00c1c4a6
0x00c1c43f
0x00c1c445
0x00c1c44e
0x00c1c456
0x00c1c45b
0x00c1c45b
0x00000000
0x00c1c43d
0x00c1c3a1
0x00c1c3ae
0x00c1c3b6
0x00c1c3bb
0x00000000
0x00c1c3bb
0x00c1c361
0x00c1c367
0x00c1c36d
0x00c1c430
0x00000000
0x00c1c430
0x00000000
0x00c1c36d
0x00c1c2f6
0x00c1c2ff
0x00c1c307
0x00c1c30c
0x00000000
0x00c1c30c
0x00c1c2bd
0x00c1c2c6
0x00c1c2ce
0x00c1c2d3
0x00000000
0x00c1c2d3
0x00c1c257
0x00c1c260
0x00c1c265
0x00000000
0x00000000
0x00000000
0x00000000
0x00c1c211
0x00c1c211
0x00c1c214
0x00c1c217
0x00000000
0x00000000
0x00c1c22a
0x00c1c235
0x00c1c235
0x00000000
0x00c1c1ef
0x00c1c1f2
0x00c1c1fb
0x00c1c200
0x00c1c54d
0x00c1c55a
0x00c1c55a

Strings

Module_Raw, xrefs: 00C1C46D
Module, xrefs: 00C1C405, 00C1C422

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID: Module$Module_Raw
API String ID: 0-3885325121
Opcode ID: f1f6679d02d5d6e89efaa76becc3150a0e7b1457f9d3d67f2f88af780ce1302f
Instruction ID: 08a3301ed892de85213fe1ccb0e2fcb7158716e740cee6f66eaecccdb7edd909
Opcode Fuzzy Hash: f1f6679d02d5d6e89efaa76becc3150a0e7b1457f9d3d67f2f88af780ce1302f
Instruction Fuzzy Hash: 1FA12AB1A502189BDB14DFA4DC95BEEB3B5BF56300F0040A9F40AA7241EB74AEC5EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F130 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C1F130(void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				char _v52;
				signed int _v56;
				intOrPtr _v64;
				char _v76;
				short _v596;
				struct HINSTANCE__* _v600;
				long _v604;
				WCHAR* _v608;
				char _v1648;
				signed int _v1652;
				char _v2698;
				char _v2700;
				signed int _v2704;
				char* _v2708;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t109;
				signed char _t127;
				signed int _t141;
				struct HINSTANCE__* _t154;
				intOrPtr _t173;
				intOrPtr _t215;
				intOrPtr _t216;
				signed int _t217;

				_t109 =  *0xc58320; // 0x96c0a7a
				_v8 = _t109 ^ _t217;
				E00C1F0B0( &_v52);
				_v56 = E00C1C820( &_v52);
				_t225 = _v56;
				if(_v56 >= 0) {
					__eflags = _a16;
					if(_a16 == 0) {
						L5:
						_v56 =  *((intOrPtr*)( *((intOrPtr*)( *_a4 + 0x14))))( &_v52);
						__eflags = _v56;
						if(__eflags >= 0) {
							_v64 = E00C02500();
							E00C1F5A0( &_v76);
							_v600 = E00C1C600(0xc5a92c);
							_v604 = GetModuleFileNameW(_v600,  &_v596, 0x104);
							__eflags = _v604;
							if(_v604 != 0) {
								__eflags = _v604 - 0x104;
								if(_v604 != 0x104) {
									_v608 = 0;
									_push(0x400);
									_v608 = E00C1C5E0( &_v596);
									E00C1C620(_v608,  &_v1648, 0x208, _v608);
									__eflags = _v600;
									if(_v600 == 0) {
										L13:
										_v2700 = 0x22;
										_t127 = E00C1C580( &_v2698, 0x20b,  &_v1648);
										_t211 = _t127 & 0x000000ff;
										__eflags = _t127 & 0x000000ff;
										if((_t127 & 0x000000ff) != 0) {
											_v2704 = E00C1C560( &_v2700);
											 *((short*)(_t217 + _v2704 * 2 - 0xa88)) = 0x22;
											 *((short*)(_t217 + _v2704 * 2 - 0xa86)) = 0;
											_v1652 = E00C1C8B0( &_v52, L"Module",  &_v2700);
											L17:
											__eflags = _v1652;
											if(_v1652 >= 0) {
												_v1652 = E00C1C8B0( &_v52, L"Module_Raw",  &_v1648);
												__eflags = _v1652;
												if(_v1652 >= 0) {
													_v2708 = L"REGISTRY";
													__eflags = _a12;
													if(__eflags == 0) {
														_v2808 = E00C1F510(__eflags,  &_v52, _v608, _a8, _v2708);
													} else {
														_v2808 = E00C1F4B0(__eflags,  &_v52, _v608, _a8, _v2708);
													}
													_t211 = _v2808;
													_v56 = _v2808;
													_v2776 = _v56;
													E00C1F5C0( &_v76);
													E00C1C6D0( &_v52, __eflags);
													_t141 = _v2776;
												} else {
													_v2780 = _v1652;
													E00C1F5C0( &_v76);
													E00C1C6D0( &_v52, __eflags);
													_t141 = _v2780;
												}
											} else {
												_v2784 = _v1652;
												E00C1F5C0( &_v76);
												E00C1C6D0( &_v52, __eflags);
												_t141 = _v2784;
											}
											goto L25;
										}
										_v2788 = 0x80004005;
										E00C1F5C0( &_v76);
										E00C1C6D0( &_v52, __eflags);
										_t141 = _v2788;
										goto L25;
									}
									_t154 = GetModuleHandleW(0);
									__eflags = _v600 - _t154;
									if(_v600 != _t154) {
										_v1652 = E00C1C8B0( &_v52, L"Module",  &_v1648);
										goto L17;
									}
									goto L13;
								}
								_v2792 = E00C0D2C0(0x7a);
								E00C1F5C0( &_v76);
								E00C1C6D0( &_v52, __eflags);
								_t141 = _v2792;
								goto L25;
							}
							_v2796 = E00C0D2E0();
							E00C1F5C0( &_v76);
							E00C1C6D0( &_v52, __eflags);
							_t141 = _v2796;
							goto L25;
						}
						_v2800 = _v56;
						E00C1C6D0( &_v52, __eflags);
						_t141 = _v2800;
						goto L25;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						__eflags =  *_a16;
						if( *_a16 == 0) {
							goto L5;
						}
						E00C1C8B0( &_v52,  *_a16,  *((intOrPtr*)(_a16 + 4)));
						_a16 = _a16 + 8;
					}
					goto L5;
				} else {
					_v2804 = _v56;
					E00C1C6D0( &_v52, _t225);
					_t141 = _v2804;
					L25:
					return E00C2669E(_t141, _t173, _v8 ^ _t217, _t211, _t215, _t216);
				}
			}

0x00c1f139
0x00c1f140
0x00c1f149
0x00c1f156
0x00c1f159
0x00c1f15d
0x00c1f17b
0x00c1f17f
0x00c1f1aa
0x00c1f1bb
0x00c1f1be
0x00c1f1c2
0x00c1f1e5
0x00c1f1eb
0x00c1f1fa
0x00c1f219
0x00c1f21f
0x00c1f226
0x00c1f250
0x00c1f25a
0x00c1f287
0x00c1f291
0x00c1f2a5
0x00c1f2be
0x00c1f2c6
0x00c1f2cd
0x00c1f2e3
0x00c1f2e8
0x00c1f302
0x00c1f30a
0x00c1f30d
0x00c1f30f
0x00c1f345
0x00c1f356
0x00c1f366
0x00c1f383
0x00c1f3a6
0x00c1f3a6
0x00c1f3ad
0x00c1f3eb
0x00c1f3f1
0x00c1f3f8
0x00c1f41e
0x00c1f428
0x00c1f42c
0x00c1f46c
0x00c1f42e
0x00c1f449
0x00c1f449
0x00c1f472
0x00c1f478
0x00c1f47e
0x00c1f487
0x00c1f48f
0x00c1f494
0x00c1f3fa
0x00c1f400
0x00c1f409
0x00c1f411
0x00c1f416
0x00c1f416
0x00c1f3af
0x00c1f3b5
0x00c1f3be
0x00c1f3c6
0x00c1f3cb
0x00c1f3cb
0x00000000
0x00c1f3ad
0x00c1f311
0x00c1f31e
0x00c1f326
0x00c1f32b
0x00000000
0x00c1f32b
0x00c1f2d1
0x00c1f2d7
0x00c1f2dd
0x00c1f3a0
0x00000000
0x00c1f3a0
0x00000000
0x00c1f2dd
0x00c1f266
0x00c1f26f
0x00c1f277
0x00c1f27c
0x00000000
0x00c1f27c
0x00c1f22d
0x00c1f236
0x00c1f23e
0x00c1f243
0x00000000
0x00c1f243
0x00c1f1c7
0x00c1f1d0
0x00c1f1d5
0x00000000
0x00000000
0x00000000
0x00000000
0x00c1f181
0x00c1f181
0x00c1f184
0x00c1f187
0x00000000
0x00000000
0x00c1f19a
0x00c1f1a5
0x00c1f1a5
0x00000000
0x00c1f15f
0x00c1f162
0x00c1f16b
0x00c1f170
0x00c1f49d
0x00c1f4aa
0x00c1f4aa

Strings

Module_Raw, xrefs: 00C1F3DD
Module, xrefs: 00C1F375, 00C1F392

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID:
String ID: Module$Module_Raw
API String ID: 0-3885325121
Opcode ID: b6f2c2e4485512a3b77e62c123917445528459be46c7ae38450130a30be75e95
Instruction ID: 659d985e9c85ce96c20efa3300efa59829719bc5627df1346eef20397e681c5a
Opcode Fuzzy Hash: b6f2c2e4485512a3b77e62c123917445528459be46c7ae38450130a30be75e95
Instruction Fuzzy Hash: 8FA1F771A102189BDB14EFA4DC85BEEB3B5BF56300F0041A9F40AA7241EB709EC6EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C04950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E00C04950(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				signed int _t47;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				unsigned int _t65;
				intOrPtr _t67;
				unsigned int _t71;
				signed int _t72;
				signed int _t73;
				intOrPtr _t88;
				signed int _t92;
				signed int _t97;
				intOrPtr _t98;
				void* _t99;

				_push(0xffffffff);
				_push(0xc4cb60);
				_push( *[fs:0x0]);
				_t98 = _t97 - 0x1c;
				_t44 =  *0xc58320; // 0x96c0a7a
				_push(_t44 ^ _t97);
				 *[fs:0x0] =  &_v16;
				_v20 = _t98;
				_t88 = __ecx;
				_v24 = __ecx;
				_t47 = _a4;
				_t92 = _t47 | 0x0000000f;
				if(_t92 <= 0xfffffffe) {
					_t65 =  *(__ecx + 0x18);
					_t47 = 0xaaaaaaab * _t92;
					_t71 = _t65 >> 1;
					__eflags = 0xaaaaaaab * _t92 >> 0x20 >> 1 - _t71;
					if(__eflags < 0) {
						_t47 = 0xfffffffe - _t71;
						__eflags = _t65 - 0xfffffffe;
						if(__eflags <= 0) {
							_t92 = _t71 + _t65;
						}
					}
				} else {
					_t92 = _t47;
				}
				_t72 = _t92 + 1;
				_v8 = 0;
				if(_t72 > 0) {
					__eflags = (_t47 | 0xffffffff) / _t72 - 1;
					if(__eflags >= 0) {
						goto L7;
					} else {
						_v28 = 0;
						E00C28BA7( &_v44,  &_v28);
						_v44 = 0xc4fb04;
						E00C291AE( &_v44, 0xc55968);
						_t59 = _a4;
						_v32 = _t59;
						__eflags = _t59 + 1;
						_v20 = _t98;
						_v8 = 2;
						_a4 = E00C04CE0(0,  &_v44, _t88, _t59 + 1);
						return 0xc04a1f;
					}
				} else {
					_t72 = 0;
					L7:
					_t51 = E00C275AA(0, _t88, 0, _t72);
					_t99 = _t98 + 4;
					_a4 = _t51;
					_t67 = _a8;
					if(_t67 > 0) {
						if( *(_t88 + 0x18) < 0x10) {
							_t54 = _t88 + 4;
						} else {
							_t54 =  *(_t88 + 4);
						}
						E00C269C3(_t67, _a4, _a4, _t92 + 1, _t54, _t67);
						_t99 = _t99 + 0x10;
					}
					_t107 =  *(_t88 + 0x18) - 0x10;
					if( *(_t88 + 0x18) >= 0x10) {
						E00C2657F(_t67,  *(_t88 + 4), _t88, _t92, _t107,  *(_t88 + 4));
					}
					_t73 = _a4;
					_t52 = _t88 + 4;
					 *_t52 = 0;
					 *_t52 = _t73;
					 *(_t88 + 0x18) = _t92;
					 *((intOrPtr*)(_t88 + 0x14)) = _t67;
					if(_t92 >= 0x10) {
						_t52 = _t73;
					}
					 *((char*)(_t52 + _t67)) = 0;
					 *[fs:0x0] = _v16;
					return _t52;
				}
			}

0x00c04953
0x00c04955
0x00c04960
0x00c04961
0x00c04967
0x00c0496e
0x00c04972
0x00c04978
0x00c0497b
0x00c0497d
0x00c04980
0x00c04985
0x00c0498b
0x00c04991
0x00c04999
0x00c0499d
0x00c049a1
0x00c049a3
0x00c049aa
0x00c049ac
0x00c049ae
0x00c049b0
0x00c049b0
0x00c049ae
0x00c0498d
0x00c0498d
0x00c0498d
0x00c049b5
0x00c049b8
0x00c049bd
0x00c049d6
0x00c049d9
0x00000000
0x00c049db
0x00c049e2
0x00c049e5
0x00c049f3
0x00c049fa
0x00c049ff
0x00c04a05
0x00c04a08
0x00c04a09
0x00c04a0d
0x00c04a16
0x00c04a1e
0x00c04a1e
0x00c049bf
0x00c049bf
0x00c049c1
0x00c049c2
0x00c049c7
0x00c049ca
0x00c04a25
0x00c04a2a
0x00c04a30
0x00c04a37
0x00c04a32
0x00c04a32
0x00c04a32
0x00c04a44
0x00c04a49
0x00c04a49
0x00c04a4c
0x00c04a50
0x00c04a56
0x00c04a5b
0x00c04a5e
0x00c04a61
0x00c04a64
0x00c04a67
0x00c04a69
0x00c04a6c
0x00c04a72
0x00c04a74
0x00c04a74
0x00c04a76
0x00c04a7d
0x00c04a8b
0x00c04a8b

APIs

std::exception::exception.LIBCMT ref: 00C049E5
__CxxThrowException@8.LIBCMT ref: 00C049FA
_memcpy_s.LIBCMT ref: 00C04A44

Strings

zl, xrefs: 00C04950

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Exception@8Throw_memcpy_sstd::exception::exception
String ID: zl
API String ID: 464988439-2563081789
Opcode ID: 2e84bf016567701c35f21a276f720300fb8164b68db2259fae3dc7c291c2d80a
Instruction ID: 9bab64e53bd48c7f05502b4e63bdb723e959c08696805463788ec5e9c9e0b24a
Opcode Fuzzy Hash: 2e84bf016567701c35f21a276f720300fb8164b68db2259fae3dc7c291c2d80a
Instruction Fuzzy Hash: F941D6B1A04615AFCB08DF69C58199FB7B9FB08310F10423EE926977C1D770AA44CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00C105F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C105F0(long* __esi, intOrPtr _a4) {
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				long _v28;
				void* _t21;
				long* _t36;
				void* _t37;
				struct _FILETIME* _t38;

				_t36 = __esi;
				_v16.wYear = 0;
				_v16.wDayOfWeek = 0;
				_v16.wHour = 0;
				_v16.wSecond = 0;
				_push( &(_v16.wSecond));
				_push( &(_v16.wMinute));
				_push( &(_v16.wHour));
				_push( &(_v16.wDay));
				_push( &(_v16.wMonth));
				_t21 = E00C26614(_a4, L"%hu-%hu-%hu %hu:%hu:%hu",  &_v16);
				_t38 = _t37 + 0x20;
				if(_t21 == 3 || _t21 == 6) {
					if(SystemTimeToFileTime( &_v16,  &_v24) == 0 || LocalFileTimeToFileTime( &_v24, _t38) == 0) {
						goto L2;
					} else {
						_t36[1] = _v28;
						 *_t36 = _t38->dwLowDateTime;
						return 1;
					}
				} else {
					L2:
					return 0;
				}
			}

0x00c105f0
0x00c105f5
0x00c105f9
0x00c105fd
0x00c10601
0x00c10609
0x00c1060e
0x00c10613
0x00c10618
0x00c10621
0x00c1062d
0x00c10632
0x00c10638
0x00c10657
0x00000000
0x00c1066c
0x00c10673
0x00c10676
0x00c10680
0x00c10680
0x00c1063f
0x00c1063f
0x00c10644
0x00c10644

APIs

_swscanf.LIBCMT ref: 00C1062D

Part of subcall function 00C26614: _vscan_fn.LIBCMT ref: 00C2662B

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0E9B0,00000000,00000000), ref: 00C1064F
LocalFileTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00C0E9B0,00000000,00000000), ref: 00C10662

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 00C10627

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Time$File$LocalSystem_swscanf_vscan_fn
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 3712118799-1004895946
Opcode ID: 58183e5b47312b752d4d26567aa3888e3aeea4cbba640dbd341e53e02a43076a
Instruction ID: 23c5fd19b8eeeb76375a0419cfa4144822defcbdacb6044b465a7bfd0f952e18
Opcode Fuzzy Hash: 58183e5b47312b752d4d26567aa3888e3aeea4cbba640dbd341e53e02a43076a
Instruction Fuzzy Hash: DE112EB6504301AFC359DF65C880A9BB7E8BBCC700F048D1EF5A9C3200E674D688DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C20A40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C20A40(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t7;
				intOrPtr _t16;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				signed int _t23;

				_t7 =  *0xc58320; // 0x96c0a7a
				_v8 = _t7 ^ _t23;
				E00C266B0(_t21,  &_v528, 0, 0x208);
				E00C213E0( &_v528, 0x104, L"jsflag_%d", _a4);
				return E00C2669E(SHDeleteValueW(0x80000001, L"SOFTWARE\\KitTipCLSID",  &_v528), _t16, _v8 ^ _t23, _t20, _t21, _t22);
			}

0x00c20a49
0x00c20a50
0x00c20a64
0x00c20a81
0x00c20ab0

APIs

_memset.LIBCMT ref: 00C20A64
SHDeleteValueW.SHLWAPI(80000001,SOFTWARE\KitTipCLSID,?), ref: 00C20A9A

Strings

SOFTWARE\KitTipCLSID, xrefs: 00C20A90
jsflag_%d, xrefs: 00C20A70

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: DeleteValue_memset
String ID: SOFTWARE\KitTipCLSID$jsflag_%d
API String ID: 359987141-1331931182
Opcode ID: b3ae022884412354f55fa439b354efe8f161274c654f19e8ac7b0cecf3644f86
Instruction ID: 185c319df918b635fbad75bf2ba1732d0c6f334a8544a9b6fc9ba17d27bc72c7
Opcode Fuzzy Hash: b3ae022884412354f55fa439b354efe8f161274c654f19e8ac7b0cecf3644f86
Instruction Fuzzy Hash: 08F0E075A01318BBD710EB94EC4AFEE777CFB04700F5001A5FE09D6182DA706A44C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C124F0 Relevance: 6.2, APIs: 4, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C124F0(intOrPtr* __eax, intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t63;
				void* _t67;
				intOrPtr _t70;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t89;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t108;
				signed int _t111;
				long _t112;
				void* _t114;
				void* _t117;
				void* _t118;
				void* _t119;
				void* _t120;

				_t85 = 0;
				_t106 = __ecx;
				_t94 =  *((intOrPtr*)(__ecx + 0xc4));
				_t107 = __ecx + 0xccc;
				 *_t107 =  *((intOrPtr*)(__ecx + 4));
				 *((intOrPtr*)(_t107 + 4)) = 0;
				 *((intOrPtr*)(_t107 + 8)) = 4;
				 *((intOrPtr*)(_t107 + 0xc)) = 0;
				 *((intOrPtr*)(_t107 + 0x10)) = 1;
				 *((intOrPtr*)(_t107 + 0x18)) =  *((intOrPtr*)(__ecx + 8));
				 *((intOrPtr*)(_t107 + 0x1c)) = 0;
				 *(_t107 + 0x20) = 8;
				 *((intOrPtr*)(_t107 + 0x24)) = 0;
				 *((intOrPtr*)(_t107 + 0x28)) = 0;
				_t111 = 2;
				_t89 = __ecx + 0xcc;
				 *((intOrPtr*)(_t117 + 0x1c)) = _t94;
				 *((intOrPtr*)(_t117 + 0x18)) = 0;
				 *(_t117 + 0x10) = 2;
				 *((intOrPtr*)(__ecx + 0xb8)) = 0;
				 *((intOrPtr*)(__ecx + 0xbc)) = 0;
				 *((intOrPtr*)(__ecx + 0xc0)) = 0;
				if(__eax != 0) {
					 *__eax =  *((intOrPtr*)(__ecx + 0x14));
					_t94 =  *((intOrPtr*)(_t117 + 0x1c));
				}
				if( *((intOrPtr*)(_t117 + 0x34)) != _t85) {
					 *((intOrPtr*)(_t117 + 0x18)) = 0xc11b70;
				}
				 *((intOrPtr*)(_t117 + 0x20)) =  *((intOrPtr*)(_t106 + 0x10));
				if(_t94 <= _t85) {
					L9:
					 *((intOrPtr*)(_t117 + 0x14)) = _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2;
					_t63 = E00C27A03(_t85, _t94, _t106, _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2 + _t111 + _t111 * 2);
					_t118 = _t117 + 4;
					 *((intOrPtr*)(_t118 + 0x14)) = _t63;
					if(_t63 != _t85) {
						E00C2F920(_t85, _t106, _t107, _t63, _t107,  *((intOrPtr*)(_t118 + 0x10)));
						_t119 = _t118 + 0xc;
						_t95 = _t119 + 0x20;
						_push(_t119 + 0x20);
						_t112 =  *((intOrPtr*)(_t119 + 0x2c));
						_t67 = E00C11650(_t106, _t112, _t111, 0xc0ee40,  *((intOrPtr*)(_t118 + 0x3c)),  *((intOrPtr*)(_t118 + 0x24)), _t106);
						_t120 = _t119 + 0x1c;
						__eflags = _t67;
						if(__eflags != 0) {
							__eflags =  *((intOrPtr*)(_t120 + 0x1c)) - _t85;
							if( *((intOrPtr*)(_t120 + 0x1c)) == _t85) {
								asm("adc eax, ebx");
								_t114 = E00C4C870( *((intOrPtr*)(_t120 + 0x20)) + 7,  *((intOrPtr*)(_t120 + 0x24)), 8, _t85) + _t72 + E00C4C870( *((intOrPtr*)(_t120 + 0x20)) + 7,  *((intOrPtr*)(_t120 + 0x24)), 8, _t85) + _t72 + E00C4C870( *((intOrPtr*)(_t120 + 0x20)) + 7,  *((intOrPtr*)(_t120 + 0x24)), 8, _t85) + _t72 + E00C4C870( *((intOrPtr*)(_t120 + 0x20)) + 7,  *((intOrPtr*)(_t120 + 0x24)), 8, _t85) + _t72 -  *((intOrPtr*)(_t120 + 0x20));
								__eflags = _t114;
								if(_t114 != 0) {
									E00C266B0(_t106, _t107, _t85, _t114);
									_push(_t107);
									E00C14620(_t114,  *((intOrPtr*)(_t120 + 0x3c)));
									_t120 = _t120 + 0x10;
								}
							}
							_t108 =  *((intOrPtr*)(_t120 + 0x34));
							__eflags = _t108 - _t85;
							if(__eflags != 0) {
								_t70 = E00C11CA0(_t106, _t120 + 0x20);
								_t120 = _t120 + 4;
								 *_t108 = _t70;
							}
							_push( *((intOrPtr*)(_t120 + 0x14)));
							E00C27501(_t85,  *((intOrPtr*)(_t120 + 0x14)), _t106, _t108, __eflags);
							return 1;
						} else {
							_push(_t112);
							E00C27501(_t85, _t95, _t106, _t107, __eflags);
							__eflags = 0;
							return 0;
						}
					} else {
						SetLastError(8);
						E00C152E0(0xc53300, 0xc53300);
						return 0;
					}
				}
				_t84 = _t107 + 0x3c;
				 *((intOrPtr*)(_t117 + 0x14)) = _t94;
				do {
					_t94 = 0xf000;
					if( *((intOrPtr*)(_t89 + 8)) == 0xf000) {
						asm("adc ebp, edx");
						 *((intOrPtr*)(_t84 - 8)) = 0;
						 *((intOrPtr*)(_t84 - 0xc)) =  *_t89 +  *((intOrPtr*)(_t117 + 0x20));
						_t102 =  *((intOrPtr*)(_t89 + 4)) + 7 >> 3;
						_t103 = ( *((intOrPtr*)(_t89 + 4)) + 7 >> 3) + _t102;
						_t104 = ( *((intOrPtr*)(_t89 + 4)) + 7 >> 3) + _t102 + _t103;
						_t85 = 0;
						_t94 = ( *((intOrPtr*)(_t89 + 4)) + 7 >> 3) + _t102 + _t103 + _t104;
						_t111 =  *(_t117 + 0x10) + 1;
						 *((intOrPtr*)(_t84 - 4)) = ( *((intOrPtr*)(_t89 + 4)) + 7 >> 3) + _t102 + _t103 + _t104;
						 *_t84 = 0;
						 *((intOrPtr*)(_t84 + 4)) = 0;
						 *(_t117 + 0x10) = _t111;
						_t84 = _t84 + 0x18;
					}
					_t89 = _t89 + 0xc;
					_t38 = _t117 + 0x14;
					 *_t38 =  *((intOrPtr*)(_t117 + 0x14)) - 1;
				} while ( *_t38 != 0);
				goto L9;
			}

0x00c124f5
0x00c124f9
0x00c124fe
0x00c12504
0x00c1250a
0x00c1250c
0x00c1250f
0x00c12516
0x00c12519
0x00c12523
0x00c12526
0x00c12529
0x00c12530
0x00c12533
0x00c12536
0x00c1253b
0x00c12541
0x00c12545
0x00c12549
0x00c1254d
0x00c12553
0x00c12559
0x00c12561
0x00c12566
0x00c12568
0x00c12568
0x00c12570
0x00c12572
0x00c12572
0x00c1257d
0x00c12583
0x00c125dc
0x00c125e7
0x00c125eb
0x00c125f0
0x00c125f3
0x00c125f9
0x00c12626
0x00c12633
0x00c12636
0x00c1263a
0x00c12644
0x00c1264b
0x00c12650
0x00c12653
0x00c12655
0x00c1266a
0x00c1266e
0x00c1267e
0x00c1268f
0x00c1268f
0x00c12693
0x00c12698
0x00c126a4
0x00c126a7
0x00c126ac
0x00c126ac
0x00c12693
0x00c126af
0x00c126b3
0x00c126b5
0x00c126bc
0x00c126c1
0x00c126c4
0x00c126c4
0x00c126ca
0x00c126cb
0x00c126df
0x00c12657
0x00c12657
0x00c12658
0x00c12660
0x00c12669
0x00c12669
0x00c125fb
0x00c125fd
0x00c1260d
0x00c1261e
0x00c1261e
0x00c125f9
0x00c12585
0x00c12588
0x00c12590
0x00c12590
0x00c12599
0x00c125a5
0x00c125a7
0x00c125ae
0x00c125b7
0x00c125ba
0x00c125bc
0x00c125be
0x00c125c0
0x00c125c2
0x00c125c3
0x00c125c6
0x00c125c8
0x00c125cb
0x00c125cf
0x00c125cf
0x00c125d2
0x00c125d5
0x00c125d5
0x00c125d5
0x00000000

APIs

_malloc.LIBCMT ref: 00C125EB
SetLastError.KERNEL32(00000008,?), ref: 00C125FD

Part of subcall function 00C11650: GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00C0EE40,?,?,?,?,?,?,?,?), ref: 00C11669

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C12682
_memset.LIBCMT ref: 00C12698

Part of subcall function 00C27501: __lock.LIBCMT ref: 00C2751F
Part of subcall function 00C27501: ___sbh_find_block.LIBCMT ref: 00C2752A
Part of subcall function 00C27501: ___sbh_free_block.LIBCMT ref: 00C27539
Part of subcall function 00C27501: RtlFreeHeap.NTDLL(00000000,?,00C54DD0,0000000C,00C2F4ED,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C), ref: 00C27569
Part of subcall function 00C27501: GetLastError.KERNEL32(?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375,?,?,?,00C2F5A7,0000000D), ref: 00C2757A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorLast$FileFreeHeapSizeUnothrow_t@std@@@___sbh_find_block___sbh_free_block__ehfuncinfo$??2@__lock_malloc_memset
String ID:
API String ID: 2739003063-0
Opcode ID: 850e25fa3670b1d8e876c0069f0020503ee167a09ab4160b9d690792c08b2d01
Instruction ID: 91c591b7a8f4f0d9d089d0d3fd9b0db541c2c328a9760c1b2cb723ea44a83ee6
Opcode Fuzzy Hash: 850e25fa3670b1d8e876c0069f0020503ee167a09ab4160b9d690792c08b2d01
Instruction Fuzzy Hash: 6451A0B5A043059FC300DF25D885A9BF7E5FB89304F448A3DF99883301E735EA599BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C0ECA0 Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C0ECA0(char* __edx, void* __ebp, void* __eflags) {
				signed int _v8;
				char _v24;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				char _v80;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t42;
				signed int _t46;
				signed int _t48;
				signed int _t52;
				intOrPtr _t53;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				void* _t67;
				void* _t71;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				void* _t79;
				void* _t81;

				_t70 = __edx;
				_t36 =  *0xc58320; // 0x96c0a7a
				_v8 = _t36 ^ _t77;
				_t76 = 0;
				_t72 = E00C27A03(_t59, __edx, _t71, 0x400);
				_t78 = _t77 + 4;
				_v80 = _t72;
				if(_t72 != 0) {
					_v76 = 0;
					_v72 = 0;
					_v68 = 0;
					_v64 = 0;
					_v60 = 0;
					_v56 = 0;
					_v52 = 0;
					_v48 = 0;
					_v44 = 0;
					_t42 = E00C0E740( &_v76, _t72,  &_v96);
					_t79 = _t78 + 4;
					__eflags = _t42;
					if(__eflags != 0) {
						_t46 = _v96;
						_t76 = 1;
						__eflags = _t46 - 0x80;
						if(_t46 < 0x80) {
							_t46 = 0x80;
						}
						_t74 = _t46 + _t46;
						__eflags = _t74 - 0x400;
						if(_t74 > 0x400) {
							_t74 = 0x400;
						}
						_t59 = E00C27A03(_t59, _t70, _t72, _t74);
						_t79 = _t79 + 4;
						_v96 = _t59;
						__eflags = _t59;
						if(__eflags != 0) {
							_t70 =  &_v76;
							_t48 = E00C0E950(_t59, _t74,  &_v76,  &_v92);
							_t81 = _t79 + 0xc;
							__eflags = _t48;
							if(__eflags != 0) {
								E00C0E560(_t59,  &_v24, __eflags, _t59, _v92);
								_t72 = _v48;
								_t70 =  &_v40;
								_v92 = 0x10;
								_t52 = E00C13EE0( &_v92, 0xc52c10,  &_v40, _v48, _t76,  &_v40, _v44);
								_t81 = _t81 + 0x10;
								__eflags = _t52;
								if(__eflags == 0) {
									_t53 = 0x10;
									_t67 = 0;
									__eflags = 0;
									while(1) {
										_t70 =  *((intOrPtr*)(_t81 + _t67 + 0x5c));
										__eflags =  *((intOrPtr*)(_t81 + _t67 + 0x5c)) -  *((intOrPtr*)(_t81 + _t67 + 0x4c));
										if(__eflags != 0) {
											goto L18;
										}
										_t53 = _t53 - 4;
										_t67 = _t67 + 4;
										__eflags = _t53 - 4;
										if(_t53 >= 4) {
											continue;
										} else {
											_t54 = _v68;
											__eflags = _v68;
											if(__eflags == 0) {
												L17:
												_t76 = 3;
											} else {
												_t74 =  &_v92;
												_t55 = E00C105F0( &_v92, _t54);
												_t81 = _t81 + 4;
												__eflags = _t55;
												if(__eflags != 0) {
													_t56 = E00C0EAB0( &_v92);
													_t76 = 2;
													__eflags = _t56;
													if(__eflags == 0) {
														goto L17;
													}
												}
											}
										}
										goto L18;
									}
								}
								L18:
								_t59 = _v96;
							}
							_push(_t59);
							E00C27501(_t59, _t70, _t72, _t74, __eflags);
							_t72 = _v80;
							_t79 = _t81 + 4;
						} else {
							SetLastError(8);
						}
					}
					E00C27501(_t59, _t70, _t72, _t74, __eflags);
					__eflags = _v8 ^ _t79 + 0x00000004;
					return E00C2669E(_t76, _t59, _v8 ^ _t79 + 0x00000004, _t70, _t72, _t74, _t72);
				} else {
					SetLastError(8);
					return E00C2669E(0, _t59, _v8 ^ _t78, _t70, _t72, _t74);
				}
			}

0x00c0eca0
0x00c0eca3
0x00c0ecaa
0x00c0ecb7
0x00c0ecbe
0x00c0ecc0
0x00c0ecc3
0x00c0ecc9
0x00c0ecea
0x00c0ecee
0x00c0ecf2
0x00c0ecf6
0x00c0ecfa
0x00c0ecfe
0x00c0ed02
0x00c0ed06
0x00c0ed0a
0x00c0ed19
0x00c0ed1e
0x00c0ed21
0x00c0ed23
0x00c0ed29
0x00c0ed2d
0x00c0ed32
0x00c0ed37
0x00c0ed39
0x00c0ed39
0x00c0ed3e
0x00c0ed41
0x00c0ed47
0x00c0ed49
0x00c0ed49
0x00c0ed54
0x00c0ed56
0x00c0ed59
0x00c0ed5d
0x00c0ed5f
0x00c0ed73
0x00c0ed79
0x00c0ed7e
0x00c0ed81
0x00c0ed83
0x00c0ed93
0x00c0ed9c
0x00c0eda1
0x00c0edaf
0x00c0edb7
0x00c0edbc
0x00c0edbf
0x00c0edc1
0x00c0edc3
0x00c0edc8
0x00c0edc8
0x00c0edd0
0x00c0edd0
0x00c0edd4
0x00c0edd8
0x00000000
0x00000000
0x00c0edda
0x00c0eddd
0x00c0ede0
0x00c0ede3
0x00000000
0x00c0ede5
0x00c0ede5
0x00c0ede9
0x00c0edeb
0x00c0ee0c
0x00c0ee0c
0x00c0eded
0x00c0edee
0x00c0edf2
0x00c0edf7
0x00c0edfa
0x00c0edfc
0x00c0edfe
0x00c0ee03
0x00c0ee08
0x00c0ee0a
0x00000000
0x00000000
0x00c0ee0a
0x00c0edfc
0x00c0edeb
0x00000000
0x00c0ede3
0x00c0edd0
0x00c0ee11
0x00c0ee11
0x00c0ee11
0x00c0ee15
0x00c0ee16
0x00c0ee1b
0x00c0ee1f
0x00c0ed61
0x00c0ed63
0x00c0ed63
0x00c0ed5f
0x00c0ee23
0x00c0ee35
0x00c0ee3f
0x00c0eccb
0x00c0eccd
0x00c0ece7
0x00c0ece7

APIs

_malloc.LIBCMT ref: 00C0ECB9

Part of subcall function 00C27A03: __FF_MSGBANNER.LIBCMT ref: 00C27A26
Part of subcall function 00C27A03: __NMSG_WRITE.LIBCMT ref: 00C27A2D
Part of subcall function 00C27A03: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00C30B61,?,00000001,?,?,00C312E4,00000018,00C550F0,0000000C,00C31375), ref: 00C27A7A

SetLastError.KERNEL32(00000008,?), ref: 00C0ECCD
_malloc.LIBCMT ref: 00C0ED4F
SetLastError.KERNEL32(00000008,?,?,?), ref: 00C0ED63

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorLast_malloc$AllocateHeap
String ID:
API String ID: 1551238847-0
Opcode ID: bf21f79d70613d871ab80f9a8ea2616e019184675ed10d99ff428ca953f1905f
Instruction ID: 5e0573df84a37661fb2aad77719381bdf46941b0cec3e57a9c4084ec9291c3d6
Opcode Fuzzy Hash: bf21f79d70613d871ab80f9a8ea2616e019184675ed10d99ff428ca953f1905f
Instruction Fuzzy Hash: D5419DB26483048BD750EF24D88176FB7E4AB88354F040D3DFA5697281EA75EA49CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00C3BE93 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C3BE93(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E00C2672A( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00C38726( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00C2AF2B(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00c3be9d
0x00c3bea4
0x00c3bebb
0x00000000
0x00c3beab
0x00c3bead
0x00c3bec7
0x00c3becc
0x00c3becf
0x00c3bed2
0x00c3befb
0x00c3bf02
0x00c3bf04
0x00c3bf85
0x00c3bfa0
0x00c3bfa2
0x00c3bee2
0x00c3bee2
0x00c3bee5
0x00c3bee7
0x00c3beea
0x00c3beea
0x00c3beea
0x00c3beea
0x00000000
0x00c3bef0
0x00c3bf64
0x00c3bf64
0x00c3bf69
0x00c3bf6f
0x00c3bf72
0x00c3bf74
0x00c3bf77
0x00c3bf77
0x00c3bf77
0x00c3bf77
0x00000000
0x00c3bf7b
0x00c3bf06
0x00c3bf09
0x00c3bf0f
0x00c3bf12
0x00c3bf39
0x00c3bf3c
0x00c3bf42
0x00000000
0x00000000
0x00c3bf44
0x00c3bf47
0x00000000
0x00000000
0x00c3bf49
0x00c3bf49
0x00c3bf4f
0x00c3bf52
0x00c3bec0
0x00c3bec0
0x00c3bf5b
0x00000000
0x00c3bf5b
0x00c3bf14
0x00c3bf17
0x00000000
0x00000000
0x00c3bf1b
0x00c3bf2c
0x00c3bf32
0x00c3bf34
0x00c3bf37
0x00000000
0x00000000
0x00000000
0x00c3bf37
0x00c3bed4
0x00c3bed7
0x00c3bed9
0x00c3bedf
0x00c3bedf
0x00000000
0x00c3beaf
0x00c3beaf
0x00c3beb4
0x00c3beb8
0x00c3beb8
0x00000000
0x00c3beb4
0x00c3bead

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C3BEC7
__isleadbyte_l.LIBCMT ref: 00C3BEFB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00C3BF2C
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00C3BF9A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 962ef62f7407f0d8fa8e75b33ff67ec6bd49c0fc665cf21a3f31981fd75aafed
Instruction ID: 54c7b9879ab98bde645419470443b574e461e979e3c63487d63e3edbd573b354
Opcode Fuzzy Hash: 962ef62f7407f0d8fa8e75b33ff67ec6bd49c0fc665cf21a3f31981fd75aafed
Instruction Fuzzy Hash: 2F31DC31A24256EFDB20DFA8CC90AAE3BA5FF01310F1589A9F6658B1A1D730DE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C15010 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C15010(intOrPtr* _a4) {
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t18;
				intOrPtr _t21;
				char* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				long _t26;
				void* _t27;
				void* _t28;
				void* _t30;

				_t8 = GetLastError();
				_t9 = E00C2AF2B(_t30);
				_t27 = E00C17CB0();
				 *((intOrPtr*)(E00C2AF2B(_t30))) =  *_t9;
				SetLastError(_t8);
				if(_t27 == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t28 = _t27 + 8;
					_t32 = _t28;
					if(_t28 == 0) {
						L14:
						return _t28;
					} else {
						_t26 = GetLastError();
						_t21 =  *((intOrPtr*)(E00C2AF2B(_t32)));
						E00C14FC0(_t28);
						_t18 = _a4;
						if(_t18 == 0) {
							L13:
							 *((intOrPtr*)(_t28 + 4)) = _t26;
							 *((intOrPtr*)(_t28 + 8)) = 1;
							goto L14;
						} else {
							_t22 = L"__crt";
							while(1) {
								_t23 =  *_t18;
								if(_t23 !=  *_t22) {
									break;
								}
								if(_t23 == 0) {
									L8:
									_t18 = 0;
								} else {
									_t2 = _t18 + 2; // 0x1ec
									_t24 =  *_t2;
									if(_t24 != _t22[2]) {
										break;
									} else {
										_t18 = _t18 + 4;
										_t22 =  &(_t22[4]);
										if(_t24 != 0) {
											continue;
										} else {
											goto L8;
										}
									}
								}
								L11:
								if(_t18 != 0) {
									goto L13;
								} else {
									 *((intOrPtr*)(_t28 + 4)) = _t21;
									 *((intOrPtr*)(_t28 + 8)) = 2;
									return _t28;
								}
								goto L15;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L11;
						}
					}
				}
				L15:
			}

0x00c1501a
0x00c1501e
0x00c1502a
0x00c15032
0x00c15034
0x00c1503c
0x00c1508d
0x00c15090
0x00c1503e
0x00c1503e
0x00c15041
0x00c15043
0x00c150b6
0x00c150bb
0x00c15045
0x00c15047
0x00c1504e
0x00c15052
0x00c15057
0x00c1505d
0x00c150ab
0x00c150ab
0x00c150ae
0x00000000
0x00c1505f
0x00c1505f
0x00c15064
0x00c15064
0x00c1506a
0x00000000
0x00000000
0x00c1506f
0x00c15086
0x00c15086
0x00c15071
0x00c15071
0x00c15071
0x00c15079
0x00000000
0x00c1507b
0x00c1507b
0x00c1507e
0x00c15084
0x00000000
0x00000000
0x00000000
0x00000000
0x00c15084
0x00c15079
0x00c15096
0x00c15098
0x00000000
0x00c1509b
0x00c1509b
0x00c1509e
0x00c150aa
0x00c150aa
0x00000000
0x00c15098
0x00c15091
0x00c15093
0x00000000
0x00c15093
0x00c1505d
0x00c15043
0x00000000

APIs

GetLastError.KERNEL32(00000005,?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C1501A

Part of subcall function 00C2AF2B: __getptd_noexit.LIBCMT ref: 00C2AF2B

SetLastError.KERNEL32(00000000,?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C15034
GetLastError.KERNEL32(?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C15045

Strings

__crt, xrefs: 00C1505F

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorLast$__getptd_noexit
String ID: __crt
API String ID: 101986603-4026493915
Opcode ID: 9c04af3f33da8b4d17a63e03d842a332b784583e09969d3130aed709a760139b
Instruction ID: 3f74e7782dc8c14fc789ccb885778c56afc13e039f4d87569e31eb943360e04c
Opcode Fuzzy Hash: 9c04af3f33da8b4d17a63e03d842a332b784583e09969d3130aed709a760139b
Instruction Fuzzy Hash: 5111EE72701B1087D6206FF5E8416A6F3D4EFA6B617054569E515C7710EB32DDC1A3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C15240 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C15240(intOrPtr __eax, void* __ecx) {
				char _v4;
				char _v16;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t23;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t35;
				char* _t44;
				void* _t57;

				_push(__ecx);
				_push(__eax);
				L1();
				_t44 =  &_v4;
				_v4 = __eax;
				_t23 = E00C291AE(_t44, 0xc5599c);
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t44);
				_push(_t23);
				L1();
				_v16 = _t23;
				E00C291AE( &_v16, 0xc5599c);
				asm("int3");
				asm("int3");
				asm("int3");
				_push(__ebp);
				__ebp = __esp;
				_push(0xffffffff);
				_push(0xc4d180);
				__eax =  *[fs:0x0];
				_push( *[fs:0x0]);
				__esp = __esp - 8;
				__eax =  *0xc58320; // 0x96c0a7a
				_push(__eax);
				__eax =  &_v24;
				 *[fs:0x0] =  &_v24;
				_v28 = __esp;
				SetLastError(8);
				_v16 = 0;
				_push(0xc53300);
				0 = E00C15240(0, __ecx);
				_v32 = 1;
				__eax =  &_v32;
				__eax = E00C291AE( &_v32, 0xc5599c);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_v48 = __eax;
				SetLastError(GetLastError());
				_t57 = E00C15010(_v48);
				if(_t57 == 0) {
					return 5;
				} else {
					_t29 =  *((intOrPtr*)(_t57 + 8));
					if(_t29 != 1) {
						__eflags = _t29 - 2;
						if(__eflags == 0) {
							 *(E00C2AF2B(__eflags)) =  *(_t57 + 4);
						}
					} else {
						SetLastError( *(_t57 + 4));
					}
					if( *0xc5c1d8 != 0) {
						_t35 = E00C15360( &_v48);
						 *0xc5c1d8(_t35, _v48);
					}
					_t30 =  *((intOrPtr*)(_t57 + 8));
					if(_t30 != 1) {
						__eflags = _t30 - 2;
						if(__eflags == 0) {
							 *(E00C2AF2B(__eflags)) =  *(_t57 + 4);
						}
						return  *((intOrPtr*)(_t57 + 8));
					} else {
						SetLastError( *(_t57 + 4));
						return  *((intOrPtr*)(_t57 + 8));
					}
				}
			}

0x00c15240
0x00c15241
0x00c15242
0x00c1524f
0x00c15254
0x00c15258
0x00c1525d
0x00c1525e
0x00c1525f
0x00c15260
0x00c15261
0x00c15262
0x00c15274
0x00c15278
0x00c1527d
0x00c1527e
0x00c1527f
0x00c15280
0x00c15281
0x00c15283
0x00c15285
0x00c1528a
0x00c15290
0x00c15291
0x00c15297
0x00c1529e
0x00c1529f
0x00c152a2
0x00c152a8
0x00c152ad
0x00c152b3
0x00c152ba
0x00c152c1
0x00c152c6
0x00c152d2
0x00c152d6
0x00c152db
0x00c152dc
0x00c152dd
0x00c152de
0x00c152df
0x00c152e0
0x00c151b0
0x00c151c1
0x00c151c8
0x00c1523b
0x00c151ca
0x00c151ca
0x00c151d0
0x00c151da
0x00c151dd
0x00c151e7
0x00c151e7
0x00c151d2
0x00c151d6
0x00c151d6
0x00c151f0
0x00c151f7
0x00c15202
0x00c15208
0x00c1520b
0x00c15211
0x00c15220
0x00c15223
0x00c1522d
0x00c1522d
0x00c15235
0x00c15213
0x00c15217
0x00c1521f
0x00c1521f
0x00c15211

APIs

Part of subcall function 00C151A0: GetLastError.KERNEL32(?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C151A3
Part of subcall function 00C151A0: SetLastError.KERNEL32(00000000,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C151B0
Part of subcall function 00C151A0: SetLastError.KERNEL32(?), ref: 00C151D6
Part of subcall function 00C151A0: SetLastError.KERNEL32(?), ref: 00C15217

__CxxThrowException@8.LIBCMT ref: 00C15258

Part of subcall function 00C291AE: RaiseException.KERNEL32(?,?,?,?), ref: 00C291F0

__CxxThrowException@8.LIBCMT ref: 00C15278
SetLastError.KERNEL32(00000008,096C0A7A), ref: 00C152AD

Part of subcall function 00C15240: __CxxThrowException@8.LIBCMT ref: 00C152D6

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorLast$Exception@8Throw$ExceptionRaise
String ID:
API String ID: 2285286292-0
Opcode ID: 08927f449d95f2ba3b85a401b19f4229f982df36c4c6ac06d31da04e1f393f71
Instruction ID: 2df56cf28936d1aede8abacfa007693f76e39927b478be40f7ac77e2a83b302b
Opcode Fuzzy Hash: 08927f449d95f2ba3b85a401b19f4229f982df36c4c6ac06d31da04e1f393f71
Instruction Fuzzy Hash: 7501B5F9D04708BBD704EBA1EC4AF8FB7ACEB04720F500D28B50593580E7B9A54896A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C068C0 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C068C0(void* __ecx, signed int* __esi, void* __eflags) {
				long _v4;
				void _v8;
				void* _v12;
				void* _v16;
				signed int _t15;
				signed int _t17;
				signed int _t28;
				void* _t32;

				if(E00C06860(__ecx, __esi, _t32, __eflags) != 0) {
					_v12 = 0;
					_t28 = 0;
					_t15 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
					__eflags = _t15;
					if(_t15 != 0) {
						_v8 = 0;
						_v4 = 0;
						_t17 = GetTokenInformation(_v12, 0x14,  &_v8, 4,  &_v4);
						__eflags = _t17;
						if(_t17 != 0) {
							_t28 = 1;
							__eflags = __esi;
							if(__esi != 0) {
								__eflags = _v12;
								_t10 = _v12 != 0;
								__eflags = _t10;
								 *__esi = 0 | _t10;
							}
						}
						CloseHandle(_v16);
						return _t28;
					} else {
						return _t15;
					}
				} else {
					if(__esi != 0) {
						 *__esi = 1;
					}
					return 1;
				}
			}

0x00c068ca
0x00c068e7
0x00c068ef
0x00c068f8
0x00c068fe
0x00c06900
0x00c0691a
0x00c0691e
0x00c06922
0x00c06928
0x00c0692a
0x00c0692c
0x00c06931
0x00c06933
0x00c06937
0x00c0693b
0x00c0693b
0x00c0693e
0x00c0693e
0x00c06933
0x00c06945
0x00c06951
0x00c06902
0x00c06906
0x00c06906
0x00c068cc
0x00c068ce
0x00c068d0
0x00c068d0
0x00c068de
0x00c068de

APIs

GetCurrentProcess.KERNEL32 ref: 00C068F1
OpenProcessToken.ADVAPI32(00000000), ref: 00C068F8
GetTokenInformation.ADVAPI32(00000000,00000014(TokenIntegrityLevel),00000000,00000004,00000000), ref: 00C06922
CloseHandle.KERNEL32(00000000), ref: 00C06945

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 11a96b2f928449387d7e04887e67dd6cb6a1cc53ec7bdca4c902ecb79bce538f
Instruction ID: e0eb7e5565e46a8b4326022dfb22702143c74aec6f57f46d467b79abee1eb720
Opcode Fuzzy Hash: 11a96b2f928449387d7e04887e67dd6cb6a1cc53ec7bdca4c902ecb79bce538f
Instruction Fuzzy Hash: 5A0152B66043016BD7108F14E945B6F77E8BFC4B04F45892DFA9986280E774C958DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C27989 Relevance: 6.0, APIs: 4, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C27989(void* __ebx, void* __edi, long _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t3;
				void* _t4;
				long _t5;
				void* _t9;
				void* _t13;
				long _t16;
				long _t18;

				_t14 = __edi;
				_t9 = __ebx;
				if( *0xc5b6a8 == 0) {
					E00C32ABE(__edi);
					E00C328ED(_t13, 0x1e);
					E00C28819(0xff);
				}
				_t3 =  *0xc5d59c;
				if(_t3 != 1) {
					_t16 = _a4;
					__eflags = _t3 - 3;
					if(__eflags != 0) {
						L8:
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = _t16 + 1;
							__eflags = _t16;
						}
						_t18 = _t16 + 0x0000000f & 0xfffffff0;
						__eflags = _t18;
						_t4 = HeapAlloc( *0xc5b6a8, 0, _t18);
					} else {
						_push(_t16);
						_t4 = E00C2793A(_t9, _t13, _t14, _t16, __eflags);
						__eflags = _t4;
						if(_t4 == 0) {
							goto L8;
						}
					}
					return _t4;
				} else {
					_t5 = _a4;
					if(_t5 == 0) {
						_t5 = _t5 + 1;
					}
					return HeapAlloc( *0xc5b6a8, 0, _t5);
				}
			}

0x00c27989
0x00c27989
0x00c27995
0x00c27997
0x00c2799e
0x00c279a8
0x00c279ae
0x00c279af
0x00c279b7
0x00c279d3
0x00c279d6
0x00c279d9
0x00c279e6
0x00c279e6
0x00c279e8
0x00c279ea
0x00c279ea
0x00c279ea
0x00c279ee
0x00c279ee
0x00c279fa
0x00c279db
0x00c279db
0x00c279dc
0x00c279e2
0x00c279e4
0x00000000
0x00000000
0x00c279e4
0x00c27a02
0x00c279b9
0x00c279b9
0x00c279be
0x00c279c0
0x00c279c0
0x00c279d1
0x00c279d1

APIs

__FF_MSGBANNER.LIBCMT ref: 00C27997

Part of subcall function 00C32ABE: __set_error_mode.LIBCMT ref: 00C32AC0
Part of subcall function 00C32ABE: __set_error_mode.LIBCMT ref: 00C32ACD
Part of subcall function 00C32ABE: __NMSG_WRITE.LIBCMT ref: 00C32AE5
Part of subcall function 00C32ABE: __NMSG_WRITE.LIBCMT ref: 00C32AEF

__NMSG_WRITE.LIBCMT ref: 00C2799E

Part of subcall function 00C328ED: __set_error_mode.LIBCMT ref: 00C3291E
Part of subcall function 00C328ED: __set_error_mode.LIBCMT ref: 00C3292F
Part of subcall function 00C328ED: _strcpy_s.LIBCMT ref: 00C32963
Part of subcall function 00C328ED: __invoke_watson.LIBCMT ref: 00C32974
Part of subcall function 00C328ED: GetModuleFileNameA.KERNEL32(00000000,00C5B821,00000104), ref: 00C32990
Part of subcall function 00C328ED: _strcpy_s.LIBCMT ref: 00C329A5
Part of subcall function 00C328ED: __invoke_watson.LIBCMT ref: 00C329B8
Part of subcall function 00C328ED: _strlen.LIBCMT ref: 00C329C1
Part of subcall function 00C328ED: _strlen.LIBCMT ref: 00C329CE
Part of subcall function 00C328ED: __invoke_watson.LIBCMT ref: 00C329FB

Part of subcall function 00C28819: ___crtCorExitProcess.LIBCMT ref: 00C28821
Part of subcall function 00C28819: ExitProcess.KERNEL32 ref: 00C2882A

HeapAlloc.KERNEL32(00000000,?), ref: 00C279CA
HeapAlloc.KERNEL32(00000000,?), ref: 00C279FA

Part of subcall function 00C2793A: __lock.LIBCMT ref: 00C27957
Part of subcall function 00C2793A: ___sbh_alloc_block.LIBCMT ref: 00C27962

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: __set_error_mode$__invoke_watson$AllocExitHeapProcess_strcpy_s_strlen$FileModuleName___crt___sbh_alloc_block__lock
String ID:
API String ID: 913549098-0
Opcode ID: bd29999caf233a046f2853d5488dc7e2d6362133bcf8662614d223394770a7f8
Instruction ID: 12d3f61cdcb2a75e69da883fcb8d353b12afdf65fb3a7340061b2c53220ca2e5
Opcode Fuzzy Hash: bd29999caf233a046f2853d5488dc7e2d6362133bcf8662614d223394770a7f8
Instruction Fuzzy Hash: B0F0C83658A335ABDE217714FC81F7E3749EB01365F210121FC18AA8D1DB309DC0A584

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E216 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00C2E216(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0xc54f38);
				E00C286FC(__ebx, __edi, __esi);
				_t29 = E00C2F4FC(__ebx, _t31);
				_t13 =  *0xc58a54; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E00C3135A(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0xc58b38; // 0xc58a60
					 *((intOrPtr*)(_t30 - 0x1c)) = E00C2E1D8(_t8, _t25, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E00C2E280();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00C2F4FC(_t22, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E00C287C5(_t25, 0x20);
				}
				return E00C28741(_t29);
			}

0x00c2e216
0x00c2e216
0x00c2e216
0x00c2e216
0x00c2e216
0x00c2e218
0x00c2e21d
0x00c2e227
0x00c2e229
0x00c2e231
0x00c2e255
0x00c2e257
0x00c2e25d
0x00c2e261
0x00c2e264
0x00c2e26f
0x00c2e272
0x00c2e279
0x00c2e233
0x00c2e233
0x00c2e237
0x00000000
0x00c2e239
0x00c2e23e
0x00c2e23e
0x00c2e237
0x00c2e243
0x00c2e247
0x00c2e24c
0x00c2e254

APIs

__getptd.LIBCMT ref: 00C2E222

Part of subcall function 00C2F4FC: __getptd_noexit.LIBCMT ref: 00C2F4FF
Part of subcall function 00C2F4FC: __amsg_exit.LIBCMT ref: 00C2F50C

__getptd.LIBCMT ref: 00C2E239
__amsg_exit.LIBCMT ref: 00C2E247
__lock.LIBCMT ref: 00C2E257

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 092691b1e0ed9d0f343578083e843f8764b981b4aea60052a4e1dd922d0aec92
Instruction ID: bafc0a12c6a4e7b4b0c051ca7b3f9f29213ce00813f0fa323802bd19701c7862
Opcode Fuzzy Hash: 092691b1e0ed9d0f343578083e843f8764b981b4aea60052a4e1dd922d0aec92
Instruction Fuzzy Hash: F7F09072941734CBEB20BB68A402B5D33B86F00B11F240629F555B7AD2CF749A85EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C28351 Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00C28351(long _a4) {
				void* _t6;
				void* _t9;
				void* _t10;
				void* _t11;

				_t12 =  *0xc5d5c8;
				if( *0xc5d5c8 != 0 && E00C32830(_t12, 0xc5d5c8) != 0) {
					 *0xc5d5c8();
				}
				if(E00C2F483(_t6, _t9) != 0) {
					E00C2F645(_t6, _t9, _t10, _t11, _t2);
				}
				ExitThread(_a4);
			}

0x00c28356
0x00c2835d
0x00c2836e
0x00c2836e
0x00c2837b
0x00c2837e
0x00c28383
0x00c28387

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00C28364

Part of subcall function 00C32830: __FindPESection.LIBCMT ref: 00C3288B

__getptd_noexit.LIBCMT ref: 00C28374
__freeptd.LIBCMT ref: 00C2837E
ExitThread.KERNEL32 ref: 00C28387

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: 983bfc6372e14ec840a581c3a9581d20bad294b8a10c0417bf50ae44cf961d02
Instruction ID: 51b20e933af847ee4ee8ae52968f557ad7d29e31ab1509504b5db294074c2ef9
Opcode Fuzzy Hash: 983bfc6372e14ec840a581c3a9581d20bad294b8a10c0417bf50ae44cf961d02
Instruction Fuzzy Hash: F2D05B750017155ADF607775FC0D71D3A68AB4076DF984035F811948B1EE70DDC5D526

Uniqueness

Uniqueness Score: -1.00%

Function 00C042A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00C042A0(void* __ebx, intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t17;
				intOrPtr* _t19;
				intOrPtr* _t27;
				void* _t29;
				intOrPtr* _t30;
				intOrPtr _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t45;

				_t29 = __ebx;
				_t45 = _a4;
				_t44 = __ecx;
				if(_t45 == 0) {
					L12:
					_t41 = _a8;
					__eflags = _t41 - 0xfffffffe;
					if(__eflags > 0) {
						E00C4C28C(_t29, _t41, _t44, __eflags);
					}
					_t17 =  *((intOrPtr*)(_t44 + 0x18));
					__eflags = _t17 - _t41;
					if(_t17 >= _t41) {
						__eflags = _t41;
						if(__eflags != 0) {
							goto L16;
						} else {
							 *((intOrPtr*)(_t44 + 0x14)) = _t41;
							__eflags = _t17 - 0x10;
							if(_t17 < 0x10) {
								 *((char*)(_t44 + 4)) = 0;
								return _t44;
							} else {
								 *((char*)( *((intOrPtr*)(_t44 + 4)))) = 0;
								return _t44;
							}
						}
					} else {
						E00C04950(_t44,  *((intOrPtr*)(_t44 + 0x14)), _t41,  *((intOrPtr*)(_t44 + 0x14)));
						__eflags = _t41;
						L16:
						if(__eflags > 0) {
							_t33 =  *((intOrPtr*)(_t44 + 0x18));
							_push(_t29);
							_t30 = _t44 + 4;
							__eflags = _t33 - 0x10;
							if(_t33 < 0x10) {
								_t19 = _t30;
							} else {
								_t19 =  *_t30;
							}
							E00C269C3(_t30, _t33, _t19, _t33, _t45, _t41);
							__eflags =  *((intOrPtr*)(_t44 + 0x18)) - 0x10;
							 *((intOrPtr*)(_t44 + 0x14)) = _t41;
							if( *((intOrPtr*)(_t44 + 0x18)) >= 0x10) {
								_t30 =  *_t30;
							}
							 *((char*)(_t30 + _t41)) = 0;
						}
						return _t44;
					}
				} else {
					_t40 =  *((intOrPtr*)(__ecx + 0x18));
					_t27 = __ecx + 4;
					if(_t40 < 0x10) {
						_t35 = _t27;
					} else {
						_t35 =  *_t27;
					}
					if(_t45 < _t35) {
						goto L12;
					} else {
						if(_t40 < 0x10) {
							_t36 = _t27;
						} else {
							_t36 =  *_t27;
						}
						if( *((intOrPtr*)(_t44 + 0x14)) + _t36 <= _t45) {
							goto L12;
						} else {
							if(_t40 >= 0x10) {
								_t27 =  *_t27;
							}
							return E00C03F80(_t44, _t40, _t44, _t45 - _t27, _a8);
						}
					}
				}
			}

0x00c042a0
0x00c042a1
0x00c042a7
0x00c042ab
0x00c042f3
0x00c042f3
0x00c042f7
0x00c042fa
0x00c042fc
0x00c042fc
0x00c04301
0x00c04304
0x00c04306
0x00c04328
0x00c0432a
0x00000000
0x00c0432c
0x00c0432c
0x00c0432f
0x00c04332
0x00c04346
0x00c0434d
0x00c04334
0x00c04338
0x00c0433f
0x00c0433f
0x00c04332
0x00c04308
0x00c0430f
0x00c04314
0x00c04316
0x00c04316
0x00c04318
0x00c0431b
0x00c0431c
0x00c0431f
0x00c04322
0x00c04350
0x00c04324
0x00c04324
0x00c04324
0x00c04356
0x00c0435e
0x00c04362
0x00c04365
0x00c04367
0x00c04367
0x00c04369
0x00c0436d
0x00c04373
0x00c04373
0x00c042ad
0x00c042ad
0x00c042b0
0x00c042b6
0x00c042bc
0x00c042b8
0x00c042b8
0x00c042b8
0x00c042c0
0x00000000
0x00c042c2
0x00c042c5
0x00c042cb
0x00c042c7
0x00c042c7
0x00c042c7
0x00c042d4
0x00000000
0x00c042d6
0x00c042d9
0x00c042db
0x00c042db
0x00c042f0
0x00c042f0
0x00c042d4
0x00c042c0

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00C042FC
_memcpy_s.LIBCMT ref: 00C04356

Strings

zl, xrefs: 00C042A0

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_
String ID: zl
API String ID: 923394732-2563081789
Opcode ID: 5b75de12594fe0d637c4bff87bc1c22b6b0b45893016aae3dd56257dc3708bcf
Instruction ID: fc4364e3dc731d8a8b9ac466c7da3fb7962fc521d9ba0d2cedf018fd95c40904
Opcode Fuzzy Hash: 5b75de12594fe0d637c4bff87bc1c22b6b0b45893016aae3dd56257dc3708bcf
Instruction Fuzzy Hash: 0021EA723006148FD72CDA8DE58096FB3EAEFD2710B50092EF262876E1D771AC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C03F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C03F80(intOrPtr __ecx, void* __edx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr* _t22;
				intOrPtr _t35;
				intOrPtr* _t36;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t50;

				_t42 = __edx;
				_t35 = _a4;
				_t2 =  &_a8; // 0x96c0a7a
				_t50 =  *_t2;
				_t49 = __ecx;
				_t53 =  *((intOrPtr*)(_t35 + 0x14)) - _t50;
				if( *((intOrPtr*)(_t35 + 0x14)) < _t50) {
					E00C4C2C4(_t35, _t45, __ecx, _t53);
				}
				_t19 = _a12;
				_t47 =  *((intOrPtr*)(_t35 + 0x14)) - _t50;
				if(_t19 < _t47) {
					_t47 = _t19;
				}
				if(_t49 != _t35) {
					__eflags = _t47 - 0xfffffffe;
					if(__eflags > 0) {
						E00C4C28C(_t35, _t47, _t49, __eflags);
					}
					_t20 =  *((intOrPtr*)(_t49 + 0x18));
					__eflags = _t20 - _t47;
					if(_t20 >= _t47) {
						__eflags = _t47;
						if(__eflags != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t49 + 0x14)) = _t47;
							__eflags = _t20 - 0x10;
							if(_t20 < 0x10) {
								 *((char*)(_t49 + 4)) = 0;
								return _t49;
							} else {
								 *((char*)( *((intOrPtr*)(_t49 + 4)))) = 0;
								return _t49;
							}
						}
					} else {
						E00C04950(_t49, _t42, _t47,  *((intOrPtr*)(_t49 + 0x14)));
						__eflags = _t47;
						L10:
						if(__eflags > 0) {
							__eflags =  *((intOrPtr*)(_t35 + 0x18)) - 0x10;
							if( *((intOrPtr*)(_t35 + 0x18)) < 0x10) {
								_t43 = _t35 + 4;
							} else {
								_t43 =  *((intOrPtr*)(_t35 + 4));
							}
							_t38 =  *((intOrPtr*)(_t49 + 0x18));
							_t36 = _t49 + 4;
							__eflags = _t38 - 0x10;
							if(_t38 < 0x10) {
								_t22 = _t36;
							} else {
								_t22 =  *_t36;
							}
							E00C269C3(_t36, _t38, _t22, _t38, _t43 + _t50, _t47);
							__eflags =  *((intOrPtr*)(_t49 + 0x18)) - 0x10;
							 *((intOrPtr*)(_t49 + 0x14)) = _t47;
							if( *((intOrPtr*)(_t49 + 0x18)) >= 0x10) {
								_t36 =  *_t36;
							}
							 *((char*)(_t36 + _t47)) = 0;
						}
						return _t49;
					}
				} else {
					E00C04380(_t49, _t50, _t47 + _t50, 0xffffffff);
					E00C04380(_t49, _t50, 0, _t50);
					return _t49;
				}
			}

0x00c03f80
0x00c03f81
0x00c03f86
0x00c03f86
0x00c03f8c
0x00c03f8e
0x00c03f91
0x00c03f93
0x00c03f93
0x00c03f9b
0x00c03f9f
0x00c03fa3
0x00c03fa5
0x00c03fa5
0x00c03fa9
0x00c03fca
0x00c03fcd
0x00c03fcf
0x00c03fcf
0x00c03fd4
0x00c03fd7
0x00c03fd9
0x00c03ff6
0x00c03ff8
0x00000000
0x00c03ffa
0x00c03ffa
0x00c03ffd
0x00c04000
0x00c04015
0x00c0401d
0x00c04002
0x00c04006
0x00c0400e
0x00c0400e
0x00c04000
0x00c03fdb
0x00c03fe2
0x00c03fe7
0x00c03fe9
0x00c03fe9
0x00c03feb
0x00c03fef
0x00c04020
0x00c03ff1
0x00c03ff1
0x00c03ff1
0x00c04023
0x00c04026
0x00c04029
0x00c0402c
0x00c04032
0x00c0402e
0x00c0402e
0x00c0402e
0x00c0403a
0x00c04042
0x00c04046
0x00c04049
0x00c0404b
0x00c0404b
0x00c0404d
0x00c0404d
0x00c04057
0x00c04057
0x00c03fab
0x00c03fb2
0x00c03fbc
0x00c03fc7
0x00c03fc7

APIs

Part of subcall function 00C4C2C4: __EH_prolog3.LIBCMT ref: 00C4C2CB
Part of subcall function 00C4C2C4: std::bad_exception::bad_exception.LIBCMT ref: 00C4C2E8
Part of subcall function 00C4C2C4: __CxxThrowException@8.LIBCMT ref: 00C4C2F6
Part of subcall function 00C4C2C4: __EH_prolog3.LIBCMT ref: 00C4C303
Part of subcall function 00C4C2C4: std::bad_exception::bad_exception.LIBCMT ref: 00C4C320
Part of subcall function 00C4C2C4: __CxxThrowException@8.LIBCMT ref: 00C4C32E

std::_String_base::_Xlen.LIBCPMT ref: 00C03FCF

Part of subcall function 00C4C28C: __EH_prolog3.LIBCMT ref: 00C4C293
Part of subcall function 00C4C28C: __CxxThrowException@8.LIBCMT ref: 00C4C2BE

_memcpy_s.LIBCMT ref: 00C0403A

Strings

zl, xrefs: 00C03F86, 00C03FB7

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: Exception@8H_prolog3Throw$std::bad_exception::bad_exception$String_base::_Xlen_memcpy_sstd::_
String ID: zl
API String ID: 2526968523-2563081789
Opcode ID: 4c01747e5fe78d382a4757803d1b5d963c8db34cc800bebc6a442309c4395bde
Instruction ID: 1a4ddce18d169ee44d8a5a941640d1a5dc805bbbd4262b4fd678e439a46ca9b2
Opcode Fuzzy Hash: 4c01747e5fe78d382a4757803d1b5d963c8db34cc800bebc6a442309c4395bde
Instruction Fuzzy Hash: 3B21F5723006108BCB28DE8DE8C0A2BF7A9DFA1761B10455EE7518B6D2D772E945C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C084D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00C0850E
_memcpy_s.LIBCMT ref: 00C08523

Part of subcall function 00C02370: __CxxThrowException@8.LIBCMT ref: 00C02382

Strings

eeeeeeee, xrefs: 00C08506, 00C08507, 00C0850C, 00C08522

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: _memcpy_s$Exception@8Throw
String ID: eeeeeeee
API String ID: 93487992-1257926895
Opcode ID: a77cfb88b15d354dde837f523ac7d1d0d2540fb2806bc7102ad81d92c5beb4b9
Instruction ID: ce1e780f2a46e5c15faf39d938828927bc0b3b967d88a7ef59509afdb4ddd5d6
Opcode Fuzzy Hash: a77cfb88b15d354dde837f523ac7d1d0d2540fb2806bc7102ad81d92c5beb4b9
Instruction Fuzzy Hash: 8F01A932200604AFD710DF6CCC8999FB7EAEF88314B048529F9899B252DA30ED45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C1A560(void* __edx) {
				int _v8;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				intOrPtr _v88;
				void* __ebx;
				void* __ebp;
				signed char _t27;
				void* _t35;
				void* _t46;
				void* _t47;

				_t46 = __edx;
				_v8 = 0;
				_v12 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				if(_v12 == 0 || _v8 != 2) {
					L6:
					return 0;
				} else {
					E00C01860(_t35, _t47,  *_v12);
					E00C01860(_t35, _t47,  *((intOrPtr*)(_v12 + 4)));
					_t27 = E00C19270( &_v20);
					_t28 = _t27 & 0x000000ff;
					if((_t27 & 0x000000ff) != 0 || E00C18FB0(_t28,  &_v20, L"--IniReInstal", 0) < 0) {
						E00C01910( &_v20, _t46);
						E00C01910( &_v16, _t46);
						goto L6;
					} else {
						_v88 = 1;
						E00C01910( &_v20, _t46);
						E00C01910( &_v16, _t46);
						return _v88;
					}
				}
			}

0x00c1a560
0x00c1a569
0x00c1a581
0x00c1a588
0x00c1a5fb
0x00000000
0x00c1a590
0x00c1a599
0x00c1a5a8
0x00c1a5b0
0x00c1a5b5
0x00c1a5ba
0x00c1a5ee
0x00c1a5f6
0x00000000
0x00c1a5cf
0x00c1a5cf
0x00c1a5d9
0x00c1a5e1
0x00000000
0x00c1a5e6
0x00c1a5ba

APIs

GetCommandLineW.KERNEL32(00000000), ref: 00C1A574
CommandLineToArgvW.SHELL32(00000000), ref: 00C1A57B

Strings

--IniReInstal, xrefs: 00C1A5BE

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CommandLine$Argv
String ID: --IniReInstal
API String ID: 1106129467-1025191507
Opcode ID: 19de6cbd31a4d5a8a57bc994421647c966554311c6903058d63e8d7e4094f1df
Instruction ID: 1fbcf7476e82e291c785a37e44880cf6a72c0235ba8ebb2acb5774399c299480
Opcode Fuzzy Hash: 19de6cbd31a4d5a8a57bc994421647c966554311c6903058d63e8d7e4094f1df
Instruction Fuzzy Hash: BB114831914108ABCB04EBE0D995AEEF7B8FF15350F1444A9F812A31D1EB709B88EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C7D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00C0C7D0(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				char _v12;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v76;
				char _v80;
				char _v88;
				signed int _t12;
				intOrPtr* _t19;
				intOrPtr* _t29;
				void* _t30;
				void* _t33;

				_t33 = __eflags;
				_t29 = __esi;
				_push(0xffffffff);
				_push(0xc4cde8);
				_push( *[fs:0x0]);
				_t12 =  *0xc58320; // 0x96c0a7a
				_push(_t12 ^ _t30 - 0x00000044);
				 *[fs:0x0] =  &_v12;
				_v56 = 0xf;
				_v60 = 0;
				_v76 = 0;
				E00C042A0(__ebx,  &_v80, "vector<T> too long", 0x12);
				_t6 =  &_v88; // 0x96c0a7a
				_v12 = 0;
				E00C02F30(_t33, _t6);
				_v64 = 0xc52144;
				E00C291AE( &_v64, 0xc55930);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t19 = E00C275AA(__ebx, __edi, _t33, 4);
				if(_t19 == 0) {
					__eflags = 0;
					 *_t29 = 0;
					return _t29;
				} else {
					 *_t19 = _t29;
					 *_t29 = _t19;
					return _t29;
				}
			}

0x00c0c7d0
0x00c0c7d0
0x00c0c7d0
0x00c0c7d2
0x00c0c7dd
0x00c0c7e1
0x00c0c7e8
0x00c0c7ed
0x00c0c7fe
0x00c0c806
0x00c0c80e
0x00c0c813
0x00c0c818
0x00c0c821
0x00c0c829
0x00c0c838
0x00c0c840
0x00c0c845
0x00c0c846
0x00c0c847
0x00c0c848
0x00c0c849
0x00c0c84a
0x00c0c84b
0x00c0c84c
0x00c0c84d
0x00c0c84e
0x00c0c84f
0x00c0c852
0x00c0c85c
0x00c0c867
0x00c0c869
0x00c0c86d
0x00c0c85e
0x00c0c85e
0x00c0c860
0x00c0c864
0x00c0c864

APIs

__CxxThrowException@8.LIBCMT ref: 00C0C840

Part of subcall function 00C291AE: RaiseException.KERNEL32(?,?,?,?), ref: 00C291F0

Part of subcall function 00C275AA: _malloc.LIBCMT ref: 00C275C4

Strings

vector<T> too long, xrefs: 00C0C7F5
zl, xrefs: 00C0C818, 00C0C81C

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow_malloc
String ID: vector<T> too long$zl
API String ID: 1621474382-3979620504
Opcode ID: 4a4a6227496455caca8dd3157d41623f55e65be6594419a510db2c3b8407ab21
Instruction ID: fc844b579c939b33750f6ed07eb5633c9509d6549b7b1f852f9a067a0125e89d
Opcode Fuzzy Hash: 4a4a6227496455caca8dd3157d41623f55e65be6594419a510db2c3b8407ab21
Instruction Fuzzy Hash: AA017CB12183419FD340DF64C946B0BBBE4AB58B14F004A2DF589926C1E774DA48CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00C04B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00C04B30(void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp) {
				char _v12;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v76;
				char _v80;
				char _v88;
				signed int _t12;
				void* _t18;
				void* _t25;
				void* _t29;

				_t25 = __edx;
				_push(0xffffffff);
				_push(0xc4cf48);
				_push( *[fs:0x0]);
				_t12 =  *0xc58320; // 0x96c0a7a
				_t13 = _t12 ^ _t29 - 0x00000044;
				_push(_t12 ^ _t29 - 0x00000044);
				 *[fs:0x0] =  &_v12;
				_v56 = 0xf;
				_v60 = 0;
				_v76 = 0;
				E00C042A0(__ebx,  &_v80, "vector<T> too long", 0x12);
				_t6 =  &_v88; // 0x96c0a7a
				_v12 = 0;
				E00C02F30(_t13, _t6);
				_v64 = 0xc52144;
				_t18 = E00C291AE( &_v64, 0xc55930);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				return E00C2657F(__ebx, _t25, __edi, __esi, _t13, _t18);
			}

0x00c04b30
0x00c04b30
0x00c04b32
0x00c04b3d
0x00c04b41
0x00c04b46
0x00c04b48
0x00c04b4d
0x00c04b5e
0x00c04b66
0x00c04b6e
0x00c04b73
0x00c04b78
0x00c04b81
0x00c04b89
0x00c04b98
0x00c04ba0
0x00c04ba5
0x00c04ba6
0x00c04ba7
0x00c04ba8
0x00c04ba9
0x00c04baa
0x00c04bab
0x00c04bac
0x00c04bad
0x00c04bae
0x00c04baf
0x00c04bb7

APIs

__CxxThrowException@8.LIBCMT ref: 00C04BA0

Part of subcall function 00C291AE: RaiseException.KERNEL32(?,?,?,?), ref: 00C291F0

Strings

vector<T> too long, xrefs: 00C04B55
zl, xrefs: 00C04B78, 00C04B7C

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: vector<T> too long$zl
API String ID: 3976011213-3979620504
Opcode ID: a4e71294591b5fac59a0224af6b5d0a907183e17a1c0e1350e04cdf018aa3229
Instruction ID: 145faedd1e398413a4279bbb061eb480d0be7ff85c158f8718b5e6a15bb65ac2
Opcode Fuzzy Hash: a4e71294591b5fac59a0224af6b5d0a907183e17a1c0e1350e04cdf018aa3229
Instruction Fuzzy Hash: 6FF0AFB500C340ABC304DB50C946B4BB7E8AB48B14F400A1CF48A626C1CB789608DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00C37C6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00C37C6F(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00C29AB9(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00C2F4FC(__ebx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00C2F4FC(_t19, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00C29A92(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E00C3761E(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x00c37c6f
0x00c37c6f
0x00c37c6f
0x00c37c72
0x00c37c78
0x00c37c86
0x00c37c8c
0x00c37c94
0x00c37ca0
0x00c37ca8
0x00c37cb0
0x00c37cc4
0x00c37cc6
0x00c37cca
0x00c37ccf
0x00c37cd5
0x00c37cd7
0x00c37cd9
0x00c37cdc
0x00000000
0x00c37ce3
0x00c37cd7
0x00c37cca
0x00c37cc4
0x00c37cb0
0x00c37ce4

APIs

Part of subcall function 00C29AB9: __getptd.LIBCMT ref: 00C29ABF
Part of subcall function 00C29AB9: __getptd.LIBCMT ref: 00C29ACF

__getptd.LIBCMT ref: 00C37C7E

Part of subcall function 00C2F4FC: __getptd_noexit.LIBCMT ref: 00C2F4FF
Part of subcall function 00C2F4FC: __amsg_exit.LIBCMT ref: 00C2F50C

__getptd.LIBCMT ref: 00C37C8C

Strings

csm, xrefs: 00C37C9A

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5b137bd0ab8a5874cb79dd82afdd43b5fbacbad61a47b8b322d6f3543054bedc
Instruction ID: ab9eca0122d6c5e60c146315a3cdd326eb5b32f1a44aec3218fdaaed91a8edc4
Opcode Fuzzy Hash: 5b137bd0ab8a5874cb79dd82afdd43b5fbacbad61a47b8b322d6f3543054bedc
Instruction Fuzzy Hash: 0D0169B48147098BDF34EF68E444AADB3B5BF10316F34566FF45096AA1DB308B81EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C23DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C23DB0(intOrPtr _a4) {
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_t2 =  *0xc5aec8; // 0x0
				if(_t2 != 0) {
					L6:
					return  *_t2(_a4);
				} else {
					_t4 = E00C23C90(_t8, _t9, _t10, L"Netapi32.dll");
					if(_t4 == 0) {
						L4:
						_t2 =  *0xc5aec8; // 0x0
					} else {
						_t2 = GetProcAddress(_t4, "Netbios");
						if(_t2 == 0) {
							goto L4;
						} else {
							 *0xc5aec8 = _t2;
						}
					}
					if(_t2 == 0) {
						return 0x40;
					} else {
						goto L6;
					}
				}
			}

0x00c23db0
0x00c23dba
0x00c23ded
0x00c23df5
0x00c23dbc
0x00c23dc1
0x00c23dcb
0x00c23de4
0x00c23de4
0x00c23dcd
0x00c23dd3
0x00c23ddb
0x00000000
0x00c23ddd
0x00c23ddd
0x00c23ddd
0x00c23ddb
0x00c23deb
0x00c23df9
0x00000000
0x00000000
0x00000000
0x00c23deb

APIs

GetProcAddress.KERNEL32(00000000,Netbios), ref: 00C23DD3

Strings

Netbios, xrefs: 00C23DCD
Netapi32.dll, xrefs: 00C23DBC

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: AddressProc
String ID: Netapi32.dll$Netbios
API String ID: 190572456-3142203730
Opcode ID: 569149372fd6868a1da9a7f794b8c92dae18713d08b8a0b44927ee2b3b41af31
Instruction ID: 5f28849b04b32f0f8952b7cd1d66ba364be34b0b023938a59975195c1a0c836f
Opcode Fuzzy Hash: 569149372fd6868a1da9a7f794b8c92dae18713d08b8a0b44927ee2b3b41af31
Instruction Fuzzy Hash: 35E0D8B97503517BA7008BB2BD82B1A3FA87614345B080125F411E2590E6AAD750D621

Uniqueness

Uniqueness Score: -1.00%

Function 00C151A0 Relevance: 5.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C151A0(char _a4) {
				intOrPtr _t16;
				intOrPtr _t17;
				void* _t22;
				void* _t32;

				SetLastError(GetLastError());
				_t32 = E00C15010(_a4);
				if(_t32 == 0) {
					return 5;
				} else {
					_t16 =  *((intOrPtr*)(_t32 + 8));
					if(_t16 != 1) {
						__eflags = _t16 - 2;
						if(__eflags == 0) {
							 *(E00C2AF2B(__eflags)) =  *(_t32 + 4);
						}
					} else {
						SetLastError( *(_t32 + 4));
					}
					if( *0xc5c1d8 != 0) {
						_t22 = E00C15360( &_a4);
						 *0xc5c1d8(_t22, _a4);
					}
					_t17 =  *((intOrPtr*)(_t32 + 8));
					if(_t17 != 1) {
						__eflags = _t17 - 2;
						if(__eflags == 0) {
							 *(E00C2AF2B(__eflags)) =  *(_t32 + 4);
						}
						return  *((intOrPtr*)(_t32 + 8));
					} else {
						SetLastError( *(_t32 + 4));
						return  *((intOrPtr*)(_t32 + 8));
					}
				}
			}

0x00c151b0
0x00c151c1
0x00c151c8
0x00c1523b
0x00c151ca
0x00c151ca
0x00c151d0
0x00c151da
0x00c151dd
0x00c151e7
0x00c151e7
0x00c151d2
0x00c151d6
0x00c151d6
0x00c151f0
0x00c151f7
0x00c15202
0x00c15208
0x00c1520b
0x00c15211
0x00c15220
0x00c15223
0x00c1522d
0x00c1522d
0x00c15235
0x00c15213
0x00c15217
0x00c1521f
0x00c1521f
0x00c15211

APIs

GetLastError.KERNEL32(?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C151A3
SetLastError.KERNEL32(00000000,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C151B0

Part of subcall function 00C15010: GetLastError.KERNEL32(00000005,?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C1501A
Part of subcall function 00C15010: SetLastError.KERNEL32(00000000,?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C15034
Part of subcall function 00C15010: GetLastError.KERNEL32(?,?,74CB4C30,00C151C1,00C53300,?,?,?,00C15247,00000000,?,00C152C6,00C53300), ref: 00C15045

SetLastError.KERNEL32(?), ref: 00C151D6

Part of subcall function 00C2AF2B: __getptd_noexit.LIBCMT ref: 00C2AF2B

SetLastError.KERNEL32(?), ref: 00C15217

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: ErrorLast$__getptd_noexit
String ID:
API String ID: 101986603-0
Opcode ID: 220745b0d4cda8b17739b93251427c24a75643aa1af687373497b7fcb4534653
Instruction ID: 356bc9d1147b6040b0ed35c3bfc30e96a6f3e31b38f78c169e96d1b729118ef7
Opcode Fuzzy Hash: 220745b0d4cda8b17739b93251427c24a75643aa1af687373497b7fcb4534653
Instruction Fuzzy Hash: 00117376600B10DBC620DBA5E8C4A9F73E9FBCA321B144829F66AC3610C734ED85E761

Uniqueness

Uniqueness Score: -1.00%

Function 00C24F20 Relevance: 5.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C24F20(char _a4, intOrPtr _a8) {
				char* _t9;
				intOrPtr _t15;
				char _t17;
				char _t20;
				void* _t22;
				char _t26;
				void* _t28;

				EnterCriticalSection(0xc5aeb0);
				if( *0xc5ae30 == 0) {
					_t26 = _a4;
					_t22 = E00C24DD0(_t15, _a8, _t26, _a8);
					if(_t22 == 0) {
						L11:
						LeaveCriticalSection(0xc5aeb0);
						return _t22;
					} else {
						_t9 = 0xc5ae30;
						_t20 = 0x80;
						_t28 = _t26 - 0xc5ae30;
						while(1) {
							_t5 = _t20 + 0x7fffff7e; // 0x7ffffffe
							if(_t5 == 0) {
								break;
							}
							_t17 =  *((intOrPtr*)(_t28 + _t9));
							if(_t17 == 0) {
								break;
							} else {
								 *_t9 = _t17;
								_t9 = _t9 + 1;
								_t20 = _t20 - 1;
								if(_t20 != 0) {
									continue;
								} else {
									 *((char*)(_t9 - 1)) = _t20;
									LeaveCriticalSection(0xc5aeb0);
									return _t22;
								}
							}
							goto L12;
						}
						if(_t20 == 0) {
							_t9 = _t9 - 1;
						}
						 *_t9 = 0;
						goto L11;
					}
				} else {
					E00C09700(_a4, _a8, 0xc5ae30);
					LeaveCriticalSection(0xc5aeb0);
					return 1;
				}
				L12:
			}

0x00c24f25
0x00c24f32
0x00c24f5e
0x00c24f6a
0x00c24f71
0x00c24fb4
0x00c24fb9
0x00c24fc3
0x00c24f73
0x00c24f73
0x00c24f78
0x00c24f7d
0x00c24f80
0x00c24f80
0x00c24f88
0x00000000
0x00000000
0x00c24f8a
0x00c24f8f
0x00000000
0x00c24f91
0x00c24f91
0x00c24f93
0x00c24f94
0x00c24f97
0x00000000
0x00c24f99
0x00c24f9f
0x00c24fa1
0x00c24fab
0x00c24fab
0x00c24f97
0x00000000
0x00c24f8f
0x00c24fae
0x00c24fb0
0x00c24fb0
0x00c24fb1
0x00000000
0x00c24fb1
0x00c24f34
0x00c24f43
0x00c24f4d
0x00c24f58
0x00c24f58
0x00000000

APIs

EnterCriticalSection.KERNEL32(00C5AEB0,00C25379,?,00001000,?,00000000,00001000,00000040), ref: 00C24F25
LeaveCriticalSection.KERNEL32(00C5AEB0,?,?,00C5AE30), ref: 00C24F4D
LeaveCriticalSection.KERNEL32(00C5AEB0,?,?,?), ref: 00C24FA1

Memory Dump Source

Source File: 00000001.00000002.514886221.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.514862592.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515352001.0000000000C4E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515396376.0000000000C58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.515436092.0000000000C5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_Inst7__9510085.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 20966759b1830bc4ece100ed934c2d1c07b422d4b23298a34ab3ef9873a26f97
Instruction ID: cd5265f79356e69eb7b536a715189dc315eff625b64b70319cb8961d89620e03
Opcode Fuzzy Hash: 20966759b1830bc4ece100ed934c2d1c07b422d4b23298a34ab3ef9873a26f97
Instruction Fuzzy Hash: 4301263D2043605BEB1647B9BD05B5A3B92FBC7712F054268F86487790C7B0AC88C762

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Inst7__9510085.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\360ini[1].cab

C:\Users\user\AppData\Local\Temp\360ini.cab

C:\Users\user\AppData\Local\Temp\bCfYaEhIiUiPnHfJ.tmp

C:\Users\user\AppData\Local\Temp\cAaAjCwGnAxAmJlM\{EAFED793-831C-4949-A6C6-BBA0E659A8F1}.tmp

C:\Users\user\AppData\Local\Temp\cXhCjVwGaVyAoUmP\{9A91E1DD-4BFB-4029-88CE-478244A3C748}.tmp

C:\Users\user\AppData\Local\Temp\dCiUqYjVhBiQbTpE.tmp

C:\Users\user\AppData\Local\Temp\eKjNuHeSmTrLoJtI\{D0D0F78C-E32B-45d9-9F88-6FC2EC8776C2}.tmp

C:\Users\user\AppData\Local\Temp\gJsCuFfLfVtBkUlP.tmp

C:\Users\user\AppData\Local\Temp\gYtQtCcEiWiWnGiV.tmp

C:\Users\user\AppData\Local\Temp\hKfEzNcZqVxDcFtV.tmp

C:\Users\user\AppData\Local\Temp\jOwNzOmWaJiKuOkT\{75E63B99-FB7D-46f0-80F5-16829FE6223E}.tmp

C:\Users\user\AppData\Local\Temp\mCcQyFvLbDxJsJeF\{BE03A119-6DF6-4e06-8F37-F71682FCCCF8}.tmp

C:\Users\user\AppData\Local\Temp\mYfAfQaBcIkAnCxY\360ini.dll

C:\Users\user\AppData\Local\Temp\oOiVlOoEvGnWfArP.tmp

C:\Users\user\AppData\Local\Temp\rQyDqOiWmDbSxSkK.tmp

C:\Users\user\AppData\Local\Temp\rXvQzHoJbYgKvIvC\{67814E68-983E-4b54-A639-CF4292A50745}.tmp

C:\Users\user\AppData\Local\Temp\sJaXwXpNyUvEhRfL\{AE73F880-31EA-48cb-8E61-A7B9EC8FB18B}.tmp

Windows Analysis Report
Inst7__9510085.exe

Function 00C03420 Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 356
networkCOMMONCrypto

Function 00C23856 Relevance: 10.6, APIs: 7, Instructions: 59
memoryCOMMON

Function 00C1A370 Relevance: 9.1, APIs: 6, Instructions: 66
processCOMMON